Data protection enforcement according to Polish law

Enforcement authority

In Poland, the enforcement authority for breaches of the Personal Data Protection Act is the Inspector General for Personal Data Protection (Generalny Inspektor Ochrony Danych Osobowych). He/she may issue an administrative decision ordering the addressee to comply with the provisions of the data protection laws. The decisions of the Inspector General may be issued either upon the request of an interested party or ex officio. Principally, he/she may order:

  • the data to be completed, updated, corrected, disclosed or not disclosed
  • suspension of the transfer of data outside the European Economic Area
  • deletion of data
  • additional data protection measures
  • the data to be safeguarded or transferred to other entities

Furthermore, the Inspector General is obliged to report offences related to data processing to the competent law enforcement authorities.

Breaches of the Personal Data Protection Act

The following breaches are mentioned under the Personal Data Protection Act:

  • Processing of personal data in a data filing system where such processing is forbidden
  • Unauthorized processing
  • Disclosure of data that one is obliged to protect
  • Providing unauthorized persons with access to the data
  • Violation (intentional or not) of the obligation to protect the data against unauthorized takeover, damage or destruction
  • Failure to notify the data filing system for registration
  • Failure to inform the data subject of his/her rights or to provide him/her with the information which would enable that person to benefit from the provisions of this Act
  • Preventing or hindering the performance of inspection activities by the inspector

Sanctions

For all the breaches of the Polish Personal Data Protection Act, the following sanctions may apply:

  • fine
    • the amount of the fine is regulated by the Administrative Enforcement Act of 1966 (ustawa z 17 czerwca 1966 r. o postępowaniu egzekucyjnym w administracji);
    • single imposed fines cannot exceed 10,000 PLN (natural persons) or 50,000 PLN (legal persons and organizational units without legal personality)
    • multiple fines cannot exceed 50,000 PLN (natural persons) or 200,000 PLN (legal persons and organizational units without legal personality)
  • partial restriction of liberty
  • deprivation of liberty
    • the length of the deprivation of liberty varies depending on the offence, up to 1-3 years