07 Jul 2022

Is the use of cookie walls acceptable? A few words about the new CNIL position

The use of cookies and other trackers by website operators is of interest to supervisory authorities. The French supervisory authority, the Commission Nationale Informatique et Libertés, recently commented on this in detail. In this article I set out the authority's position.

29 Apr 2022

Data controllers have to verify processors under GDPR – some remarks on Fortum case

In a decision of 19 January 2022, the President of the PDPO imposed an administrative fine of PLN 4 911 732 on Fortum Marketing and Sales Polska SA as a controller, and PLN 250 135 on PIKA sp. z o.o. as a processor. This is the highest fine the President of the PDPO has yet imposed on a controller. This is an important decision both for users of outsourcing services and service providers.

27 Apr 2022

A former employee is not a trusted data recipient – the Polish DPA ruling in the Santander Bank Polska SA case

The President of the PDPO has imposed an administrative fine on Santander Bank Polska SA of PLN 545 000 for a breach of article 34(1) of the GDPR. The President of the PDPO stated that a former employee is not a trusted data recipient and that although the persons affected by this breach are not specifically defined, this does not hinder compliance with article 34 of the GDPR.

21 Dec 2021

Processing of personal data on the Internet – the Polish regulator’s perspective

Over the last few years, the European Court of Justice has issued a number of important judgments relating to the processing of personal data on the Internet (Wirtschaftsakademie, Fashion ID, and Planet49). The European Data Protection Board has also issued a number of guidelines in this area (for example for processing personal data of social […]

08 Jun 2021

Court ruling confirms that an inspection by the DPA cannot be questioned or impeded

The court ruling confirms that the inspected entity cannot question the reasons for the inspection of the DPA or its scope. The Voivodship Administrative Court in Warsaw confirmed the DPA’s decision to impose a fine of PLN 100,000 (around EUR 22,000) on the Surveyor General for preventing the DPA from conducting an inspection at the […]

01 Jun 2022

The Polish DPA fines both the controller and the processor for the first time

In January 2022, the Polish DPA issued a decision in which it imposed an administrative fine on both a controller (Fortum Marketing and Sales SA) and a processor (Pika sp. z o.o.). The controller was fined over PLN 4,900,000 (around EUR 1,050,000) – the highest fine imposed by the Polish DPA yet – and the […]

28 Apr 2022

Is the Polish DPA competent to adjudicate matters concerning incidents that occurred prior to 25 May 2018?

The NSA has issued a judgment on the competence of the President of the PDPO to adjudicate matters concerning incidents that occurred prior to 25 May 2018.

04 Apr 2022

Sectoral inspections planned by the President of the Personal Data Protection Office in 2022

Banks and entities providing mobile applications should prepare for possible inspections by the Personal Data Protection Office (DPA). We present the scope of potential inspections and tips on how to prepare below. Following the approved sectoral inspections plan, the President of the Personal Data Protection Office intends to perform inspections, primarily in two areas: processing […]

05 Nov 2021

Legal uncertainty over collection of information on vaccination against COVID-19 by employers

Although a significant number of SARS-CoV-2 infections occur in the workplace, there are still no regulations in Poland allowing employers to collect information on their employees’ vaccine status. This creates legal uncertainty for employers. Information on a person’s vaccine status is an element of information on health, and thus is a special category of data […]