Amendments

2004-01-01 Journal of Laws of 2002 No. 153, item 1271 Art. 52

2004-05-01 Journal of Laws of 2004 No. 33, item 285 Art. 1

2004-03-01 Journal of Laws of 2004 No. 25, item 219 Art. 181

ACT of August 29, 1997

on the Protection of Personal Data

(original text - Journal of Laws of October 29, 1997, No. 133, item 883)

(unified text – Journal of Laws of July 6, 2002, No. 101, item 926)

CHAPTER 1 General Provisions

Article 1

1. Any person has a right to have his/her personal data protected.

2. The processing of personal data can be carried out in the public interest, the interest of the data subject, or the interest of any third party, within the scope and subject to the procedure provided for by the Act.

Article 2

1. The Act shall determine the principles of personal data processing and the rights of natural persons whose personal data is or can be processed as a part of a data filing system.

2. The Act shall apply to the processing of personal data in:

3. With regard to the personal data files prepared ad hoc, exclusively for technical, training, or higher education purposes, where the data after being used are immediately removed or rendered anonymous, only the provisions of Chapter 5 shall apply.

Article 3

1. The Act shall apply to state authorities, territorial self-government authorities, as well as to state and municipal organisational units.

2. The Act shall also apply to:

- having the seat or residing in the territory of the Republic of Poland or in a third country, if they are involved in the processing of personal data by means of technical devices located in the territory of the Republic of Poland.

Article 3a

1. The Act shall not apply to:

2. Except for the provisions of Art. 14-19 and Art. 36 paragraph 1, the Act shall also not apply to press journalistic activity within the meaning of the Act of January 26, 1984 – Press Law (Journal of Laws No. 5, item 24, with later amendments) and literary and artistic activity, unless the freedom of expression and information dissemination considerably violates the rights and freedoms of the data subject.

Article 4

The provisions of the Act shall apply, save where otherwise provided for by any international agreement to which the Republic of Poland is a party.

Article 5

Should the provisions of any separate laws on the processing of data provide for more effective protection of the data than the provisions hereof, the provisions of those laws shall apply.

Article 6

1. Within the meaning of the Act personal data shall mean any information relating to an identified or identifiable natural person.

2. An identifiable person is the one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

3. A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower.

Article 7

Whenever in this Act a reference is made to any of the following, it shall mean:

CHAPTER 2 Supervisory Authority for Personal Data Protection

Article 8

1. The supervisory authority for the protection of personal data shall be the Inspector General for Personal Data Protection, hereinafter called "the Inspector General".

2. The Inspector General is appointed and dismissed by the Diet of the Republic of Poland with the consent of the Senate.

3. Only a person who meets inclusively the following requirements may be appointed to the position of the Inspector General:

4. With regard to the performance of the duties entrusted to the Inspector General, he/she shall be solely subject to the provisions governed by the Act.

5. The term of office of the Inspector General shall last 4 years following the date of his/her taking the oath. After the expiration of his/her term the Inspector General shall continue to perform his/her duties until the new Inspector General takes over his/her position.

6. The same person may hold the office of the Inspector General for not more than two terms.

7. The term of office of the Inspector General shall expire with his/her death, dismissal or the loss of the Polish citizenship.

8. The Diet, with the consent of the Senate, shall dismiss the Inspector General in case of:

Article 9

Prior to assuming his/her duties, the Inspector General shall take the following oath before the Diet of the Republic of Poland:

"Assuming the post of the Inspector General for Personal Data Protection I hereby solemnly swear to observe the provisions of the Constitution of the Republic of Poland, to safeguard the right for personal data protection, and to perform the duties entrusted to me conscientiously and impartially."

The oath may be taken with the words: "So help me, God".

Article 10

1. The Inspector General may neither hold another position except for a professor of a higher education institution nor perform any other professional duties.

2. The Inspector General may not be a member of any political party or any trade union, or be involved in any public activity which cannot be combined with the honour of the Inspector General's post.

Article 11

The Inspector General may neither be held criminally responsible nor deprived of freedom without the prior consent of the Diet. The Inspector General may not be detained or arrested, except in flagrante delicto, and if his/her detention is necessary to secure the due course of proceedings. In such case the Speaker of the Diet has to be notified of the detention forthwith and may order the detainee to be immediately released.

