Personal data protection law

About this practice area

Personal data protection has been our forte for years. With the entry into force of the General Data Protection Regulation (GDPR), the legal issues relating to data protection have gained paramount importance. The GDPR has entirely changed the approach to personal data protection, making entrepreneurs and public entities take specific, extensive measures. The requirements increase with the spread of new technologies that use personal data. Activities in this area must be adapted to comply with personal data protection laws.

We provide a wide range of services related to the implementation and application of the GDPR. We treat personal data as one of the essential assets of an enterprise or information resources of a public entity, requiring protection which invariably depends on the specifics of a particular organization. Our approach brings tangible results to our Clients. We have successfully implemented the GDPR in more than 100 organizations. We have also acted in many proceedings before the President of the Polish Personal Data Protection Office (UODO, formerly the Inspector General for Personal Data Protection) and in judicial and administrative proceedings.

What do we do?
  • We carry out compliance audits and internal training,
  • We prepare the full documentation, including the privacy policy, data protection policy, security policy, instructions, and internal regulations of an organization,
  • We assist with devising management processes and advise on innovative projects, including cloud computing, big data, data anonymization or the use of biometric data,
  • We draft agreements on the protection of personal data and databases, including agreements on data processing, data sharing, data transfer, intra-corporate contracts, brokerage contracts, etc.,
  • We play a role in the fulfillment of specific data protection obligations, such as managing data breaches or conducting balancing tests,
  • We advise on the implementation of data protection and privacy with regard to the provision of services by electronic means,
  • We develop a strategy for the cross-border transfer of personal data and binding corporate rules and data transfer agreements, and provide support in obtaining relevant authorizations from the supervisory authority.

Cooperation benefits

Expert support means that a Client can significantly reduce or even completely eliminate the risk of violating personal data processing rules. With the help of our experts, your organization can quickly identify areas which require additional attention. It will also take measures based on informed decisions, knowing that every effort is made to ensure that personal data are secure and processed in accordance with the law.

Our team ensures the highest quality of service. Our knowledge and skills have been repeatedly recognized in prestigious legal rankings. In 2020, we were mentioned with distinction in The Legal 500 in the category Data Privacy and Data Protection. Xawery Konarski, attorney at law, earned an individual distinction in the 2020 Chambers Europe ranking on the protection of personal data.

With the support of experts, every company can be confident that it processes personal data in an entirely legal manner.

There is no point in risking severe fines, which – as practice has shown – are actually imposed.

Why choose us?

We provide:

  • a comprehensive approach to data protection,
  • extensive experience – implementation of the GDPR in more than 100 different entities,
  • professional support in proceedings before the President of the Personal Data Protection Office and in judicial and administrative proceedings,
  • constant control over the timeliness of the proposed solutions,
  • the possibility of obtaining rapid emergency consultation and support during an inspection,
  • expertise and professional experience confirmed by high positions in legal rankings.

Related articles

23 Aug 2024

Asking Customers to Provide Courtesy Titles and GDPR - Conclusions from the CJEU Advocate General's Opinion concerning Case C-394/23

Asking customers to provide courtesy titles (such as ‘Mr’, ‘Miss’, ‘Mrs.’) is a common business practice, which is particularly popular in the e-commerce sector, where these details, usually collected at the time of purchasing goods or ordering a service, are used for personalisation of any follow-up communication with the customer. Collecting and retaining information concerning the way a particular person wants to be addressed is processing of their personal data. This results in the need to ensure the compliance of such data collection with the EU data privacy law. The recent opinion of the Advocate General of the CJEU in Case C-394/23 can provide crucial guidelines for controllers, who wish to address their customers using the provided titles.

14 Mar 2024

Sector audit plan: How to prepare for the audit carried out by the President of the PPDPO?

The President of the Polish Personal Data Protection Office has published the annual sector audit plan for 2024. Entities processing personal data using Internet (web) applications and private entities in the extent of fulfilling information obligations under Articles 13-14 of the GDPR should be prepared for the audit.

12 Sep 2023

The European Commission has issued a decision on the adequate level of protection under the EU-US Data Privacy Framework

The Commission’s decision of 10 July, 2023, on the adequate level of protection of personal data under the EU-US Data Privacy Framework restores legal certainty for businesses that transfer personal data to US-based entities in the course of their activity.

22 Jun 2023

XXI Rzeczpospolita Law Firm Ranking

TKP named among leading law firms in XXI Rzeczpospolita ranking. TKP had no less than nine leaders across four disciplines, placing it fourth in the TOP 11 law firm listing.

The jury in the ranking named TKP as the top law firm in Poland in four categories:

05 Jun 2023

DPA decisions imposing administrative fines annulled

Two of the most severe fines ever imposed by the President of the Personal Data Protection Office (DPA) for violations of the General Data Protection Regulation (GDPR) have been overturned in court proceedings. In both cases, the fines concerned a failure to implement adequate safeguards for personal data protection.

25 May 2023

The GDPR five years later: Five successes, and five failures

It has now been five years since the EU data protection regulation came into effect – and thus it is time for a summary of what works well, and what needs fixing. We have prepared a brief overview of the successes and failures of the GDPR.

What has worked?

28 Jan 2023

The GDPR and new technologies law – the ten most significant trends and legislative developments in 2023

Below are details of the ten most significant initiatives of data protection authorities, legislative proposals, and trends that are expected to have major implications as regards application of the GDPR in the new technologies sector in 2023.

21 Dec 2022

Privacy issues in new rules on remote work and sobriety checks

New rules on remote work and sobriety checks at the workplace will soon be adopted. Employers will be required to adopt internal regulations on remote work and a procedure for the protection of personal data when work is performed remotely. As for sobriety checks, employers will need to add sobriety check rules to work regulations and will be allowed to collect limited employee data in this respect.

15 Nov 2022

Deadline for switching to new SCCs for data transfer of 27 December, 2022

The EC's new standard contractual clauses (SCCs) for data transfer to third countries were adopted in June 2021. Institutions that transfer personal data to third countries are required to replace the current clauses, based on the old rules, with the new updated templates published by the EC by 27 December, 2022. A range of measures are required for controllers or processors to implement the SCCs correctly, such as selecting the appropriate clause module.

28 Oct 2022

The Polish DPA fines a controller for not verifying a processor and for not concluding a data processing agreement

In September, the Polish DPA issued a decision fining a controller (a cultural institution) PLN 2500 for engaging a processor without concluding a data processing agreement in writing and without verifying whether the processor provided sufficient guarantees for the implementation of appropriate technical measures.

29 Apr 2022

Data controllers have to verify processors under GDPR – some remarks on Fortum case

In a decision of 19 January 2022, the President of the PDPO placed an administrative fine of PLN 4 911 732 on Fortum Marketing and Sales Polska SA as a controller, and PLN 250 135 on PIKA sp. z o.o. as a processor. In this case, the President of the PDPO imposed the highest fine yet imposed on a controller. This is an important decision both for users of outsourcing services and service providers.

28 Apr 2022

Is the Polish DPA competent to adjudicate matters concerning incidents that occurred prior to 25 May 2018?

The NSA has issued a judgment on the competence of the President of the PDPO to adjudicate matters concerning incidents that occurred prior to 25 May 2018.