Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 10 January 2025

Yes.

☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

☒ requirement to undertake third party due diligence (security assessment of third party providers)

☒ other

The PUODO recommends that data controllers issue authorizations for specific employees to process personal data on its behalf. Authorizations are considered an example of security means under Article 32 of the GDPR.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 10 January 2025

☒ network information security requirements (broader than telecommunications)

☒ health regulatory requirements

☒ financial services requirements

☒ telecommunication requirements

☒ providers of critical infrastructure

If yes, please provide brief details of the relevant law or regulation.

EU Regulations 2017/745 and 2017/746 on medical devices and in vitro diagnostic medical devices, which update the rules on placing, making available and putting into service medical devices and in vitro medical devices for human use and their accessories on the European Union (EU) market. The new regulations lay down certain new essential safety requirements for all medical devices that incorporate electronic programmable systems and software that are medical devices in themselves. They require manufacturers to develop and manufacture their products in accordance with the state of the art taking into account the principles of risk management, including information security, as well as to set out minimum requirements concerning IT security measures, including protection against unauthorized access.

On 24 September 2020, the European Commission published a draft Digital Operational Resilience Act (DORA) regulation. Digital operational resilience refers to the ability of companies to build, secure and verify their operational integrity from a technological point of view, so that they are resilient to all types of threats and disruptions with respect to information and communication technologies. The regulation governs, among other things, the management of ICT-related risks, the management, classification and reporting of incidents, and the testing of digital operational resilience.

Directive (EU) 2018/1972 establishing the European Electronic Communications Code (“EECC”), which, among others, establishes a set of updated rules to regulate electronic communications (telecoms) networks, telecoms services, and associated facilities and services and aims to stimulate competition and increased investment in 5G and very high capacity networks, so that every citizen and business in the EU can enjoy high-quality connectivity, a high level of consumer protection and an increased choice of innovative digital services.

In the Polish legal system there is also the Act of 26 April 2007 on Crisis Management, which introduces provisions aimed at protecting critical infrastructure and regulates all activities aimed at ensuring the functionality, continuity of operations and integrity of critical infrastructure in order to prevent threats, risks or vulnerabilities, and to reduce and neutralize their effects, as well as to quickly restore such infrastructure in the event of failures, attacks and other events that disrupt its proper functioning. Critical infrastructure includes, but is not limited to, systems for (i) communications, (ii) information and communications networks, and (iii) financial systems. The Act on Crisis Management requires operators of critical infrastructure to include cybersecurity documentation for information systems used to provide key services in critical infrastructure protection plans. In this regard, the Act on Crisis Management refers to the Act of 5 July 2018 on the National Cybersecurity System.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Data privacy

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 10 January 2025

Yes.

Controllers/Owners have to notify:

Last review date: 10 January 2025

☒ data protection authorities

  • in case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • without undue delay and, where feasible, not later than 72 hours after having become aware of it

☒ cybersecurity authorities

  • serious and material incidents within the meaning of the Act of 5 July 2018 on the National Cybersecurity System shall be notified by the operators of essential services or providers of digital services within 24 hours

☒ affected individuals

  • without undue delay
  • if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless any of the following conditions are met:
      • the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption, or
      • the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize

☒ other

There shall be public communication or similar measures whereby the data subjects are informed in an equally effective manner (instead of informing the data subjects individually) if the communication to the data subject would involve disproportionate effort. Polish law does not provide any timeline for such communication. Additional duties might apply for specific sectors (e.g. telecommunication).

Processors/Agents have to notify:

Last review date: 10 January 2025

☒ controller/owner

  • in case of a personal data breach irrespective of a risk to the rights and freedoms of the data subjects
  • after becoming aware of it

☒ cybersecurity authorities

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 10 January 2025

Yes.

☒ public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)

☒ cybersecurity authorities

☒ health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)

☒ financial services requirements

☒ telecommunication requirements

☒ providers of critical infrastructure

☐ other

Details regarding the identified data security breach notification requirements

According to the Telecommunications Law, telecommunications undertakings must notify the President of the Office of Electronic Communications ("UKE"), without delay, of any breach of network and service security or integrity ("security or integrity incident") that significantly affects the functioning of the networks or services, of the preventive and corrective measures taken, and of any measures referred to in Articles 175 and 175c taken by the undertaking. The President of the UKE must notify the regulatory authorities in other Member States and the European Network and Information Security Agency ("ENISA") of network and service security or integrity incidents, in a case where such incidents are considered significant. The President of the UKE shall publish this information on the UKE website, or shall impose, by decision, an obligation on the telecommunications undertaking concerned to publish that information, specifying the manner of its publication, if the President of the UKE considers it to be in the general public interest.

Possible monetary penalties for non-compliance with the Telecommunications Law may amount to up to 3% of the revenue generated by the entity concerned in the previous calendar year. The decision on the imposition of a financial penalty is not declared immediately enforceable.

According to the Electronic Communications Law, being a local law implementing the European Electronic Communications Code, providers of electronic communication services are under a duty to report personal data breaches, within 24 hours following detection, to the President of the Office for Personal Data Protection (“UODO”), pursuant to rules and requirements laid down in the Commission Regulation (EU) No 611/2013 on the measures applicable to the notification of personal data breaches. Where a personal data breach is likely to adversely affect the rights of a subscriber or end-user who is a natural person, the service provider shall also, subject to some exceptions, immediately notify that subscriber or end-user of the breach.

Additionally, the Act on the National Cybersecurity System (implementing the NIS Directive) provides additional rules regarding information duties pertaining to incidents related to cybersecurity for certain categories of entities (essential service operators and digital service providers).

As regards public companies, according to EU Regulation No 596/2014 ("MAR Regulation"), public companies may be obliged to publicly disclose data security incidents if they would be classified as "insider information". No timeline is indicated. This will be the case if the information about the incident, when disclosed, would be likely to "have a significant effect on the price of the issuer's financial instrument or related financial instruments". This would be possible in the case of publicly traded IT companies, online retailers, etc.

According to the EU medical devices regulations (MDR and IVDR Regulations) certain safety incidents, which may include also cybersecurity-related incidents, must be reported to the relevant competent authorities. As a general rule, the period for the reporting shall take account of the severity of the serious incident. Serious incidents need to be reported immediately after the manufacturer has established the causal relationship between that incident and the device in question or that such causal relationship is reasonably possible, but not later than 15 days after they become aware of the incident. Incidents constituting a serious public health threat or those that have resulted in death or serious deterioration in a person's state of health, should be handled within tighter deadlines (2 or 10 days, depending on the case).

Cybersecurity incidents in financial entities shall be reported to the dedicated Computer Security Incident Response Team (CSIRT) established under the Polish Financial Supervision Authority.

The Act on Artificial Intelligence Systems will complement the EU AI Act with respect to notifying incidents related to AI systems to the national authority.