LAW Insights    13.01.2026

GDPR in Poland for Foreign Companies

A Comprehensive Guide to Data Processing Obligations in Poland

1. Introduction – Territorial Scope of the GDPR

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, commonly known as the GDPR (General Data Protection Regulation), constitutes the foundation of the European data protection framework. For foreign companies planning to operate in Poland or targeting Polish consumers, understanding the obligations arising from this regulation is absolutely essential.

Pursuant to Article 3 of the GDPR, the regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or processor in the Union, regardless of whether the processing takes place in the Union or not. Importantly, the GDPR also applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services to such data subjects or the monitoring of their behaviour as far as their behaviour takes place within the Union.

This extraterritorial jurisdiction of the GDPR means that companies from third countries, including the United States, China, the United Kingdom, and other states outside the European Economic Area, must comply with European data protection rules if their activities concern natural persons located within the EU territory, including Poland.

2. Fundamental Principles of Personal Data Processing

Article 5 of the GDPR establishes seven fundamental principles that must guide every personal data processing operation. These principles form the basis of the entire data protection system, and their violation may result in severe administrative sanctions.

2.1. Lawfulness, Fairness and Transparency

Personal data must be processed lawfully, fairly, and in a transparent manner in relation to the data subject. In practice, this means having a valid legal basis for processing as specified in Article 6 of the GDPR, such as consent of the data subject, performance of a contract, compliance with a legal obligation incumbent on the controller, protection of vital interests, performance of a task carried out in the public interest, or legitimate interests pursued by the controller. Transparency requires providing data subjects with comprehensive information about the processing in a clear and understandable form.

2.2. Purpose Limitation

Personal data may only be collected for specified, explicit, and legitimate purposes and not further processed in a manner incompatible with those purposes. An exception applies to further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes, which pursuant to Article 89(1) of the GDPR shall not be considered incompatible with the initial purposes. Any change in the purpose of processing requires conducting a compatibility test or obtaining a new legal basis.

2.3. Data Minimisation

The controller should process data that is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed. This principle requires foreign companies to critically assess what data they actually need to achieve their business objectives and to refrain from collecting excessive information. In a cross-border context, it is particularly important to adapt data collection practices to European standards, which are often more restrictive than regulations in companies’ countries of origin.

2.4. Accuracy

Personal data must be accurate and, where necessary, kept up to date. The controller is obliged to take every reasonable step to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay. This obligation requires implementing procedures for data verification and updating, as well as enabling data subjects to easily report inaccuracies.

2.5. Storage Limitation

Personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. This requires controllers to develop a data retention policy specifying concrete retention periods for different categories of data, justified by processing purposes or legal requirements. Upon expiry of the retention period, data should be permanently deleted or anonymised.

2.6. Integrity and Confidentiality

Personal data must be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage, using appropriate technical or organisational measures. Foreign companies must implement a comprehensive security system encompassing both technical measures (encryption, access control, monitoring) and organisational measures (employee training, security policies, incident response procedures).

2.7. Accountability

The controller is responsible for compliance with all the principles listed above and must be able to demonstrate such compliance. This principle reverses the burden of proof – the controller must prove compliance with the GDPR, rather than the supervisory authority having to prove a violation. This requires maintaining detailed documentation, including records of processing activities, data protection impact assessments, evidence of consent obtained, and documentation of implemented security measures.

3. Key Obligations of the Data Controller

3.1. Information Obligations

Articles 13 and 14 of the GDPR impose extensive information obligations on the controller towards the individuals whose data it processes. When collecting data directly from the data subject (Article 13), the controller must provide its identity and contact details, the contact details of the data protection officer (if designated), the purposes of processing and the legal basis, the legitimate interests pursued by the controller (if processing is based on this ground), recipients or categories of recipients of the data, and information about the intention to transfer data to a third country along with the safeguards applied.

Additionally, the controller must inform about the period for which data will be stored or the criteria used to determine that period, the rights available to the data subject (access, rectification, erasure, restriction, portability, objection), the right to withdraw consent at any time (if processing is based on consent), the right to lodge a complaint with a supervisory authority, information about automated decision-making including profiling, and whether the provision of data is a statutory or contractual requirement or a requirement necessary to enter into a contract, as well as the consequences of failing to provide such data.

3.2. Records of Processing Activities

Pursuant to Article 30 of the GDPR, the controller and processor are obliged to maintain records of processing activities. This obligation applies to enterprises employing at least 250 persons, or conducting processing that is likely to result in a risk to the rights and freedoms of data subjects, processing that is not occasional, or processing that includes special categories of data (Article 9(1)) or data relating to criminal convictions (Article 10).

