Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations.


I. Legal framework

Constitutional privacy and data protection framework

The Polish Constitution recognises the rights of privacy and data protection. Article 47 states, "Everyone shall have the right to legal protection of his private and family life, of his honour and good reputation and to make decisions about his personal life." Article 49 states, "The freedom and privacy of communication shall be ensured. Any limitations thereon may be imposed only in cases and in a manner specified by statute." Article 51 states, "(1) No one may be obliged, except on the basis of statute, to disclose information concerning his person. (2) Public authorities shall not acquire, collect nor make accessible information on citizens other than that which is necessary in a democratic state ruled by law. (3) Everyone shall have a right of access to official documents and data collections concerning himself. Limitations upon such rights may be established by statute. (4) Everyone shall have the right to demand the correction or deletion of untrue or incomplete information, or information acquired by means contrary to statute. (5) Principles and procedures for collection of and access to information shall be specified by statute."1

The right to privacy is highly respected on constitutional grounds. It is reflected by Article 233(1) which includes the right to privacy as one of the inviolable rights that cannot be limited even by laws enacted in times of martial law and states of emergency. In case of violation of constitutional rights or freedoms the injured party has the right to the following remedies: the right of access to the court,2 the right to complain to the Constitutional Tribunal,3 and the right to apply for assistance to the Commissioner for Citizens' Rights.4

As with other constitutional rights and freedoms, enjoyment of the right to privacy is subject to certain limitations. Article 31(3) stipulates three requirements for imposing such limitations: 1) it can be done only by statute, 2) when it is necessary in a democratic state for the protection of its security or public order, or to protect the natural environment, health or public morals, or the freedoms and rights of other persons, 3) such limitations shall not violate the essence of freedoms and rights.

Privacy and data protection laws and regulations

Comprehensive law

The Law on the Protection of Personal Data (LPPD) was approved in October 1997 and took effect in April 1998.5 The law is based on the European Union (EU) Data Protection Directive 1995/46/EC. Under the Law, personal information relating to identity may only be processed upon the fulfilment of at least one of the conditions the LPPD requires to be met for lawful personal data processing. Special rules are provided for the processing of sensitive data, which is defined as data relating to race, ethnic origin, religion or philosophical beliefs, political opinions, party or trade-union membership, as well as the processing of data concerning health, genetic code, addictions, sexual preferences, and convictions and other decisions issued in court or administrative proceedings. Everyone has the right to control the processing of his or her personal data contained in the filing systems, and has the right to be informed whether such databases exist and who administers them. All queries should be answered within 30 days. Upon finding out that data is incorrect, inaccurate, outdated, or collected in a way that constitutes a violation of the Act, citizens have the right to request that the data be corrected, filled in, or withheld from processing.6 Personal information cannot generally be transferred outside of the European Economic Area unless the destination country has "comparable" protections. The law sets out criminal sanctions for violations. A 1998 regulation from the Minister of Internal Affairs and Administration set out standards for the security of information systems that contain personal information,7 but was replaced by the regulation of 2004.8

In August 2001, the Act was amended in order to bring it into full compliance with the EU Data Protection Directive.9 Among other changes, the amendment redefined the term "personal data"; introduced a new provision relating to final decisions issued solely on the basis of automated processing of personal data; introduced a new provision on data processing in relation to performance of a contract; adjusted the lawful processing provision; and inserted a scientific research clause. These amendments also included regulations regarding the prior checking of sensitive data and the transfer of personal data to a third country, as well as further specifying the controller’s duties. Enforcement of the Amendments to the Act on the Protection of Personal Data began on 1 May 2004, the day of Poland’s entrance into the European Union.10

