Data Privacy & Transfer in Investigations: Poland

1. What laws and regulations in your jurisdiction regulate the collection and processing of personal data? Are there any aspects of those laws that have specific relevance to cross-border investigations?

Poland

The EU General Data Protection Regulation (2016/679) (the GDPR) is directly applicable in this jurisdiction. In relation to the GDPR, the new Act on Personal Data Protection of 10 May 2018 (New PPDA) entered into force on 25 May 2018, which, among other things, establishes a new authority competent for the data protection in Poland (ie, the President of the Office for Personal Data Protection). On 4 May 2019, supplementary legislation amending a number of Polish laws to ensure the application of GDPR, including the Labour Code, the Banking Law and insurance regulations, entered into force.

A number of provisions in the GDPR have particular relevance in the context of investigations. For example, processing of personal data must have a valid legal basis under GDPR. Establishing a legal basis in the context of an investigation is not always straightforward, particularly where investigations involve foreign authorities or courts and where the relevant data includes sensitive data.  Restrictions on international transfers create additional complexity in the context of cross-border investigations, both in relation to transfers within an organisation (and with its advisers) and in relation to transfers to foreign authorities, courts and counterparties in litigation. All processing must comply with the data protection principles under the GDPR, including the principle that processing must be fair, lawful and transparent and the principle of data minimisation.  It can be challenging to ensure compliance with these principles in the context of an investigation. 

2. What other laws and regulations, besides data protection laws, may prevent data sharing in the context of an investigation?

Poland

Banking secrecy

The Polish banking law of 29 August 1997 (the Banking Secrecy Law) prevents banks from disclosing bank secrecy information to a separate entity. Bank secrecy information includes all information concerning banking operations and other parties to the contract concluded with the bank, obtained in the course of negotiations or during the conclusion and performance of the contracts on the basis of which the bank performs its operations. It is not only banks that are bound by the obligation of banking secrecy, it also covers bank employees and anyone through whom the bank performs banking acts. 

There are some exceptions that allow the information covered by banking secrecy to be disclosed to third parties, in particular:

• where the client has consented in writing to the transfer of specific information to specified entities;
• where information is provided to the counterparty of any outsourcing agreement, to the extent necessary to perform that outsourcing agreement; and
• disclosure of information covered by banking secrecy to qualified lawyers. 

Blanket authorisation is not permissible. The Banking Secrecy Law can still apply if there are already copies of the data outside Poland.

A similar obligation of secrecy applies to insurance undertakings, investment firms, pension societies, management companies, payment institutions and electronic money institutions as well as individuals obtaining information in connection with the provision of financial services.  

Telecommunication secrecy

The Telecommunication Act of 16 July 2004 also limits access to and processing of information subject to telecommunication secrecy, such as: personal data of user, location data, transmission data and the content of sent messages. 

Classified information

Additional limitations also apply to sharing of information that is classified as confidential under the Classified Information Act of 5 August 2010, which applies not only to governmental authorities, state legal persons and state organisational units but also covers entrepreneurs wishing to apply for or enter into contracts for access to classified information or performing such contracts, or performing tasks related to access to classified information under the law.

Other

There are other laws and regulations relating to the sharing of data in a criminal context, which may be relevant for the purposes of an investigation depending on the specific context. These include the Act of 14 December 2018 (as amended in 2019) on the protection of personal data in connection with the prevention and combating crime and the Code of Criminal Proceedings.

3. What constitutes personal data for the purposes of data protection laws?

Poland

The GDPR defines personal data as any data relating to a living individual who can be identified directly or indirectly from that data, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that living person.

Data that is truly anonymised will not be "personal data" for the purposes of the GDPR, as it does not identify the individual. Data is not truly anonymised if the data could re-identify the individuals to which the data relates by reasonably available means. Personal data protection relate only to natural living persons (individuals). It does not cover legal persons or deceased natural persons.

4. What is the scope of application of data protection laws in your jurisdiction? What activities trigger the application of data protection laws, to whom do they apply and what is their territorial extent?

Poland

The GDPR applies to "processing", which is defined broadly and includes any activity in relation to personal data (whether or not by automated means). A number of examples are provided in the GDPR, including the collection, use, disclosure and destruction or erasure of personal data.

The direct obligations under the GDPR apply primarily to controllers. A controller is defined in the GDPR as a person who (either alone or jointly with others) determines the purposes for which and the manner in which any personal data are processed. However, the GDPR also imposes certain direct obligations on processors. A processor is defined in the GDPR as a person who processes personal data on behalf of the controller.

