GDPR and the Internet – 10 Key Judgments of the Supreme Administrative Court and the Court of Justice of the European Union
10 Key Judgments of the Supreme Administrative Court and the Court of Justice of the European Union

We are pleased to present the annual study “New Technologies (2026) – Legislation and Regulation in Poland and the European Union (A to Z),” prepared by Xawery Konarski.




The data protection officer (DPO) has to report to the highest management level and cannot simultaneously perform functions related to IT auditing or security in order to avoid conflicts of interest. Does your organisation comply with these rules?

The text discusses two landmark decisions by the Polish Data Protection Authority (DPA) regarding Meta’s use of data from two public figures in deepfake advertisements on Facebook and Instagram. These cases highlight the strict enforcement of data protection laws in Poland, particularly in the context of unauthorized data use and the impact on individuals’ privacy and reputation.

Asking customers to provide courtesy titles (such as ‘Mr’, ‘Miss’, ‘Mrs.’) is a common business practice, which is particularly popular in the e-commerce sector, where these details, usually collected at the time of purchasing goods or ordering a service, are used for personalisation of any follow-up communication with the customer. Collecting and retaining information concerning the way a particular person wants to be addressed is processing of their personal data. This results in the need to ensure the compliance of such data collection with the EU data privacy law. The recent opinion of the Advocate General of the CJEU in Case C-394/23 can provide crucial guidelines for controllers, who wish to address their customers using the provided titles.

The President of the Polish Personal Data Protection Office has published the annual sector audit plan for 2024. Entities processing personal data using Internet (web) applications, and private entities with regard to fulfilling their information obligations under Articles 13-14 of the GDPR, should be prepared for the audit.

The scale of online disinformation is widely considered to be one of the most important challenges in terms of providing users with a “safe, predictable, and trusted online environment”.

The Commission’s decision of 10 July 2023 on the adequate level of protection of personal data under the EU-US Data Privacy Framework restores legal certainty for businesses that transfer personal data to US-based entities in the course of their activity.

Two of the most severe fines ever imposed by the President of the Personal Data Protection Office (DPA) for violations of the General Data Protection Regulation (GDPR) have been overturned in court proceedings. In both cases, the fines concerned a failure to implement adequate safeguards for personal data protection.


New rules on remote work and sobriety checks at the workplace will soon be adopted. Employers will be required to adopt internal regulations on remote work and a procedure for the protection of personal data when work is performed remotely. As for sobriety checks, employers will need to add sobriety check rules to work regulations and will be allowed to collect limited employee data in this respect.

In September, the Polish DPA issued a decision fining a controller (a cultural institution) PLN 2500 for engaging a processor without concluding a data processing agreement in writing and without verifying whether the processor provided sufficient guarantees for the implementation of appropriate technical measures.