III. Privacy topics
Internet and consumer privacy
Legal regulation of e-commerce in Poland comes from the early 2000s and is based on provisions of the amended Civil Code,1 consumer protection laws,2 and laws on electronic services.3 In 2008 the government announced an action programme for advancement of e-commerce and e-services in the years 2009-2010.4 One of the goals of this programme is to improve the legal framework for the development of e-business. New anti-spamming provisions, better protection of consumer's personal data, clear tax regulations of Internet transactions and full implementation of EU Directives into the law on electronic services are thought to be of primary importance by government and legal experts.5
Cybersecurity has become a topical issue for Polish authorities in recent years. On 1 February 2008 the Governmental Computer Security Incident Response Team (CERT.GOV.PL)6 was formed within the framework of the Computer System Security Department at the Internal Security Agency (Agencja Bezpieczeństwa Wewnętrznego).7
On 9 March 2009, the Governmental Program for the Protection of Cyberspace in Poland for 2009-2011 was adopted.8 As a result of cooperation between CERT Polska9 operating within the NASK organisation (Naukowa i Akademicka Sieć Komputerowa)10 and the Internal Security Agency, an early warning system (ARAKIS) reporting threats arising on the Internet has been developed.11 A modified version of this system – the ARAKIS-GOV12 – was implemented in the .gov domain in order to support protection of government computer networks and information resources. Its system sensors are installed in over 60 offices of central and local administrations. Since the ARAKIS-GOV system became fully operational (mid-2009), 3,367 security incidents have been reported via this system.13
Online behavioural marketing and search engine privacy
There are no specific regulations or research in Poland on behavioural marketing and search engine privacy over the Internet. To date, press and Internet publications on privacy threats related to these developments are scarce; however, they may influence public awareness on both subjects.14
Online social networks and virtual communities
No specific information has been provided under this section.
Online youth safety
On 1 January 2005, Dyżurnet, a hotline for reporting illegal content on the Internet, was put into operation in Poland.15 Its mission is to remove any illegal web content that involves child abuse, threatens children's safety, or promotes xenophobia and/or racism. The team's activities are regulated by Polish law and are based on international cooperation with other members of the International Association of Internet Hotline Providers (INHOPE). During its five years of operation Dyżurnet has received thousands of reports from Internet users, most of them related to child pornography (63 percent).16
According to Article 11 of the Polish Labour Code, employers are obliged to respect the dignity and personal life of their workers.
Unfortunately, Polish law does not regulate monitoring at work. This causes many problems in practice and may result in uncontrolled monitoring and/or legal liability for the employer due to intrusion into the employee's privacy. Employers are particularly uncertain as to the extent to which they may access emails received or sent by workers.
Protection of workplace privacy is therefore based mainly on criminal law, civil law and data protection regulations.
In a judgment dated 1 December 2009,17 the High Administrative Court indicated that the relationship between employer and employee poses a difficulty with regard to employees consenting to monitoring by their employer. As a result, the employer may process only the data listed in the Labour Code and other legal acts. In this particular case employees consented to the processing of fingerprints to track time worked. This was held to be unlawful by the court, as the Labour Code does not provide for processing of such data.
Health and genetic privacy
Medical records in Poland are protected as sensitive data. According to the Health Protection Institutions Act 1991, medical institutions are obliged to protect the medical records of their clients (Article 18). Doctors, nurses, and childbirth assistants are obliged to secure information related to their patients18 unless there is a statutory exception to this rule. Special protection is given to medical records related to psychiatric health.19
The 1996 Act on the Profession of a Doctor and a Dentist imposes on medical professionals a duty of confidentiality with regard to patient information, subject to certain exceptions. The Constitutional Tribunal ruled in March 1998 that requiring doctors to identify the disease of the patient on sick leave certificates violated patients' right to privacy.
DNA profiles are regarded as sensitive data in Poland; their processing must therefore take place in line with the requirements of the LPPD. The Police Act regulates the processing of DNA profiles for investigative purposes.
Polish law forbids genetic testing for insurance purposes.20 One unsolved problem in Poland is paternity testing. DNA checks without express consent of the persons involved take place and this may have a significant negative effect on the subject's privacy.
Under the Banking Act of 1997,21 a bank, its staff and other persons involved in the performance of banking operations shall be bound by the obligation of banking secrecy, which shall apply to all information concerning a banking operation, where such information is obtained during negotiations, conclusion and performance of an agreement under which the bank performs such operation (Article 104(1)). Numerous exceptions from the rule are provided by the act (Articles 104-106(d)). Broad exemptions are granted to authorities such as the Police, public prosecutors, and courts. Law enforcement shows a tendency to broaden these exceptions, especially to allow identification of unknown perpetrators.
In April 2000, the Constitutional Tribunal dismissed a challenge to the rights of Polish tax authorities to request confidential information about any individual's bank accounts, bonds and securities. The court held that these powers were important in the fight against bribery and money laundering.22 Banks are obliged to inform the authorities in the event of suspicion that their services are being used for terrorist purposes, money laundering or for other crimes (Articles 106 and 106(a) of the Banking Act 1997).
