The Act Of 29 August 1997 On The Protection Of Personal Data

Original Language Title: USTAWA z dnia 29 sierpnia 1997 r. o ochronie danych osobowych

Chapter 1 General provisions

Article. 1. [The protection of personal data and the admissibility of their processing] 1. Everyone has the right to the protection of personal data.

2. The processing of personal data may take place for the sake of the public good, the good of the data subject or the good of third parties, to the specified extent and in the specified manner.

Article. 2. [Scope] 1. The Act sets out the rules of conduct for the processing of personal data and the rights of natural persons whose personal data are or may be processed in data sets.

2. The Act shall apply to the processing of personal data: 1) in card files, indexes, books, catalogs and other record collections, 2) in information systems, including where data are processed outside a data set.

3. To sets of personal data compiled on an ad hoc basis, solely for technical or training reasons or in connection with teaching in higher education, and immediately deleted or anonymised after use, only the provisions of Chapter 5 apply.

Article. 3. [Scope] 1. The Act applies to State bodies, local government bodies and State and municipal organizational units.

2. The Act shall also apply to: 1) private entities performing public functions, 2) natural persons, legal persons and organizational units which are not legal persons, if they process personal data in connection with their professional activities or for the implementation of statutory objectives, and which are established or resident in the territory of the Republic of Poland, or in a third country provided that they process personal data using technical means located on the territory of the Republic of Poland.

Article. 3A. [Exclusion of application of the provisions of the Act] 1. This Act shall not apply to: 1) natural persons who process data exclusively for personal or domestic purposes, 2) entities established or resident in a third country that use technical means located on the territory of the Republic of Poland only for the transfer of data.

2. The Act, with the exception of the provisions of Articles 14 to 19 and Article 36 paragraph 1, shall not apply to press journalistic activities within the meaning of the Act of 26 January 1984, the Press Law (Journal of Laws No. 5, item 24, as amended), or to literary or artistic activities, unless the freedom to express one's views and to disseminate information significantly violates the rights and freedoms of the data subject.

Article. 4. [Exclusion of application of the provisions of the Act] The provisions of the Act shall not apply if an international agreement to which the Republic of Poland is a party provides otherwise.

Article. 5. [The application of separate laws] Where the provisions of separate laws that relate to the processing of personal data provide for more far-reaching protection than this Act, the provisions of those laws shall apply.

Article. 6. [The concept of personal data] 1. Within the meaning of the Act, personal data is any information relating to an identified or identifiable natural person.

2. An identifiable person is a person whose identity can be determined, directly or indirectly, in particular by reference to an identification number or to one or more specific factors that determine his physical, physiological, mental, economic, cultural or social characteristics.

3. Information is not considered to enable the identity of a person to be determined if this would require excessive cost, time or effort.

Article. 7. [Definitions] Whenever the Act refers to: 1) a data set, this shall mean any structured set of personal data that is accessible according to specific criteria, regardless of whether the set is dispersed or divided functionally, 2) data processing, this shall mean any operation performed upon personal data, such as collection, recording, storage, development, alteration, sharing and deletion, and especially those carried out in information systems, 2a) an information system, this shall mean a set of cooperating devices, programs, information processing procedures and software tools used to process data, 2b) securing data in the information system, this shall mean the implementation and operation of appropriate technical and organisational measures to protect data against unauthorised processing, 3) removing data, this shall mean the destruction of personal data or their modification such that the person to whom the data relate can no longer be identified, 4) the data controller, this shall mean the body, organizational unit, entity or person referred to in Article 3 that determines the purposes and means of the processing of personal data, 5) consent of the data subject, this shall mean a declaration of intent whose content is consent to the processing of the personal data of the person making the declaration; consent may not be presumed or implied from a declaration of intent with other content; consent may be revoked at any time, 6) a data recipient, this shall mean anyone to whom personal data are made available, with the exception of: a) the data subject, b) a person authorized to process the data, c) the representative referred to in Article 31A, d) the entity referred to in Article 31, e) State bodies or local government authorities to which the data are made available in connection with proceedings, 7) a third country, this shall mean a State not belonging to the European Economic Area.



Chapter 2 The authority for the protection of personal data

Article. 8. [The appointment and dismissal of the Inspector General] 1. The authority for the protection of personal data is the Inspector General for the Protection of Personal Data, hereinafter referred to as the "Inspector General".

2. The Inspector General is appointed and dismissed by the Sejm of the Republic of Poland with the consent of the Senate.

3. Only a person who meets all of the following conditions may be appointed Inspector General: 1) is a Polish citizen and permanently resides in the territory of the Republic of Poland, 2) stands out for high moral authority, 3) has a higher legal education and relevant work experience, 4) has not been punished for a crime.

4. The Inspector General, in the exercise of his duties, shall be subject only to the law.

5. The term of office of the Inspector General lasts 4 years, counting from the date of taking the oath. After the expiry of the term of office, the Inspector General carries out his duties until the new Inspector General takes up the position.

