The most important data protection regulation is EU Regulation 2016/679 (the General Data Protection Regulation, GDPR). Apart from the GDPR, the right to data protection is also enshrined in Article 51 of the Polish Constitution, according to which no one may be obliged, except on the basis of statute, to disclose information concerning themself.

When it comes to Polish national law, the Act of 10 May 2018 on the Protection of Personal Data ("the Polish Data Protection Act”) is also of importance because it completes the GDPR and specifies how the Polish data protection authority operates. The Act also stipulates the maximum penalty for GDPR infringement that can be imposed on public bodies in Poland.

Furthermore, there are various sector-specific data protection regulations – for example, in the area of telecommunication, banking and employment laws.

The key regulators in Poland who are responsible for data protection law enforcement are the President of the Personal Data Protection Office ("the Polish DPA") and the President of the Office of Electronic Communications. Both authorities act independently and are not bound by governmental instructions.

The President of the Personal Data Protection Office is a data protection authority under Article 51 GDPR, and is responsible for monitoring application of the GDPR, to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the EU. The Polish DPA has published several important guidelines and opinions regarding the interpretation of data protection law in Poland since 2018. It has also so far approved two codes of conduct proposed by entities from the medical sector.

The Polish DPA conducts audits systematically and publishes annually its sectoral inspection plan. Furthermore, the authority can initiate investigation, whether incidentally as a response to the complaints lodged by data subjects, on the basis of their own initiative, or following a notification or other request from the controller or a request by another authority.

The Polish DPA is authorised to impose penalties for violating the GDPR. Apart from imposing fines on controllers and processors who do not comply with the GDPR, the Polish DPA is authorised to exercise corrective powers as stipulated in Article 58 (2) GPDR

The President of the Office of Electronic Communications is responsible for enforcing compliance with cookie law. As of the date of this article, no information is available as to whether the authority has imposed any penalty for infringing cookie law. The authority can initiate investigation on its own initiative and does not publish annual sectorial inspection plans regarding compliance with the cookie law.

When the Polish DPA imposes administrative fines or decides to use corrective measures, it has to follow the general conditions stipulated in the GDPR and the Polish Administrative Procedure Code that specify circumstances that the authority has to take into consideration while establishing the extent of the penalty. During inspections, the auditors designated by the Polish DPA may request access to all documents regarding personal data protection that are in the possession of the audited controller (eg, records of processing activities) and make copies of them. They are also authorised by the law to access software programs; in addition, they can request certain documents or information to be communicated after the inspection.

At the end of the inspection, the Polish DPA issues an inspection report, to which the controller is allowed to respond.

The President of the Office of Electronic Communications has to follow general conditions stipulated in the Polish national law while imposing the fines.

Since the GDPR applies in Poland, the Polish DPA is part of the European Data Protection Board (EDPB) – an independent European body which contributes to the consistent application of data protection rules throughout all EU member states.

Polish national law does not include special provisions for NGOs or SROs. However, NGOs can act as data subjects’ proxies in the proceedings before the Polish DPA or in the court proceedings, and SROs are free to develop codes of conduct.

The major privacy NGO in Poland is Panoptykon Foundation. The organisation was established in 2009, and since then it has significantly contributed to the development of data protection law. The Foundation regularly publicises the cases of violation of data protection law and supports data subjects in proceedings before the Polish DPA.

Among Polish SROs, IAB Poland plays a significant role when it comes to data protection law. The association aims to support the activities of the participants of the interactive communication market in Poland and to popularise the internet as an effective medium. IAB Poland actively contributes to developing benchmarks for data protection in online marketing.

As an EU member state, Poland has adjusted its legal system to the requirements resulting from the GDPR. Before the GDPR came into force, Poland had its own data protection law that was a transposition of the EU Directive 95/46. The GDPR has strengthened the position of the national supervisory authority in Poland and put data protection issues on the map nationwide. The Polish DPA is increasingly enforcing GDPR compliance, especially by imposing fines and using its corrective powers.