The GDPR has extraterritorial scope. It covers:

• the processing of personal data in the context of the activities of an establishment of a controller or a processor in the EU, regardless of where the processing takes place; and
• the processing of personal data of data subjects who are in the EU, where the processing activities relate to the offering of goods and services to them or the monitoring of their behaviour in the EU.

An organisation is “established” for the purposes of the first limb where it exercises “any real and effective activity – even a minimal one” through “stable arrangements” in the EU.

5. What are the principal requirements under data protection laws that are relevant in the context of investigations?

Poland

Polish data laws address the processing of personal data in general, not specifically in the context of investigations. For example, the GDPR sets out a number of core data protection principles, with which controllers must comply, including in relation to an investigation.

Controllers must comply with the following data protection principles:

• Principle 1: personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”, see above for further details on transparency requirements);
• Principle 2: personal data should be obtained only for specified, explicit and legitimate purposes and should not be further processed in any manner incompatible with those purposes (“purpose limitation”);  
• Principle 3: personal data should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”);  
• Principle 4: personal data should be accurate and, where necessary, kept up to date (“accuracy”);  
• Principle 5: personal data should be kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”);  
• Principle 6: personal data should be processed in a manner that ensures appropriate security of that personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”); and

The controller must also be able to demonstrate compliance with each of these principles (“accountability”). 

In addition, under Chapter V of the GDPR personal data may not be transferred to a country or territory outside the EEA unless the European Commission has decided that the third country or territory ensures an adequate level of protection or if the controller or processor has provided appropriate safeguards and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

6. Identify the data protection requirements relevant to a company carrying out an internal investigation and to a party assisting with an investigation.

Poland

In the context of an internal investigation, any data processing and transfers need to be analysed in the same way as any other processing and transfers of personal data, and so must be carried out in compliance with the GDPR.

The GDPR sets out a number of data protection principles that controllers must comply with. The first principle is that personal data must be processed "lawfully, fairly and in a transparent manner". This means that data cannot be processed unless there is a legal basis under article 6 of the GDPR. The following legal bases are available:

• the data subject has given his or her consent to the processing for one or more specific purposes;  
• the processing is necessary for the performance of a contract to which the data subject is a party or for the taking of steps at the request of the data subject with a view to entering into a contract;  
• the processing is necessary for compliance with a legal obligation to which the controller is subject;  
• the processing is necessary to protect the vital interests of the data subject or another natural person;  
• the processing is necessary for performing tasks in the public interest or in the exercise of official functions by the controller; or  
• the processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where the processing is unwarranted by reason of prejudice to the interests and fundamental rights and freedoms of the data subject.

In respect of sensitive data (or “special categories of personal data”), the processing must also comply with one of the stricter legal bases set out in article 9 of the GDPR. Sensitive data is defined as information relating to: racial or ethnic origin; political opinions; religious and philosophical beliefs; trade union membership; genetic data and biometric data for the purpose of uniquely identifying a natural person; data concerning health; and sex life and sexual orientation. In an investigations context, relevant conditions for the processing of sensitive data may include where:

• the individual has given their explicit consent to the processing for one or more specified purposes;
• the processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity; or
• the processing is necessary for reasons of substantial public interest, on the basis of Union or member state law, where this is proportionate to the relevant aim and safeguards the rights and interests of data subjects.

The processing of data about criminal convictions and offences is dealt with separately to sensitive data, under article 10 of the GDPR. This provides that such data can only be processed where authorised under national law.

A privacy notice should be provided to the data subject at the time the personal data is obtained (unless an exemption applies). In all circumstances, this must include (articles 13 and 14 of the GDPR):

• the identity and contact details of the controller; 
• the contact details of the data protection officer, where applicable;
• the purposes and legal basis for the processing (including any legitimate interests relied upon where this is the legal basis for processing); 
• the categories of personal data concerned; 
• any recipients or categories of recipients of the personal data; and
• where applicable, the fact that the controller intends to transfer personal data to a third country, the existence (or absence) of an adequacy decision by the European Commission and, if there is no adequacy decision, the safeguards used for the transfer of that personal data.

The controller should also inform the data subject of the period for which their personal data will be stored; the existence of the right to request access, rectification or erasure; the right to restrict the processing; the right to object to the processing; the right to data portability; the existence of automated decision making (including profiling); and the right to lodge a complaint with a supervisory authority.