6. The same person cannot be Inspector General for more than two terms.

7. The term of office of the Inspector General shall expire upon his death, dismissal or loss of Polish citizenship.

8. The Sejm, with the consent of the Senate, dismisses the Inspector General if he: 1) has resigned from his position, 2) has become permanently unable to carry out his duties due to illness, 3) has breached the oath taken, 4) has been convicted by a court of committing a crime.

Article. 9. [Oath of the Inspector General] Before taking up his duties, the Inspector General takes the following oath before the Sejm: "In taking up the position of Inspector General for the Protection of Personal Data, I solemnly swear to remain faithful to the provisions of the Constitution of the Republic of Poland, to guard the right to the protection of personal data, and to fulfill the duties entrusted to me conscientiously and impartially."

The oath may be taken with the addition of the words "so help me God".

Article. 10. [The prohibition of holding other posts, performing other activities and party membership] 1. The Inspector General may not hold another post, except for the position of professor at a higher education institution, or engage in other activities.

2. The Inspector General may not belong to a political party or a trade union, or engage in public activities incompatible with the dignity of his office.

Article. 11. [Immunity of the Inspector General] The Inspector General may not be held criminally liable or deprived of his liberty without the prior consent of the Sejm. The Inspector General may not be arrested or detained, except when caught red-handed committing an offence and when his detention is necessary to ensure the proper course of proceedings. The Speaker of the Sejm shall be notified of the detention immediately and may order the immediate release of the detained person.

Article. 12. [The tasks of the Inspector General] The tasks of the Inspector General include in particular: 1) monitoring the compliance of data processing with the provisions on the protection of personal data, 2) issuing administrative decisions and handling complaints in matters concerning the implementation of the provisions on the protection of personal data, 3) ensuring that those obliged perform the non-pecuniary obligations arising from the decisions referred to in point 2, by applying the enforcement measures provided for in the Act of 17 June 1966 on enforcement proceedings in administration (Journal of Laws of 2005, No. 229, item 1954, as amended), 4) keeping a register of data sets and providing information about the registered sets, 5) giving opinions on draft laws and regulations concerning the protection of personal data, 6) initiating and undertaking projects to improve the protection of personal data, 7) participating in the work of international organisations and institutions dealing with issues related to the protection of personal data.

Article. 12A. [Deputy Inspector General] 1. At the request of the Inspector General, the Marshal of the Sejm may appoint a Deputy Inspector General. The Deputy Inspector General is dismissed in the same manner.

2. The Inspector General determines the scope of the tasks of his deputy.

3. The Deputy Inspector General shall meet the requirements referred to in Article 8 paragraph 3 points 1, 2 and 4, and have a higher education and relevant work experience.

Article. 13. [Office of the Inspector General] 1. The Inspector General performs his tasks with the help of the Office of the Inspector General for the Protection of Personal Data, hereinafter referred to as the "Office".

1a. In cases justified by the nature and number of personal data protection cases in a given area, the Inspector General may perform his tasks through field units of the Office.

2. (repealed).

3. The President of the Republic of Poland, after obtaining the opinion of the Inspector General, shall grant the Office its Statute by way of regulation, specifying its organizational principles, its field units and the extent of their territorial jurisdiction, with a view to creating optimal organizational conditions for performing the tasks of the Office.

Article. 14. [Powers of the Inspector General] In order to carry out the tasks referred to in Article 12 points 1 and 2, the Inspector General, the Deputy Inspector General or employees of the Office authorized by him, hereinafter referred to as "inspectors", have the right to: 1) enter, from 6:00 to 22:00, on presentation of a personal authorization and a service ID card, the premises where a data set is located and the premises where data are processed outside a data set, and carry out the necessary examinations or other inspection activities in order to assess the compliance of data processing with the law, 2) require written or oral explanations and summon and hear persons to the extent necessary to establish the facts, 3) inspect any documents and any data directly connected with the subject matter of the inspection and make copies of them, 4) carry out a visual inspection of the equipment and information systems used for data processing, 5) commission expert opinions and reviews.

Article. 15. [Obligations of the controlled entity] 1. The head of the controlled organizational unit and the controlled natural person who is the data controller are required to enable the inspector to carry out the inspection, and in particular to enable the activities and fulfil the requests referred to in Article 14 points 1 to 4.

2. In the course of an inspection of the data sets referred to in Article 43 paragraph 1 point 1a, the inspector has the right to inspect a set containing personal data only through an authorized representative of the controlled organizational unit.

3. The inspection shall be carried out upon presentation of a personal authorization together with a service ID card.

4. The personal authorization should include: 1) an indication of the legal basis of the inspection, 2) the designation of the inspection authority, 3) the first and last name and job title of the person authorized to carry out the inspection and the number of that person's service ID card, 4) a determination of the scope of the inspection, 5) the designation of the controlled entity or the data set, or the place to be inspected, 6) an indication of the start date and the anticipated completion date of the inspection, 7) the signature of the Inspector General, 8) an instruction to the controlled entity on its rights and obligations, 9) the date and place of issue of the authorization.