The controller’s records must contain the name and contact details of the controller, joint controllers, and the representative and data protection officer, the purposes of processing, a description of the categories of data subjects and categories of personal data, categories of recipients (including in third countries), information about transfers to third countries along with documentation of safeguards, envisaged time limits for erasure of different categories of data, and a general description of technical and organisational security measures.

3.3. Data Protection Impact Assessment (DPIA)

Article 35 of the GDPR introduces the obligation to carry out a Data Protection Impact Assessment (DPIA) prior to processing that, by virtue of its nature, scope, context, and purposes, is likely to result in a high risk to the rights and freedoms of natural persons. A DPIA is mandatory in cases of systematic and extensive evaluation of personal aspects relating to natural persons, based on automated processing including profiling, processing on a large scale of special categories of data or data relating to criminal convictions, and systematic monitoring on a large scale of a publicly accessible area.

The President of the Personal Data Protection Office (PUODO) has published a list of the types of processing operations requiring a DPIA in Poland. This list includes, among others, processing of biometric data for identity verification, processing of genetic data, employee geolocation, profiling for marketing purposes using data from external sources, and large-scale processing of CCTV monitoring data.

4. Designation of a Representative in the European Union

Article 27 of the GDPR imposes on controllers and processors not established in the Union but subject to the GDPR pursuant to Article 3(2) the obligation to designate in writing a representative in the Union. The representative must be established in one of the Member States where the data subjects whose personal data are processed are located.

The function of the representative is of fundamental importance for the effective enforcement of the GDPR against entities outside the EU. The representative serves as a point of contact for both supervisory authorities and data subjects in all matters relating to processing. They are also the addressee of enforcement measures, meaning that administrative fines can be imposed through them.

The obligation to designate a representative does not apply to public authorities or bodies, or to processing that is occasional, does not include large-scale processing of special categories of data or data relating to criminal convictions, and is unlikely to result in a risk to the rights and freedoms of natural persons. The designation of a representative does not affect the liability of the controller or processor, nor the possibility of initiating proceedings against them.

5. Data Protection Officer (DPO)

Articles 37-39 of the GDPR regulate the institution of the Data Protection Officer (DPO). Designation of a DPO is mandatory in three cases: when processing is carried out by a public authority or body (except for courts acting in their judicial capacity), when the core activities of the controller or processor consist of processing operations which by virtue of their nature, scope, or purposes require regular and systematic monitoring of data subjects on a large scale, or when the core activities consist of processing on a large scale of special categories of data or data relating to criminal convictions.

The DPO may be an employee of the controller or processor or perform their tasks on the basis of a service contract. The controller and processor must ensure that the DPO is involved properly and in a timely manner in all issues relating to the protection of personal data, has the resources necessary to carry out their tasks, and does not receive instructions regarding the exercise of their tasks. The DPO reports directly to the highest management level and is protected against dismissal or penalty for performing their tasks.

The tasks of the DPO include informing the controller and employees of their obligations under data protection legislation, monitoring compliance with the GDPR and the controller’s policies, providing advice on data protection impact assessments and monitoring their performance, cooperating with the supervisory authority, and acting as a contact point for the supervisory authority. The contact details of the DPO must be published and communicated to the supervisory authority. In Poland, notification is made to the PUODO.

6. Transfers of Personal Data to Third Countries

Chapter V of the GDPR (Articles 44-49) establishes detailed rules for the transfer of personal data to third countries, i.e., countries outside the European Economic Area. For foreign companies operating in Poland and transferring data to their headquarters or other organisational units outside the EU, this issue is of fundamental importance.

6.1. Adequacy Decisions

The simplest basis for transferring data to a third country is a decision by the European Commission stating that the country ensures an adequate level of protection (Article 45 GDPR). Currently, adequacy decisions cover, among others, Andorra, Argentina, Canada (for commercial organisations subject to PIPEDA), the Faroe Islands, Guernsey, Israel, the Isle of Man, Japan, Jersey, New Zealand, the Republic of Korea, Switzerland, the United Kingdom, and the United States (for entities participating in the EU-US Data Privacy Framework).

Of particular significance is the decision concerning the United States – the EU-US Data Privacy Framework adopted in July 2023. US companies that have joined this programme and been certified by the US Department of Commerce may receive personal data from the EU without the need to apply additional safeguards. The certification status of specific companies can be verified on the programme’s website maintained by the Department of Commerce.

6.2. Standard Contractual Clauses (SCCs)

In the absence of an adequacy decision, data transfers may take place on the basis of standard contractual clauses adopted by the European Commission (Article 46(2)(c) GDPR). The current standard contractual clauses were adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021. These clauses are modular in nature and cover four scenarios: controller-to-controller transfer, controller-to-processor transfer, processor-to-processor transfer, and processor-to-controller transfer.

