1. Protection of Personal Data Act of 10 May 2018, which specifies in particular:

• the procedure for notifying the appointment of a Data Protection Officer (“DPO”);
• monitoring compliance with the personal data protection provisions;
• criminal liability for violating such provisions;

2. Telecommunications Act of 16 July 2004 (ePrivacy Directive implementation, revised by Directive 2009/136) - in practice, this applies to every entrepreneur with a website (probably will be replaced by a new regulation soon) or to any entrepreneur willing to conduct direct marketing activities; 3. Labour Code of 23 December 1997 (defines in detail the rules for the processing of employees' personal data).

What’s new?

The biggest recent update in Polish data protection concerns the Labour Code in area of remote work and sobriety tests / tests for use of illegal substances. Poland fits also into broader international trends. Increased legal focus is set on the AI where main issues concern e.g. copyrights, responsibility for the result of AI "work", confidentiality of information and the a/m personal data protection. An important aspect is the use of algorithms, and the content of inquiries that users address to AI. Other significant privacy related focus points in Poland include:

• international data transfers;
• children’s personal data;
• the cybersecurity of websites and IT systems;
• the role of DPO.

When you should consider GDPR & Polish privacy laws compliance?

In some cases, you need to be GDPR compliant even if you are not from Poland or the European Union. Processing data is, pretty much, everything you can do with it: managing, storing, collecting, modifying and deleting. GDPR is usually applicable if the processing is done for business purposes at least partly by any automated means (for example data will be stored on a computer) and:

• data controller is based within the EU; OR
• processing concerns data subjects who are in the EU in the context of offering them goods or services (even for free) or monitoring their behaviour (if the behaviour takes place in the EU).

So, if you are a data controller or a data processor and GDPR is applicable based on the above, you must take necessary steps. Privacy law sets a number of rules on how much data you can collect and what can you do with it. Moreover, in Poland President of the Personal Data Protection Office can effectively enforce GDPR and Polish privacy laws. The President can not only require you to stop processing activities that are not privacy law compliant, but also to show proper documentation or to pay significant fines. From a positive perspective, privacy law can also be used as an opportunity to improve the quality of data you are processing and security levels within your company.

About us

As the advisors we have been dealing with legal protection of personal data since 2010, long before the world even heard of GDPR. Supporting Poland’s largest social network and other entities over the years, we had real impact on shaping the authorities’ approach in this area. The experience we gained then prepared us organically for the implementation of GDPR for our clients from 2018 onwards. Personal data protection is one of our key specializations. For years, we have been providing comprehensive services to tech companies at every stage of their development - we work with both start-ups and global corporations (considering cross-border data flows). We provide legal support for companies wishing to set up a business in Poland and to expand abroad - we regularly support international companies with expanding their activities to Poland and then provide them with ongoing support (including also suggesting best ways to obtain tax exceptions / tax credits for the company and for the team). Whether the plan involves internal reorganization (intra-group transactions), dynamic growth through acquisition of another company, we know how to carry out these safely, optimally for all parties and with minimal operational and tax costs. Find out what we can do for you. By: Mateusz Borkiewicz, attorney at law, managing partner at Leśniewski Borkiewicz Kostka & Partners