The plan sets out to monitor:
- Authorities processing personal data in the Schengen Information System and the Visa Information System – the processing of SIS/VIS personal data pursuant to the provisions of the Act of 24 August 2007 on the participation of the Republic of Poland in the Schengen Information System and the Visa Information System (Journal of Laws of 2023, item 1355), implementing acts and European Union regulations.
- Entities processing personal data using web applications – methods of securing and making available personal data processed in connection with the use of the applications – continuation of the 2023 inspection
- Private entities – compliance with the information obligation set out in Articles 13 and 14 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119, 4 May 2016, p. 1, as amended)
All the entities listed above should therefore take steps to verify whether they comply with the obligations imposed on them by the GDPR, Polish data protection regulations and the regulations specified above.
Private entities that process personal data in any way, regardless of the nature of their business, are covered by the above plan and may be subject to inspection regarding compliance with the information obligation set out in Articles 13 and 14 of the GDPR. In the case of operating a website or web application, this obligation is most commonly fulfilled through the provision of a privacy policy.
The concept of a privacy policy is widely known and understood, yet there remains considerable uncertainty as to whether it should be implemented. However, this policy contains a set of legally required information which specifies the purposes and legal bases for the processing of personal data (for example, of users, customers, subscribers) and provides them with information on who will process their data and when.
Article 13 of the GDPR applies to situations where the personal data of the data subject is collected from that person, whilst Article 14 of the GDPR applies where the personal data of the data subjects has not been obtained from the data subject.
What information, then, must the controller provide to fulfil this obligation?
- their identity and contact details and, where applicable, the identity and contact details of their representative;
- where applicable, the contact details of the data protection officer;
- the purposes of the processing of personal data and the legal basis for the processing (as set out in Article 6 of the GDPR);
- if the processing is carried out on the basis of Article 6(1)(f) – that is, where processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party – the legitimate interests pursued by the controller or by a third party;
- information about the recipients of personal data (i.e. to whom the data is further disclosed) or about the categories of recipients, if any;
- where applicable – information on the intention to transfer personal data to a third country or an international organisation and on the Commission’s determination or lack thereof of an adequate level of protection, or, in the case of a transfer referred to in Article 46, Article 47 or the second subparagraph of Article 49(1), a reference to the appropriate or suitable safeguards and information on how to obtain a copy of the safeguards or where they are made available;
- the period for which the personal data will be stored, and where this is not possible, the criteria for determining that period;
- information on the right to request from the controller access to personal data concerning the data subject, their rectification, erasure or restriction of processing, or the right to object to processing, as well as the right to data portability;
- where processing is based on Article 6(1)(a) or Article 9(2)(a) – information regarding the right to withdraw consent at any time without affecting the lawfulness of processing carried out on the basis of consent prior to its withdrawal;
- information regarding the right to lodge a complaint with a supervisory authority;
- information as to whether the provision of personal data is a statutory or contractual requirement or a condition for entering into a contract, and whether the data subject is obliged to provide such data and what the possible consequences of failure to provide the data are;
- information on automated decision-making, including profiling, as referred to in Article 22(1) and (4), and – at least in those cases – meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject;
- if the controller intends to further process personal data for a purpose other than that for which the personal data were collected, prior to such further processing, the controller shall inform the data subject of that other purpose and provide the data subject with any other relevant information referred to above.
Where personal data is processed in relation to individuals from whom the data was not obtained directly, the data subject must also be informed of the source of the personal data and, where applicable, whether it originates from publicly available sources.
Therefore, to avoid the risk of the Personal Data Protection Office (UODO) taking action following an inspection, any entity operating a website, sub-page, online shop or web application that comes into possession of users’ personal data should first verify whether a privacy policy has been posted on the site (something which, unfortunately, businesses often overlook).
It should be borne in mind that breaches of personal data protection are subject to heavy financial penalties, as well as the possibility of criminal liability. Furthermore, every data subject has the right to an effective legal remedy before a court if they consider that their rights under the GDPR have been infringed as a result of the processing of their personal data in breach of the GDPR.
You can read more about the penalties for breaches of personal data protection HERE.
Frequently asked questions
Can my company be inspected by the Personal Data Protection Office this year?
Yes, the inspection plan for 2024 includes private entities processing personal data, including those operating websites or applications. The Personal Data Protection Office (UODO) verifies whether the information obligation specified in personal data protection regulations is fulfilled.
Why should my website have a privacy policy?
A privacy policy is the most commonly used form of fulfilling the information obligation towards users. It contains legally required information about the purposes of data processing and the identity of the controller, which is crucial for legal compliance.
What specific information must I provide to individuals whose data I process?
The controller should provide their identity, purposes of data processing, legal basis, and the period of information storage. It is also necessary to inform about the rights of the data subject, such as the right to access, rectification, or to object.
Do I face penalties for lacking a privacy policy on my company website?
High financial sanctions are provided for violations of personal data protection, and in extreme cases, criminal liability. Additionally, the data subject may file a complaint to court if they believe their rights have been violated.
What must I do if I obtain personal data not directly from the individuals?
In such cases, it is additionally necessary to inform the data subject about the source of their personal data. If the data comes from publicly available sources, this should also be mentioned as part of the information obligation.
Running a company with a matter to resolve?
That is where most conversations with a lawyer begin. A consultation is paid, PLN 600 net. You pay for a real opinion: whether you have a legal problem, what you can do about it and roughly what it costs. It ties you to nothing further, and you do not need to know the law, that part is on us.
- 1 Talk
You tell us what is going on, in your own words.
- 2 What next
We tell you your options and what it costs.
- 3 We act
You give the go-ahead and the matter is ours.
Specializes in corporate services for business entities and personal data protection. Assists the firm's clients in the preparation of all corporate documentation, including the registration of commercial companies and the further registration of changes, and provides ongoing and comprehensive advice on business. Provides advice in carrying out transformation processes of commercial companies, including transformations and mergers. Prepares and gives opinions on contracts, regulations and current documentation…
View profile →