If the personal data has been obtained directly from the data subject, article 13 of the GDPR will apply and the controller must also inform the data subject whether the provision of personal data is subject to a statutory or contractual requirement and of any potential consequences of failing to provide that personal data.

It may be the case in an investigations context that personal data has not been obtained directly from the data subject. If this is the case, article 14 of the GDPR will apply and the fair processing information given to data subject must also include the categories of personal data processed, the source of personal data and details of any personal data obtained from directly accessible sources.

Additional provisions of the GDPR apply where the data are processed by a processor on behalf of the controller (eg, or legal process outsource provider, forensic accountants or consultants, external document reviewers). The primary factor considered is control of the data rather than its possession, so the controller must ensure that the third-party processor is complying with the requirements on the security of data set out in the GDPR. A written contract to this effect must be entered into between the processor and controller (article 28 of the GDPR).

The GDPR also imposes certain direct obligations on processors. These include an obligation to: (i) maintain a written record of processing activities carried out on behalf of each controller; (ii) designate a data protection officer where required; (iii) appoint a representative (when not established in the EU) in certain circumstances; and (iv) notify the controller without undue delay on becoming aware of a personal data breach.

Law firms usually act as a separate data controller when providing advice in relation to internal investigation and are subject to the same obligations as mentioned above. Law firms may seek to rely on the exclusion from the obligation to provide a privacy notice to data subjects by virtue of article 14.5(d) GDPR (in which case the personal data must remain confidential subject to an obligation of professional secrecy regulated by Polish law, including a statutory obligation of attorney’s secrecy).

7. Is the consent of the data subject mandatory for the processing of personal data as part of an investigation?

Poland

The consent of the data subject is one legal basis for processing of personal data under the GDPR. Data subject consent is therefore not mandatory for the processing of personal data, but consent must be obtained if no other legal basis exists.

8. If not mandatory, should consent still be considered when planning and carrying out an investigation?

Poland

Consent may be considered as an enabling action when planning an investigation. However, obtaining consent to the processing of personal data can be practically challenging, and proceeding with processing of personal data in reliance solely on this ground is rarely appropriate. One reason is that consent must be capable of being withdrawn at any time (a right which it is not possible to contract out of, which would be difficult to manage in the context of the investigation).

9. Is consent given by employees likely to be valid in an investigation carried out by their employer?

Poland

Consent included within an employment contract, or obtained generally by an employer from an employee, is unlikely to be valid due to a clear imbalance between the parties.

Urząd Ochrony Danych Osobowych (or UODO), the Polish supervisory authority, has emphasised on numerous occasions that consent should not be a basis for processing where there is a significant inequality between the controller and the data subject. UODO states that the relationship between an employer and employee is an example of such inequality (eg, UODO’s guidance 5/2020 on using biometric data of employees for time recording). Particular caution should be exercised when relying upon consent as the basis for processing of employee’s personal data in the context of investigations, specifically in terms of demonstrating that it was freely given.

10. How can consent be given by a data subject? Is it possible for data subjects to give their consent to processing in advance?

Poland

There is no prescribed form for the consent, but it should be freely given, specific, informed and unambiguous. In addition, to the extent relied upon as a basis for international transfers, consent must also be explicit. Consent can also be withdrawn at any time and must be as easy to withdraw as to give.

In the case of sensitive data, where consent is relied on to provide a legal basis under article 9 GDPR, it must also be explicit. A controller may therefore wish to obtain consent by means of an additional formality to demonstrate “explicit” consent (eg, a wet ink signature or a tick box that expressly uses the word “consent”).

Consent can be obtained through a website or other electronic means.

Whether consent given in advance, such as through general terms and conditions or account opening information, is sufficient for the purposes of the GDPR depends, among other things, on the balance of power between the controller and data subject. Consent is not freely given (and so is invalid) if a data subject has no genuine or free choice or cannot refuse or withdraw consent without detriment, or there is a clear imbalance between the parties.

Written requests for consent must be clearly distinguishable from other matters, be intelligible, be easily accessible and use clear and plain language. This means that consent should not be hidden among other terms and conditions. In any event, there is a risk that a generic consent provided through general terms and conditions is not specific and informed, and so not validly given by the data subject.

11. What rights do data subjects have to access or verify their personal data, or to influence or resist the processing of their personal data, as part of an investigation?