In the past months, the Polish DPA has actively enforced data privacy rules by conducting inspections and responding to the complaints lodged by the data subjects. Among many actions taken by the Polish DPA, these are the most significant:

• the administrative fine of approximately EUR1 million imposed by the Polish DPA on Fortum Marketing and Sales Polska S.A for failure to implement adequate technical and organisational measures to ensure personal data security and failure to verify the processor;
• the Polish DPA’s statement about the legality of combining the function of the DPO with tasks related to handling requests from whistle-blowers;
• the Polish DPA’s reprimand for a website operator regarding processing personal data with cookies without a legal basis;
• the administrative fine of approximately EUR250,000 imposed by the Polish DPA on Cyfrowy Polsat S.A. for failure to implement appropriate technical and organisational measures in co-operation with the shipping company;
• the Polish DPA approved two codes of conduct provided by entities from the medical sector, but has not as yet accredited monitoring bodies for the codes.

The Polish DPA received complaints from NOYB – the European Center for Digital Rights (a non-profit organisation based in Vienna, Austria, led by an privacy activist Maximillian Schrems) regarding data transfers to the USA and use of "dark patterns" (ie, a manipulative interface that tricks users). However the Polish DPA has not adjudicated upon them.

At the European level, the EDPB published the final versions of the following guidelines:

• Guidelines 02/2021 on virtual voice assistants;
• Guidelines 04/2021 on codes of conduct as tools for transfers;
• Guidelines 8/2020 on the targeting of social media users;
• Guidelines 07/2020 on the concepts of "controller" and "processor" in the GDPR;
• Guidelines 01/2021 on examples regarding personal data breach notification.

The EDPB will further work on the following draft guidelines:

• Guidelines 01/2022 on data subject rights – right of access;
• Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers as per Chapter 5 of the GDPR.

In the next 12 months, we will see further legislative works at the European Union level on the draft Data Act, draft ePrivacy Regulation and draft AI Act. Furthermore, the Data Governance Act is set to be adopted in 2022.

Requirement for Appointment (and Relevant Responsibilities) of Privacy or Data Protection Officers

The requirements for appointing a data protection officer are stipulated in Article 37 (1) GPDR. The designation of a data protection officer is mandatory for entities:

• whose core consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale;
• whose core activities consist of processing on a large scale of special categories of data pursuant to Article 9 or personal data relating to criminal convictions and offences referred to in Article 10.

Furthermore public bodies are legally obliged to appoint a data protection officer (with the exception of the courts).

Criteria Necessary to Authorise Collection, Use or Other Processing

Criteria necessary to authorise collection, use or other processing are stipulated in Article 6 (1) GDPR that provides potential legal basis for the processing. According to that provision, the controller is allowed to process personal data if:

• the data subject has consented to it;
• processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, particularly where the data subject is a child.

The criteria necessary to authorise collection use or other processing of special category data (eg, health data) are stipulated in Article 9 (2) GDPR.

The data subject’s consent is only lawful under GDPR if it is freely given, specific, informed and unambiguously indicated by the data subject.

Data Subject Rights

Data subject rights under the GDPR are described in 2.2Sectoral and Special Issues.

Use of Data Pursuant to Anonymisation, De-identification, Pseudonymisation

Pseudonymous data are still considered personal data under the GDPR. If the data is anonymous then the GPDR does not apply to it. However, the controllers have to be able to prove that they process anonymous data (ie, data that no longer identifies the data subject).

Restrictions on Profiling, Microtargeting, etc

Restrictions on (or allowances for) profiling, microtargeting, automated decision-making, online monitoring or tracking, big data analysis, artificial intelligence, algorithms (explanations, logic, code) are described in 2.2 Sectoral and Special Issues and 5.1 Addressing Current Issues in Law.

Application of “Privacy by Design” or “Privacy by Default”

In the context of the GDPR, "privacy by design" means that data protection must already be taken into account during the conception and development of systems, software or hardware. The goal is to ensure that data collection and data processing are minimised to what is absolutely necessary through appropriate planning and subsequent implementation. In addition, sensible default settings should ensure that personal data is only collected for the processing purpose in question.

"Privacy by default" is also part of privacy by design, as this is an important element for user-friendly data protection. It is required that privacy-friendly default settings be created. With the default settings, only absolutely necessary data should be collected, and only if the data subject wishes to use additional functions will the corresponding personal data also be collected (opt-in instead of opt-out). Until now, opt-out options were often not easy to find for the average user and therefore these options were often not used. Privacy by default should ensure that data subjects do not unintentionally share their data. As a result, this should lead to a minimisation of shared personal data.