Besides bank information, other kinds of financial information are protected by general regulations (LPPD) and sector regulations, for example insurance law.
- 1. Ustawa z dnia 23 kwietnia 1964 r. kodeks cywilny, Dz. U. Nr 16, poz. 93 ze zm. (Law of 23 April 1964 – the Civil Code, Journal of Laws 1964 No. 16 item 93, with amendments).
- 2. Ustawa z dnia 2 marca 2000 r. o ochronie niektórych praw konsumentów oraz odpowiedzialności za szkodę wyrządzoną przez produkt niebezpieczny, Dz. U. 2000, Nr 22, poz. 271 ze zm. (Law of 2 March 2000 on the Protection of Certain Consumer Rights and on the Liability for Damage Caused by a Dangerous Product, Journal of Laws 2000 No. 22 item 271 with amendments), at http://konsument.gov.pl/files/act_on_protection.pdf.
- 3. Ustawa z dnia 18 lipca 2002 r. o świadczeniu usług drogą elektroniczną, Dz. U. Nr 144, poz. 1204 ze zm. (The Law of 18 July 2002 on Providing Services by Electronic Means, Journal of Laws 2002 No. 144 item 1204, with amendments).
- 4. Program działań na rzecz wspierania elektronicznego handlu i usług na lata 2009-2010, Ministerstwo Infrastruktury, Warszawa, grudzień 2008 r. (Action Programme for an Advancement of the E-commerce and E-services in the Years 2009-2010, Ministry of Infrastructure, Warsaw, December 2008), at http://www.e-handel.org.pl/Programdzialannarzeczwspieraniaelektroniczneg....
- 5. Protokół ze spotkania nt. Nowelizacji ustawy o świadczeniu usług drogą elektroniczną zorganizowanego przez Ministerstwo Spraw Wewnętrznych i Administracji w dniu 6 kwietnia 2009 r. (Minutes of the meeting on the Amendment to the Law on Providing Services by Electronic Means organised by the Ministry of Interior Affairs and Administration, 6 April 2009).
- 6. CERT.GOV.PL, at http://www.cert.gov.pl/portal/cee/38/77/About_us.html.
- 7. Agencja Bezpieczeństwa Wewnętrznego (Internal Security Agency) is a governmental agency responsible for the internal security of the Republic of Poland, at http://www.abw.gov.pl/portal/en/17/14/Our_Mission.html.
- 8. Rządowy program ochrony cyberprzestrzeni RP na lata 2009-2011 - założenia, Warszawa, marzec 2009 (Governmental Program for the Protection of Cyberspace in Poland for 2009-2011 – guidelines, Warsaw, March 2009).
- 9. CERT Polska, at http://www.cert.pl/, is Poland's first Computer Emergency Response Team, established in 1996.
- 10. NASK (Naukowa i Akademicka Sieć Komputerowa), at http://www.nask.pl/nask_en/.
- 11. ARAKIS aggregates and correlates data from various sources, including honeypots, darknets, firewalls and antivirus systems, in order to detect new threats. It does not in any way monitor the content of the data exchanged by the secured institution with the Internet. This is possible because the system sensors are installed beyond the secured internal network of the institution, on the Internet side.
- 12. ARAKIS-GOV, at http://www.cert.gov.pl/portal/cee/39/78/ARAKISGOV_system.html.
- 13. Internal Security Agency – ABW, Annual Report 2009, Poland 2010, at http://www.abw.gov.pl/portal/en/16/577/Annual_report_2009.html.
- 14. "W internecie nikt nie jest anonimowy, ale mamy prawo do prywatności, wydanie internetowe" ("No One is Anonymous Over the Internet, However, We Have the Right to Privacy"), Gazeta Prawna (Legal Newspaper Internet edition), 1 February 2010, at http://prawo.gazetaprawna.pl/artykuly/394495,w_internecie_nikt_nie_jest_....
- 15. Dyżurnet.pl is the team acting within the framework of the Research and Academic Computer Network (NASK), at http://www.dyzurnet.pl/en.
- 16. Reports of Dyżurnet.pl activity, in English at http://www.dyzurnet.pl/en/about_us/download.html.
- 17. Case number I OSK 249/09.
- 18. See Article 40 of the Act on Profession of a Doctor and a Dentist 1996 and Article 21 of the Nurse and Childbirth Assistant Act 1996.
- 19. See Articles 50-52 of the Psychiatric Health Protection Act 1994.
- 20. Article 21 (1) Insurance Act 2003, Journal of Laws of 2010 No. 11 item 66.
- 21. English version available at http://www.nbp.pl/homen.aspx?f=en/aktyprawne/prawo.html.
- 22. "Constitutional Tribunal Allows Treasury to Screen Bank Accounts," Polish News Bulletin, 12 April 2000.