Data Protection in Poland: Difference between revisions

From GDPRhub
(links updata)
 
(5 intermediate revisions by 4 users not shown)
Line 1: Line 1:
  {| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
  [[Category:Country Overview]]
{| class="wikitable" style="width: 25%; margin-left: 10px; float:right;"
! colspan="2" |Data Protection in Poland
! colspan="2" |Data Protection in Poland
[[Category:Country Overview]]
[[Category:Country Overview]]
Line 7: Line 8:
|Data Protection Authority:||[[UODO (Poland)]]
|Data Protection Authority:||[[UODO (Poland)]]
|-
|-
|National Implementation Law (Original):||[http://prawo.sejm.gov.pl/isap.nsf/download.xsp/WDU20180001000/U/D20181000Lj.pdf Ustawa o ochronie danych osobowych]
|National Implementation Law (Original):||[https://isap.sejm.gov.pl/isap.nsf/download.xsp/WDU20180001000/U/D20181000Lj.pdf Ustawa o ochronie danych osobowych]
|-
|-
|English Translation of National Implementation Law:||[https://uodo.gov.pl/en/file/307 English Translation]
|English Translation of National Implementation Law:||[https://uodo.gov.pl/en/file/307 English Translation]
Line 13: Line 14:
|Official Language(s):||Polish
|Official Language(s):||Polish
|-
|-
|National Legislation Database(s):||[http://isap.sejm.gov.pl/ Link]
|National Legislation Database(s):||[https://www.dziennikustaw.gov.pl/DU Link]
|-
|-
|English Legislation Database(s):||n/a
|English Legislation Database(s):||n/a
Line 26: Line 27:
Personal Data Protection Act of August 29, 1997 (UODO).
Personal Data Protection Act of August 29, 1997 (UODO).


On May 10, 2018, the Parliament of the Republic of Poland adopted the new act "General Data Protection Regulation" (RODO), which replaced the 1997 law.
On May 10, 2018, the Parliament of the Republic of Poland adopted the new Personal Data Protection Act, which replaced the 1997 law.


The Act ensures the application of Regulation (EU) 2016/679 of the European Parliament and of the European Council, which was directly applicable in the Polish legal order and has been in force since May 25, 2018.  
The Act ensures the application of Regulation (EU) 2016/679 of the European Parliament and of the European Council, which was directly applicable in the Polish legal order and has been in force since May 25, 2018.  
Line 47: Line 48:
Poland has been a member of the European Union since May 1, 2004.
Poland has been a member of the European Union since May 1, 2004.
===National GDPR implementation law===
===National GDPR implementation law===
In Poland the GDPR is implemented by the ''Ustawa o ochronie danych osobowych''.
In Poland the GDPR is implemented by the [https://isap.sejm.gov.pl/isap.nsf/download.xsp/WDU20180001000/U/D20181000Lj.pdf Personal Data Protection Act of May 10, 2018.]


''You can help us fill this section!''
By the Act of amendments to sectoral regulations of February 21, 2019. - changes were made to over 160 acts regulating various sectors and areas of the economy (including: public administration, education, human resources, telecommunications market, banking, medical activities, insurance activities, legal and advisory activities) in connection with application of Regulation (EU) 2016/679 of the European Parliament and of the European Council of April 27, 2019 on protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC .


====Age of consent====
====Age of consent====
''You can help us fill this section!''
16 years


====Freedom of Speech====
====Freedom of Speech====
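Review bot: The new paragraph under "National GDPR implementation law" dates Regulation (EU) 2016/679 to "April 27, 2019". That does not fit the regulation's own number or the statement elsewhere on the page that it has been in force since May 25, 2018, so the year should be checked against the regulation's title (2016 is expected). The same sentence carries stray punctuation: "of February 21, 2019. - changes were made" and "Directive 95/46 / EC ." should be cleaned up so it reads as one sentence ending in "Directive 95/46/EC."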
Line 58: Line 59:


====Employment context====
====Employment context====
''You can help us fill this section!''
In particular, the abovementioned Act of amendments to sectoral regulations of February 21, 2019 introduced changes to the Polish Labour Code (Act of 26 June 1974 as amended). The Labour Code regulates:
 
*what personal data a potential employer requests from a job applicant
 
*what data an employer requests from an employee
*under which conditions it is permissible to process an employee's personal data on the basis of consent
*when it is permissible for the employer to use video surveillance and other forms of monitoring in the workplace
 
According to Article 22(1) of the Labour Code, the employer '''requires from a person applying for employment''' to provide personal data including: name(s) and surname; date of birth; contact details indicated by such person; education; professional qualifications; employment history.
 
An employer demands personal data concerning '''education, professional qualifications and previous employment only if it is necessary''' for the performance of a specific job or a specific position.
 
The employer '''requires from the employee''' additionally (i.e. apart from the data provided during the recruitment) personal data including: address of residence; PESEL (national identification) number, and in the absence thereof - the type and number of a document confirming identity; other personal data of the employee, as well as personal data of the employee's children and other members of his/her family, if the provision of such data is necessary due to the employee exercising special rights provided for in the labour law; education and the course of previous employment, if there was no basis to require such data from the person applying for employment; the number of the payment account if the worker has not requested that the remuneration be paid in his/her own hands.
 
Both at the stage of recruitment and for the purpose of employment, in addition to the data indicated above, the employer '''requires the provision of other personal data when this is necessary for the exercise of a right or performance of an obligation resulting from a legal provision'''.
 
The Labour Code clearly indicates that the provision of personal data to the employer takes place in the form of declaration of the data subject. The employer may request documentation of the personal data of candidates or employees, to the extent necessary to confirm them. In practice, this means that even if an employer asks an applicant or employee to provide documents proving, for example, qualifications, the employer is not allowed to keep such documents or make copies of them. Verification should only consist of inspection of the documents.
 
As far as the processing of personal data on the basis of the candidate's or employee's consent is concerned, the Labour Code provides that this is permissible with regard to other data than those expressly indicated in Article 22(1), with the exception of personal data referred to in [[Article 10 GDPR]]. This means that data concerning criminal records may be processed only if this is provided for in specific legal provisions (e.g. the exercise of certain professions requires a clean criminal record - such as attorneys-at-law or police officers).
 
What is important, the Labour Code strictly stipulates that the lack of consent or its withdrawal shall not give rise to unfavourable treatment of an applicant for employment or an employee, nor shall it give rise to any adverse consequences for them. In particular, it may not constitute a reason justifying a refusal to employ, termination of an employment contract or its termination without notice by the employer. The processing of '''ordinary personal data''' may take place with the consent of the candidate or employee, irrespective of whether the personal data is provided by those persons '''at the request of the employer''' or when communicated to the employer '''on the initiative of the applicant for employment or the employee'''. The situation is different when '''special categories of data (sensitive data) are processed on the basis of consent'''. The consent of an applicant for employment or an employee may constitute the basis for the processing of the sensitive data by the employer '''only if the communication of such personal data takes place on the initiative of the applicant for employment or the employee'''.
 
The cases where an employer may process an '''employee's biometric data''' are also clearly regulated. This is allowed also when (i.e. apart from the situation when the employee provides the data on his own initiative and gives his consent - in practice such a case does not occur) the provision of such data i'''s necessary in order to control the access to particularly important information, the disclosure of which may expose the employer to damage, or access to premises requiring special protection'''.


====Research====
====Research====
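Review bot: In the final paragraph added under "Employment context" the bold markup opens inside a word ("the provision of such data i'''s necessary in order to control"), so the emphasis starts at the "s" of "is". Move the opening ''' so that it sits before "is" or before "necessary".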

Latest revision as of 16:58, 18 May 2021

Data Protection in Poland
Data Protection Authority: UODO (Poland)
National Implementation Law (Original): Ustawa o ochronie danych osobowych
English Translation of National Implementation Law: English Translation
Official Language(s): Polish
National Legislation Database(s): Link
English Legislation Database(s): n/a
National Decision Database(s): Link

Legislation

History

The first legal act in Poland regulating the protection of personal data was:

Personal Data Protection Act of August 29, 1997 (UODO).

On May 10, 2018, the Parliament of the Republic of Poland adopted the new Personal Data Protection Act, which replaced the 1997 law.

The Act ensures the application of Regulation (EU) 2016/679 of the European Parliament and of the European Council, which was directly applicable in the Polish legal order and has been in force since May 25, 2018.

The same act also establishes a new data protection authority - the President of the Personal Data Protection Office (UODO).

The act entered into force on May 25, 2018.

National constitutional protections

Everyone has the right to the protection of their personal data.

This right is guaranteed in Art. 51 of the Polish Constitution, Art. 8 of the EU Charter of Fundamental Rights, as well as Art. 16 of the Treaty on the Functioning of the EU.

The Constitution of the Republic of Poland is the highest legal act of the Republic of Poland. It was adopted on April 2, 1997 by the National Assembly, approved in a national referendum on May 25, 1997, and published in the Journal of Laws of 1997, No. 78, item 483.

Poland joined the Council of Europe on November 26, 1991, at the same time signing the European Convention on Human Rights.

The Convention was ratified on January 19, 1993 and entered into force on the same day in Poland.

Poland has been a member of the European Union since May 1, 2004.

National GDPR implementation law

In Poland the GDPR is implemented by the Personal Data Protection Act of May 10, 2018.

By the Act of amendments to sectoral regulations of February 21, 2019, changes were made to over 160 acts regulating various sectors and areas of the economy (including public administration, education, human resources, the telecommunications market, banking, medical activities, insurance activities, and legal and advisory activities) in connection with the application of Regulation (EU) 2016/679 of the European Parliament and of the European Council of April 27, 2019 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

Age of consent

16 years

Freedom of Speech

You can help us fill this section!

Employment context

In particular, the abovementioned Act of amendments to sectoral regulations of February 21, 2019 introduced changes to the Polish Labour Code (Act of 26 June 1974 as amended). The Labour Code regulates:

  • what personal data a potential employer requests from a job applicant
  • what data an employer requests from an employee
  • under which conditions it is permissible to process an employee's personal data on the basis of consent
  • when it is permissible for the employer to use video surveillance and other forms of monitoring in the workplace

According to Article 22(1) of the Labour Code, the employer requires a person applying for employment to provide personal data including: name(s) and surname; date of birth; contact details indicated by such person; education; professional qualifications; employment history.

An employer demands personal data concerning education, professional qualifications and previous employment only if it is necessary for the performance of a specific job or a specific position.

In addition to the data provided during recruitment, the employer requires the employee to provide personal data including: address of residence; PESEL (national identification) number or, in its absence, the type and number of a document confirming identity; other personal data of the employee, as well as personal data of the employee's children and other family members, if the provision of such data is necessary because the employee exercises special rights provided for in labour law; education and the course of previous employment, if there was no basis to require such data from the person applying for employment; and the number of the payment account, if the employee has not requested that the remuneration be paid to him/her in person.

Both at the stage of recruitment and for the purpose of employment, in addition to the data indicated above, the employer requires the provision of other personal data when this is necessary for the exercise of a right or performance of an obligation resulting from a legal provision.

The Labour Code clearly indicates that personal data is provided to the employer in the form of a declaration by the data subject. The employer may request documentation of the personal data of candidates or employees, to the extent necessary to confirm them. In practice, this means that even if an employer asks an applicant or employee to provide documents proving, for example, qualifications, the employer is not allowed to keep such documents or make copies of them. Verification should only consist of inspection of the documents.

As far as the processing of personal data on the basis of the candidate's or employee's consent is concerned, the Labour Code provides that this is permissible with regard to data other than those expressly indicated in Article 22(1), with the exception of personal data referred to in Article 10 GDPR. This means that data concerning criminal records may be processed only if this is provided for in specific legal provisions (e.g. the exercise of certain professions requires a clean criminal record, such as attorneys-at-law or police officers).

Importantly, the Labour Code strictly stipulates that the lack of consent or its withdrawal shall not give rise to unfavourable treatment of an applicant for employment or an employee, nor shall it give rise to any adverse consequences for them. In particular, it may not constitute a reason justifying a refusal to employ, termination of an employment contract or its termination without notice by the employer. The processing of ordinary personal data may take place with the consent of the candidate or employee, irrespective of whether the personal data is provided by those persons at the request of the employer or communicated to the employer on the initiative of the applicant for employment or the employee. The situation is different when special categories of data (sensitive data) are processed on the basis of consent. The consent of an applicant for employment or an employee may constitute the basis for the processing of sensitive data by the employer only if the communication of such personal data takes place on the initiative of the applicant for employment or the employee.

The cases where an employer may process an employee's biometric data are also clearly regulated. Apart from the situation in which the employee provides the data on his or her own initiative and gives consent (in practice such a case does not occur), this is also allowed when the provision of such data is necessary to control access to particularly important information, the disclosure of which may expose the employer to damage, or access to premises requiring special protection.

Research

You can help us fill this section!

Other relevant national provisions and laws

You can help us fill this section!

National ePrivacy Law

You can help us fill this section!

Data Protection Authority

The Personal Data Protection Office (Urząd Ochrony Danych Osobowych) is the national data protection authority for Poland.

→ For details, see UODO (Poland)

Judicial protection

Civil Courts

You can help us fill this section!

Administrative Courts

You can help us fill this section!

Constitutional Court

You can help us fill this section!