Need to Adopt Internal or External Privacy Policies

Neither the controllers nor the processors are obliged under the GDPR to adopt external or internal privacy policies. However, it is recommended that they adopt such documents to be able to prove GDPR-compliance.

Need to Conduct Privacy, Fairness or Legitimate Impact Analyses

Under Article 35(1) GDPR, controllers are obliged to conduct data protection impact in the case of: 

• a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning a natural person or similarly significantly affect a natural person;
• processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10;
• a systematic monitoring of a publicly accessible area on a large scale.

Special Category Data

The GDPR recognises the concept of special categories of personal data that are enumerated in Article 9 (1) GDPR. Their processing is only permitted in particular situations stipulated in Article 9 (2) GDPR – for instance, when a data subject consents to processing such data – and may require a data protection impact assessment. Therefore, it is important to know exactly which data fall under this term.

Special categories of personal data include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (for the purpose of uniquely identifying a natural person), data concerning health or data concerning a natural person’s sex life or sexual orientation.

Health Data

Under Article 4 (15) GPDR, health data is personal data related to the physical or mental health of a natural person, including the provision of healthcare services, which reveal information about their health status. Health data falls under the special category of personal data.

Financial Data, Telecommunication Data

According to the applicable Polish law, a bank, its employees and persons through whom it performs banking activities are obliged to maintain banking secrecy, which includes all information concerning a banking activity, obtained during negotiations, in the course of concluding and performing an agreement on the basis of which the bank performs this activity.

Telecommunication data is considered secret. The Polish telecommunication law stipulates that telecommunications secrecy covers: information transmitted in telecommunications networks, including the content of the transmission and accompanying information; and data on users, including personal data on calls, including the fact of the call, call attempt data, the circumstances and type of call, the date and time of the start/end of the call.

Children’s Data

Children are considered vulnerable data subjects under the GDPR and, therefore, enjoy a higher level of protection than adults. Under Article 8 GDPR on processing personal data while offering information services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if, and to the extent that, consent is given or authorised by a person with parental responsibility for the child.

The GDPR provides discretion for the EU member states when it comes to establishing the age threshold beyond which children may consent to process their data by information services providers independently from their parents. The age threshold for obtaining parental consent is different for each EU member state and can vary between 13 and 16 years; in Poland, the age threshold is 13 years since the national legislator did not introduce special provisions in this area.

Cookies and Beacons

The permissibility of installing tracking codes is defined in Article 173 of the Polish Telecommunications Law Act. According to this provision, storing information or gaining access to information already stored in the subscriber's or end user's telecommunications terminal equipment is permitted under the condition that: the subscriber or end-user is first directly and unambiguously informed in an easy and comprehensible manner about the purpose of storing and gaining access to such information; there is the possibility of determining the conditions for storing or gaining access to such information using software settings installed in the telecommunications terminal equipment used by the subscriber or end-user or service configuration; the subscriber or end-user, upon receipt of such information, consents to it and the data stored or accessed does not cause any configuration changes in the subscriber's or end user's telecommunications terminal equipment and software installed in such equipment.

It is important to clarify that, under Article 173 of the Polish Telecommunications Law Act, "information" is any tracking codes (including cookies) and telecommunications devices – such as a computer or mobile device – through which the user accesses the internet.

In the light of the provision described above, installing trackers will, as a rule, be permitted only if the user complies with the relevant information obligation and consents to the use of cookies by the website. Thus, none of the other grounds for processing listed in Article 6(1) of the GDPR (eg, legitimate interest) may be used to legitimise the installation of user tracking codes, even if they contain personal data.

The applicable law in Poland regarding cookies and beacons will change if the ePrivacy Regulation is adopted. The ePrivacy Regulation is a proposal for the regulation of various privacy-related topics in relation to electronic communications within the European Union. The work on adoption of the ePrivacy Regulation is now nearing completion. According to the ePrivacy Regulation, the installation of cookies will require the consent of the end user if the cookies do not jeopardise the privacy of the individual and facilitate the user's use of the website, or if they are used only for analytical purposes – for example, counting the number of visits to a website.