In recent years additional changes to the LPPD were introduced with regard to the establishment of the Central Anticorruption Bureau11 and the involvement of Poland in the Schengen Information System and the Visa Information System.12 These legal amendments adversely affected the transparency of data processing.13 On 21 December 2007 the President of Poland introduced a proposal to supplement the existing and largely ineffective14 regime of criminal liability for infringements of personal data protection with administrative sanctions based on heavy fines. The bill proposes pecuniary sanctions (up to €100,000) to be imposed by the Inspector General on data controllers who did not act according to the Inspector's decisions. This proposal faced criticism from the business sector and the government as being "extremely unfavourable for data controllers and incompatible with the law on execution in administrative proceedings".15 Following lengthy debate, reservations raised by the government were accepted by the parliamentary commission, as reflected in its report of 20 May 2010.16 On 24 September 2010, the bill was adopted by the Sejm and passed to the Senat for approval.17 The final version of the bill (with the amendments proposed by the Senat) was adopted on 29 October 2010 and signed by the President on 18 November 2010. Among other amendments to LPPD, the bill provides that data subjects will have the right to withdraw their consent at any time.

Sector-based law

Protection of personal data is also subject to sector-based regulations, the most extensive of which is the Law of 18 July 2002 on Providing Services by Electronic Means (LPSEM).18 This law is based on two EU Directives19 but has not yet been fully implemented.20 Chapter 4 of the LPSEM concerns the protection of personal data of users of electronic services, and explicitly includes an electronic address of the user as a part of the category of personal data. It also addresses the issue of spamming by adopting the opt-in principle, and regulates the liability of ISPs for hosting illegal content on websites to which they provide access. A 15 January 2010 judgement of the Appellate Court in Wrocław shows such liability may also apply if the ISP does not block access to a fake account set up on a social networking service, despite the injured person’s requests to block or remove a profile with his or her personal data from a website.21

The categories of personal information allowed for processing are specified in many legal acts. Among others, there are the Code of Labour,22 the Telecommunications Act,23 the Law on the Police24 and the Law on Insurance Activities.25

Article 161 of the Telecommunications Act allows providers of publicly available telecommunications services to process the following data concerning users who are natural persons: 1) surnames and first names; 2) parents’ first names; 3) place and date of birth; 4) address of permanent residence; 5) personal number (PESEL) – in the case of a citizen of the Republic of Poland; 6) name, series, and number of documents confirming the identity, and in the case of a foreigner being a citizen of a country which is not a member of the European Union or the European Economic Area – a passport number or a residence card number; 7) data included in documents confirming the ability to perform an obligation towards a provider of publicly available telecommunications services resulting from an agreement for the provision of telecommunications services.

Another important contribution to privacy protection is the notion of "telecommunication secrecy." Article 159 of the Telecommunications Act covers content of communications, subscriber data, traffic data, location data and data on call attempts, including unsuccessful call attempts.26 A breach of telecommunication secrecy is subject to criminal liability (Article 266(1) of the Penal Code) and administrative measures of pecuniary penalty (Article 209(24) of the Telecommunications Act).

Protection of personal data related to health status is also stipulated by the Law on the Medical Profession,27 the Law on the Rights of Patients and the Ombudsman of Patient's Rights,28 and in the Law on Health Care Units.29 Among Polish regulations on the health care system, there is no specific regulation on genetic examination and access to genetic data.30 The Law of 22 May 2003 on Insurance Activities (Article 22(6)), and related Regulation of the Ministry of Health of 2004 (paragraph 3.3)31 forbids the transfer of genetic data to insurance companies by medical institutions and other subjects in possession of such information (e.g., hospitals, health-care personnel).

Data protection authority

The Inspector General for the Protection of Personal Data (Generalny Inspektor Ochrony Danych Osobowych, GIODO) enforces the LPPD.32 Ewa Kulesza was appointed as the first Inspector General by the Polish Parliament in April 1998 and held the post through May 2006. Michał Serzycki acted as Inspector General for Personal Data Protection from 13 July 2006 to 13 July 2010. Wojciech Wiewiórowski was elected by the Parliament to the position of Inspector General in June 2010. According to the Data Protection Act he shall remain in office until 2014.33

