Protection of personal data in Poland - main facts

The most important legal act concerning protection of personal data in Poland is the Act on of 29 August 1997 on the Protection of Personal Data. The act establishes the Inspector General and determines framework of the personal data processing. Inspector General is competent in the issues concerning personal data protection and may inspect any subject who process personal data. Entities which belong to the EEA (European Economic Area) are obliged to comply with the Act on the Protection of Personal Data only if they operate in the territory of Poland. This means that almost every company registered in Polish National Court Register have to comply with the Act.

The main requirements for the data controller (in most cases – your company operating in Poland) are:

• To process personal data on the basis of legal prerequsites

• To inform data subject about its rights and the data controller status

• To register the data files in the Inspector General Office

• To secure the personal data from uncontrolled access

• To remove the personal data in case of request from data subject

Personal data usually can not be transferred outside of EEA (European Economic Area) without prior approval of the data subject. However, it can be transferred without restrictions in the European Union and few other countries (e.g. Norway, Island, Lichtenstein).

Not applying the provisions of the Polish Act on Personal Data Protection can lead to criminal responsibility, in some cases even to three years of imprisonment. More often it leads to the administrative proceeding.

In case of any questions please contact the author.