Poland

Right of access

A data subject has a right to request information regarding whether their personal data is being processed, known as a data subject access request (DSAR). The information that can be requested includes a description of the data, the purpose for which it is being processed and to whom it may be disclosed. The controller must also provide a copy of the personal data to the data subject.

A controller is not required to provide personal data in response to a “manifestly unfounded or excessive” request from a data subject (article 12(5) of GDPR). If relying on this exemption, a controller should retain evidence to demonstrate why it considers the request to be unfounded or excessive. If a controller refuses to act on a request, they must also inform the data subject of the reason why and tell the data subject that they can complain to their relevant supervisory authority and enforce their right through judicial remedy.

Right of erasure

Data subjects have the right to request rectification of any personal data relating to them that is inaccurate, and completion of any incomplete data, including by way of a supplementary statement. There is an obligation on a controller under the GDPR to ensure the personal data it keeps is accurate.

Data subjects have the right to obtain from the controller the erasure of their personal data without undue delay if one of the specified grounds applies. This includes where the data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or where the data subject has withdrawn consent (and there is no other legal ground for the processing).

Right to object

In certain circumstances, such as when a controller is relying upon their legitimate interests (or those of a third party) or the processing is necessary for performing tasks in the public interest or in the exercise of official functions, data subjects have a right to object to the processing of personal data concerning them at any time. A controller must adhere to this objection unless it can demonstrate a legitimate basis for the processing that overrides the interests of the data subject, or if the processing is necessary within legal proceedings.

A data subject also has a right to obtain a restriction of processing from the controller where it believes the relevant personal data is inaccurate, the processing is unlawful or the controller no longer needs the data for the purposes of the processing. If the latter is the case, the data subject can require the controller to limit the processing to that required in the context of legal proceedings.

Note that where data is processed by the controller performing a public task, pursuant to articles 3-5 of the New PPDA certain rights of data subjects are excluded or restricted. For example, data subjects have no right to object to processing by a controller for this purpose. Moreover, data subjects’ rights to receive information, rights of access, rights to rectification and rights to erasure or restriction may be limited or restricted where necessary and proportionate, if the provision of such information renders impossible or seriously impairs the proper performance of a public task or undermines the protection of non-public information.

In addition, where a controller has obtained personal data from a data subject in the performance of a public task, the controller may refrain from complying with its obligations referred to in article 15(1) to article 15(3) of GDPR, where to do so would impair its performance of a public task aimed at:

• preventing crime, detection or prosecution of torts or enforcing penalties, including protection against hazards to public safety and preventing such hazards;
• protecting the economic and financial interests of the state covering in particular:
• • collection and pursuing tax proceeds, proceeds from fees, non-tax budgetary dues as well as other dues;
  • enforcement of administrative execution of receivables and execution of security of cash and non-cash receivables;
  • prevention of using banks' and financial institutions' activities for purposes involving fiscal frauds;
  • disclosing and recovery of the property threatened by forfeiture as a result of offences; and
  • conducting inspections, including customs and revenue inspections.

Finally, the competent authorities processing personal data for criminal law enforcement purposes must adhere to slightly different requirements under Part 4 of the Act of 14 December 2018 (as amended in 2019) on the protection of personal data in connection with the prevention and combating crime. For example, with regards to Principle 1 of GDPR (transparency of the processing), these authorities are entitled to limit or restrict the data subjects’ rights to receive information, rights of access, rights to rectification and rights to erasure or restriction where necessary and proportionate in order to, for example, protect national or public security, or avoid prejudicing a criminal investigation or prosecution.

12. Are there specific requirements to consider where third parties are appointed to process personal data in connection with an investigation?

Poland

There may be additional requirements under the GDPR where third parties are appointed to process personal data in connection with an investigation if they are data processors as opposed to controllers. Whether the third party is a processor or (joint) controller will depend on a number of factors including their role in and degree of influence over the processing activity.

In certain circumstances third parties (eg, forensic accountants or consultants) may act as data processors depending on their independency in determining the purposes and means of data processing. In such case the data processing agreement that meets requirements set out in article 28(3) of GDPR will be required.