The Inspector General has six central duties: to ensure data is processed in compliance with the provisions on the protection of personal data; to consider complaints and issue administrative decisions; to comment on proposed new laws and regulations that impact upon data protection; to maintain a central registry of databases; to initiate and undertake activities to improve the protection of personal data; and to participate in the work of international organisations and institutions involved in personal data protection. Amendments to the LPPD adopted on 29 October 2010 grant the Inspector General the right to formulate his or her position in relation to the protection of personal data, directed at any data controller. The Inspector General for Personal Data Protection is an independent authority and performs his or her duties assisted by the Bureau of the Inspector General (Bureau). The Bureau is regulated by the President of the Republic of Poland.34 The Bureau ensures that the tasks required of the Inspector General under the Act and other provisions are carried out.

Registration details must include the name and address of the data controller, the scope and purpose of the data processing, methods of collection and disclosure, and security measures. An example of the data filing system for registration by the Inspector General is shown in the Appendix to the Regulation of 29 April 2004. An Inspector has the right to access data, check data transfer and security systems, and to determine whether the information gathered is appropriate for its intended purpose.35 The Inspector General’s office monitors the activities of all central government, local government and private institutions, individuals and corporations.

In the years 2007-2009, the Bureau of the Inspector General received 2,831 complaints that were investigated by the employees of the Bureau. In 1,023 cases (36 percent) an administrative decision was issued.36 Administrative proceedings initiated by individual complaints are subject to the requirements stipulated by the Code of Administrative Procedure or by the Act of 9 September 2004 on Stamp Duty. The Code of Administrative Procedure, which by the power of Article 22 of the LPPD is applicable to all proceedings conducted by the Inspector General unless the LPPD states otherwise, provides that any case should be investigated within a one-month period. In complicated cases this period may be prolonged for up to two months.

All proceedings are conducted solely in writing. The authority addresses the entities which according to the complainant have breached provisions of the LPPD with a request for an explanation and for any documents confirming their right to process the personal data of the complainant. Once the documentation has been collected, the evidence is analysed. If there is a recognised breach of provisions on personal data protection, the Inspector General orders, by means of administrative decision, restoration of the proper legal state.

The Inspector General for Personal Data Protection, pursuant to the provisions of the LPPD, may also react to any breach of the Act by initiating disciplinary proceedings or notification of commission of a crime. In the years 2007-2009, the Inspector General issued 76 notifications of commission of a crime.37 In addition, the Complaints Department may, in case of individual complaints and in cases conducted ex officio, request that the Inspection Department inspect the premises of the data controller against whom the complaint has been lodged. The inspectors of the Bureau have carried out 126 inspections to date in 2010. In the years 2007-2009 the number of inspections amounted to 167, 201, and 220 respectively.38 In the Polish personal data protection legal system it is the Inspector General that registers personal data files (also referred to as personal data filing systems) and not the controllers themselves. In the surveyed period (January 2008 to August 2010) the Inspector General issued 16,808 decisions on registration of personal data filing systems, 1,015 decisions on denial of registration of data filing systems, 221 decisions on discontinuation of proceedings, and 654 decisions on striking of filing systems from the registry.39

As of 10 February 2009, personal data filing systems shall be required to register with the Inspector General for Personal Data Protection using the new notification form. The introduction of a new simplified notification form is aimed at facilitating the data controller’s proper compliance with their statutory obligation to notify the Inspector General of their data filing systems.40

An electronic platform "e-GIODO" established in 2006 enables data controllers to apply for registration of their personal data filing system via the Internet.41 Since the introduction of this system, the number of applications has increased considerably, up 43 percent between 2005 (5,344) and 2009 (7,688).42

On 1 May 2004, the Inspector General became a member of the Article 29 Working Party. Since 1 November 2004, Poland has also been a party to the Europol Convention and the Europol Joint Supervisory Body. Poland is a party to the Convention on the Use of Information Technology for Customs Purposes which came into force in Poland on 16 February 2006.43 A bill to amend the LPPD has been proposed which increases the powers of the Inspector General.44 According to the bill, the Inspector General will be given more options to ensure that data controllers obey the LPPD.45