Article 12

The duties entrusted to the Inspector General comprise, in particular:

Article 12a

1. Upon a motion of the Inspector General, the Speaker of the Diet may appoint a Deputy Inspector General. The Deputy Inspector General is dismissed under the same procedure.

2. The Inspector General shall determine the scope of tasks of his/her deputy.

3. The Deputy Inspector General shall meet the requirements specified in Art. 8 paragraph 3 point 1, 2 and 4, and have higher education and a proper professional experience.

Article 13

1. The Inspector General shall perform his/her duties assisted by the Bureau of the Inspector General for Personal Data Protection, hereinafter referred to as "the Bureau".

2. Deleted

3. The principles of organisation and functioning of the Bureau shall be determined in its statute, granted, by means of a regulation, by the President of the Republic of Poland.

Article 14

In order to carry out the tasks referred to in Article 12 point 1 and 2, the Inspector General, the Deputy Inspector General or employees of the Bureau, hereinafter referred to as “the inspectors”, authorised by him/her shall be empowered, in particular to:

Article 15

1. The head of the unit and any natural person acting as a controller of personal data subject to the inspection are obliged to enable the inspector to perform the inspection functions, and in particular to perform the activities and meet the requirements referred to in Article 14 point 1 to 4.

2. The inspector performing the inspection of the data filing systems as mentioned in article 43 paragraph 1 point 1a is authorized to consult any file in which personal data are stored only by means of a duly authorized representative of the unit under inspection.

Article 16

1. The inspector who carries out the inspection shall prepare the official report of the inspection. One copy of such an official report shall be delivered to the controller subject to the inspection.

2. The official report shall be signed by the inspector and the controller subject to the inspection. The latter may apply for his/her justified objections and comments being included in the official report.

3. Should the controller subject to inspection refuse to sign the official report, the inspector shall make a relevant entry with regard to such refusal on the official report. Whereas the controller may, within 7 days, present his/her position in writing to the Inspector General.

Article 17

1. Should the inspector, on the basis of inspection results, reveal any breach of the provisions on the protection of personal data, he/she shall request the Inspector General to apply the measures referred to in Article 18.

2. On the basis of the inspection findings, the inspector may demand that disciplinary proceedings or any other action provided for by law be instituted against persons guilty of the negligence and he/she be notified, within the prescribed time, about the outcomes of such proceedings and the appropriate actions taken.

Article 18

1. In case of any breach of the provisions on personal data protection, the Inspector General ex officio or upon a motion of a person concerned, by means of an administrative decision, shall order to restore the proper legal state, and in particular:

2. The Inspector General's decisions referred to in Article 18 paragraph 1 may not restrict the freedom of the subject which nominates candidates or submits lists of candidates for President of the Republic of Poland elections, elections to the Diet, the Senate and territorial self-government bodies, as well as election to the European Parliament between the day when the election is announced and the voting day.

2a. The Inspector General's decisions as mentioned in Article 18 paragraph 1, regarding the filing systems referred to in article 43 paragraph 1 point 1a, cannot order an erasure of personal data collected in inquiry activities carried out on a basis of legal provisions.

3. Should provisions of other laws regulate otherwise the performance of the actions referred to in Article 18 paragraph 1, these provisions are applicable.

Article 19

Should the inspection reveal that the action or failure in duties of the head of an organisational unit, its employee or any other natural person acting as the controller bears attributes of an offence within the meaning of the Act, the Inspector General shall inform about it a proper prosecuting body, enclosing the evidence confirming his/her suspicions.

Article 20

Once a year the Inspector General shall submit to the Diet a report on his/her activities including conclusions with respect to observance of the provisions on personal data protection.

Article 21

1. Any party may apply to the Inspector General for reconsidering its case.

2. The decision by the Inspector General on the application to reconsider the case may be appealed against with the administrative court.

Article 22

The proceedings with respect to the matters regulated by this Act shall be conducted pursuant to the provisions of the Code of Administrative Procedure, unless other provisions of the law state otherwise.

Article 22a

The minister who is responsible for public administration matters shall determine, by way of a regulation, the form of an authorization and a service identity card referred to in Article 14 point 1, considering the need for personal indication of an inspector employed in the Bureau of the Inspector General for Personal Data Protection.

CHAPTER 3 The Principles of Personal Data Processing

Article 23

1. The processing of data is permitted only if:

2. The consent referred to in paragraph 1, point 1 may also be applied to future data processing, on the condition that the purpose of the processing remains unchanged.

3. Should the processing of data be necessary to protect the vital interests of the data subject and the condition referred to in paragraph 1, point 1 cannot be fulfilled, the data may be processed without the consent of the data subject until such consent can be obtained.

4. The legitimate interests, referred to in paragraph 1, point 5 in particular, are considered to be:

Article 24

1. In case where personal data are collected from the data subject, the controller is obliged to provide a data subject from whom the data are collected with the following information:

2. Paragraph 1 shall not apply if:

Article 25

1. In case where the data have not been obtained from the data subject, the controller is obliged to provide the data subject, immediately after the recording of his/her personal data, with the following information:

2. The provisions of paragraph 1 shall not apply where:

Article 26

1. The controller performing the processing of data should protect the interests of data subjects with due care, and in particular to ensure that:

2. The processing of data, for the purpose other than intended at the time of data collection is allowed provided that it does not violate the rights and freedoms of the data subject and is done:

Article 26a

1. It is inadmissible whenever a final decision in an individual case of the data subject is to be issued if solely based on automated processing of personal data in a computer system.

2. The provision of paragraph 1 does not apply if the decision is taken in the course of entering into or performance of a contract and the request lodged by the data subject has been satisfied.

Article 27

1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade-union membership, as well as the processing of data concerning health, genetic code, addictions or sex life and data relating to convictions, decisions on penalty, fines and other decisions issued in court or administrative proceedings shall be prohibited.

2. Processing of the data referred to in paragraph 1 above shall not constitute a breach of the Act where:

Article 28

1. Deleted

2. Serial numbers applied in the census may include only such features as: sex, date of birth, consecutive number, and control number.

3. Assigning any hidden meaning to the elements of serial numbers in the filing systems of data relating to natural persons shall be prohibited.

Article 29

1. In case of providing the access to the data for the purposes other than including into the data filing system, the controller shall disclose the data kept in the data filing system to persons or subjects authorised by the law.

2. Personal data, exclusive of data referred to in Article 27 paragraph 1, may also be disclosed, for the purposes other than including into the data filing system, to persons and subjects other than those referred to in paragraph 1 above, provided that such persons or subjects present reliably their reasons for being granted the access to the data and that granting such access will not violate the rights and freedoms of the data subjects.

3. Personal data are disclosed at written and justified requests, unless the provisions of another law state otherwise. Such requests should include information allowing for identification of the requested personal data within the filing system and indicating their scope and purpose.

4. Disclosed personal data shall be used only pursuant to the purpose for which they have been disclosed.

Article 30

The controller shall refuse the access to the personal data of the filing system to subjects and persons other than those referred to in Article 29 paragraph 1, if it would:

Article 31

1. The controller may authorise another subject to carry out the processing of personal data pursuant to a contract concluded in writing.

2. The subject, referred to in paragraph 1 above, may process the data solely within the scope and for the purpose determined in the contract.

3. The subject, referred to in paragraph 1, prior to processing the data shall be obliged to provide security measures protecting the data filing system, as defined in Articles 36 – 39, and to meet the requirements specified in the provisions referred to in Article 39a. With regard to the observance of these provisions the data subject shall bear the liability as the controller.

4. In cases referred to in paragraphs 1 to 3, the liability for compliance with the provisions hereof shall remain with the controller, whereas the contracting party shall not be exempted from the liability in case the data are processed in a way incompatible with the contract.

5. The provisions of Articles 14 – 19 shall apply respectively to supervision over ensuring the compliance of data processing conducted by the subject referred to in paragraph 1 with the provisions on the protection of personal data.

Article 31a

In case of the processing of personal data by the subjects having the seat or residing in a third country, the controller shall be obliged to appoint its representative in the Republic of Poland.

CHAPTER 4 The Rights of the Data Subject

Article 32

1. The data subject has a right to control the processing of his/her personal data contained in the filing systems, and in particular he/she has the right to:

2. In case of the demand referred to in paragraph 1 point 7 the controller shall immediately stop the processing of the questioned data or without undue delay transmit the demand to the Inspector General who shall make an appropriate decision.

3. In case of the objection referred to in paragraph 1 point 8 further processing of the questioned data shall be prohibited. However, the controller is allowed to leave in filing system forename or forenames and a surname of a person with a PESEL identification number or address solely for the reason to avoid the data being used once more for the purposes to which the data subjects objected.

3a. In case of the demand referred to in Article 32 paragraph 1 point 9 the controller without undue delay shall consider the case or transmit it, together with his/her reasoned stand, to the Inspector General who shall issue an appropriate decision.

4. In case where data processing is for scientific, didactic, historical, statistical or archival purposes the controller may not notify the data subject about the processing of his/her personal data, if the provision of such information involves disproportionate efforts.

5. The concerned party may exercise his/her right to obtain information referred to in paragraph 1 point 1 to 5 once every six months.

Article 33

1. At the request of the data subject, within the period of 30 days, the controller shall be obliged to notify the data subject about his/her rights, and provide him/her with the information referred to in Article 32 paragraph 1 point 1-5a as regards his/her personal data, and in particular specify in an intelligible form:

2. At the request of the data subject, the information referred to in paragraph 1 shall be given in writing.

Article 34

The provisions of Article 30 shall apply in all matters related to notification and disclosure of the data to the data subject.

Article 35

1. Should the data subject prove that the personal data relating to him/her are not complete, they are outdated, untrue or collected with the violation of the Act, or in case they are no longer required for the purpose for which they have been collected, the controller shall be obliged, without undue delay, to amend, update, or correct the data, or to temporarily or permanently suspend the processing of the questioned data, or to have them erased from the filing system, unless the above refers to the personal data which shall be amended, updated or corrected pursuant to the principles determined by other laws.

2. Should the controller fail to fulfil the obligation referred to in paragraph 1 above, the data subject may apply to the Inspector General to issue a relevant order to the controller.

3. The controller shall be obliged to inform without undue delay other controllers, to whom he/she disclosed a data file, that some data have been updated or corrected.

CHAPTER 5 Protection of Personal Data

Article 36

1. The controller shall be obliged to implement technical and organisational measures to protect the personal data being processed, appropriate to the risks and category of data being protected, and in particular to protect data against their unauthorised disclosure, takeover by an unauthorised person, processing with the violation of the Act, any change, loss, damage or destruction.

2. The controller shall keep the documentation describing the way of data processing and measures referred to in paragraph 1.

3. The controller shall appoint an administrator of information security who supervises the compliance with security principles referred to in paragraph 1, unless the controller performs these activities by himself.

Article 37

Exclusively persons who were granted an authorisation by the controller shall be allowed to carry out the processing of data.

Article 38

The controller shall be obliged to ensure supervision over the following: which data, when and by whom have been entered into the filing system and to whom they are transferred.

Article 39

1. The controller shall keep the register of persons authorised to carry out the processing of data, which should contain the following:

2. The persons authorised to carry out the processing of data shall be obliged to keep these personal data and the ways of their protection confidential.

Article 39a

The minister responsible for public administration matters in consultation with the minister responsible for informatisation shall determine, by way of a regulation, a way of keeping and scope of documentation referred to in Article 36 paragraph 2, as well as basic technical and organisational conditions which should be fulfilled by devices and computer systems used for the processing of personal data, considering ensuring the protection appropriate to the risks and category of data being protected, as well as the requirements with regard to keeping record of disclosure of personal data and security of the processed data.

CHAPTER 6 Registration of Personal Data Filing Systems

Article 40

The controller shall be obliged to notify a data filing system to registration by the Inspector General. The above shall not apply in cases referred to in Article 43 paragraph 1.

Article 41

1. The notification, concerning the data filing system submitted to the registration, should contain the following:

2. The controller shall be obliged to notify the Inspector General about any changes affecting the information referred to in paragraph 1, within 30 days following the date of the change introduced to the filing system. The provisions on registration of personal data filing systems shall apply respectively to the notification about changes.

Article 42

1. The Inspector General shall keep a national, open register of personal data filing systems. The register should contain the information referred to in Article 41 paragraph 1 point 1 – 4a and point 7.

2. The register referred to in paragraph 1 may be inspected by any person.

3. At the request, the controller may obtain the certificate of registration of data filing system notified by the controller, subject to the provisions of paragraph 4.

4. The Inspector General shall issue to the controller referred to in Article 27 paragraph 1 the certificate of registration of data filing system immediately after the registration.

Article 43

1. The obligation to register data filing systems shall not apply to the controllers of such data which:

2. As regards data filing systems referred to in Article 43 paragraph 1 point 1 and 3 and those referred to in Article 43 paragraph 1 point 1a processed by Internal Security Agency, Foreign Intelligence Agency and Military Information Services the Inspector General is not entitled to the powers stipulated in Article 12 point 2 and Article 14 point 1, 3 to 5 and Articles 15 to 18.

Article 44

1. The Inspector General shall, by means of an administrative decision refuse to register the data filing system if:

2. Should the Inspector General refuse to register a data filing system, he/she shall order by means of an administrative decision to:

3. Deleted.

4. After the removal of the defects which resulted in the refusal to register a data filing system, the controller may again submit the system for registration.

5. Should a data filing system be re-submitted for the registration, the controller may start the processing of data after its registration.

Article 44a

Striking off an entry in the register of the data filing systems shall be done by means of an administrative decision, in case where:

Article 45

Deleted.

Article 46

1. The controller may, subject to the provision of paragraph 2, start the processing of data in the data filing system after notification of the system to the Inspector General, unless the controller is exempted from this obligation by virtue of the Act.

2. The controller of data referred to in Article 27 paragraph 1 may start the processing of these data in the data filing system after registration of the file, unless the controller is exempted from the obligation to submit the system for registration by virtue of the Act.

Article 46a

The minister who is responsible for public administration matters shall determine, by way of a regulation, the form of a notification referred to in Article 41 paragraph 1, considering the obligation to include the information necessary to confirm the compliance of data processing with the requirements of the Act.

CHAPTER 7 Transfer of Personal Data to a Third Country

Article 47

1. The transfer of personal data to a third country may take place only if the country of destination ensures at least the same level of personal data protection in its territory as that in force in the territory of the Republic of Poland.

2. The provision of paragraph 1 above shall not apply to the transfer of personal data required by legal provisions or by the provisions of any ratified international agreement.

3. Nevertheless the controller may transfer the personal data to a third country provided that:

Article 48

In cases other than those referred to in Article 47 paragraph 2 and 3 the transfer of personal data to a third country which does not ensure at least the same level of personal data protection as that in force in the territory of the Republic of Poland, may take place subject to a prior consent of the Inspector General, provided that the controller ensures adequate safeguards with respect to the protection of privacy, rights and freedoms of the data subject.

CHAPTER 8 Sanctions

Article 49

1. A person, who processes personal data in a data filing system where such processing is forbidden or where he/she is not authorised to carry out such processing, shall be liable to a fine, a partial restriction of freedom or a prison sentence of up to two years.

2. Where the offence mentioned in point 1 of this article relates to information on racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade-union membership, health records, genetic code, addictions or sexual life, the person who processes the data shall be liable to a fine, a partial restriction of freedom or a prison sentence of up to three years.

Article 50

A person who, being the controller of a data filing system, stores personal data incompatibly with the intended purpose for which the system has been created, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.

Article 51

1. A person who, being the controller of a data filing system or being obliged to protect the personal data, discloses them or provides access to unauthorised persons, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to two years.

2. In case of unintentional character of the above offence, the offender shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.

Article 52

A person who, being the controller of a data filing system violates, whether intentionally or unintentionally, the obligation to protect the data against unauthorised takeover, damage or destruction, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.

Article 53

A person who, regardless of the obligation, fails to notify the data filing system for registration, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.

Article 54

A person who, being the controller, fails to inform the data subject of its rights or to provide him/her with the information which would enable that person to benefit from the provisions of this Act, shall be liable to a fine, partial restriction of freedom or prison sentence of up to one year.

CHAPTER 9 Amendments to the Binding Regulations, Temporary Provisions, and Final Provisions

Article 55

Omitted.

Article 56

Omitted.

Article 57

Omitted.

Article 58

Omitted.

Article 59

Omitted.

Article 60

Omitted.

Article 61

1. Parties referred to in Article 3, being on the date of entry into force of the Act the controllers of personal data automatic filing systems, shall be obliged to file an application for registration of the systems pursuant to the provisions of Article 41, within the period of 18 months of the date of entry into force of the Act, unless they are released from this obligation by virtue of law.

2. Until the personal data filing systems are registered pursuant to the provisions of Article 41, the subjects referred to in paragraph 1 may operate the systems without the registration.

Article 62

The Act shall enter into force after 6 months from the date of its publication, with the exclusion of: