POLAND

ACT
of August 29,1997

on the Protection of Personal Data

 

CHAPTER 1
General Provisions

 

Article 1

1. Any person has a right to have his personal data protected.
2. The processing of personal data can be carried out in the public interest, the interest of the data subject, or the interest of any third party, within the scope and subject to the procedure determined by the Act.

Article 2

1. The Act shall determine the code of conduct for the processing of personal data and the rights of natural persons whose personal data is or can be processed as a part of a filing system.
2. The Act shall apply to the processing of personal data of computer systems and other files, indices, books, lists, and other registers.
3. With regard to the personal data files prepared ad hoc, exclusively for technical, training, or higher education purposes, where the data after being used are immediately removed or rendered anonymous, the provisions of Chapter 5 shall apply.

Article 3

1. The Act shall apply to state authorities and local government authorities, as well as to other state and municipal organisation units and non governmental entities involved in public activities.
2. The Act shall also apply to natural and legal persons, and organisational units without the status of a legal person involved in the processing of data as a part of their business or professional activity or the implementation of statutory objectives.
3. The Act shall apply to the entities referred to in paragraph 1 and 2 above having or not having the seat or domiciled or not domiciled on the territory of the Polish Republic involved in the processing of data by means of technical devices located on the territory of the Polish Republic.
4. The Act shall not apply to natural persons involved in the processing of data in the exercise of activities which are exclusively personal or domestic.

Article 4

The provisions of the Act shall apply, unless any international agreement executed by the Polish Republic states otherwise.

Article 5

Should the provisions of any separate laws on the processing of data provide for more effective protection of the data than the provisions hereof, the provisions of those laws shall apply.

Article 6

Within the meaning of the Act, the personal data shall mean any information relating to a natural person which allows for determining the identity of such person.

Article 7

Whenever in this Act the reference is made to any of the following, it shall mean:
1. "data filing system" shalI mean any structured set of personal data which are accessible according to specific criteria, whether centralised, decentralised or dispersed on a functional basis;
2. "processing of data" shall mean any operation which is performed on upon personal data, such as collection, recording, storage, organisation, alteration, disclosure and erasure, and in particular those performed in the computer files;
3. "data erasure" shall mean destruction of personal data or such modification which would prevent determining the identity of the data subject;
4. "controller" shall mean a body, institution, organisational unit, entity or person referred to in Article 3.1 and 3.2 who decides on the purposes and means of the processing of personal data;
5. "the data subject's consent" shall mean a declaration of will by which the data subject signifies his agreement to personal data relating to him being processed; the consent cannot be alleged or presumed on the basis of the declaration of will of other content.


CHAPTER 2

Supervisory Authority for Personal Data Protection

Article 8

1. The supervisory authority for the protection of personal data shall be the General Inspector for Personal Data Protection, hereinafter called "General Inspector".
2. General Inspector is appointed and discharged by the Sejm of the Polish Republic with the consent of the Senate.
3. The candidate for General Inspector has to meet all of the following criteria:

1. be a Polish citizen, residing on the territory of the Polish Republic;
2. have an impeccable morale;
3. be a graduate of law faculty and have an appropriate professional experience;
4. have no criminal record.

4. With regard to the performance of the duties of General Inspector, he shall be responsible solely within the light of the Law.
5. General Inspector is appointed for the period of 4 years commencing on the date of affirmation. After the expiry of his term General Inspector shall continue to perform his duties until the new General Inspector is appointed.
6. The same person cannot perform the duties of General Inspector for more than two consecutive terms.
7. The term of General Inspector shall expire at his death; discharge or the loss of the status of a Polish citizen.
8. The Sejm, with the consent of the Senate may discharge General Inspector in case of:

1) his resignation;
2) his becoming permanently unable to perform his duties due to illness;
3) his being in breach of the provisions of his affirmation;
4) his being sentenced pursuant to a valid in law court decision for committing a crime.

Article 9

Prior to performing his duties, General Inspector shall deliver to the Sejm of the Polish Republic the following affirmation:

"Taking up the post of General Inspector for Personal Data Protection I hereby solemnly promise to observe the provisions of the Constitutional Act of the Polish Republic, to safeguard the right to protection of personal data, and to fulfil the duties of General Inspector with due care and without prejudice."

The affirmation can end with the words: "and so may God help me."

Article 10

1. General Inspector may not hold any other post except for the post of a university professor,or perform any other profession.
2. General Inspector may not be a member of any political party or trade union, or be involved in any public activity which cannot be combined with the honour of General Inspector post.