The Inspector General has also inspected and approved the social networking site "Nasza-klasa" for meeting all requirements provided by the LPPD.46

An agreement between the Inspector General and the Direct Marketing Association has been reached which aims to ensure cooperation for improvement of protection of personal data and citizens' right to privacy. The Association has pledged to require marketing organisations to apply a Direct Marketing Code of Practice which defines notions of direct marketing, obligations of data controllers, and other provisions related to collection and use of personal data.47

Major privacy and data protection case law

On 12 October 2004, the Supreme Administrative Court delivered a significant judgment concerning the transfer of personal data.48 This judgment followed the cassation claim against the decision of the Regional Administrative Court examining the legality of the decision of the Inspector General for Personal Data Protection. The Court affirmed the illegality of the transfer of debtor's personal data (as a result of the transfer of receivables) to a debt collection company without prior approval from the debtor. The Inspector General has decided that any transfer of personal data must be preceded by an individual consent of the debtor. The fact that Polish law allows for the transfer of receivables does not constitute a sufficient justification for making personal data available to third parties without the approval of the debtor. It is also impermissible to reserve such a right contractually. Both the Regional and Supreme Administrative Courts have shared this view.

In a subsequent judgment dated 16 December 2004 the Supreme Administrative Court adopted a different standpoint. The Court decided that transfer of receivables can be considered as a legitimate interest of the data controller and the transfer of the subject’s personal data is allowed without his or her consent. However, after long deliberation the Supreme Administrative Court (comprised of seven judges) in a final judgment dated 6 June 2005 revoked this view, and established that the processing or the transfer of personal data within the transfer of receivables does require the consent of the data subject. The lack of consent cannot be justified by a legitimate interest of the data controller.49

In recent years, the administrative courts have considered issues related to personal data protection over the Internet. A growing number of cases concern a website – a popular Polish social networking service which enables classmates to be in touch and search for old friends. The judgments pronounced in these matters contribute, inter alia, to an interpretation of the notion of "personal data" in a network environment. On 18 November 2009 the Supreme Administrative Court ruled that a 30-year-old photograph of the complainant, listed with class year, name, and surname on the website, constitutes personal data within the meaning of Article 6(2) of the LPPD.50

In a judgment dated 3 February 2010, the Voivodeship Administrative Court in Warsaw (i.e., the court of the second instance), stated that an IP address constitutes personal data under Article 6(2) of the LPPD. The Court admitted that usually an IP address as such is not a sufficient basis for identification of an individual who uses it. However, in combination with other information, particularly that at the disposal of the requested party (an ISP), an IP address enables identification of its user without unreasonable cost or expenditure of time and manpower.51