The use of SCCs requires conducting a Transfer Impact Assessment (TIA), in which the parties must assess whether the law of the third country ensures a level of protection essentially equivalent to that guaranteed in the EU. If the assessment reveals that the law of the third country may interfere with the effectiveness of the clauses, it is necessary to implement additional supplementary measures (technical, organisational, or contractual) or refrain from the transfer.

6.3. Binding Corporate Rules (BCRs)

For international corporate groups, Binding Corporate Rules (BCRs) provided for in Article 47 of the GDPR are a particularly useful instrument. BCRs are internal data protection policies adopted by a group of undertakings engaged in joint economic activity, which, after approval by the competent supervisory authority, constitute a basis for lawful transfer of personal data between group entities, including to third countries.

The process of obtaining BCR approval is time-consuming and costly, as it requires preparing comprehensive documentation, conducting a cooperation procedure between supervisory authorities, and obtaining approval from the lead supervisory authority. However, once approved, BCRs constitute a flexible and effective tool for managing intra-group data transfers without the need to conclude separate agreements for each transfer.

7. Rights of Data Subjects

The GDPR grants natural persons a broad catalogue of rights regarding the protection of their personal data. Foreign companies operating in Poland must implement procedures enabling the effective exercise of these rights within the time limits specified in the regulation.

7.1. Right of Access

Article 15 of the GDPR grants the data subject the right to obtain from the controller confirmation as to whether personal data concerning them are being processed, and if so, the right to access those data and information about the purposes of processing, the categories of data, the recipients, the envisaged period of storage, the rights available, the source of data (if not collected from the data subject), automated decision-making, and transfers to third countries. Upon request, the controller is obliged to provide a copy of the personal data undergoing processing.

7.2. Right to Rectification

Pursuant to Article 16 of the GDPR, the data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them and the completion of incomplete data, including by providing a supplementary statement. The controller must implement mechanisms enabling effective verification and correction of data.

7.3. Right to Erasure (“Right to Be Forgotten”)

Article 17 of the GDPR establishes the right to obtain the erasure of personal data where the data are no longer necessary for the purposes for which they were collected, the data subject withdraws consent on which processing is based, the data subject objects successfully, the data have been unlawfully processed, erasure is required by EU or Member State law, or the data were collected in relation to the offer of information society services to a child. This right is subject to limitations, including on grounds of freedom of expression, legal obligations incumbent on the controller, public interest in the field of public health, archival purposes, or the establishment, exercise, or defence of legal claims.

7.4. Right to Restriction of Processing

Under Article 18 of the GDPR, the data subject may request restriction of processing where the accuracy of the data is contested (for the period of verification), processing is unlawful and the data subject opposes erasure, the controller no longer needs the data but they are required by the data subject for the establishment, exercise, or defence of legal claims, or the data subject has objected to processing (pending the determination of whether the legitimate grounds of the controller override those of the data subject). During the period of restriction, data may only be stored or processed with the data subject’s consent, for the establishment or defence of legal claims, for the protection of the rights of another person, or for reasons of important public interest.

7.5. Right to Data Portability

Article 20 of the GDPR introduces the right to receive personal data provided to the controller in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance. This right applies where processing is based on consent or a contract and processing is carried out by automated means. At the data subject’s request, data should be transmitted directly to another controller where technically feasible.

7.6. Right to Object

Pursuant to Article 21 of the GDPR, the data subject has the right at any time to object to processing of their data based on the legitimate interests of the controller or on the performance of a task in the public interest. The controller must cease processing unless it demonstrates compelling legitimate grounds for processing that override the interests, rights, and freedoms of the data subject, or grounds for the establishment, exercise, or defence of legal claims. In the case of processing for direct marketing purposes, the objection is absolutely effective, and the controller must immediately cease such processing.

7.7. Time Limits for Exercising Rights

The controller is obliged to provide the data subject with information on action taken on a request without undue delay, and in any event within one month of receipt of the request. This period may be extended by a further two months where necessary, taking into account the complexity of the request or the number of requests, provided the controller informs the data subject of such extension and its reasons within the first month. Information and actions are free of charge as a rule; however, in the case of manifestly unfounded or excessive requests, the controller may charge a reasonable fee or refuse to act on the request.

8. Personal Data Breaches – Procedures and Obligations

The GDPR defines a personal data breach as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored, or otherwise processed. Articles 33 and 34 of the GDPR establish rigorous procedures for dealing with breaches.

