Definitions of Polish data protection law

In accordance with art. 6(1) of the Polish Personal Data Act:

Personal data is any information relating to a natural person that can be identified or is at least identifiable.

Art. 27(1), on the other hand, provides for the closed catalogue of these personal data, that are considered sensitive:

Sensitive data are these personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade-union membership, as well as the (…) data concerning health, genetic code, addictions or sex life and data relating to convictions, decisions on penalty, fines and other decisions issued in court or administrative proceedings.

Further definitions of the Polish data protection law are listed in the art. 7 of the Polish Data Protection Act:

  • ‘Data filing system’ any structured set of personal data which is accessible pursuant to specific criteria, whether centralized, decentralized or dispersed on a functional basis
  • ‘Processing of data’ any operation performed upon personal data (collection, recording, storage, organization, alteration, disclosure and erasure) and in particular performed in the computer systems
  • ‘Computer system’ set of co-operating devices, utilities, procedures of data processing and software tools applied for personal data processing
  • ‘Security of data within computer systems’ implementation and usage of appropriate technical and organizational measures applied to protect data against unauthorized processing
  • ‘Data erasure’ destruction of personal data or such modification which would prevent determination of the data subject’s identity
  • ‘Controller’ a body, an organizational unit, an establishment or a person referred to in art. 3, who decides on the purposes and means of the data processing.
  • ‘Data subject’s consent’ a declaration of will by which the data subject signifies his/her agreement to personal data relating to him/her being processed; the consent cannot be alleged or presumed on the basis of the declaration of will of other content; the consent may be revoked at any moment
  • ‘Data recipient’ any person to whom the data are disclosed (exclusive of: data subject, person authorized to data processing, EU representative (art. 31a), data processor (art. 31) and state authorities or territorial self-government authorities to whom the data are disclosed in connection with the proceedings conducted)
  • ‘Third country’ a non-EEA country