  • 1. The Constitution of Poland of 2 April 1997, Journal of Laws of 1997 No. 78 item 483, English version available at
  • 2. Id., Article 45.
  • 3. Id., Article 79.
  • 4. Id., Article 80.
  • 5. Law on the Protection of Personal Data, Dz.U. nr 133, poz. 833, 29 October 1997. Unified text available in the Journal of Laws of 2002 No. 101, item 926 with later amendments. See also
  • 6. "The Info Boom's Murky Side," Warsaw Voice, 9 November 1997.
  • 7. The Regulation of 3 June 1998, by the Minister of Internal Affairs and Administration as regards Establishing Basic Technical and Organisational Conditions Which Should Be Fulfilled by Devices and Information Systems Used for the Personal Data Processing, Journal of Laws 30 June 1998 No. 80 item 521.
  • 8. Regulation of 29 April 2004, by the Minister of Internal Affairs and Administration as regards personal data processing documentation and technical and organisational conditions which should be fulfilled by devices and computer systems used for the personal data processing, Journal of Laws 2004 No. 100 item 1024.
  • 9. Act of 25 August 2001, amending the Act on Personal Data Protection, Journal of Laws No. 100 item 1087.
  • 10. See The text of the Amendment to the Act is available on the website at
  • 11. Law of 9 June 2006 on the Central Anticorruption Bureau, Journal of Laws of 2006 No. 104 item 708.
  • 12. Law of 12 February 2010 amending the Law on the Participation of the Republic of Poland in the Schengen Information System and Visa Information System and the Law on the Protection of Personal Data, Journal of Laws, 17 March 2010 No. 41, item 233.
  • 13. For instance, pursuant to legal provisions added to the LPPD (Article 43. 1.2b) Polish authorities were exempted from the obligation of registering data filing systems used for processing of personal data for the purposes of the Schengen Information System and the Visa Information System.
  • 14. Out of 462 notifications on the commission of crime against personal data protection which were addressed by the Inspector General to the prosecution authorities (1999-2006) only in 58 cases (12.5 percent) an indictment was brought to the court, after. Explanatory statement to a draft amendment of the Law on Personal Data Protection (Print No. 488) presented by the President of the Republic of Poland on 21 December 2007, available in Polish at
  • 15. Stanowisko Rządu z 17 września 2008 r. w sprawie prezydenckiego projektu ustawy o zmianie ustawy o ochronie danych osobowych (druk nr 488) (Position of the Government of 17 September 2008 on the President's bill on amendments to the Law on the Protection of Personal Data, print No. 488), available at$file/488-s.pdf.
  • 16. Sprawozdanie Podkomisji Nadzwyczajnej z 20 maja 2010 r. o przedstawionym przez Prezydenta RP projekcie ustawy o zmianie ustawy o ochronie danych osobowych (druk nr 488) (Report of the Extraordinary Subcommission of 20 May 2010 on the President's bill on amendments to the Law on the Protection of Personal Data, print No. 488), at
  • 17. Ustawa z 24 września 2010 o zmianie ustawy o ochronie danych osobowych i niektórych innych ustaw (Law of 24 September 2010 amending the Law on Personal Data Protection and some other laws), at$file/488_u.pdf.
  • 18. Ustawa z dnia 18 lipca 2002 r. o świadczeniu usług drogą elektroniczną, Dz. U. Nr 144, poz. 1204 ze zm. (The Law of 18 July 2002 on Providing Services by Electronic Means, Journal of Laws 2002 No. 144 item 1204 with amendments), in English at
  • 19. Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (Directive on electronic commerce), Brussels, 8 June 2000, OJ L 178/1 of 17 July 2000; Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), Brussels, 12 July 2002, OJ L 201, 31 July 2002. In case of the latter instrument, the Law of 18 July 2002 was based on its draft.
  • 20. Paweł Litwiński, Świadczenie usług drogą elektroniczną (Providing of services by electronic means), Paweł Podrecki (ed.), Prawo Internetu (Law of the Internet) 222 (LexisNexis 2004).
  • 21. Tomasz Rychlicki, Social networking sites, case IACa 1202/09, 3 March 2010, at