Article. 16. [Protocol of inspection activities] 1. The inspector shall draw up a protocol of the inspection activities, one copy of which shall be delivered to the controlled data controller.

1a. The inspection protocol should contain: 1) the full name of the controlled entity and its address, 2) the first and last name, job title, service ID card number and authorization number of the inspector, 3) the first and last name of the person representing the controlled entity and the name of the body representing that entity, 4) the start and end dates of the inspection activities, with details of the days of breaks in the inspection, 5) an indication of the purpose and scope of the inspection, 6) a description of the facts observed in the course of the inspection and other information essential for assessing the compliance of data processing with the provisions on the protection of personal data, 7) a list of the annexes that form part of the protocol, 8) a description of the amendments, deletions and additions made in the protocol, 9) the initials of the inspector and of the person representing the controlled entity on each page of the protocol, 10) a note that a copy of the protocol was received by the person representing the controlled entity, 11) a note on whether or not objections and comments to the protocol were lodged, 12) the date and place of signature of the protocol by the inspector and by the person or body representing the controlled entity.

2. The protocol shall be signed by the inspector and the controlled data controller, who may submit reasoned objections or comments to the protocol.

3. If the controlled data controller refuses to sign the protocol, the inspector notes this in the protocol, and the party refusing to sign may, within 7 days, present its position in writing to the Inspector General.

Article. 17. [The consequences of infringement of the provisions on the protection of personal data] 1. If, on the basis of the results of the inspection, the inspector finds violations of the provisions on the protection of personal data, he requests the Inspector General to apply the measures referred to in Article 18.

2. On the basis of the findings of the inspection, the inspector may request the initiation of disciplinary proceedings or other proceedings provided for by law against the persons responsible for the shortcomings, and that he be informed, within a specified period, of the results of those proceedings and the measures taken.

Article. 18. [Decision ordering the restoration of the lawful state] 1. In the event of a breach of the provisions on the protection of personal data, the Inspector General, ex officio or at the request of the person concerned, orders by means of an administrative decision the restoration of the lawful state, and in particular: 1) the removal of shortcomings, 2) the supplementing, updating, rectification, disclosure or non-disclosure of personal data, 3) the application of additional measures safeguarding the personal data collected, 4) the suspension of the transfer of personal data to a third country, 5) the securing of the data or their transfer to other entities, 6) the deletion of personal data.

2. The decisions of the Inspector General referred to in paragraph 1 may not restrict the freedom of action of entities nominating candidates or lists of candidates in elections to the office of President of the Republic of Poland, to the Sejm, to the Senate and to local government authorities, as well as in elections to the European Parliament, between the day the elections are ordered and the day of the vote.

2A. The decisions of the Inspector General referred to in paragraph 1, in relation to the data sets referred to in Article 43 paragraph 1 point 1a, may not require the deletion of personal data collected in the course of operational and reconnaissance activities conducted on the basis of the provisions of law.

3. Where the provisions of other laws separately regulate the performance of the activities referred to in paragraph 1, the provisions of those laws shall apply.

Article. 19. [Notification of a crime] If it is found that an act or omission of the head of an organizational unit, its employee or another natural person who is a data controller meets the criteria of an offence specified in the Act, the Inspector General submits a notification of the crime to the body responsible for prosecution, enclosing evidence documenting the suspicion.



Article. 19A. [Submissions of the Inspector General aimed at ensuring effective protection of personal data] 1. In order to carry out the tasks referred to in Article 12 point 6, the Inspector General may address to State bodies, local government bodies, State and municipal organizational units, private entities performing public functions, natural and legal persons, organizational units which are not legal persons and other entities submissions aimed at ensuring effective protection of personal data.

2. The Inspector General may also request the competent authorities to take a legislative initiative or to issue or amend legal acts in matters relating to the protection of personal data.

3. The entity to which a submission or request referred to in paragraphs 1 and 2 was addressed is obliged to respond to it in writing within 30 days from the date of its receipt.

Article. 20. [Report on the activities of the Inspector General] The Inspector General submits to the Sejm, once a year, a report on his activities together with the conclusions arising from the state of compliance with the provisions on the protection of personal data.

Article. 21. [Request for reconsideration] 1. A party may ask the Inspector General to reconsider the case.

2. The decision of the Inspector General on the application for reconsideration may be appealed to the administrative court.

Article. 22. [The application of the provisions of the Code of Administrative Procedure] Proceedings in matters governed by this Act shall be conducted according to the provisions of the Code of Administrative Procedure, in so far as the provisions of the Act do not provide otherwise.

Article. 22A. [Delegation] The Minister responsible for public administration shall determine, by regulation, the templates of the authorization and of the service ID card referred to in Article 14 point 1, having regard to the need to identify the inspector of the Office of the Inspector General for the Protection of Personal Data.



