Poland

LEG-01:

Legislation enacted specifically for data privacy?
– Act of August 29, 1997 on the Protection of Personal Data (PPD).
Notes: Article 5–“Should the provisions of any separate laws on the processing of data provide for more effective protection of the data than the provisions hereof, the provisions of those laws shall apply”.

LEG-02:

Other legislation enacted that has sections that have some effect on data privacy?
– The Constitution of the Republic of Poland of 2nd APRIL, 1997 (Constitution).
– Telecommunications Act 2004.
– Act of 18 July, 2002 on Providing Services by Electronic Means (SEM).
– The Act of 7 May 2010 on supporting the development of telecommunications services and networks (TSN).

LEG-03:

The country is a member of an organisation that implements guidelines for data privacy. Note: These are guidelines only; each country that agrees and signs then needs to incorporate them into legislation in some form.
– OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
– EU Data Protection Directive 1995/46/EC (DPD).
– EU Privacy and Electronic Communications Directive 2002/58/EC (EUPEC).
– EU Regulation 45/2001/EC (CIB).
Notes: “Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data” is the full title of DPD.
“Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the Protection of Individuals With Regard to the Processing of Personal Data by the Community Institutions and Bodies and on the Free Movement of Such Data” is the full title of CIB.

LEG-04:

Local government has any Bills going through the legislative process.

LEG-05:

Regulations, standards or guidelines that are implemented and followed that have relation to data privacy.
– Convention on Cyber-crime 2001.
Notes: Signed but not implemented.

LEG-06:

Has other state laws related to privacy.

PRI-01:

There is a requirement to establish a privacy authority to oversee privacy issues.
Notes: Bureau of the Inspector General for Personal Data Protection.

PRI-02:

There is a requirement to establish a privacy commissioner.
– PPD Article 8 1.
Notes: Inspector General for Personal Data Protection (GIODO).

PRI-03:

The functions of the authority clearly set out.
– PPD Article 12, 14.
– CIB Article 46.

PRI-04:

There is a requirement that each company establishes its own privacy officer to ensure the company complies with policy.
– PPD Article 36a 1.
Notes: No longer compulsory; if a data protection officer is appointed and registered with the General Inspector, the data controller is not obliged to register the data filing system with the General Inspector.

PRI-05:

Contact details of the privacy officer are made available.

PRI-06:

Each company to have an internal privacy policy proposed and displayed.

PRI-07:

An internal audit process is outlined for each company.

PCP-01:

“Personal Information” is defined which gives examples and a clear outline.
– Personal Data Protection Act 2007 Article 6.
Notes: Personal Data.

PCP-02:

“Sensitive Information” is defined which gives examples and a clear outline.

PCP-03:

Other types of information are defined that are viewed differently to personal or sensitive information.

PCP-04:

Consent is required from the individual involved.
– Personal Data Protection Act 2007 Article 7 5), 23 1 1).
– CIB Article 5 (d).

PCP-05:

Type of consent required is either explicit or implicit.

PCP-06:

Consent needs to be written or verbal.

PCP-07:

Level of consent is different for different age groups.

PCP-08:

Consent may be withdrawn at any time.
– Personal Data Protection Act 2007 Article 7 5).

PCP-09:

The purpose is explained to the individual which must be a lawful purpose.
– Personal Data Protection Act 2007 Article 24 1 2).

PRO-01:

Individual has the ability to access their data by request.
– Constitution Article 51 3.
– Personal Data Protection Act 2007 Article 24 1 3).
– SEM Article 32 1.
– CIB Article 13.

PRO-02:

Individual has the ability to update or amend their data for accuracy.
– Constitution Article 51 4.
– Personal Data Protection Act 2007 Article 24 1 3).
– SEM Article 32 1.
– CIB Article 14.

PRO-03:

Data can be sent to a third party for processing.
– Personal Data Protection Act 2007 Article 31.
– CIB Article 9 1, 6.

PRO-04:

Data is only used for the purposes outlined at the pre-collection stage.
– Personal Data Protection Act 2007 Article 23 2.
– CIB Article 6 1.

