Legal basis according to Polish data protection law

The principles of personal data processing are set out in Chapter 3 of the Polish Personal Data Protection Act. This Chapter indicates the situations in which data processing is permitted. The important distinction between the two categories of personal data (‘regular’ and sensitive) also exists in Polish regulation, and the conditions for processing differ between them.

Data processing

In accordance with art. 23 of the Personal Data Protection Act, personal data processing is permitted only if at least one of the conditions below is fulfilled:

  1. The data subject’s consent has been obtained (unless the processing consists in the erasure of personal data)
    • The consent does not need to be in writing.
    • Such consent may also cover future processing, provided that the purpose of the processing remains the same.
    • Where data processing is necessary to protect the data subject’s vital interests and such consent cannot be obtained, the data may be processed until the consent can be obtained.
  2. Or the processing is necessary for the:
    1. exercise of rights and duties resulting from legal provisions
    2. performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract
    3. performance of tasks provided for by law and carried out in the public interest, or
    4. purposes of the legitimate interests pursued by the controller or the data recipients, provided that the processing does not violate the rights and freedoms of the data subject
      • The Act names two legitimate interests in particular:
        • Direct marketing of the controller’s own products or services
        • Vindication of claims resulting from economic activity

Art. 27 establishes that in principle the processing of sensitive data is prohibited; art. 27(2) lists the exceptions under which it is permitted:

  1. The data subject’s written consent has been obtained (unless the processing consists in the erasure of personal data)
  2. Another law provides for the processing of such data without the data subject’s consent and provides suitable safeguards
  3. The processing is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent, until a guardian or curator is appointed
  4. The processing is necessary for carrying out the statutory objectives of churches and other religious unions (…) in connection with their activity, subject to appropriate safeguards for the processed data
  5. The processing relates to data necessary to pursue a legal claim
  6. The processing is necessary for carrying out the obligations of the controller with regard to the employment of its employees and other persons, and the scope of the processing is provided for by law
  7. The processing is required for the purposes of preventive medicine, the provision of care or treatment, or the management of health care services, where the data are processed by a health professional involved in treatment or in other health care services, subject to appropriate safeguards
  8. The data were made publicly available by the data subject
  9. The processing is necessary to conduct scientific research (…) (the results of scientific research shall not be published in a way that allows the data subjects to be identified)
  10. The processing is conducted by a party in order to exercise rights and duties resulting from decisions issued in court or administrative proceedings

Data controllers’ obligations

The obligations of the data controller will differ depending on whether the data has been collected directly from the data subject or not.

Art. 24 requires the controller to provide a minimum set of information to the data subject where the personal data have been collected directly from the data subject. Namely, the controller has an obligation to inform the data subject about the:

  1. controller’s full name and the address of its seat
    • If the controller is a natural person: his/her full name and the address of his/her residence
  2. purpose of the data collection and the data recipients (if known at the time of collection)
  3. obligatory or voluntary character of the replies to the questions asked
    • If obligatory: the legal basis of the obligation
  4. existence of the right of access to one’s own data and the right to rectify them

The abovementioned obligations do not apply if:

  • The data subject already has this information
  • A provision of another law allows personal data to be processed without disclosing the real purpose for which the data are collected

In accordance with art. 25, where the data have not been obtained from the data subject, the controller has an obligation, immediately after recording the data, to inform the data subject about the:

  1. controller’s full name and the address of its seat
    • if the controller is a natural person: his/her full name and the address of his/her residence
  2. purpose and scope of the data collection and the data recipients
  3. source of the data
  4. existence of the right of access to one’s own data and the right to rectify them
  5. rights resulting from art. 32(1) points 7 and 8

The exceptions to these obligations include the following situations:

  • The data subject already has this information
  • Another law provides for the collection of the data without the data subject’s prior notification
  • The data are necessary for scientific, didactic, historical, statistical or public opinion research, their processing does not violate the data subject’s rights or freedoms, and providing the above information would involve disproportionate effort or endanger the success of the research
  • The data are processed by State authorities, territorial self-government authorities, state and municipal organisational units, or non-public bodies carrying out public tasks on the basis of legal provisions

Irrespective of whether the controller has obtained the data from the data subject or not, the controller must also ensure that the data it processes are:

  1. processed lawfully
  2. collected for specified and legitimate purposes (and not further processed in a way incompatible with those purposes)
  3. relevant and adequate to the purposes for which they are processed
  4. kept in a form permitting the identification of data subjects for no longer than is necessary for the purposes for which they are processed

Art. 26(2) of the Personal Data Protection Act states that processing personal data for purposes other than those intended at the time of collection is permitted only if it does not violate the rights and freedoms of the data subject and is either (1) carried out for the purposes of scientific, didactic, historical or statistical research, or (2) carried out in compliance with art. 23 and art. 25 of the Personal Data Protection Act.

The data controller may, under certain conditions, entrust the processing of data to a different entity (the data processor). These conditions are discussed in Chapter 13 (‘Commissioned processing under Polish data protection law’).

It must be emphasised that in such cases the controller remains liable for compliance with the Act. The processor, for its part, is liable only where it does not follow the controller’s instructions (art. 31(4) of the Personal Data Protection Act).

The controller has an obligation to appoint a representative in Poland where the entity processing the data has neither its seat nor its place of residence in the European Economic Area (art. 31a of the Personal Data Protection Act).