Data subjects’ rights according to Polish data protection law

Data subjects’ rights are enlisted in the Chapter 4 of the Polish Data Protection Act (‘The Rights of the Data Subject’, ‘Prawa osoby, której dane dotyczą’).

  1. The data subject has the right to information and to control processing of his/her data (art. 32 PDPA):
    • the obligation to provide information lays with the controller, which is obliged to respond to the data subject’s request within 30 days and, if requested, in writing (art. 33 PDPA).
    • Not complying with this obligation results in liability to a fine, partial restriction or deprivation of liberty of up to 2 years (art.54 PDPA)
    • The data subject may exercise his/her right to obtain information once every six months

    The data subject has a right to know:

      • whether the filing systems exist
      • the controller’s identity, its address of seat and full name
      • the purpose, scope and the means of processing
      • since when his/her personal data are being processed and communication to him/her in an intelligible form of the content of the data
      • the source of his/her personal data (unless the controller is obliged to keep it confidential as a state, trade or professional secrecy)
      • the means in which the data are disclosed and the (categories of) data recipients
      • the prerequisites of taking the decision referred to in art. 26a(2)

    The controller can refuse to provide the data subject the information on the above-mentioned matters only if they are confidential or if they would create a threat to national defense or security, life and health of other persons, or to public security and order, or vital economic or financial interest of the state or it would constitute a significant breach of data subject’s or others personal rights (art. 34 PDPA).

  2. Right to correct data, to request suspension of data processing or erasure of data (art. 35 PDPA)
    • the obligation to correct, suspend the processing or erase the data lays with the controller
    • failure to comply may result in a relevant order from the Inspector General upon the data subject’s application
    • burden of proof lays with the data subject

    the data subject may demand his personal data to be completed, updated, rectified, temporally or permanently suspended or erased in two cases:

      • Data are not complete, outdated, untrue or collected with the violation of the act
      • Data are no longer required for the purpose for which they have been collected

    When the data subject is able to prove the above (and unless other laws require the data to be amended, updated or corrected), the controller is obliged to:

      • amend, update, or correct the data
      • temporally or permanently suspend the processing
      • erase the data from the filing system
      • inform other controllers, to whom he/she disclosed a data file, about the update of correction of data
  3. The right to object the processing of his/her personal data
    • The controller’s obligation to stop further processing of data
    • The controller may nevertheless keep: name and surname with PESEL identification number/address, so it can avoid using the data again for the purposes objected by the data subject.

    Data subjects can object their data processing in cases when the processing is permitted:

    • for the performance of legal tasks for the public good reasons
    • for the fulfillment of the controller’s/recipient’s legally justified purpose, which does not violate the data subject’s rights and freedoms
  4. Request for the blocking of the data processing, due to the person’s particular situation
    • The provisions do not specify what the ‘particular situations’ are
    • Every person can write a justified demand for having his/her data processing blocked in the same cases as with the right to object:
      • for the execution of legal tasks performed for the public good
      • to fulfill the legally justified purpose pursued by the controller or data recipients and does not infringe the data subject’s rights and freedoms
    • The controller should either stop the data processing or forward such a request to the Inspector General for taking an appropriate decision
  5. Demand that the controller reconsiders the individual case settled, that was solely based on automated processing in a computer system
    • The controller must then:
      • Reconsider the case
      • Transmit it with his/her reasoned stand to the Inspector General to issue an appropriate decision