Key focuses of the Polish data protection authority

Like in every other GDPR jurisdiction, in Poland the Data Protection Authority ("DPA") is obliged to prepare its annual statement by the end of August every year. An analysis of the DPA's reports and statements as well as of its daily work reveals which issues Polish data controllers and processors are struggling with the most.

Marketing

A frequent subject of complaints submitted to the DPA is the processing of personal data for marketing purposes, mainly in terms of noncompliance with information obligations or failure to consider the data subject's objections. In one case, a complainant alleged that a company sent him numerous marketing e-mails and text messages even though he was not bound to the company by any contract. The complainant requested that his personal data be deleted. The company originally processed the complainant's data for the purpose of executing a contract to which the complainant was a party. However, the DPA determined that the lapse of a few years after the agreement terminated and the lack of any additional connections between the parties negated "legitimate interest" as the basis for data processing.

In another case, a complainant objected against the processing of his personal data for the purposes of marketing, despite filing a request for it to stop. The company obtained personal data directly from the complainant and processed the data for marketing purposes based on the consent provided by the complainant. The electronic marketing was carried out by a third party acting on behalf of the controller. The DPA stated that despite indicating the recipients' scope, time of the action, content and other elements, the commissioning company is not the controller in this relationship. According to the DPA, "the company had no role in the processing of the complainant's personal data with regard to the correspondence indicated in the complaint."

Report

According to a report published by the DPA in September 2022 titled "Tasks of controllers and data protection officers in the context of secure processing of personal data", 70 % of Poles do not know who should deal with the negative consequences of a personal data leak, and one in three respondents  believe it is the victim himself/herself. The remainder point to the police, the DPA and data protection inspectors, and expect them to provide details about the incident and recommend further action. Only 51 % of employed Poles are aware how their employers process and safeguard their personal data. The report could contribute to a higher awareness amongst data subjects and data processors about actions taken in case of a breach.

The DPA also issued many decisions regarding online transfers of data, especially via cookies and widgets.

Courts

On 12 October 2022, the DPA issued guidance on "Processing of Personal Data by Courts in the Context of Data Protection Breach Notification". Supervisory authorities are not competent to supervise processing operations carried out by courts during their administration of justice. The GDPR allows for the possibility of Member State law to specify the operations and procedures for the processing of personal data by courts.

The Polish legislator applied this possibility in the Law on the System of Common Courts. Namely, it specified that controllers of personal data processed in court proceedings in the exercise of justice or the performance of legal protection tasks are courts. The guide presents helpful information when assessing situations related to the processing of personal data by courts especially in case of violations requiring notification to the supervisory authority. It is hoped that this publication will contribute to ensuring consistent application of the GDPR with regard to processing by courts.

author: Daria Rutecka