Chapter 3 Rules for the processing of personal data

Article. 23. [The admissibility of data processing] 1. Data processing is permissible only if: 1) the data subject has given consent, except in the case of accidental deletion of data relating to him, 2) it is necessary to exercise a right or fulfil an obligation arising from law, 3) it is necessary for the performance of a contract to which the data subject is a party, or to take action before the conclusion of a contract at the request of the data subject, 4) it is necessary for the performance of tasks specified by law and carried out for the public good, 5) it is necessary to fulfil legally justified objectives pursued by data controllers or data recipients, and the processing does not affect the rights and freedoms of the data subject.

2. The consent referred to in paragraph 1 point 1 may also cover the processing of data in the future, if the purpose of the processing does not change.

3. If the processing is necessary to protect the vital interests of the data subject and the condition referred to in paragraph 1 point 1 cannot be met, the data may be processed without that person's consent until consent can be obtained.

4. The legally justified objectives referred to in paragraph 1 point 5 are, in particular: 1) direct marketing of the controller's own products or services, 2) the pursuit of claims arising from business activity.

Article. 24. [Information given to data subjects when data are collected] 1. Where personal data are collected from the data subject, the data controller is obliged to inform that person of: 1) the address of its registered office and its full name, and where the data controller is a natural person, his or her place of residence and first and last name, 2) the purpose of collecting the data, and in particular the recipients or categories of recipients of the data known at the time the information is provided or anticipated, 3) the right to access their data and to correct them, 4) whether providing the data is voluntary or obligatory, and if such an obligation exists, its legal basis.

2. The provisions of paragraph 1 shall not apply if: 1) a provision of another Act allows data to be processed without disclosing the actual purpose of their collection, 2) the data subject already has the information referred to in paragraph 1.

Article. 25. [Collection of data not from the person concerned] 1. Where personal data are collected not from the data subject, the data controller is obliged to inform that person, immediately after recording the collected data, of: 1) the address of its registered office and its full name, and where the data controller is a natural person, his or her place of residence and first and last name, 2) the purpose and scope of data collection, and in particular the recipients or categories of recipients of the data, 3) the source of the data, 4) the right to access their data and to correct them, 5) the rights arising under Article 32 paragraph 1 points 7 and 8.

2. The provisions of paragraph 1 shall not apply if: 1) a provision of another law provides for or permits the collection of personal data without the knowledge of the data subject, 2) (repealed), 3) the data are necessary for scientific, educational, historical or statistical research or opinion polls, their processing does not affect the rights or freedoms of the data subject, and complying with the requirements referred to in paragraph 1 would require excessive effort or compromise the objective of the research, 4) (repealed), 5) the data are processed by a controller referred to in Article 3 paragraph 1 and paragraph 2 point 1, on the basis of provisions of law, 6) the data subject already has the information referred to in paragraph 1.

Article. 26. [Obligation of special care to protect the interests of data subjects] 1. A data controller processing data should take special care to protect the interests of the data subjects and, in particular, shall ensure that the data are: 1) processed in accordance with the law, 2) collected for specified, legitimate purposes and not further processed in a way incompatible with those purposes, subject to paragraph 2, 3) factually correct and adequate in relation to the purposes for which they are processed, 4) stored in a form which permits identification of the data subjects for no longer than is necessary to achieve the purpose of the processing.

2. The processing of data for a purpose other than that for which they were collected is permissible if it does not violate the rights and freedoms of the data subject and takes place: 1) for research, teaching, historical or statistical purposes, 2) in compliance with the provisions of Articles 23 and 25.

Article. 26A. [Final determination of an individual case] 1. A final determination of an individual case of the data subject is not permissible if its content is exclusively the result of operations on personal data carried out in an information system.

2. The provisions of paragraph 1 shall not apply if the determination was made during the conclusion or performance of a contract and takes into account the request of the data subject, or if it is permitted by provisions of law that also provide for measures to protect the legitimate interests of the data subject.

Article. 27. [Admissibility of processing certain data] 1. It is prohibited to process data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or religious or trade union affiliation, as well as data on health, genetic code, addictions or sex life and data relating to convictions, penalty decisions and fines, as well as other judgments issued in judicial or administrative proceedings.

2. The processing of the data referred to in paragraph 1 is, however, permissible if: 1) the data subject has given consent in writing, unless it concerns the deletion of data relating to him, 2) a special provision of another Act permits the processing of such data without the consent of the data subject and provides full guarantees for their protection, 3) the processing of such data is necessary to protect the vital interests of the data subject or of another person, where the data subject is physically or legally incapable of giving consent, until a legal guardian or curator is appointed, 4) it is necessary to perform the statutory tasks of churches and other religious societies, associations, foundations or other non-commercial organisations or institutions with political, scientific, religious, philosophical or trade union aims, provided that the processing relates solely to the members of those organisations or institutions or to persons maintaining contacts with them in connection with their activities, and full guarantees of protection of the processed data are provided, 5) the processing relates to data that are necessary for the assertion of rights before the courts, 6) the processing is necessary for the performance of the controller's tasks relating to the employment of staff and other persons, and the scope of the processed data is specified in the law, 7) the processing is carried out in order to protect health, provide medical services or treat patients by persons professionally engaged in treatment or the provision of other medical services, or to manage the provision of medical services, and full guarantees for the protection of personal data are provided, 8) the processing relates to data that have been made public by the data subject, 9) it is necessary to carry out scientific research, including the preparation of a thesis required to obtain a diploma of completion of higher education or a degree; the results of research may not be published in a manner that allows the identification of the persons whose data have been processed, 10) the data are processed by a party in order to exercise the rights and obligations resulting from a judgment issued in judicial or administrative proceedings.

Article. 28. [Numbers] 1. (deleted).

2. Reference numbers used in the population register may contain only the designation of gender, the date of birth, the assigned number and the control number.

3. It is forbidden to assign hidden meanings to elements of reference numbers in systems registering natural persons.

Article. 29. (repealed).

Article. 30. (repealed).

Article. 31. [Contract entrusting data processing to another entity] 1. The data controller may entrust data processing to another entity by way of a contract concluded in writing.

2. The entity referred to in paragraph 1 may process the data only to the extent and for the purpose provided for in the contract.

3. The entity referred to in paragraph 1 is required, before it begins processing the data, to take the measures securing the data set referred to in Articles 36 to 39 and to meet the requirements laid down in the provisions referred to in Article 39A. With regard to compliance with those provisions, the entity bears the same liability as the data controller.

4. In the cases referred to in paragraphs 1 to 3, responsibility for compliance with the provisions of this Act rests with the data controller, which does not exclude the responsibility of the entity that has entered into the contract for the processing of data in accordance with that contract.

5. The provisions of Articles 14 to 19 shall apply mutatis mutandis to checking the compliance of data processing by the entity referred to in paragraph 1 with the provisions on the protection of personal data.

Article. 31A. [Representative] Where personal data are processed by entities established or resident in a third country, the data controller is obliged to appoint a representative in the Republic of Poland.



Chapter 4 Rights of the data subject

Article. 32. [The right to control the processing of data] 1. Every person shall have the right to control the processing of data concerning him contained in data sets, and in particular the right to: 1) obtain exhaustive information on whether such a set exists and on the identity of the data controller, the address of its registered office and its full name, and where the data controller is a natural person, his or her place of residence and first and last name, 2) obtain information about the purpose, scope and manner of processing of the data contained in the set, 3) obtain information on since when the data concerning him have been processed in the set, and be given the content of those data in an intelligible form, 4) obtain information about the source of the data concerning him, unless the data controller is obliged to keep classified information or professional secrecy in this respect, 5) obtain information about how the data are shared, and in particular about the recipients or categories of recipients to whom the data are made available, 5a) obtain information about the grounds for the determination referred to in Article 26A paragraph 2, 6) request the supplementing, updating or rectification of personal data, the temporary or permanent suspension of their processing or their deletion, if they are incomplete, out of date, inaccurate or were collected in contravention of this Act or are unnecessary for the purpose for which they were collected, 7) submit, in the cases listed in Article 23 paragraph 1 points 4 and 5, a written, reasoned request that the processing of his data cease because of his particular situation, 8) object to the processing of his data in the cases referred to in Article 23 paragraph 1 points 4 and 5, when the data controller intends to process them for marketing purposes, or to the transfer of his personal data to another data controller, 9) submit to the data controller a request for individual re-examination of a case determined in violation of Article 26A paragraph 1.

2. If a request referred to in paragraph 1 point 7 is submitted, the data controller shall cease processing the personal data in question or, without undue delay, forward the request to the Inspector General, who issues a decision thereon.

3. In the event of an objection referred to in paragraph 1 point 8, further processing of the data in question is inadmissible. The data controller may, however, retain in the set the name or names of the person and the social security number or address, solely in order to avoid the reuse of that person's data for the purposes covered by the objection.

3A. If a request referred to in Article 32 paragraph 1 point 9 is submitted, the data controller shall, without undue delay, examine the case or forward it, together with the reasons for its position, to the Inspector General, who issues a decision thereon.

4. Where data are processed for scientific, educational, historical, statistical or archival purposes, the data controller may refrain from informing persons about the processing of their data where this would entail an effort disproportionate to the intended purpose.

5. The person concerned may exercise the right to information referred to in paragraph 1 points 1 to 5 not more than once every 6 months.

Article. 33. [obligation to inform the person of his rights] 1. At the request of the data subject, the data controller is obliged, within 30 days, to inform that person of the rights and remedies available and to provide, with respect to his or her personal data, the information referred to in article 1. 32 paragraph 1. 1 paragraphs 1 to 5a.

2. At the request of the data subject, the information referred to in paragraph 1. 1, shall be given in writing.

Article. 34. [refusal of information to the data subject] The data controller refuses to give the data subject the information referred to in article 1. 32 paragraph 1. 1 paragraphs 1 to 5a, if this would result in: 1) disclosure of messages that contain classified information, 2) a threat to the defense or the security of the State, the life and health of people or public safety and order, 3) a threat to the basic economic or financial interest of the State, 4) a material breach of the personal interests of the data subject or other persons.