This contract must include a description of the data processing activities and require the processor, among other things, to:

• act only on the documented instructions of the controller (including with regard to international transfers of data to a third country); 
• ensure that persons who process the data have committed to confidentiality or are under a statutory duty of confidentiality; 
• implement appropriate security measures in accordance with the GDPR; 
• engage a sub-processor only with the prior authorisation of the controller; 
• assist the controller in carrying out its obligations to respond to requests by data subjects to exercise their rights under the GDPR; and 
• assist the controller in ensuring its compliance with its data security obligations.

Where a processor engages a sub-processor, the contract between them must reflect the same data protection obligations as set out in the contract between the controller and the processor.

These provisions of the GDPR apply to processors within the same corporate group in the same way as to other third-party processors.

13. Is it permitted to share personal data with law firms for the purpose of providing legal advice?

Poland

Yes, it is permitted. However, a transfer of personal data to a third-party law firm of personal data for the purposes of providing legal advice needs to be analysed in the same way as any other transfer of personal data, and so must be carried out in compliance with the GDPR and the principles relating to the processing of personal data.

14. What is the position and status of law firms under data protection laws? Are law firms directly accountable for data processing under data protection laws, or is responsibility for processing by law firms shared between the law firm and the client?

Poland

Law firms usually act as a separate data controller when providing advice in relation to internal investigation and are subject to the same obligations as mentioned above. Provided that the law firm can rely on exclusion from the obligation to provide a privacy notice to the data subject based on article 14.5(d) GDPR, in that case the personal data must remain confidential subject to an obligation of professional secrecy regulated by Polish law, including a statutory obligation of attorney’s secrecy.

15. What is the position and status of legal process outsourcing firms under data protection laws?

Poland

In certain circumstances, legal process outsourcing firms may act as data processors depending on their independence in determining the purposes and means of data processing.

16. Are there any additional requirements, beyond those specified above, that regulate the disclosure of data to third parties within your jurisdiction for the purpose of reviewing the content of documents, etc?

Poland

The Labour Code of 10 June 1974 (Labour Code) introduces restrictions with respect to email correspondence monitoring conducted by the employers. Monitoring of email company accounts may be introduced when it is necessary to ensure proper use of the working hours by an employee and proper use of equipment provided to the employee. However, such monitoring cannot infringe the secrecy of correspondence and the personal rights of the employees (such as privacy). For this reason, review of the content of such email correspondence by the employer and disclosure of such information to third parties may be difficult in practice.

Under the Labour Code, the employer is obliged to regulate the purposes, scope and the method of use of the monitoring of email correspondence in collective agreements with trade unions or in the internal workplace policies. The above rules should be described in a notice addressed to the employees if there is no collective agreement or the employer is exempted from the obligation to set workplace regulations. The above information has to be provided in writing to each employee before the employee starts work. The employer is also obliged to inform employees on the actual introduction of the email correspondence surveillance within two weeks before the launch of such monitoring.

The above obligations are without prejudice to the obligations regarding data subjects’ rights set forth in articles 12 and 13 of the GDPR.

Certain additional requirements have been set by the Polish courts and the former data protection authority (General Inspector for Personal Data Protection) for such monitoring to be lawful:

• the monitoring must be proportionate (ie, if there are less restrictive means enabling the employer to accomplish the same objective, such less restrictive means should be used instead);
• the employer should have clear evidence of the employees having fully read and understood the policy with regards to possible monitoring; and
• the monitoring must respect employees’ dignity. It would be hard to justify a review of emails marked as ‘personal’ and which are obviously personal in nature as this may be regarded as not respecting the employee’s dignity and right to privacy. Respecting the personal rights of workers is a basic obligation of the employer.

These rules remain valid also under the GDPR.

Financial institutions in Poland must also comply with, among other requirements:

• the guidelines on material outsourcing, the guidelines concerning the management of information technology and ICT environment security and communication of 23 January 2020 concerning the processing of information by supervised entities in a public or hybrid cloud, established by the Polish Financial Supervision Authority (UKNF). These principles require financial institutions to take various measures to protect client and employee data.
• the guidelines on material outsourcing established by the European Banking Authority (EBA). The EBA’s guidelines (which apply since 30 September 2019) set out a series of recommendations that providers of financial services must adhere to in respect of any outsourcing to the cloud, including in respect of the security of data, where geographically data is located and processed and the importance of contingency planning.

17. What rules regulate the transfer of data held in your jurisdiction to a third party in another country for the purpose of reviewing the content of documents, etc?

Poland

The GDPR distinguishes between transfers to other jurisdictions within the EEA and transfers of data to jurisdictions outside the EEA.

