E-marketing under Polish data protection law

In Poland, the rules on e-marketing can be found in the following three legislative acts:

  • Personal Data Protection Act (Ustawa o ochronie danych osobowych)
  • Act on Electronically Supplied Services (Ustawa o świadczeniu usług drogą elektroniczną), that implements the European E-Commerce Directive 2000/31/EC
  • Telecommunication Law Act (Ustawa – Prawo telekomunikacyjne), that implements (inter alia) the European E-Commerce Directive 2000/31/EC and E-Privacy Directive 2002/58/EC

The Polish Personal Data Protection Act lays down the principal rules on processing of personal data. Although obtaining data subject’s consent is often required, the controllers are also allowed for processing data subjects’ data for the purpose of direct marketing of their own products or services without his/her prior consent. However, if the data subject objects the processing of his/her data, the controller is not permitted anymore to continue the processing.

The Act on Electronically Supplied Services (hereinafter ‘ESS’) regulates the commercial information sent electronically. It determines the rules on the expression and withdrawal of consent for receiving marketing e-mails, as well as the sanctions for their violations.

Chapter 4 specifies the rules on the data protection of individuals, who use the services provided electronically. Art. 18 provides a full list of personal data that may be collected from the service user. In principle, after the end of using the service, the customer’s data cannot be further processed by the service provider. However, in accordance with art. 19, he/she may use the data that are necessary for the:

  • billing and payment purposes,
  • advertising, market research, as well as the behavior and users’ preferences for improving the quality of the services (after obtaining users’ consent)
  • clarification of the circumstances of unauthorized use of the service, or:
  • are permitted for processing under separate laws or agreements

It must be remembered, that the recipient’s personal data may be processed solely for the purpose and scope specified in this law.

Finally, the Telecommunication Law Act (hereinafter ‘TL’)prohibits to use any automated calling systems for direct marketing without customer’s prior consent (art. 172 TL). Moreover, because of the increasing amount of personal data use for telemarketing purposes, the Telecommunication Law Act has been amended to contain provisions on personal data protection.

Sending (unsolicited) commercial information

In accordance with art. 10(1) of the Act on Electronically Supplied Services, sending any unsolicited commercial communications electronically (i.e. via e-mail) to a designated recipient who is a natural person is forbidden.

Art. 172 (1) of the Telecommunications Law Act provides that prior consent of the service subscriber or end-user is necessary for the use of telecommunications terminal devices and automatic calling systems for direct marketing purposes

  • ‘telecommunications terminal device’ (art. 2(43) TL) is any telecommunication device that is connected to a network (phone, fax, computer connected to the Internet)

Consequently, it means that before sending any commercial offer, three separate consents from the recipient must be obtained. Firstly, the consent to send unsolicited commercial communications by electronic means; secondly, the consent to use a telecommunications terminal device for direct marketing, and thirdly – the consent for the processing of personal data, which is regulated by the Personal Data Protection Act.

The consent to send unsolicited commercial offer cannot be obtained during the first contact with the customer. Furthermore, it must be emphasized that the consent must be expressed clearly and explicitly, it cannot be implied. Moreover, it must always be possible for the customer to withdraw his/her consent at any time (Art. 4 ESS and art. 174 TL). It should also be fixed, in a meaning that the e-service provider should be able to show the confirmation of the customer’s consent (art. 174(2) TL).

Although no official guidelines have been issued, a statement by the authority on what is SPAM and what are the sanctions for sending SPAM can be found at the Inspector’s General website: http://www.giodo.gov.pl/pl/361/8304  (in Polish).


Art. 25 of the Act on Electronically Supplied Services provides for fines for unsolicited commercial communications by electronic means. Furthermore, art. 210 of the Telecommunication Law Act provides for fines as high as 3% of the previous annual income, or even up to 500 000 PLN if the entity did not operate during the full previous calendar year.  Finally, in accordance with art. 49(1) of the Personal Data Protection Act the processing of data without prior consent may be not only punished with a fine, but also with a partial restriction of freedom or even a prison sentence of up to 2 years.