Addressing Hate Speech, Disinformation, Terrorist Propaganda, etc

The Polish government has tried to introduce a new law aiming to prevent social media platforms from deleting content or banning users that have not violated applicable Polish law. The government proposal has met with harsh pushback from national SROs, as the new law would overlap with the Digital Services Act. If the DSA were passed, the Polish law would be automatically repealed to the extent that it was not in compliance with the EU act. Such a situation would cause unnecessary legal uncertainty and costs for the internet industry, which would have to adjust to both laws. It remains unclear if the governmental proposal will be further developed.

Data Subject Rights

The GDPR provides certain rights for individuals whose personal data is being processed by controllers. Under the GDPR, individuals can exercise:

• the right to be informed;
• the right of access;
• the right to rectification or correction;
• the right to be forgotten;
• the right to data portability;
• the right to object to processing; and
• rights in relation to automated decision-making and profiling.

Furthermore, data subjects may lodge a complaint to the supervisory authority if they think that their data is not processed according to the law.

Sending Commercial or Marketing Communications via Electronic Communication Means

In Poland, sending commercial or marketing communications via electronic communication means (eg, email) is regulated by the Act on Rendering Electronic Services. According to the Polish law, sending unsolicited commercial information addressed to a specified recipient (being a natural person) by means of electronic communication, in particular by email, is prohibited. Nevertheless, the legislator considers commercial information as solicited if the addressee expressed their consent to receive such information and provided an electronic address for this purpose. In light of the above, it should be noted that the Polish legislator has introduced a protective opt-in model, the essence of which is that the sending of marketing information by email and other means of electronic communication requires the prior consent of the addressee (recipient) to receive messages of a commercial nature.

According to the draft ePrivacy Regulation, electronic messaging contact data (eg, email), received when sending material to a customer of an individual in connection with the sale of a product or service, will be able to be used for direct marketing of their own similar products/services, provided that customers are given a clear and prominent opportunity to object, free of charge and in an easy manner, to such use (ie, opt-out).

Sending Commercial or Marketing Communications via Telemarketing Calls or Texts

Under the Polish Telecommunication Act, the use of telecommunications terminal equipment and automatic calling systems for direct marketing purposes is prohibited unless the subscribers or end-users have consented to it.

The ePrivacy Regulation, if adopted, will oblige entities using telemarketing to (i) identify the line on which they can be contacted and (ii) use an identifiable number or a special prefix indicating that the call is of a marketing nature.

The GDPR generally applies to data protection in the workplace. In Poland, GDPR rules are specified by the Polish Labour Code of 23 December 1997. The Polish Labour Code provides the legal basis for processing recruitment data and other data necessary for concluding an employment contract. 

The Polish Labour Code also specifies the rules for monitoring employees in the workplace, such as storing the data obtained via monitoring. Employers may monitor the workplace for security purposes. The objectives, scope and manner of application of monitoring shall be laid down in a collective agreement, in work regulations, or in a notice (if the employer is not covered by a collective agreement or is not obliged to establish work regulations). The employers are also obliged to inform employees of the introduction of the specific monitoring to be adopted no later than two weeks prior to its commencement, as well as providing each new employee with information on the purpose, scope and manner of application of monitoring prior to their admission to work. The information for the employees has to be provided in a concise and comprehensible manner, in an easily accessible form and in clear and plain language.

Where workplace monitoring is introduced, the employer is legally obliged to mark the premises and the area to be monitored in a visible and legible manner, by means of appropriate signs or audio announcements, no later than the day before the start of the monitoring.

The objectives, scope and manner of application of monitoring shall be laid down in a collective agreement, in work regulations or in a notice (if the employer is not covered by a collective agreement or is not obliged to establish work regulations).

The employer may also put the employees’ work emails under surveillance as long as such action is necessary to ensure effective work organisation and to allow full use of the working time and proper use of the working tools made available to the employee. Employers are also authorised to install software dedicated to monitoring employees’ activity on their professional devices.

As of 1 March 2022, the Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of EU law has not yet been implemented to the Polish law. Thus, there are no applicable privacy-specific rules in Poland regarding whistle-blower hotlines and anonymous reporting.

Poland has not adopted the concept of e-discovery as it is understood in common law jurisdictions.

Enforcement

If the Polish DPA finds that the controller or the processor has not complied with the GDPR, this can result in administrative fines.

