Data protection laws are legal principles that have significantly impacted Poland as an EU member state implementing the GDPR. Polish enforcement of data protection law has the potential to impact developing economies around the world. This is because Poland’s economy is more similar to developing economies, such as those in Africa, Asia and South America, than the economies of developed Europe. Let’s chat about why data protection laws matter to Poland and how Poland has implemented those laws so that we can distil some insights to help your organisation – whether in Poland or elsewhere in the world.

Why data protection law matters to Poland

The Republic of Poland is on the easternmost side of Central Europe on the Baltic Sea. It has existed in its current form since 1918 (despite many threats to its existence) and is home to more than 37 million people. It is a popular destination for outsourcing, being third in the world for outsourced software development according to certain metrics. This is because of a combination of factors.

  • Poland has a well-educated workforce, with more than 80% of young people studying at universities.
  • A significant percentage of people speak English as an additional language in Poland (more than 35% according to certain estimates).
  • As an EU member state, Poland has implemented the General Data Protection Regulation (GDPR), which allows for lawful cross-border transfers of personal data from elsewhere in the EU.

As a result, Poland is a prosperous nation on a global scale with a GDP per capita well above the global average (taking into account the relative cost of living). It is sometimes called ‘emerging Europe’ from an economic perspective, together with the Czech Republic, Greece, Hungary and Turkey. Its people are also renowned for being hard-working and resilient, having survived occupation by foreign powers and various wars. The Polish diaspora is also significant, with Polish people living in many more developed countries around the world, including the United States, the United Kingdom and Ireland and sending work home to Poland.

How Poland has implemented data protection law

Data protection laws are legal principles that regulate how organisations process personal data. Poland has had a data protection law since 1997 and has implemented the GDPR by enacting it into local law on 10 May 2018. It is, therefore, subject to the same data protection regime as better-known EU countries, such as Germany, France or the Netherlands.

The relevant supervisory authority that oversees compliance with the GDPR in Poland is the Urząd Ochrony Danych Osobowych (Polish National Personal Data Protection Office or UODO). They have made several significant decisions and issued a number of fines. Let’s discuss some interesting and noteworthy ones.

There was the Morele.net case from 2019, where UODO fined one of the largest online stores for consumer electronics in Poland more than 640 thousand Euro for allowing unauthorised access to the personal data of 2.2 million people by not having sufficient organisational and technical safeguards.

Then there was the ENEA case from 2021, where UODO fined a power industry company 30 thousand Euros for failure to report a security compromise. It held that the unauthorised disclosure of personal data in an email attachment requires notification of a security compromise (even if the recipient deleted that attachment timeously), where the attachment contained the personal data of a significant number of people (two hundred and fifty-nine in this case) and was not encrypted.

And there was the Fortum case from 2022, where UODO fined an electric utility company one million Euros for failure to take appropriate technical and organisational measures to prevent unauthorised access to personal data. The fine followed the reporting of a data breach, where UODO found that the company had:

  • stored a customer database on a server with insufficient security measures that allowed unauthorised people to exfiltrate customer data; and
  • neglected to pseudonymise or encrypt the data.

From these cases, we can see that the UODO has taken quite a strict approach to GDPR compliance – particularly when it comes to utility companies. Perhaps they take a dim view of organisations that provide consumers with the basic necessities of modern life, such as electricity and consumer electronics, and are protecting the average Polish citizen. This could act as an example for supervisory authorities in other emerging countries.

What we can do to help you with data protection law in Poland and beyond

We at Michalsons are global data protection experts with experience across multiple jurisdictions, particularly emerging ones.

  • We can explain how Polish enforcement of data protection law impacts developing economies worldwide, such as those in developing Europe, Africa, Asia and South America.
  • We can guide your data protection project using Polish data protection law insights.
  • We can help you understand the GDPR and other relevant data protection laws through our online data protection programme.
  • We can advise you on how to comply with the GDPR in Poland or other countries through our specialist consulting services.
  • We can help you apply the learnings from the decisions of the supervisory authority in Poland to your jurisdiction through a bespoke privacy impact assessment.

Please contact us for more information or to discuss how we can help you.