8.1. Notification of Breach to Supervisory Authority

In the case of a personal data breach, the controller shall without undue delay, and where feasible not later than 72 hours after having become aware of it, notify the breach to the supervisory authority competent in accordance with Article 55 of the GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. In Poland, the supervisory authority is the President of the Personal Data Protection Office (PUODO). Notifications are made via an electronic form available on uodo.gov.pl.

The notification must describe the nature of the breach, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned. Furthermore, the notification includes the name and contact details of the data protection officer or other contact point, a description of the likely consequences of the breach, and a description of the measures taken or proposed by the controller to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

8.2. Communication of Breach to Data Subject

Where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subject without undue delay. The communication must describe in clear and plain language the nature of the breach and contain information and recommendations similar to those communicated to the supervisory authority.

Communication to the data subject is not required where the controller has implemented appropriate technical and organisational protection measures (e.g., encryption) that render the data unintelligible to unauthorised persons, the controller has taken subsequent measures which ensure that the high risk is no longer likely to materialise, or communication would involve disproportionate effort (in which case a public communication or similar measure is required enabling equally effective notification).

8.3. Documentation of Breaches

Regardless of the notification obligation, the controller must document any personal data breaches, comprising the facts relating to the breach, its effects, and the remedial action taken. This documentation serves to enable the supervisory authority to verify compliance with Article 33 of the GDPR. The documentation obligation applies to all breaches, not only those subject to notification.

9. Sanctions for GDPR Violations

Article 83 of the GDPR introduces a two-tier system of administrative fines. For infringements concerning, among others, the obligations of the controller and processor, certification requirements, and the obligations of the monitoring body, fines may reach up to EUR 10 million or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.

For more serious infringements concerning the basic principles for processing, the conditions for consent, the rights of data subjects, transfers of data to third countries, or Member State legislation adopted under Chapter IX of the GDPR, fines may reach up to EUR 20 million or up to 4% of the undertaking’s total worldwide annual turnover. As with the lower threshold, the higher amount applies.

When determining the amount of the fine, the supervisory authority takes into account a number of factors, including the nature, gravity, and duration of the infringement, the intentional or negligent character of the infringement, actions taken to mitigate damage, the degree of responsibility taking into account technical and organisational measures implemented, any previous infringements, the degree of cooperation with the supervisory authority, the categories of personal data affected, the manner in which the supervisory authority became aware of the infringement, compliance with previously applied measures, and adherence to approved codes of conduct or certification mechanisms.

In addition to administrative fines, the GDPR provides for civil liability of the controller and processor towards persons who have suffered damage as a result of an infringement of the regulation. Any person who has suffered material or non-material damage as a result of an infringement of the GDPR has the right to receive compensation from the controller or processor for the damage suffered. In Poland, such claims are heard by common courts under general principles, with the burden of proof resting on the controller, who must demonstrate that it is not responsible for the event giving rise to the damage.

10. Summary – Key Steps for Foreign Companies

For foreign companies planning to operate in Poland or offering products and services to Polish consumers, ensuring GDPR compliance requires a systematic approach encompassing several key areas. First and foremost, a comprehensive assessment of the entity’s status under the GDPR is necessary – whether it is a controller, joint controller, or processor, and which legal bases for processing apply to particular data operations.

Next, the company should implement the required documentation, including a privacy policy meeting the requirements of Articles 13-14 of the GDPR, records of processing activities, procedures for exercising data subject rights, and breach management procedures. It is also crucial to resolve the issue of data transfers – whether the company can rely on an adequacy decision or whether it is necessary to apply standard contractual clauses or other safeguards.

Companies from outside the EU must consider designating a representative in the Union and assess whether there are grounds for the mandatory appointment of a data protection officer. Finally, it is essential to implement appropriate technical and organisational measures ensuring the security of processing and to conduct training for personnel with access to personal data.

11. Support for Foreign Investors

Our law firm offers comprehensive data protection advisory services for foreign companies operating in Poland. We specialise in conducting GDPR compliance audits, preparing documentation required by the regulation, including privacy policies, records of processing activities, data processing agreements, and standard contractual clauses for international transfers.

We provide outsourcing services for the function of Data Protection Officer and EU representative, ensuring professional support without the need to employ dedicated personnel. We represent clients in proceedings before the President of the Personal Data Protection Office and assist in managing personal data breaches, including preparing notifications to the PUODO and communication with data subjects.

Our multilingual team, fluent in Polish, English, and other foreign languages, ensures effective communication and full understanding of the specific needs of international clients. By combining expertise in Polish law with an understanding of international data protection standards, we help foreign companies safely conduct business in the Polish market.