  • 22. Ustawa z dnia 26 czerwca 1974 r. – Kodeks pracy, Dz.U.1998, Nr 21, poz. 94 ze zm. (Law of 26 June 1974 – the Code of Labour, Journal of Laws of 1998 No. 21 item 94, with amendments).
  • 23. Ustawa z dnia 16 lipca 2004 Prawo telekomunikacyjne, Dz.U.2004, Nr 171, poz. 1800 ze zm. (Act of 16 July 2004 on Telecommunication, Journal of Laws of 2004 No. 171 item 1800, with amendments). Unofficial consolidated English translation at
  • 24. Ustawa z dnia 6 kwietnia 1990 r. o Policji, Dz. U. 2002, Nr 7, poz. 58 ze zm. (Law of 6 April 1990 on the Police, Journal of Laws of 2002 No. 7 item 58 with amendments), in English at
  • 25. Ustawa z dnia 22 maja 2003 r. o działalności ubezpieczeniowej, Dz. U. 2003, Nr 124, poz. 1151 ze zm. (Law of 22 May 2003 on the Insurance Activity, Journal of Laws of 2003 No. 124 item 1151 with amendments).
  • 26. Article 159 of the Telecommunications Act, supra.
  • 27. Ustawa z dnia 5 grudnia 1996 r. o zawodach lekarza i lekarza dentysty, Dz. U. z 2005 r. Nr 226, poz. 1943 (Law of 5 December 1996 on the Professions of Medical Doctor and Dentist, Journal of Laws 2005 No. 226 item 1943, with amendments).
  • 28. Ustawa z dnia 6 listopada 2008 r. o prawach pacjenta i Rzeczniku Praw Pacjenta, Dz.U. 2009, Nr 151, poz. 1217 ze zm. (Law of 6 November 2008 on the Rights of Patient and the Ombudsman of Patient's Rights, Journal of Laws 2009, No. 151, item 1217 with amendments).
  • 29. Ustawa z dnia 30 sierpnia 1991 r. o zakładach opieki zdrowotnej, Dz. U. z 2007 r. Nr 14, poz. 89, ze zm. (Law of 30 August 1991 on Health Care Units, Journal of Laws 2007 No. 14 item 89, with amendments).
  • 30. Jacek A. Piątkiewicz, National Regulations on Ethics and Research in Poland, European Commission, Brussels 2005, at
  • 31. Rozporządzenie Ministra Zdrowia z dnia 23 marca 2004 r. w sprawie szczegółowego zakresu i trybu udzielania zakładom ubezpieczeń informacji o stanie zdrowia ubezpieczonych lub osób, na rzecz których ma zostać zawarta umowa ubezpieczenia, oraz sposobu ustalania wysokości opłat za udzielenie tych informacji, Dz. U. 2004, Nr 71, poz. 654 (Regulation of the Ministry of Health of 23 March 2004 on the Detailed Scope and Procedure of Communication to the Insurance Companies of Information on the State of Health of the Insured Persons or Persons in Favour of Whom an Insurance Contract Will be Made, Journal of Laws 2004 No. 71 item 654).
  • 32. GIODO's website (in English)
  • 33. Curriculum vitae of the Inspector General Mr. Wojciech Wiewiórowski, at
  • 34. The Regulation of 3 November 2006 by the President of the Republic of Poland as regards granting the statutes to the Bureau of the Inspector General for the Protection of Personal Data, Journal of Laws of 2006 No. 203 item 1494, available at
  • 35. "A One-Woman Orchestra," Warsaw Voice, 21 June 1998.
  • 36. Bureau of the Inspector General Statistics page, at ; Annual reports of the Inspector General, available at
  • 37. Annual reports of the Inspector General at
  • 38. Bureau of the Inspector General Statistics page, supra.
  • 39. Id.
  • 40. Inspector General for Personal Data Protection, Simplified notification of personal data filing systems, available at
  • 41. Files registration at
  • 42. Bureau of the Inspector General Statistics page at
  • 43. Convention drawn up on the basis of Article K.3 of the Treaty on European Union, on the use of information technology for customs purposes, Brussels, 26 July 1995, Ratification Details. See
  • 44. Amendments to the Polish Data Protection Law, January 2008, at
  • 45. Id.
  • 46. IWG Country Report – Poland, 43rd Meeting of the Working Group, March 2008.
  • 47. Id.
  • 48. Number of the judgment: OSK 769/04.
  • 49. Number of the judgment: sygn. I OPS 2/05.
  • 50. Judgment of the Supreme Administrative Court (NSA) of 18 November 2009 (I OSK 667/09), at (in Polish); Tomasz Rychlicki, "Personal data protection, case I OSK 667/09", 13 February 2010, at
  • 51. Judgment of the Voivodeship Administrative Court (WSA) in Warsaw of 3 February 2010 (II SA/Wa 1598/09), at ; Tomasz Rychlicki, "IP address is personal data says Polish Court," at