Administrative fines can be up to EUR20 million or 4% of the worldwide annual turnover, whichever is higher. The Polish DPA can decide to publish its decision. Furthermore, the Polish DPA is entitled to use its corrective powers, such as issuing warnings.

The Polish law also stipulates criminal responsibility for natural persons who process personal data without a legal basis. Whoever processes personal data, although their processing is not permitted or they are not authorised to process such data, shall be subject to a fine, the penalty of restriction of liberty or the penalty of deprivation of liberty for up to two years.

Private Litigation

Under Article 77 GDPR, data subjects are entitled to complain to a supervisory authority if they find their data processed in a way that violates the GDPR. Based on the complaint, the supervisory authority may initiate proceedings regarding potential GDPR infringement.

One of the most significant penalties imposed by the Polish DPA was due to the prior data subject’s complaint. The case concerned Silesian Medical University, which had not implemented appropriate technical and organisational safeguards to secure data processing. As a result, an unauthorised third party could access the recording of remote exams.

Under Article 82 GDPR, any person who has suffered material or non-material damage due to an infringement of the regulation shall have the right to receive compensation from the controller or processor for the damage sustained. Individuals may seek redress based on Article 82 GDPR before competent courts. Class actions for suffering material or non-material damage resulting from an infringement of the GPDR are not allowed under Polish Law. There are only a few cases regarding the right to compensation and liability that the Polish courts have adjudicated.

Law enforcement access to data for serious crimes is regulated in statutes regarding law enforcement agencies (police, customs, etc). Processing of personal data by such entities is also regulated by the Act on the protection of personal data processed in connection with preventing and combating crime; this transposed to Polish law the Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data, repealing Council Framework Decision 2008/977/JHA.

The Polish law stipulates that to prevent or detect criminal offences, fiscal offences crimes, to save human life or health or to support search and rescue operations, the law enforcement agency may obtain data not constituting the content of a telecommunication transmission or a postal item or a transmission of an electronically supplied service without the data subject’s consent. In Polish law, the object scope of the offences and crimes for which law enforcement is authorised to request data has not been specified.

Independent judicial supervision is needed if law enforcement agencies want to undertake surveillance of data subjects.

Processing of personal data by such law enforcement agencies is also regulated by the Act of 14 December 2018 on the protection of personal data processed in connection with preventing and combating crime; this is applicable to government access to data for intelligence, anti-terrorism or other national security purposes.

Furthermore the provisions of the Act on Anti-terrorist Activities and the Act on the Military Counterintelligence Service and the Military Intelligence Service are also applicable to accessing data for such purposes in Poland.

The Polish law does not include statutes that would expressly allow the controller to invoke a foreign government access request as a legitimate basis for the collection and transfer of personal data to a third country, except when the secret services or other governmental agencies may have certain rights to share data with foreign governmental agencies.

The third country’s government access request makes data transfers more risky, requiring the controller to implement additional technical and organisational measures to mitigate the risks associated with the data transfer.

No information has been supplied.

Pursuant to Articles 44 to 50 of the GDPR, transfers of personal data outside the European Union are unlawful unless the third country recipient of the personal data ensures an adequate level of protection, or appropriate guarantees are applied.

The European Commission has so far recognised Andorra, Argentina, Canada (commercial organisations), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, Switzerland, Uruguay, the UK and South Korea as countries providing adequate levels of data protection.

If a non-EAA country is not recognised as providing an adequate level of protection, appropriate safeguards must be applied by the data exporters, such as standard contractual clauses and binding corporate rules. These safeguards are stipulated in Article 46 GDPR. In the absence of an adequacy decision or appropriate safeguards pursuant to Article 46, including binding corporate rules, a transfer or a set of transfers of personal data to a third country or an international organisation shall take place only on one of the conditions stipulated in Article 49 GDPR.

On 4 June 2021, the European Commission adopted two sets of standard contractual clauses (SKUs), one for use between controllers and processors and one for transfers of personal data to third countries. The new SKUs have been aligned with the provisions of the RODO and take into account the content of the judgment of the Court of Justice of the European Union (CJEU) of 18 July 2020 in the Schrems II case. Work on the new set of clauses had been ongoing since November 2020, when the Commission published a draft of both decisions. Data processing agreements that include the old SCC continue to be a valid mechanism for data transfers until 27 December 2022.

