Polish regulations on personal data protection

January 11th, 2010, Tomasz Rychlicki

I. The law
The main sources of binding laws in the Republic of Poland are the Constitution of 2 April 1997, acts passed by the Parliament, ratified international treaties and regulations issued, for example, by the Prime Minister or the Council of Ministers – Polish government. Regulations are issued for the purpose of implementation of acts. The main legal acts on personal data protection in the Republic of Poland are the following.

I.A. Substantive law

  • The Act of 29 August 1997 on the Protection of Personal Data – PPD – (in Polish: Ustawa o ochronie danych osobowych), Journal of Laws (Dziennik Ustaw) of October 29, 1997, No. 133, item 883, unified text published in Journal of Laws (Dziennik Ustaw) of July 6, 2002, No. 101, item 926, with subsequent amendments.
  • The Civil Code – CC – (in Polish: Kodeks Cywilny) of 23 April 1964, Journal of Laws (Dziennik Ustaw) No. 16, item 93, with subsequent amendments.

I.B. Procedural law

  • Administrative Proceedings Code – APC – (in Polish: Kodeks postępowania administracyjnego) of 14 June 1960, Journal of Laws (Dziennik Ustaw) No. 30, item 168, consolidated text of 9 October 2000, Journal of Laws (Dziennik Ustaw) No. 98, item 1071 with subsequent amendments.
  • Act on proceedings before administrative courts – PBAC – (in Polish:Prawo o postępowaniu przed sądami administracyjnymi) of 30 August 2002, Journal of Laws (Dziennik Ustaw) No. 153, item 1270, with subsequent amendments.
  • Civil Proceedings Code – CPC (in Polish: Kodeks Postępowania Cywilnego) of 17 November 1964, Journal of Laws (Dziennik Ustaw) No. 43, item 296, with subsequent amendments.

I.C. Case law
See “Polish case law on personal data protection“.

I.D. EU law
Since 1 May 2004, which was the accession day to the EU, the Republic of Poland has been bound by all aquis communitaire, including judgments of the Court of Justice of the European Union.

I.E. International law
The Republic of Poland is a party of many International treaties and agreements concerning the protection of personal data.

II. National bodies and procedures
The Inspector General for Personal Data Protection decides cases within its competence under provisions of the Code of Administrative Proceedings, unless provided for otherwise. A party dissatisfied with a decision issued by the GIODO may request for the reconsidering of the case. The decision by the GIODO on the application to reconsider the case may be appealed against with the Voivodeship Administrative Court. The judgment of the VAC may be a subject to a cassation complaint which is decided by the Supreme Administrative Court.