Article 11

General Inspector may not be held responsible before criminal court or deprived of liberty without the prior consent of the Sejm. General Inspector may not be detained or arrested, except when apprehended red-handed and his detention is necessary to observe the due course of proceedings. In such case the Marshal of the Sejm has to be notified immediately and may order General Inspector to be immediately released.

Article 12

The duties of General Inspector shall include in particular:

1) ensuring the compliance of data processing with the provisions of the act on the protection of personal data;
2) issuing administrative decisions and consideration of complaints with respect to the enforcement of the regulations on the protection of personal data;
3) keeping the register of data filing systems and providing information on the registered data filing systems;
4) issuing opinions on draft laws and regulations with respect to the protection of personal data;
5) initiating and undertaking activities aimed at more efficient protection of personal data;
6) participating in the work of international organisations and institutions involved in personal data protection.

Article 13

1. General Inspector shall perform his duties assisted by the Bureau of General Inspector for Personal Data Protection, hereinafter called the Bureau.
2. General Inspector and the employees of the Bureau, hereinafter called the inspectors, are obliged to provide sufficient protection of the information constituting state or trade secrets, disclosed to them during the inspection of data processing activities.
3. Organisation and rules of operations of the Bureau shall be determined in the statute of the Bureau, by a regulation of the President of the Polish Republic.

Article 14

To perform the duties referred to in Article 12.1 and 12.2 General Inspector or inspectors authorised by General Inspector shall enjoy the following powers, and in particular:

1) The power to enter, from 6 a.m. through 10 p.m., after presenting the adequate personal authorisation and service identity card, any premises where the registered data filing system is being kept and to perform necessary examination or other inspection activities to assess the compliance of the data processing activities with the Act;
2) The power to demand written or oral explanation and the power to summon and hear any person with regard to determining the actual state of things;
3) The power to demand presentation of documents and any data relating to the subject of the control;
4) The power to demand that any devices, data carriers, and automatic systems of data processing be submitted for the purpose of examination;
5) The power to order expert analysis and opinions to be prepared.

Article 15

The manager of the unit being the subject of the inspection and any natural person acting as a controller of personal data undergoing the inspection are obliged to enable the inspector to perform the inspection, and in particular with regard to the activities referred to in Article 14.1-4.

Article 16

1. The inspector performing the inspection shall prepare the protocol of inspection. One copy of such protocol shall be delivered to the controller being the subject of inspection.
2. The protocol shall be signed by the inspector and the controller being the subject of such inspection. The latter may apply for his justified objections and comments being included in the protocol.
3. Should the controller being the subject of inspection refuse to sign the protocol, the inspector shall make a relevant entry with regard to such refusal on the protocol, whereas the controller may, within 7 days, present his objections in writing to General Inspector.

Article 17

1. Should, on the basis of the results of performed inspection, the inspector reveal any breach of the provisions on the protection of personal data, he shall request General Inspector to apply the measures referred to in Article 18.
2. On the basis of the results of performed inspection, the inspector may demand that disciplinary proceedings be instituted or that any other action provided by law be instituted against persons guilty of the negligence and to be notified, within the prescribed time, about the outcome of such proceedings or actions.

Article 18

1. Should the inspection reveal any breach of the provisions on the protection of personal data, General Inspector, on his own initiative or on request of the interested party, shall order the controller, by means of administrative decision, to restore the state compliant with the law, and in particular:

1) to eliminate any failure;
2) to complete, update, correct, disclose or keep confidential the personal data;
3) to apply additional measures protecting the personal data files;
4) to suspend the transmission of personal data to third countries;
5) to safeguard the data or to transfer them to other entities; or
6) to erase the personal data.

2. The decisions of General Inspector referred to in paragraph 1 above may not restrict the freedom of activities of entities submitting candidates or lists of candidates during the election to the Sejm, the Senate, or local government bodies between the date of the order to hold an election and the date of voting.
3. Should there exist any other legal regulations with regard to the activities referred to in paragraph 1 above, the provisions of such laws shall apply.

Article 19

Should the inspection reveal that the action or failure of the manager of organisational unit, its employee or any other natural person acting as the controller shows all the features of a crime within the meaning of the Act, General Inspector shall notify the prosecuting agency about the crime, enclosing the evidence confirming his suspicions.

Article 20

Every year General Inspector shall submit to the Sejm a report on his activities including his conclusions with respect to observance of the provisions of the act on protection of personal data.

Article 21

1. A party may apply to General Inspector for reconsidering its case.
2. The decision of General Inspector may be appealed against with the Supreme Administrative Court.

Article 22

The proceedings with respect to the matters regulated by this Act shall be conducted according to the provisions of the Code of Administrative Procedure, unless other provisions of the act state otherwise.

CHAPTER 3
The Principles of Personal Data Processing

Article 23

1. The processing of data is allowed only if:

1) the data subject has given his consent, unless the processing consists in erasure of personal data;
2) processing is allowed by the provisions of law;
3) processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps on request of the data subject prior to entering into a contract;
4) processing is necessary for the performance of the task carried out in the public interest and determined by law;
5) processing is necessary for the purposes of the legitimate interests pursued by the controller referred to in Article 3.2, provided that the processing of the data does not violate the rights and freedom of the data subject.

2. The consent referred to in paragraph 1.1 may include the data processing in the future, on the condition that the purpose of the processing remains the same.
3. Should the processing of data be necessary to protect the vital interests of the data subject and the condition referred to in paragraph 1.1 cannot be fulfilled, the data may be processed without the consent of data subject until such consent can be obtained.

Article 24

1. Collecting the personal data from the data subject the controller is obliged to provide a data subject from whom the data are collected with the following information:

1) the address of its seat and its full name, and in case the controller is a natural person about the address of his/her residence and his/her full name;
2) the purpose of collecting for which the data are intended, and in particular about the data recipients or categories of recipients, if known at the date of collecting;
3) the existence of the data subject's right of access and right to rectify the data concerning him;
4) whether the replies to the questions are obligatory or voluntary, and in case of existence of the obligation about its legal basis.

2. The provisions of paragraph 1 above shall not apply, should the law allow for the processing of data without the obligation to disclose the actual purpose for which the data are intended.

Article 25

1. Where the data have not been obtained from the data subject, the controller is obliged to provide the data subject, immediately after the recording of his personal data, with the following information:

1) the address of its seat and its full name, and in case the controller is a natural person about the address of his/her residence and his/her full name;
2) the purpose of collecting for which the data are intended and the scope of data collecting, and in particular about the data recipients or categories of recipients;
3) the source of data;
4) the existence of the data subject's right of access and right to rectify the data concerning him;
5) the powers resulting from Article 32 paragraph 1.7 and 1.8.

2. The provisions of Paragraph 1 shall not apply where:

1) the provisions of other law provide or allow for collecting the personal data without the need to notify the data subject;
2) the data which are being collected have been manifestly made public;
3) the data are necessary for scientific, didactic, historical, statistic or public opinion research, the processing of such data does not violate the rights or freedom of the data subject, and the fulfilment of the terms and conditions determined in paragraph 1 would involve disproportionate efforts or endanger the success of the research.
4) the controller does not intend to further processed the collected data after single use.

Article 26

1. The controller performing the processing of data should protect the interests of data subjects with due care, and in particular to ensure that:

1) the data are processed lawfully;
2) the data are collected for specified and legitimate purposes and no further processed in a way incompatible with the intended purposes, subject to the provisions of paragraph 2 below;
3) the data are relevant and adequate to the intended purposes for which they are processed;
4) the data are kept in form which permits identification of the data subjects no longer than is necessary for the purposes for which they are processed.

2. The processing of data for the purpose other than intended at the time of data collecting is allowed provided that it does not violate the rights and freedom of the data subject and is done:

1) for the purposes of scientific, didactic, historical or statistical research;
2) subject to the provisions of Article 23 and Article 25.

Article 27

1. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade-union membership, as well as the processing of data concerning health, genetic code, addictions or sex life is prohibited.
2. Processing of the data referred to in paragraph 1 above shall not constitute a breach of the act where:

1) the data subject has given his written consent, unless the processing consists in erasure of personal data;
2) the provisions of other law provide for the processing of such data without the need to request the data subject's consent and provide for adequate safeguards;
3) processing is necessary to protect the vital interests of the data subject or of another persons where the data subject is physically or legally incapable of giving his consent until the establishing of a guardian or curator;
4) processing is necessary for the purposes of carrying out the statutory objectives of churches and other religious unions, associations, foundations, and other non-profit-seeking organisations or institutions with a political, scientific, religious, philosophical, or trade-union aim and on condition that the processing relates solely to the members of those organisations or institutions or to the persons who have regular contact with them in connection with their purposes and subject to providing suitable safeguards of the processed data;
5) processing relates to the data necessary for the establishment of legal claims;
6) processing is necessary for the purposes of carrying out the obligations of the controller with regard to employment of his employees and other persons, and the scope of processing is determined by the law;
7) processing is required for the purposes of preventive medicine, the provision of care or treatment, where the data are processed by a health professional subject involved in treatment, other health care services, or the management of health care services and subject to providing suitable safeguards;
8) the processing relates to data which are manifestly made public by the data subject.

