Important data protection legislation in Poland

Until the EU General Data Protection Regulation (‘GDPR’) becomes applicable on 25 May 2018, the primary data protection legislation in Poland is the Personal Data Protection Act of 1997 (Ustawa o ochronie danych osobowych). The text of the Personal Data Protection Act is available online at:

In accordance with Art. 5 of the Personal Data Protection Act, where other laws on data processing provide for further-reaching protection, the provisions of those laws apply. In particular cases or in particular sectors, therefore, other legal acts must also be complied with. Examples are the Banking Law Act (Ustawa – Prawo bankowe), the Act on the Provision of Services by Electronic Means (Ustawa o świadczeniu usług drogą elektroniczną) and the Telecommunications Law (Ustawa – Prawo telekomunikacyjne).

As the date of application of the new European Regulation approaches, the EU Member States have started drafting national laws that make use of the opening clauses of the GDPR. On 12 September 2017 Poland, too, published a second draft of its new Personal Data Protection Act (available in Polish at:

It must be kept in mind, however, that this is still only a draft, so its content may still change.

Personal Data Protection Act of 1997

The Personal Data Protection Act of 1997 (Ustawa z dnia 29 sierpnia 1997 r. o ochronie danych osobowych) is the primary piece of legislation in Poland laying down the rules on personal data protection in the country. By 1 May 2004, the date of Poland's accession to the European Union, it had been amended to transpose the rules of EU Directive 95/46/EC on the protection of personal data.

The Polish Personal Data Protection Act not only sets out the principles of data processing but also defines the rights of data subjects. The Act applies to both public and private entities, and it covers the processing of personal data in files, indexes, books, lists and other registers as well as in computer systems, and also where data are processed outside a data filing system. For personal data filing systems prepared on an ad hoc basis and used solely for technical, training or higher education purposes, only Chapter 5 (Personal Data Security) applies, provided that the data are removed or anonymised immediately after they have been used.

Outside the scope of the Personal Data Protection Act are natural persons processing data solely for personal or domestic purposes, and entities having their seat or residence outside the European Economic Area that use technical means located in Poland solely for transferring data. The Act also does not apply to journalistic activity within the meaning of the Press Law Act (Ustawa – Prawo prasowe), nor to literary and artistic activity.

Structure of the Personal Data Protection Act of 1997

The Polish Personal Data Protection Act is divided into nine Chapters, which contain the following provisions:

  • Chapter 1: General Provisions (Przepisy ogólne) (articles 1-7)
  • Chapter 2: Supervisory Authority for Personal Data Protection (Organ ochrony danych osobowych) (articles 8-22a)
  • Chapter 3: The Principles of Personal Data Processing (Zasady przetwarzania danych osobowych) (articles 23-31a)
  • Chapter 4: The Rights of the Data Subject (Prawa osoby, której dane dotyczą) (articles 32-35)
  • Chapter 5: Personal Data Security (Zabezpieczenie danych osobowych) (articles 36-39a)
  • Chapter 6: Registration of Personal Data Filing Systems and of Administrators of Information Security (Data Protection Officers) (Rejestracja zbiorów danych osobowych oraz administratorów bezpieczeństwa informacji) (articles 40-46f)
  • Chapter 7: Transfer of Personal Data to a Third Country (Przekazywanie danych osobowych do państwa trzeciego) (articles 47-48)
  • Chapter 8: Sanctions (Przepisy karne) (articles 49-54a)
  • Chapter 9: Amendments to the Binding Regulations, Transitional and Final Provisions (Zmiany w przepisach obowiązujących, przepisy przejściowe i końcowe) (articles 55-62)

Regulation 2004

Since the Personal Data Protection Act describes the rules on data security only in general terms, more specific implementing legislation was needed. The Minister of Internal Affairs and Administration therefore issued the Regulation on the documentation of personal data processing and on the technical and organisational conditions to be met by devices and IT systems used for the processing of personal data (‘Regulation 2004’) (Rozporządzenie w sprawie dokumentacji przetwarzania danych osobowych oraz warunków technicznych i organizacyjnych, jakim powinny odpowiadać urządzenia i systemy informatyczne służące do przetwarzania danych osobowych).

The Regulation 2004 is available at: (Polish)

In accordance with its §1, the Regulation 2004 lays down:

  • the manner of keeping, and the scope of, the documentation describing the processing of personal data and the technical and organisational measures ensuring a level of protection appropriate to the threats and to the categories of data concerned;
  • the basic technical and organisational conditions to be met by the devices and IT systems used for the processing of personal data;
  • the requirements for recording disclosures of personal data and for the security of personal data processing.

Other Laws

Furthermore, several other executive regulations relevant to data protection have been issued, such as:

  • Regulation of 2008 on the template of the notification of a data filing system for registration with the Inspector General for the Protection of Personal Data (Rozporządzenie w sprawie wzoru zgłoszenia zbioru do rejestracji Generalnemu Inspektorowi Ochrony Danych Osobowych), available at: (Polish)
  • Regulation of the Minister of Administration and Digitization of 11 May 2015 on the manner in which the administrator of information security (data protection officer) keeps the register of data filing systems (Rozporządzenie Ministra Administracji i Cyfryzacji z 11 maja 2015 r. w sprawie sposobu prowadzenia przez administratora bezpieczeństwa informacji rejestru zbiorów danych), available at: (Polish)
  • Regulation of the President of the Republic of Poland granting a statute to the Bureau of the Inspector General for the Protection of Personal Data (Rozporządzenie Prezydenta Rzeczypospolitej Polskiej w sprawie nadania statutu Biuru Generalnego Inspektora Ochrony Danych Osobowych), available at: (Polish)

In addition to the Personal Data Protection Act and its executive regulations, other sources of law may apply in specific sectors or in particular cases. In accordance with Art. 5 of the Personal Data Protection Act, where other legislation on data processing provides for further-reaching protection, that legislation applies. Examples are the personal data protection provisions in the:

These laws do not replace the Personal Data Protection Act; rather, they supplement it with more detailed, sector-specific rules.

The provisions of the Act on the Provision of Services by Electronic Means and of the Telecommunications Law that are relevant to data protection are discussed in more detail in Section 5 (E-marketing under Polish data protection law).

Draft of the new Personal Data Protection Act

Although the new European Regulation (GDPR) aims to harmonise data protection law across the Member States and will be directly applicable, it contains over 50 opening clauses. These opening clauses allow the Member States to adopt national rules that complement the GDPR.

Poland, too, has started preparing for the application of the GDPR. The Ministry of Digital Affairs (Ministerstwo Cyfryzacji) has officially published drafts of the new Polish data protection legislation: the first draft in March 2017 and the most recent version in September 2017.

The draft introduces several significant changes to the current Polish legal order, including:

  • replacing the current data protection authority, the Inspector General for the Protection of Personal Data, with a newly created Personal Data Protection Office (Urząd Ochrony Danych Osobowych)
  • stricter qualification requirements for the head (Chairman) of the Personal Data Protection Office
  • the power of the national supervisory authority to impose administrative fines (following directly from Article 83 GDPR)
  • a narrower scope of criminal liability
  • more detailed rules on inspection (control) proceedings

The text of the draft is available (in Polish) at: