Below we discuss Polish data protection regulations and the common mistakes made by organisations with offices in Poland whose compliance measures are designed and rolled out by a headquarters in another country. We also point out the potential consequences of these mistakes and how they can be prevented by implementing the recommended measures.
Cookies and other tracking technologies
In Poland, the use of cookies and other tracking technologies is regulated by the Electronic Communication Act (ECA) (Articles 399–400 ECA). Under these provisions, cookies may be placed on or read from the user’s terminal equipment only with the user’s prior, active and express consent. Users must be able to consent separately to different categories of files (e.g. those necessary for the operation of the service, analytics, marketing) and to withdraw their consent easily at any time.
The regulations require a clear record of the consents given (who gave consent, when, and to what) and defined maximum retention periods for each type of data. During an audit, the supervisory authority (the Office of Electronic Communications or the Personal Data Protection Office) verifies, among other things, whether the consent banner allows all non-essential files to be rejected and whether the logs actually preserve the consent history in a way that guarantees full auditability.
Common mistake: a global soft opt-in banner with a single “Accept all” button, no option to reject or disable analytics cookies, consent inferred “from further use of the site”, and no consent record or retention tables.
Marketing communications (email, sms, push, instant messaging)
Any communication of a commercial nature – even if sent to a business address – requires the prior express consent of the recipient (Article 398 ECA). The consent must be:
- separate from the acceptance of the terms and conditions or privacy policy,
- clearly documented (date, time, source),
- easy to withdraw; the organisation is obliged to honour the opt-out within 48 h,
- given separately for each communication channel (e.g. SMS, push, email, phone call).
Common mistake: mass B2B cold mailing justified by “legitimate interest”, or a single combined checkbox covering all marketing consents; no central consent register and no unsubscribe history.
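The two “common mistakes” above (no consent record or retention tables for cookies; no central consent register or unsubscribe history for marketing) share one technical fix: a single append-only consent register. The following is an added example written for this article, not code from the original text or from any product it mentions. It keeps one hash-chained log for cookie categories and marketing channels, answers “who consented to what, when and via which source”, resolves the current decision per purpose, checks that an opt-out was honoured within the 48-hour window mentioned above, and derives retention deadlines from a per-purpose table. The purposes, retention periods and the scenario data are constructed assumptions, not legal advice.

```python
"""Consent register (added example): append-only, hash-chained log covering
cookie categories and marketing channels, with an opt-out SLA check."""
from __future__ import annotations

import hashlib
import json
from datetime import datetime, timedelta, timezone

# Assumed retention table in days; replace with the organisation's own values.
RETENTION_DAYS = {
    "necessary": 0, "analytics": 365, "marketing": 730,   # cookie categories
    "email": 730, "sms": 730, "push": 730, "phone": 730,  # marketing channels
}
OPT_OUT_SLA = timedelta(hours=48)  # window from the article: opt-out honoured within 48 h


def _digest(entry: dict) -> str:
    """Hash over the entry body including prev_hash, so a later edit breaks the chain."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def _ts(entry: dict) -> datetime:
    return datetime.fromisoformat(entry["at"])


class ConsentRegister:
    def __init__(self) -> None:
        self._log: list[dict] = []

    def record(self, subject_id: str, purpose: str, granted: bool,
               at: datetime, source: str) -> dict:
        """Append one decision. A withdrawal is a new entry, never a deletion."""
        if purpose not in RETENTION_DAYS:
            raise ValueError(f"unknown purpose {purpose!r}")
        entry = {
            "subject_id": subject_id, "purpose": purpose, "granted": granted,
            "at": at.astimezone(timezone.utc).isoformat(), "source": source,
            "prev_hash": self._log[-1]["hash"] if self._log else "",
        }
        entry["hash"] = _digest(entry)
        self._log.append(entry)
        return entry

    def status(self, subject_id: str, as_of: datetime | None = None) -> dict[str, bool]:
        """Latest decision per purpose; a purpose never decided is absent (treated as refused)."""
        state: dict[str, bool] = {}
        for e in self._log:
            if e["subject_id"] == subject_id and (as_of is None or _ts(e) <= as_of):
                state[e["purpose"]] = e["granted"]
        return state

    def may_use(self, subject_id: str, purpose: str, as_of: datetime | None = None) -> bool:
        return self.status(subject_id, as_of).get(purpose, False)

    def verify_chain(self) -> bool:
        """True if every entry still hashes correctly and links to its predecessor."""
        prev = ""
        for e in self._log:
            if e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def late_opt_outs(self, sends: list[tuple[str, str, datetime]]) -> list[tuple[str, str, datetime]]:
        """Sends made more than OPT_OUT_SLA after a withdrawal that was still in force."""
        late = []
        for subject_id, channel, sent_at in sends:
            decision = None
            for e in self._log:  # last decision for this channel at or before the send
                if e["subject_id"] == subject_id and e["purpose"] == channel and _ts(e) <= sent_at:
                    decision = e
            if decision and not decision["granted"] and sent_at - _ts(decision) > OPT_OUT_SLA:
                late.append((subject_id, channel, sent_at))
        return late

    def retention_deadline(self, entry: dict) -> datetime:
        return _ts(entry) + timedelta(days=RETENTION_DAYS[entry["purpose"]])


def demo() -> dict:
    """Constructed scenario: granular banner consent, a later unsubscribe, two sends."""
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    reg = ConsentRegister()
    reg.record("u-17", "necessary", True, t0, "banner:v3")
    reg.record("u-17", "analytics", False, t0, "banner:v3")  # rejected separately
    grant = reg.record("u-17", "email", True, t0, "signup-form:marketing-checkbox")
    reg.record("u-17", "email", False, t0 + timedelta(days=10), "unsubscribe-link")
    sends = [
        ("u-17", "email", t0 + timedelta(days=10, hours=20)),  # 20 h after opt-out: within SLA
        ("u-17", "email", t0 + timedelta(days=13)),            # 3 days after opt-out: late
    ]
    result = {
        "analytics_allowed": reg.may_use("u-17", "analytics"),
        "email_allowed_before": reg.may_use("u-17", "email", as_of=t0 + timedelta(days=5)),
        "email_allowed_now": reg.may_use("u-17", "email"),
        "late": reg.late_opt_outs(sends),
        "email_retention_deadline": reg.retention_deadline(grant).isoformat(),
        "chain_ok": reg.verify_chain(),
    }
    reg._log[2]["source"] = "edited-after-the-fact"  # simulate tampering with the history
    result["chain_after_tamper"] = reg.verify_chain()
    return result


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The register deliberately has no update or delete path: a withdrawal is recorded as a new entry, so the unsubscribe history the authority asks for is the log itself, and the hash chain lets an auditor confirm that nothing was rewritten after the fact. The `late_opt_outs` check is the query to run against the mailing system's send log before an inspection.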
Monitoring of employees and visitors (CCTV and email)
Any form of workplace monitoring – including CCTV recording, GPS location tracking and inspection of business mailboxes – must be formally set out in the work regulations in accordance with Article 22² of the Labour Code. The employer must inform employees of the planned introduction of monitoring at least 14 days in advance and mark the monitored areas with appropriate signs. The purpose of the monitoring must be clearly defined (e.g. ensuring security, protecting property, maintaining the confidentiality of information), and every measure must be proportionate to that purpose and compliant with data protection regulations.
Common mistake: mail-scanning tools deployed centrally across a corporate group without regard for the local legal rules on such technologies. The IT team reading employees’ emails without a formally introduced monitoring procedure. A CCTV system without clear signage. GPS tracking in company cars without defined limits on its use. Monitoring of business phones without clear information to employees.
Private devices and communication tools (BYOD)
In the Polish legal environment, the employer may only authorise the processing of business data on employees’ private devices after obtaining their written consent and conducting an appropriate risk assessment, taking into account the requirements of the GDPR and Article 22¹ of the Labour Code. It is also necessary to implement MDM (Mobile Device Management) or other mechanisms that secure the private devices, and the employment termination procedure must cover the recovery or deletion of company data held on them.
Common mistake: employees use private phones and computers for work (BYOD), but the company has no BYOD policy, no written consents and no MDM. The devices are not adequately secured, and there is no procedure for recovering company data from them when an employee leaves.
Whistleblowers
The Polish Whistleblowing Act of 2024 requires that whistleblowing reports be received and handled by a dedicated unit operating in Poland. The organisation must provide appropriate organisational and technical safeguards and, where an external SaaS platform is used, should conclude additional agreements ensuring that reports are handled in line with Polish regulations and that whistleblowers receive feedback within the statutory deadlines.
Common mistake: a whistleblower channel operated only at the headquarters (e.g. in Germany), with no local procedure, no Polish decision-making team and no timely feedback.
Data protection policies and individual authorisations
The supervisory authority (Personal Data Protection Office) repeatedly emphasises in its decisions that each employee must hold an individual authorisation to process personal data, specifying the scope of activities and the systems covered. The data protection policy should reflect the organisational structure of the company, name the persons responsible for handling data subject requests (response time: 30 days), set out the incident management procedure (breach notification to the authority within 72 hours) and be adopted separately in each company. This documentation is key evidence of accountability in the event of an audit.
Common mistake: a global policy rolled out “by email”, without a resolution of the management board of the Polish company and without individual authorisations; no incident register.
Data Protection Officer (DPO)
In Poland, the DPO must be a designated natural person notified to the Personal Data Protection Office by the Polish company. If the role is entrusted to an external organisation, a specific employee of that organisation must be designated as the responsible DPO. His or her contact details, including forename and surname, must be published in Polish on the website and in privacy notices. The DPO should report directly to the management board, have the resources necessary to fulfil the role, and speak Polish or be supported by a Polish-speaking team.
Common mistake: a single global DPO who is not formally notified in Poland; no contact details in Polish on the website; a DPO who also performs other roles that create a conflict of interest.
Annual review of the data protection system
Pursuant to the accountability principle (Article 24 GDPR), each organisation must carry out a documented review of the effectiveness of its data protection measures annually, and additionally after any significant change in the IT environment (e.g. a new system or a company acquisition). According to the Personal Data Protection Office’s decisions, an audit report with recommendations for corrective measures, approved by the management board, is required to demonstrate compliance during a possible inspection.
Common mistake: policies adopted in 2023 have not been updated since, new applications and providers have not been assessed at all, and the internal audit is reduced to a “copy-paste” checklist.
In our newsletter “GDPR – Global compliance, local risks”, we discuss the potential consequences of the mistakes described above and how they can be prevented by implementing appropriate tools.
Do you have questions? Feel free to get in touch with us!
Contact:
Anna Matusiak-Wekiera – Attorney-at-law | Counsel, Head of Data Protection & Compliance
Krzysztof Brant – Attorney-at-law counsel | Senior Associate, Data Protection & Compliance