Article. 35. [Request to improve the content of personal data] 1. If the data subject demonstrates that the personal data concerning him or her are incomplete, out of date, inaccurate or were collected in contravention of this Act or are unnecessary for the purpose for which they were collected, the data controller is obliged, without undue delay, to supplement, update or rectify the data in question, to temporarily or permanently suspend their processing, or to remove them from the collection, unless this concerns personal data for which the mode of their supplementing, updating or rectification is specified in a separate Act.

2. If the data controller fails to fulfil the obligation referred to in paragraph 1. 1, the data subject may ask the Inspector General to order that this obligation be fulfilled.

3. The data controller is obliged to inform, without delay, the other administrators to whom it released the data set of the update or rectification of the data.



Chapter 5 Protection of personal data Article. 36. [obligation to use technical and organisational measures to protect] 1. The data controller is obliged to apply technical and organisational measures that ensure protection of the processed personal data appropriate to the risks and categories of protected data, and in particular should secure the data against unauthorized disclosure, takeover by an unauthorized person, processing in violation of the Act, and alteration, loss, damage or destruction.

2. The data controller shall keep documentation that describes how the data are processed and the measures referred to in paragraph 1. 1.

3. The data controller shall designate an information security administrator, who supervises observance of the principles of protection referred to in paragraph 1. 1, unless the data controller performs these activities itself.

Article. 37. [Authorization to the processing of personal data] Only persons with an authorization given by the data controller may be permitted to process data.

Article. 38. [control] The data controller is obliged to ensure control over what personal data were entered into the collection, when and by whom, and to whom they are transferred.

Article. 39. [records of the persons authorised to process the data] 1. The data controller shall keep a register of persons authorized to process the data, which should contain: 1) the name of the authorized person, 2) the date on which the authorization to process personal data was granted and the date on which it terminated, and the scope of the authorization, 3) ID, if the data are processed in an information system.

2. Persons who are authorised to process the data are obliged to keep secret the personal data and the ways in which they are protected.

Article. 39A. [Delegation] The Minister competent for public administration, in consultation with the Minister competent for information technology, shall define, by regulation, the manner of keeping and the scope of the documentation referred to in article 1. 36 paragraph 1. 2, and the basic technical and organizational conditions to be met by the devices and IT systems used for the processing of personal data, taking into account the need to ensure protection of the processed personal data appropriate to the risks and categories of protected data, as well as the requirements for recording the sharing of personal data and for the security of the data being processed.



Chapter 6 Registration of collections of personal data Article. 40. [Registration data collection] The data controller is obliged to notify the data set for registration to the General Inspector, except in the cases referred to in article 1. 43 paragraph 1. 1.

Article. 41. [Notification of a data set to register] 1. Application for registration of the data collection should include: 1) an application for entry of the collection in the register of personal data sets, 2) the designation of the data controller and the address of its registered office or place of residence, including the identification number in the register of entities of the national economy, if one was assigned, and the legal basis authorising the keeping of the collection and, where data processing is entrusted to the entity referred to in art. 31, or an entity referred to in art. 31A is designated, the designation of that entity and the address of its registered office or place of residence, 3) the purpose of data processing, 3a) a description of the categories of data subjects and the scope of the data being processed, 4) the way in which data are collected and shared, 4a) the recipients or categories of recipients to whom the data may be communicated, 5) a description of the technical and organisational measures taken for the purposes set out in article 1. 36 – 39, 6) information about how the technical and organisational conditions laid down in the provisions referred to in article 1. 39A are fulfilled, 7) information on the possible transfer of data to a third country.

2. The data controller is obliged to report to the General Inspector any change in the information referred to in paragraph 1. 1, within 30 days from the date of the change in the data collection, subject to paragraph 2. 3.

3. If the change in the information referred to in paragraph 1. 1 paragraph 3a concerns the extension of the scope of the processed data to include the data referred to in article 1. 27 paragraph. 1, the data controller is obliged to report it before making the change in the collection.

4. The provisions on the registration of data sets shall apply mutatis mutandis to notifications of changes.

Article. 42. [a record of collections of personal data] 1. The Inspector General keeps a nationwide, public register of personal data sets. The register shall contain the information referred to in article 1. 41 paragraph 1. 1 paragraph 1-4a and 7.

2. Everyone has the right to view the register referred to in paragraph 1. 1.

3. At the request of the data controller, a certificate of registration of the data set notified by it may be issued, subject to paragraphs 2 and 3. 4.

4. The Inspector General issues to the data controller referred to in article 1. 27 paragraph. 1 a certificate of registration of the data set immediately after registration.

