Poland - Data Protection
History of Data Protection in POLAND
The Polish Act on Personal Data Protection of the 29 August 1997, which implemented Directive 95/46/EC, was the first dedicated legislation in this area. Its introduction signalled an increasing interest in the rights of individual citizens that has accompanied the progressive democratisation of public life in Poland.
This is also reflected in Articles 47 and 51 of the Constitution of the Republic of Poland. Article 47 ensures the legal protection of the private and family life of citizens. Article 51 limits the circumstances in which the state can gather the personal data, and confers basic rights upon citizens, for instance the right to access.
Summary of Data Protection in POLAND
| Title of Data Protection Legislation | Act on Personal Protection of Data- amended 2004 |
| Name of supervisory authority | General Inspector for the Protection of Personal Data |
| General Powers of supervisory authority |
The Act on Personal Data Protection sets out the general
duties and powers of the General Inspector: 2) issuing administrative decisions and consideration of complaints with respect to the enforcement of the regulations on the protection of personal data; 3) keeping the register of data filing systems and providing information on the registered data filing systems; 4) issuing opinions on draft laws and regulations with respect to the protection of personal data; 5) initiating and undertaking activities aimed at more efficient protection of personal data; 6) participating in the work of international organisations and institutions involved in personal data protection". 2) The power to demand written or oral explanation and the power to summon and hear any person with regard to determining the actual state of things; 3) The power to demand presentation of documents and any data relating to the subject of the control; 4) The power to demand that any devices, data carriers, and automatic systems of data processing be submitted for the purpose of examination; 5) The power to order expert analysis and opinions to be prepared". 1) to eliminate any failure; 2) to complete, update, correct, disclose or keep confidential the personal data; 3) to apply additional measures protecting the personal data files; 4) to suspend the transmission of personal data to third countries; 5) to safeguard the data or to transfer them to other entities; or 6) to erase the personal data". |
| Who has standing to notify the supervisory authority of breaches? | The data subject. |
| What are the penalties for data controllers if they breach the law? | If the data controller breaches the law then they can be fined or imprisoned (See Articles 49 - 54 of the Act on Personal Data Protection). |
| Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? | Yes. The main provisions in this regard are contained in the Act on Census and Identification Documents 1974. |
| Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? | It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it. |
| Does the Data Protection Legislation cover the deceased? | No |
| Who is able to indirectly identify the data subject? | Anybody |
Laws and Regulations
- The
Act on the Personal Protection of Data 1997- amended 2004