Within the EEA

A transfer of personal data from this jurisdiction to a processor or controller in another EEA member state must comply with the same requirements as if the transfer was made within the jurisdiction.

Outside the EEA

Personal data subject to the GDPR cannot be transferred to a country or territory outside the EEA unless that third country or territory provides an adequate level of protection for personal data.

The European Commission has determined that certain non-EEA countries and recipients ensure an adequate level of protection for personal data and so a transfer can be made to such countries in compliance with the rules that provide restrictions on transfers outside the EEA. Currently, these countries are Andorra, Argentina, Canada (commercial organisations), Faeroe Islands, Guernsey, Israel, Isle of Man, Japan, Jersey, New Zealand, Republic of Korea, Switzerland, United Kingdom under the GDPR and the LED and Uruguay. 

Alternatively, the controller as transferor could ensure an adequate level of protection through:

• entering into standard contractual clauses approved by the European Commission for both controller-to-processor and controller-to-controller transfers; or 
• for transfers within the same group, adoption of binding corporate rules.

In a judgment issued on 16 July 2020 (Schrems II), the CJEU held that the standard contractual clauses should be viewed as offering only the basic level of protection and they may only be used where the protection provided by the contract is not undermined in the particular circumstances. This means that controllers exporting personal data and looking to rely on standard contractual clauses approved by the European Commission (or another article 46 GDPR international transfer mechanism) must assess on a case-by-case basis whether additional safeguards are needed to remedy any identified deficiency and ensure adequate data protection.

On 4 June 2021, the European Commission issued modernised standard contractual clauses under the GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the GDPR) (the Commission Implementing Decision (EU) 2021/914). These modernised SCCs will replace the three sets of SCCs that were adopted under the previous Data Protection Directive 95/46.

Data can otherwise be transferred if one of the following derogations, among others, applies:

• the data subject has consented to the transfer (as noted above, this consent should be explicit as well as freely given, specific, informed and unambiguous); 
• the transfer is necessary for the performance of a contract between the data subject and controller or the implementation of pre-contractual measures taken at the data subject’s request; 
• the transfer is necessary for the conclusion of a contract between the controller and a person other than the data subject, which is entered into in the data subject’s interests; 
• the transfer is necessary for important reasons of public interest; 
• the transfer is necessary for the establishment, exercise or defence of legal claims; or 
• the transfer is necessary to protect the vital interests of the data subject.

Where none of the above derogations are available, a transfer to a third country may take place if the transfer is not repetitive, concerns only a limited number of data subjects, is necessary for the purposes of compelling legitimate interests of the controller (which are not overridden by the interests or rights and freedoms of the data subject), and the controller has assessed all the circumstances surrounding the transfer and has, on the basis of that assessment, provided suitable safeguards with regard to protection of personal data. This ground for processing may only be relied upon where no other legal basis is available. The controller shall inform the supervisory authority of the transfer and, in addition to providing the information referred to in articles 13 and 14 of the GDPR, shall inform the data subject of the transfer and on the compelling legitimate interests pursued. As such, this derogation is unlikely to be of practical application in the context of an investigation.

18. Are there specific exemptions, derogations or mechanisms to enable international transfers of personal data in connection with investigations?

Poland

No, there are no such specific exemptions, derogations or mechanisms that would apply in the context of investigations.

19. Under what circumstances is the transfer of personal data to regulators or enforcement authorities within your jurisdiction permissible?

Poland

The transfer of personal data to regulators and enforcement authorities within the jurisdiction must comply with the GDPR in the same way as any other processing. In particular, a legal basis must be established under article 6 GDPR. 

20. Under what circumstances is the transfer of personal data held within your jurisdiction to regulators or enforcement authorities in another country permissible?

Poland

The rules applying to cross-border data transfer generally also apply to the transfer of data to regulators and law enforcement authorities out of the jurisdiction. Any transfer to an overseas regulator would have to comply with the GDPR in the same way as any other processing.

Any disclosure of personal data to an overseas regulator or law enforcement authority would engage the first data protection principle (including the requirement to establish a legal basis under article 6 GDPR) and prohibitions on cross-border transfers of personal data. In particular, the first principle provides that processing of personal data must be fair, lawful and transparent.

Any transfer of personal data to an overseas regulator or law enforcement authority may breach this principle if this is not a purpose of processing or recipient of data about which the data subjects will have been sufficiently informed. The GDPR sets out exemptions to providing a privacy notice where this is impossible or would involve disproportionate effort on the part of the controller, but these exemptions are interpreted narrowly.