Article. 43. [Exemption from registration data set] 1. Exempt from the obligation to register a data set are controllers of data: 1) containing classified information, 1a) that have been obtained as a result of the emergency activities of reconnaissance by officers of the bodies entitled to these steps, 2) processed by the competent authorities for the purpose of judicial proceedings and on the basis of the provisions on the national criminal record, 2a) processed by the General Inspector of financial information, 2b) processed by the competent authorities for the purpose of the participation of the Republic of Poland in the Schengen information system and the visa information system, 2c) [2] processed by the competent authorities on the basis of the provisions on the exchange of information with the law enforcement authorities of the Member States of the European Union, 3) relating to persons belonging to a church or other religious association with a regulated legal situation, processed for the purposes of that church or religious association, 4) processed in connection with employment with them or the provision of services to them under civil-law contracts, as well as concerning persons affiliated with them or learning with them, 5) concerning persons using their medical services or the services of a notary, lawyer, legal adviser, patent attorney, tax advisor or auditor, 6) created on the basis of the provisions concerning the elections to the Sejm, Senate, European Parliament, municipal councils, District Councils and assemblies, the election for the Office of the President of the Republic of Poland, the Mayor, the Mayor, the Mayor of the city and on the nationwide referendum and local referendum, 7) concerning persons deprived of freedom under the law, to the extent necessary for the execution of detention or imprisonment, 8) processed solely for the purpose of issuing an invoice or bill or carrying out financial reporting, 9) commonly available, 10) processed in order to prepare a thesis required to obtain a school diploma or degree, 11) processed in minor current affairs of daily life.

2. [3] In relation to the collections referred to in paragraph 1. 1 paragraphs 1 and 3, and the collections referred to in paragraph 1. 1, paragraph 1a, processed by the Internal Security Agency, the Intelligence Agency, the Military Counterintelligence Service, the Military Intelligence Service and the Central Anti-corruption Office, the Inspector General does not have the powers referred to in article 1. 12 paragraph 2, art. 14, paragraphs 1 and 3 to 5 and article. 15-18.

Article. 44. [the decision to refuse the registration of a data set] 1. The Inspector General shall issue a decision refusing to register the data set if: 1) the requirements referred to in article. 41 paragraph 1. 1 have not been met, 2) the processing would violate the principles referred to in article 7. 23 – 28, 3) the devices and systems used to process the data set notified for registration do not meet the basic technical and organizational conditions laid down in the provisions referred to in article 1. 39A.

2. When refusing the registration of a data set, the Inspector General, by way of an administrative decision, orders: 1) the restriction of the processing of all or certain categories of data only to storing them, or 2) the other means referred to in article 1. 18 paragraph 1. 1.

3. (repealed).

4. The data controller may notify the data set for registration again after removing the defects which were the reason for the refusal.

5. Where a collection is notified for registration again, the data controller may begin processing the data after the collection has been registered.

Article. 44a. [the deletion from the register of personal data sets] Deletion from the register of personal data sets is carried out by way of an administrative decision, if: 1) the processing of data in the registered collection has ceased, 2) the registration was made in violation of the law.

Article. 45. (repealed).

Article. 46. [to begin processing the data in the ECR] 1. The data controller may, subject to paragraphs 2 and 3. 2, begin processing data in a data set after notifying that set to the General Inspector, unless the law exempts the data controller from this obligation.

2. The data controller referred to in article 1. 27 paragraph. 1 may begin processing data in a data set once the collection has been registered, unless the law exempts the data controller from the obligation to notify the set for registration.

Article. 46A. [Delegation] The Minister responsible for public administration shall determine, by regulation, the template of the notification referred to in article 2. 41 paragraph 1. 1, having regard to the obligation to publish the information necessary to determine compliance of the data processing with the requirements of the Act.



Chapter 7 The transfer of personal data to a third country Article. 47. [transfer of personal data to a third country] 1. [4] The transfer of personal data to a third country may take place if the destination State ensures on its territory an adequate level of protection of personal data.

1a. [5] The adequate level of protection for personal data referred to in paragraph 1. 1 is evaluated taking into account all the circumstances surrounding a data transfer operation, in particular the nature of the data, the purpose and duration of the proposed processing operation, the country of origin and country of final destination, the provisions of law in force in the third country, and the security measures and trade policies applied in that State.

2. [6] The provisions of paragraph 1. 1 shall not apply where the transfer of personal data arises from an obligation imposed on the data controller by law or by the provisions of a ratified international agreement that ensure an adequate level of protection of these data.

3. The data controller may, however, transfer personal data to a third country, if: 1) the data subject has given permission in writing, 2) the transfer is necessary for the performance of a contract between the data controller and the data subject or is made at the data subject's request, 3) the transfer is necessary for the performance of a contract concluded in the interest of the data subject between the data controller and another entity, 4) the transfer is necessary for the sake of the public good or to demonstrate the legitimacy of legal claims, 5) the transfer is necessary to protect the vital interests of the data subject, 6) the data are generally available.

Article. 48. [obligation to obtain the consent of the Inspector General] In cases other than those referred to in article 1. 47 paragraph 1. 2 and 3, the transfer of personal data to a third country which does not guarantee protection of personal data at least equal to that applicable on the territory of the Republic of Poland may take place after obtaining the consent of the Inspector General, provided that the data controller ensures privacy protection and the rights and freedoms of the data subject.



