The inspection plan sets out to monitor:
- Authorities processing personal data in the Schengen Information System and the Visa Information System – the processing of SIS/VIS personal data pursuant to the provisions of the Act of 24 August 2007 on the participation of the Republic of Poland in the Schengen Information System and the Visa Information System (Journal of Laws of 2023, item 1355), implementing acts and European Union regulations.
- Entities processing personal data using web applications – the methods used to secure personal data processed in connection with the use of those applications and to make it available – a continuation of the 2023 inspections
- Private entities – compliance with the information obligation set out in Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 4 May 2016, p. 1, as amended)
All the entities listed above should therefore take steps to verify whether they comply with the obligations imposed on them by the GDPR, Polish data protection regulations and the regulations specified above.
Private entities that process personal data in any way, regardless of the nature of their business, are covered by the above plan and may be subject to inspection regarding compliance with the information obligation set out in Articles 13 and 14 of the GDPR. In the case of operating a website or web application, this obligation is most commonly fulfilled through the provision of a privacy policy.
Although the concept of a privacy policy is widely known, there is still considerable uncertainty about whether it actually has to be implemented. In practice it is the document through which the legally required information is provided: it specifies the purposes and legal bases for the processing of personal data (for example, the data of users, customers or subscribers) and tells those individuals who will process their data and when.
Article 13 of the GDPR applies where personal data is collected directly from the data subject, whilst Article 14 of the GDPR applies where the personal data has not been obtained from the data subject.
What information, then, must the controller provide to fulfil this obligation?
- their identity and contact details and, where applicable, the identity and contact details of their representative;
- where applicable, the contact details of the data protection officer;
- the purposes of the processing of personal data and the legal basis for the processing (as set out in Article 6 of the GDPR);
- if the processing is carried out on the basis of Article 6(1)(f) – that is, where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party – the legitimate interests pursued by the controller or by a third party;
- information about the recipients of personal data (i.e. to whom the data is further disclosed) or about the categories of recipients, if any;
- where applicable – information on the intention to transfer personal data to a third country or an international organisation and on the Commission’s determination or lack thereof of an adequate level of protection, or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49(1), a reference to the appropriate or suitable safeguards and information on how to obtain a copy of the safeguards or where they are made available;
- the period for which the personal data will be stored, and where this is not possible, the criteria for determining that period;
- information on the right to request from the controller access to personal data concerning the data subject, their rectification, erasure or restriction of processing, or the right to object to processing, as well as the right to data portability;
- where processing is based on Article 6(1)(a) or Article 9(2)(a) – information regarding the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent prior to its withdrawal;
- information regarding the right to lodge a complaint with a supervisory authority;
- information as to whether the provision of personal data is a statutory or contractual requirement or a condition for entering into a contract, and whether the data subject is obliged to provide such data and what the possible consequences of failure to provide the data are;
- information on automated decision-making, including profiling, as referred to in Article 22(1) and (4), and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- if the controller intends to further process personal data for a purpose other than that for which the personal data were collected, prior to such further processing, the controller shall inform the data subject of that other purpose and provide the data subject with any other relevant information referred to above.
Where personal data is processed in relation to individuals from whom the data was not obtained directly, the data subject must also be informed of the source of the personal data and, where applicable, whether it originates from publicly available sources.
Therefore, to avoid the risk of the Personal Data Protection Office (UODO), the Polish supervisory authority, taking action following an inspection, any entity operating a website, sub-page, online shop or web application that comes into possession of users’ personal data should first verify that a privacy policy has been published on the site and that it covers each item listed above (something which, unfortunately, businesses often overlook).
It should be borne in mind that breaches of personal data protection rules are subject to heavy financial penalties and may also give rise to criminal liability. Furthermore, every data subject has the right to an effective judicial remedy if they consider that their rights under the GDPR have been infringed as a result of their personal data being processed in breach of the GDPR.