PRO-05:

Encryption is used for the processing of data to ensure anonymity.
– Personal Data Protection Act 2007 Article 36 1.
– Telecommunications Act 2004 Article 175.
Notes: Although encryption is not specified, encryption may be used if it is seen as a useful precaution.

PRO-06:

Unique identifiers can be used.

PRO-07:

Information may not be disclosed, sold or interfered with.
– Personal Data Protection Act 2007 Article 36 1.
– SEM Article 20 1 2).
– Telecommunications Act 2004 Article 180a 1 3).
– CIB Article 22 2.

PRO-08:

Offences are set out to deal with disclosure or other interference with data during the processing stage.
– Personal Data Protection Act 2007 Chapter 8.
– SEM Chapter 5.
– Telecommunications Act 2004 Article 209, 210.

PRO-09:

A complaints process is set up to deal with any breach of privacy.
– SEM Article 8 3 4).
– Telecommunications Act 2004 Article 101 2.
Notes: Chapter 4 of the Telecommunications Act 2004 sets out “Dispute Resolution Methods”.

STO-01:

All data is stored with at least a “reasonable” level of security.
– Personal Data Protection Act 2007 Article 36 1, 36a.
– Telecommunications Act 2004 Article 175.
– CIB Article 22 1.
Notes: Personal Data Protection Act 2007 Article 36a sets out duties of an “Administrator of Information Security”.

STO-02:

Encryption techniques used to store data.
– Personal Data Protection Act 2007 Article 36 1.
– Telecommunications Act 2004 Article 175.
– CIB Article 4 1 (e).
Notes: Although encryption is not specified, encryption may be used if it is seen as a reasonable protection method.

STO-03:

Data can be transferred to third-parties to use.
– Personal Data Protection Act 2007 Article 31.
– CIB Articles 7 – 9.

STO-04:

Data can be stored offshore in a different country.
– Personal Data Protection Act 2007 Chapter 7.
– CIB Article 22 1.

STO-05:

Data can be stored off site but in the same country.
– Personal Data Protection Act 2007 Article 36 1.
– CIB Article 22 1.
Notes: Although storage is not specified, storage may be off site if it is seen as a useful precaution.

STO-06:

Information is only kept by the collection agency for the least amount of time necessary for the outlined purpose to be fulfilled.
– Personal Data Protection Act 2007 Article 35.
– SEM Article 12 3.
– Telecommunications Act 2004 Article 180a 1 1).
– CIB Article 4 1 (e).

STO-07:

Policies are in place for destroying data once consent is withdrawn or the data is no longer needed.

STO-08:

Offences are set out to deal with disclosure or other interference with data while it is stored.
– Personal Data Protection Act 2007 Chapter 8.
– SEM Chapter 5.
– Telecommunications Act 2004 Article 209, 210.

STO-09:

Notification has to be given to individuals in case of a data breach.
– Telecommunications Act 2004 Article 174a 3, 5.

STO-10:

Policy in place in case data collection agency ceases to operate.

STO-11:

Policy in place in case data collection agency is sold.

SPM-01:

A clear unsubscribe feature is available.

SPM-02:

Commercial electronic messages contain clear and accurate contact information about the sender.
– SEM Article 9 1, 2.

SPM-03:

Subject line to be clear and not misleading.
– SEM Article 9 1, 2.

SPM-04:

Addresses are obtained legally, not using means such as address harvesting tools and other software to obtain them.

SPM-05:

A form of a “Do Not Call” register is in place.

SPM-06:

Unsolicited commercial electronic messages are prohibited within the country.
– SEM Article 10 1.

SPM-07:

Unsolicited commercial electronic messages are prohibited to other countries.

INT-01:

A data collection agency is required to notify the individual if it has been requested to hand over personal information.

INT-02:

A data collection agency can refuse to turn over personal information.

INT-03:

A warrant is needed to have the ability to intercept personal data.

INT-04:

Network operators and service providers have network design guidelines to follow to allow for interception execution.
– Telecommunications Act 2004 Article 137, 138.

INT-05:

External countries have the ability to intercept data with permission from the host country.
– Telecommunications Act 2004 Article 176a 2 2).