The cross-border transfer of personal data would additionally require safeguards for the relevant transfer and a legal basis for processing. There is no clear exemption or derogation from either the first principle, the requirement for a legal basis for processing, or the prohibition on cross-border transfers that will routinely cover requests for data by a foreign regulator or law enforcement authority.

The transfer may lack a legal basis, depending on the circumstances of the processing. The possible legal bases that a controller may rely on in this context include:

• the consent of each affected data subject to the disclosure and transfer. However, as noted above, this can be problematic to obtain, can be withdrawn at any time and (in the case of sensitive data) consent must be explicit;
• that the processing is necessary for the establishment, exercise or defence of legal claims, depending on the circumstances;
• that the processing is in the legitimate interests of the controller; or
• that the processing is necessary for the performance of a task carried out in the public interests.

The prohibition on cross-border transfers provides that personal data should not be transferred to a country outside the EEA that does not provide an adequate level of protection, unless an exemption applies or safeguards for the personal data are in place. Article 49 of the GDPR provides for derogations to the requirement for an adequacy decision or implementing safeguards in certain circumstances, including where the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims. This article 49 provides that, without prejudice to other grounds for international transfers, a decision from a third country authority, court or tribunal does not in itself justify the transfer of personal data to a non-EEA country. This is the case unless the transfer is based on an international agreement, such as a mutual legal assistance treaty. The European Data Protection Board guidelines state, in relation to article 48 GDPR: "In situations where there is an international agreement, such as a mutual legal assistance treaty (MLAT), EU companies should generally refuse direct requests and refer the requesting third country authority to existing MLAT or agreement.”

21. What are some recommended steps to take on receipt of a request from a regulator for disclosure of personal data?

Poland

The recipient of such a request may consider taking the following steps, among others:

• consider if there is a legal obligation to respond to the request and, if so, to what extent;
• seek further information in writing from the requesting regulator to evaluate the purpose of the request;
• if possible, negotiate the scope of the request: for example, to target the specific information required for the purposes of the regulatory investigation;
• in accordance with principles of data minimisation and anonymisation, limit the scope of any data disclosed and transferred to that necessary for the purpose;
• consider whether it is practicable to obtain data subject consent and/or giving notice as it may be possible, in some cases, to obtain a valid consent from individuals to undertake a particular disclosure and transfer;
• put in place a data processing agreement if data will be transferred to an affiliate or third party (acting as a processor);
• consider transfer via domestic authority as, in some cases, it may be possible to request that the requesting regulator request data via a domestic regulator of the data controller; and
• consider transfer via an MLAT as, in some cases, it may be possible to request that the requesting court or regulator requests data via an MLAT or other international agreement.

22. What are the sanctions and penalties for non-compliance with data protection laws?

Poland

There is a tiered approach to penalties for breaches of the GDPR. This permits data protection authorities to impose fines for some infringements of up to the higher of 4 per cent of annual worldwide turnover and €20 million (eg, for breach of requirements relating to cross-border transfers or the principles for processing, such as conditions for consent). Other specified infringements attract a fine of up to the higher of 2 per cent of annual worldwide turnover and €10 million.

The GDPR contains a list of points to consider when imposing fines, such as the nature, gravity and duration of the infringement.

A data subject who suffers material or non-material damage as a result of a breach of the GDPR by a controller may bring a civil claim for compensation.

New PPDA provides for criminal sanctions for prohibited and unauthorised processing and for jeopardising or impeding an inspection by the supervisory authority.

A criminal fine, restriction of personal liberty or imprisonment of up to two years (three years if processing concerns specific categories of data) can be imposed on an individual as a result of unlawful data processing (ie, processing of personal data even though its processing is not admissible or without authorisation).

A criminal fine, restriction of personal liberty or imprisonment of up to two years may be also imposed on persons hindering inspection proceedings.

23. Provide a list of relevant materials, including any decisions or guidance of the data protection authority in your jurisdiction regarding internal and external investigations, and transfers to regulators or enforcement authorities within and outside your jurisdiction.

Poland

EU General Data Protection Regulation (2016/679).

Statement of the Polish Supervisory Authority on consent as legal basis for data processing (in Polish only).

Guidelines of the Polish Supervisory Authority on personal data processing in the context of employment (in Polish only).