Client Alert

GDPR – Six months after entry into force – Introduction of GDPR to Polish law

It has been more than half a year since the entry into force of “GDPR”, i.e., Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Poland adopted a new Polish Personal Data Protection Act on 10 May 2018 in order to begin the process of implementing GDPR into its law. The Provisions Implementing the Personal Data Protection Act (“Amending Act Draft”) is being processed in the Polish Parliament (the first draft was submitted on 26 November 2018). The Amending Act Draft will change over 100 sectoral acts, which include the Labor Code, the Tax Ordinance, the Banking Law, the Public Procurement Law, the Investment Funds Act, the Payment Services Act and the Telecommunications Law.

Moreover, various industry codes have been created that specify how data is to be protected. One example is in the health care sector, where industry codes will describe how personal data contained within patients’ medical records may be shared in accordance with GDPR. These have been submitted for approval to the President of the Office of the Protection of Personal Data.


In general, the new legislation has resulted in changes to how personal data protection is governed. Many beneficial solutions for individuals have been introduced by companies and institutions. The most important and noticeable effects are:

  • increased analysis of personal data processing by companies and institutions;
  • implementation of technical methodology for how personal data processing is organized;
  • improvements in responding to motions and requests regarding personal data held by companies and institutions;
  • the appointment of data protection officers at companies and institutions;
  • reformulation of information clauses, making them simpler and more comprehensible for recipients;
  • notifying data subjects about any violations of their personal data, allowing them to quickly take effective measures to protect their data from any negative consequences.

There are still concerns and uncertainties surrounding the implementation of GDPR. Publicly available data shows that half of Polish entrepreneurs did not fully implement the provisions of GDPR on time.

So far, Poles have submitted over 2,000 complaints regarding the protection of personal data and reported about 2,000 breaches of data protection.

Inspections for compliance with GDPR have already begun. As of November 22, 2018, thirty audits had been carried out. The authority indicates that none of the audits has resulted in the imposition of an administrative fine as referred to in Art. 83 GDPR. In the private sector, a penalty might be either up to EUR 20 million or up to 4% of the annual global turnover of an enterprise, depending on the type of violation. Companies should be aware that in 2019 there will be many more inspections by the Personal Data Protection Office.

Despite many positive changes, companies still need to work on improving procedures for ensuring compliance with GDPR. Compliance is a continuous process, not a one-off operation.
