The two crucial legislative acts for the online data protection are the Personal Data Protection Act and the Act on Electronically Supplied Services (Ustawa o świadczeniu usług drogą elektroniczną). Specifically, the Chapter 4 of the latter contains the rules on the protection of personal data in connection with the provision of services by electronic means.
The ‘provision of a service by electronic means’ is defined as: an execution of a service without the simultaneous presence of the parties (at a distance), by transmission of data at the individual request of the user, transmitted and received by means of electronic processing equipment including digital compression and storage of data which is wholly transmitted, received or transmitted via the telecommunication network (within the meaning of the Telecommunication Law Act)
Obligations of the e-service provider
Chapter 2 of the Act on Electronically Supplied Services determines the obligations of the e-service provider towards the user. He/she must provide the user with the basic information determined in art. 5(2-5) explicitly, non-ambiguously and directly available through the IT system used by the recipient. Furthermore, according to Art. 6 the provider has an obligation to provide the access to an updated information on:
- threats connected to the use of e-services
- function and purpose of the software or of the data that are not part of the service’s content introduced by the service provider to the teleinformatic system used by the recipient.
As regards the data processing, Chapter 4 of the Act on Electronically Supplied Services establishes the rules applicable for provision of e-services. Art. 18 allows the service provider toprocess the data, that are necessary for establishing, shaping, changing or terminating a legal relationship between the service provider and its user, namely:
- User’s names and surname
- PESEL number (Polish personal identification number), or – if not assigned – passport number, identity card or other identity document
- Permanent residence address
- Correspondence address (if different from permanent residence address)
- Data serving user’s electronic signature verification
- User’s e-mail
It is important to note, that the service provider is not allowed to continue processing of the user’s data after using the e-service.
Processing of user’s personal data electronically means, that the user must have a guarantee to access the information on:
- the existing options of using the e-service anonymously or with using a pseudonym
- the undertaken measures, restricting the acquisition of unauthorized data
- the subject, to whom the user entrusts his/her personal data and possible data transfers to another entity
In Poland, the conditions for using ‘cookies’ are covered by the Telecommunications Law Act, namely its art. 173. Accordingly, the users must be previously directly informed in an unambiguous, easy and understandable way about:
- the purpose of storing and accessing the information
- user’s ability to determine the conditions for storing or accessing the information using the software settings or service configuration
Furthermore, before the cookies may be used, the user must consent on their installation and use.
The exception from the information obligation is provided in art. 173 (3) of the Telecommunications Law Act and it covers the cookies of a technical nature.