Blog

Data protection

The President of the Personal Data Protection Office imposed a penalty for the incorrect organisational position of the data protection officer 

The data protection officer (DPO) has to report to the highest management level and cannot simultaneously perform functions related to IT auditing or security in order to avoid conflicts of interest. Does your organisation comply with these rules?

Data protection

Polish DPA bans Meta from processing personal data of two public figures for displaying deepfake ads

The text discusses two landmark decisions by the Polish Data Protection Authority (DPA) regarding Meta’s use of data from two public figures in deepfake advertisements on Facebook and Instagram. These cases highlight the strict enforcement of data protection laws in Poland, particularly in the context of unauthorized data use and the impact on individuals’ privacy and reputation.

Data protection

Asking Customers to Provide Courtesy Titles and GDPR - Conclusions from the CJEU Advocate General's Opinion concerning Case C-394/23

Asking customers to provide courtesy titles (such as ‘Mr’, ‘Miss’, ‘Mrs’) is a common business practice, which is particularly popular in the e-commerce sector, where these details, usually collected at the time of purchasing goods or ordering a service, are used for personalisation of any follow-up communication with the customer. Collecting and retaining information concerning the way a particular person wants to be addressed is processing of their personal data. This results in the need to ensure the compliance of such data collection with the EU data privacy law. The recent opinion of the Advocate General of the CJEU in Case C-394/23 can provide crucial guidelines for controllers who wish to address their customers using the provided titles.

Data protection

Sector audit plan: How to prepare for the audit carried out by the President of the PPDPO?

The President of the Polish Personal Data Protection Office has published the annual sector audit plan for 2024. Entities processing personal data using Internet (web) applications, and private entities with regard to fulfilling information obligations under Articles 13-14 of the GDPR, should be prepared for the audit.

Cybersecurity
Data protection

The Digital Services Act (DSA) and combating disinformation – 10 key takeaways

The scale of online disinformation is widely considered to be one of the most important challenges in terms of providing users with a “safe, predictable, and trusted online environment”.

Data protection

The European Commission has issued a decision on the adequate level of protection under the EU-US Data Privacy Framework

The Commission’s decision of 10 July, 2023, on the adequate level of protection of personal data under the EU-US Data Privacy Framework restores legal certainty for businesses that transfer personal data to US-based entities in the course of their activity.

Data protection

DPA decisions imposing administrative fines annulled

Two of the most severe fines ever imposed by the President of the Personal Data Protection Office (DPA) for violations of the General Data Protection Regulation (GDPR) have been overturned in court proceedings. In both cases, the fines concerned a failure to implement adequate safeguards for personal data protection.

Data protection

The GDPR and new technologies law – the ten most significant trends and legislative developments in 2023

Data protection

Privacy issues in new rules on remote work and sobriety checks

New rules on remote work and sobriety checks at the workplace will soon be adopted. Employers will be required to adopt internal regulations on remote work and a procedure for the protection of personal data when work is performed remotely. As for sobriety checks, employers will need to add sobriety check rules to work regulations and will be allowed to collect limited employee data in this respect.

Data protection

The Polish DPA fines a controller for not verifying a processor and for not concluding a data processing agreement

In September, the Polish DPA issued a decision fining a controller (a cultural institution) PLN 2500 for engaging a processor without concluding a data processing agreement in writing and without verifying whether the processor provided sufficient guarantees for the implementation of appropriate technical measures.

Data protection

Data controllers have to verify processors under GDPR – some remarks on Fortum case

In a decision of 19 January 2022, the President of the PDPO placed an administrative fine of PLN 4 911 732 on Fortum Marketing and Sales Polska SA as a controller, and PLN 250 135 on PIKA sp. z o.o. as a processor. In this case, the President of the PDPO imposed the highest fine yet imposed on a controller. This is an important decision both for users of outsourcing services and service providers.

Data protection

Is the Polish DPA competent to adjudicate matters concerning incidents that occurred prior to 25 May 2018?

The NSA has issued a judgment on the competence of the President of the PDPO to adjudicate matters concerning incidents that occurred prior to 25 May 2018.