Chapter 8 Penal provisions Article. 49. [the processing of personal data in a manner contrary to the law] 1. Whoever processes personal data in a collection, although their processing is not allowed, or although he or she is not authorized to process them, is subject to a fine, the penalty of restriction of liberty or imprisonment for 2 years.

2. Where the act referred to in paragraph 1. 1 concerns data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious affiliation, or Union membership, data on the State of health, genetic code, addictions or sexual life, the perpetrator shall be subject to a fine, the penalty of restriction of liberty or imprisonment for 3 years.

Article. 50. (repealed).

Article. 51. [sharing information with unauthorized] 1. Whoever, while administering a collection of data or being obliged to protect personal data, provides them or allows access to them to unauthorized persons, shall be subject to a fine, the penalty of restriction of liberty or imprisonment for 2 years.

2. If the perpetrator acts unintentionally, he or she is subject to a fine, the penalty of restriction of liberty or imprisonment for a year.

Article. 52. [Failure of the obligation to secure data] Whoever, while administering data, violates, even unintentionally, the obligation to protect them from being intercepted by an unauthorized person, damage or destruction, shall be subject to a fine, the penalty of restriction of liberty or imprisonment for a year.

Article. 53. [Failure notification data for registration] Whoever, being obliged to do so, does not notify a data set for registration, is subject to a fine, the penalty of restriction of liberty or imprisonment for a year.

Article. 54. [Negligence the obligation for the award of certain information] Whoever, while administering a set of data, does not fulfil the obligation to inform the data subject of his or her rights or to provide that person with information enabling the use of the rights conferred by this Act, shall be subject to a fine, the penalty of restriction of liberty or imprisonment for a year.

Article. 54A. [help foil or obstructing the implementation of the control activity Inspector] Whoever thwarts or impedes the Inspector in carrying out a control activity shall be subject to a fine, the penalty of restriction of liberty or imprisonment for 2 years.



Chapter 9 changes in the legislation in force, transitional and final provisions Article. 55. (omitted).

Article. 56. (omitted).

Article. 57. (omitted).

Article. 58. (omitted).

Article. 59. (omitted).

Article. 60. (omitted).

Article. 61. [obligation to submit an application for registration] 1. The entities referred to in article 1. 3 which, on the date of entry into force of the Act, keep collections of personal data in information systems are required to submit applications for registration of these collections as specified in art. 41, within 18 months from the date of its entry into force, unless the law exempts them from this obligation.

2. Until a collection of personal data is registered as specified in art. 41, the entities referred to in paragraph 1. 1 may keep these collections without registration.

Article. 62. [entry into force] This Act comes into force after 6 months from the date of the notice, except that: 1) art. 8 – 11, art. 13 and 45 shall enter into force after the expiry of 2 months from the date of the notice, 2) art. 55-59 come into force after 14 days from the date of the notice.



 

1) This Act, within the scope of its regulation, implements Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ. EC-L 281 of 23.11.1995, p. 31, as amended. d.; Oj. EU Polish Special Edition, chapter. 13, t 15, p. 355, as amended. d.).

[1] Article. 26A ust. 2 in the version established by art. 30 paragraph 1 of the law of September 16, 2011 on the exchange of information with the law enforcement authorities of the Member States of the European Union (OJ No. 230, item. 1371). the change entered into force on 1 January 2012.

[2] Article. 43 paragraph 1. 1 paragraph 2 c added by art. 30 paragraph 2 of the Act of September 16, 2011 on the exchange of information with the law enforcement authorities of the Member States of the European Union (OJ No. 230, item. 1371). the change entered into force on 1 January 2012.

[3] on the basis of the judgment of the Constitutional Court of 23 June 2009 (OJ l. No. 105, item. 880) art. 43 paragraph 1. 2 as amended by article. 178 of the Act of 9 June 2006 at Central Office «(OJ # 104, item. 708; OST. d.: OJ 2009. # 18, item. 97), is compatible with article. 2, art. 47 and article. 51 in connection with art. 31 para. 3 of the Constitution of POLAND and with the preamble and article. 6 of the Convention No 108 of the Council of Europe for the protection of individuals with regard to automatic processing of personal data, done at Strasbourg on 28 January 1981 (Journal of laws of 2003 No. 3, item 25; ost.: Journal of laws of 2006. # 3, item 15).

[4] Article. 47 paragraph 1. 1 in the version established by art. 30 paragraph 3 (b). a) of the Act of September 16, 2011 on the exchange of information with the law enforcement authorities of the Member States of the European Union (OJ No. 230, item. 1371). the change entered into force on 1 January 2012.

[5] Article. 47 paragraph 1. 1A by art. 30 paragraph 3 (b). (b)) of the Act of September 16, 2011 on the exchange of information with the law enforcement authorities of the Member States of the European Union (OJ No. 230, item. 1371). the change entered into force on 1 January 2012.

[6] Article. 47 paragraph 1. 2 in the version established by art. 30 paragraph 3 (b). (c)) of the Act of September 16, 2011 on the exchange of information with the law enforcement authorities of the Member States of the European Union (OJ No. 230, item. 1371). the change entered into force on 1 January 2012.
