Support Centre

Poland

Summary

Law: Act of 10 May 2018 on the Protection of Personal Data (the Act) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Polish data protection authority (UODO)

Summary: Poland implemented the GDPR in 2018 through the Act of 10 May 2018 on the Protection of Personal Data (the Act) which came into effect on May 25, 2018. The Act does not contain major derogations from the GDPR. Additionally, the Act establishes the Polish data protection authority (UODO) as the primary supervisory authority and its functions include conducting audits of compliance and issuing administrative decisions and publishing guidance. Further to the same, the UODO has published guidance on employment and data protection, cookies, and Data Protection Impact Assessments. Notably, to the UODO, a violation of data protection rules may result in action being taken by other authorities, such as the President of the Office of Competition and Consumer Protection or the President of the Office of Electronic Communications.

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview of the rules and guidelines for DPO contact registration across Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, and the UK.