Last review date: 10 January 2025
There is one regulator responsible for data privacy. The data protection authority in Poland is the President of the Office for Personal Data Protection ("PUODO"), but for telecommunication-related issues (outside of personal data) the Office for Electronic Communication ("UKE") may also be involved.
For cybersecurity matters there are several regulators. These issues are handled by various entities for the relevant sectors, the main one being the minister responsible for informatization (Ministry for Digital Affairs).
A new market supervisory authority for artificial intelligence models and systems is planned: the Commission for the Development and Security of Artificial Intelligence.
It has not been decided yet which authority will be responsible for ensuring compliance with the non-personal data regulation, i.e. the EU Data Act.
PUODO's priorities for the coming year are usually published in mid-January; therefore, no PUODO sectoral inspection plan for 2025 has been released as of the date of this update. Other regulators (competent in cybersecurity matters) do not tend to publish a list of the issues they plan to focus on in the coming year.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Staying the same
Class actions/group actions under data or cyber regulation are:
☒ Staying the same
There are:
☒ administrative remedies / civil penalties applied by regulators and law enforcement
Up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher
☒ criminal penalties from regulators and law enforcement
Pursuant to Articles 107 and 108 of the Polish Personal Data Protection Act, certain data protection infringements are considered criminal offenses:
☒ private remedies
Individuals may, for example,
Certain non-governmental organizations are entitled to initiate and/or participate in proceedings before the data protection authority, but only with the data subject's consent and on the data subject's behalf.