The Polish Data Protection Act does not include provisions requiring personal data to be localised in Poland. GDPR rules for transfers of personal data are applicable in Poland, and no stricter rules are imposed by the national law.

The Polish Data Protection Act does not include provisions requiring personal data to be localised in Poland. GDPR rules for transfers of personal data are applicable in Poland, and no stricter rules are imposed by the national law.

The Polish Data Protection Act does not include provisions requiring to share technical details. GDPR rules for transfers of personal data are applicable in Poland, and no stricter rules are imposed by the national law.

After the CJEU’s judgement in the Schrems II case, data exporters are required to implement additional technical and organisational safeguards.

The general GDPR rules regarding data transfers are applicable in Poland. The national law does not include blocking statutes regarding data transfers.

As of 1 March 2022, the Polish DPA has not adopted any opinions regarding: big data analytics and automated decision-making; profiling or microtargeting; artificial intelligence (including machine learning); the internet of things (IoT) or ubiquitous sensors; autonomous decision-making (including autonomous vehicles); facial recognition; geolocation; disinformation, deepfakes or other online harms; "dark patterns” or online manipulation; and fiduciary duty for privacy or data protection.

Biometric Data

Biometric data falls under the term of “special categories of personal data” stipulated in Article 9 GDPR. The processing of such data has to meet at least one of the conditions stipulated in this provision.

Facial Recognition

Facial recognition is not prohibited under the applicable law in Poland. However, data processed by facial recognition technologies are considered biometric data. Thus, they can only be legally processed if one of the conditions stipulated in Article 9 GDPR is met. To some extent, the problem of facial recognition in the context of data privacy law is addressed in the Guidelines 3/2019 on processing of personal data through video devices published by the EDPB.

Drones

There is no privacy-specific law provision in Poland dedicated to drones, except for the legal statues that allow environmental inspections – with the help of drones – to monitor behaviour that harms nature. The Polish DPA has recommended introducing privacy-specific provisions in Poland dedicated to drones used by public bodies.

Artificial Intelligence (AI)

On 21 April 2021, the European Commission presented a draft EU Regulation on the Artificial Intelligence Act (the "AI Act"). The AI Act aims to make the European Union a global centre for trustworthy artificial intelligence and to play a major role in its development. This is the first legal framework in the EU on artificial intelligence that takes into account the risks associated with it. The proposed legislation aims to make artificial intelligence systems used in the EU safe, transparent, ethical, impartial and human-controlled. The work on the AI Act is in progress.

Automated Decision-Making

According to Article 22 (1) GDPR, the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. The automated decision making is only lawful if the data subject consents to it, if such operation is necessary for entering into, or performance of, a contract between the data subject and a data controller, or if it is authorised by applicable law that lays down suitable measures to safeguard the data subject's rights, freedoms and legitimate interests.

A decision based solely on automated processing falls under the prohibition stipulated in Article 22 (1) GDPR if it produces legal effects concerning a data subject or similarly significantly affects them.

Profiling

Under Article 4 (4), "profiling" means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. Thus, all automated actions that leads to the classifying data subjects may fall under that term. Profiling that does not lead to automated decision making is not prohibited under the GPDR, and can be performed if at least one of the legal basis stipulated in Article 6 or in Article 9 GDPR apply.

Organisations in Poland are not required to establish protocols for digital governance or fair data practice review boards or committees to address the risks of emerging or disruptive digital technologies.

Please see 2.5 Enforcement and Litigation.

Entities conducting due diligence will be, in principle, separate and independent controllers of the personal data provided by the acquired company. Therefore, they may be obliged to fulfil informational obligations stipulated in Article 14 GDPR against data subjects.

If a personal data breach related to cybersecurity occurs, the controllers are obliged to notify the Polish DPA. If a personal data breach is likely to result in a high risk of harm to the rights or freedoms of individuals, the controller shall without undue delay notify the data subjects of such breach.

The Polish DPA announced that, in 2022, it plans to inspect the following categories of controllers:

• entities that process personal data using mobile applications – to establish how personal data processed in connection with the use of these applications is secured and shared;
• banks – regarding processing of personal data in connection with profiling the personal data of customers and potential customers and to establish how banks inform credit applicants of their credit assessment;
• public authorities – in relation to processing personal data in the Schengen information system and the visa information system.