Search for:

On 4 May 2019, further amendments to the rules on processing personal data came into force. They concern over 150 legal statutes and refer to both the private and public sector. Below we present the most important changes in the legal statutes that will be significant for the majority of companies:

  • Labour Code
  • The Act on Electronic Provision of Services (AEPS)
  • Telecommunications Law
  • Personal Data Protection Act

Among other significant changed laws there are the Banking Law (e.g., with respect to providing written explanations on the conclusions of the assessment of clients’ creditworthiness and decisions based solely on automated processing, including profiling) and the Penal Code.

Labour Code: Employee and candidate data and written authorisations

These changes will affect the types of data that can be required from a candidate for a job. Good news for employers comes in the form of certain practical simplifications, e.g., the possibility to request contact details such as telephone number or email – which was not clearly allowed before.

However, there will also be some significant limitations. The employer will be able to require the candidate to provide data on their education, qualifications or previous employment only when it is necessary to perform a job of a specific type or at a set position. Thus, employers who employ workers for jobs which do not require special qualifications or experience should no longer collect this information.

An important change will be the possibility for the employer to obtain the employee’s or candidate’s consent to process personal data other than those specified in the statutory catalogue. So far, the processing of employee data based on their consent has been questioned both by the courts and in the legal doctrine. However, it will still not be permitted to ask for the employee’s consent in order to collect data on the employee’s criminal record. Also, the rules regarding collecting consent for processing special categories of data (so-called sensitive data) will be more strict. Employers should keep in mind that under no circumstances can withholding consent or its withdrawal lead to unfavourable treatment or negative consequences for the employee or the candidate (e.g., refusal to employ or termination of the employment contract).

The Labour Code will also enable the collection of biometric data of employees, although only in specific situations. This is a noticeable change, because the courts have questioned the processing of biometric data (e.g., finger scans), despite acceptance from the employees.

Companies will also be required to comply with a new obligation to issue written authorisations for data processing to employees who have access to the data processed by the company.

AEPS: Consent to email marketing under the terms and conditions set out in the FAMILY

Some provisions of the Act on Electronic Provision of Services (AEPS) will be amended. The consent for receiving e-marketing messages required under the AEPS will have to meet the requirements of the data protection regulations (GDPR). Therefore, it will not be permitted to use checkboxes ticked by default to collect such consents. The AEPS will continue to contain specific rules for the processing of data concerning the recipient of the service provided to them by electronic means that are not necessary for the purposes of providing the service. The provisions of the AEPS will therefore be more restrictive in this respect than GDPR.

Telecommunications Law: Consent to telemarketing on new terms

There will also be certain amendments to the Telecommunications Law (TL). The vast majority of the changes will apply only to telecommunications undertakings. The amendment introduces, among other things, data security requirements for these companies, as well as additional penalties that may be imposed on them by the President of the Office for Personal Data Protection (DPA).

Other businesses must however watch out for amended provisions on consent collected from subscribers or end users. Further to the changed rules, the consent must meet the requirements of data protection law. This will affect, among other things, obtaining permission for direct marketing by phone or for placing cookies. However, there have been no changes to Article 173 of the TL, which provides, among other things, for the possibility of consenting to cookies through browser settings.

Personal Data Protection Act: The deputy DPO and the requirement to provide documentation to the DPA

There will be some additions to the Personal Data Protection Act adopted in May 2018. The controller will be allowed to appoint a deputy data protection officer (DPO) for periods of absence of the designated DPO. The introduction of the deputy DPO to the regulations is not provided for in the GDPR and raises some questions about the dispersion of control over personal data processing in the company and doubts about the deputy’s duties.

The Polish DPA will also obtain additional powers. As part of the proceedings for imposing an administrative penalty, the DPA will be able to demand from the controller any information necessary to determine the basis for calculating the penalty. The scope of required information will be determined by the DPA, who may request, for example, financial data of the company. Failure to provide the data will be subject to criminal sanctions.

The Act amending the above mentioned laws was announced in the Journal of Laws of 19 April. Its full wording can be found here (in Polish only).


Magdalena Kogut-Czarkowska is a counsel in the IP/IT department of Baker McKenzie Warsaw. She is seasoned in personal data protection and intellectual property law, focusing on e-commerce and consumer protection issues. Ms. Kogut-Czarkowska is a Certified Information Privacy Professional (CIPP/E). Between 2011 and 2012, she went on a 12-month part-time secondment in a high-profile global management consulting, technology services and outsourcing company, where she handled IT and privacy matters.