Article 28

1. The processing of data relating to criminal convictions, decisions on penalties, fines and other security measures issued in court or administrative proceedings may be carried out only pursuant to national law.
2. Serial numbers applied in the census may include only such features as sex, date of birth, consecutive number, and control number.
3. Assigning hidden meaning to the elements of serial numbers in the filing systems of data relating to natural persons is prohibited.

Article 29

1. In case of providing the access to the data for the purposes other than including into the data filing system, the controller referred to in Article 3.1 shall disclose the data kept in the filing system to persons or entities authorised by virtue of law.
2. Personal data, with the exclusion of data referred to in Article 27.1, may also be disclosed for the purposes other than including into the data filing system to persons and entities other than those referred to in paragraph 1 above, provided that such persons or entities present in a reliable manner their reasons for being granted the access to the data and that granting such access will not violate the rights and freedom of the data subjects.
3. Personal data are disclosed on written and justified request, unless the provisions of another law state otherwise. Such request should include information allowing for identification within the filing system the requested personal data and indicating their scope and purpose.
4. Disclosed personal data may be used only according to the purpose for which they have been disclosed.

Article 30

The controller may refuse the access to the personal data of the filing system to entities and persons other than those referred to in Article 29.1, if it would:

1) result in the disclosure of the information constituting a state secret;
2) pose a threat to national defence or security of the state, human life and health, public property, security, or order;
3) pose a threat to fundamental economic or financial interests of the state;
4) result in a substantial breach of personal rights of the data subjects or other persons.

Article 31

1. The controller may appoint other entity to carry out the processing of personal data pursuant to a contract executed in writing.
2. The entity, referred to in paragraph 1 above, may process the data solely within the scope and for the purpose determined in the contract.
3. The entity, referred to in paragraph 1, prior to processing the data shall be obliged to provide sufficient security measures protecting the data filing system, as defined in Articles 36-39.
4. In cases referred to in paragraphs 1-3, the liability with respect to compliance with the provisions hereof shall remain with the controller, which shall not release the entity executing the contract from the liability in case of processing the data in a manner incompatible with the contract.

CHAPTER 4
The Rights of the Data Subject

Article 32

1. The data subject has a right to control the processing of personal data relating to him and included in the filing systems, and in particular he has the right to:

1) obtain exhaustive information whether such system exists and who is controlling the system, obtain the address of its seat and its full name, and in case the controller is a natural person to obtain his address and his full name;
2) obtain information with respect to the purpose, scope, and the manner of processing of the data included in such system;
3) obtain information about the date of processing his personal data and access to such data presented in an easy to understand form;
4) obtain information about the source of his personal data, unless the controller is obliged to keep it confidential as a state, trade or professional secret;
5) obtain information about the manner of disclosing the data, and in particular about the recipients or categories of recipients of the data;
6) demand that his personal data are amended, updated or corrected, temporarily or permanently suspend their processing or demand their erasure in case they are not complete, they are outdated, untrue or collected with the violation of the act, or in case they are no longer required for the purpose for which they have been collected;
7) apply in writing, in cases referred to in Article 23.1.4 and 23.1.5, that the processing of his personal data be stopped, due to particular situation;
8) object against the processing of his personai data in cases referred to in Article 23.1.4 and 23.1.5, should the controller intend to process the data for marketing purposes or to object against the transfer of the data to another controller.

2. In case of the demand referred to in paragraph 1.7 the controller shall immediately stop the processing of the questioned data or without undue delay notify General Inspector who shall make an appropriate decision.
3. In case of objection referred to in paragraph 1.8 further processing of the questioned data is prohibited.
4. In case of data processed for scientific, didactic, historical, statistical or archival research the controller may not notify the data subject about the processing of his personal data, if the provision of such information involves disproportionate efforts.
5. The interested party may exercise his right of access to data referred to in paragraph 1.1-1.5 at most twice a year.

Article 33

1. On request of the data subject, within the period of 30 days, the controller shall be obliged to notify the data subject about his rights, and in particular specify in an easy to understand manner:

1) the kind of personal data included in the file;
2) the manner in which the data have been collected;
3) the purpose and the scope of processing of the data;
4) the recipients of the data and the scope of access they have been granted.

2. On request of the data subject, the information referred to in paragraph 1 may be given in writing.

Article 34

In all matters related to notification and disclosure of the data to the data subject the provisions of Article 30 shall apply.

Article 35

1. Should the data subject prove that the personal data relating to him are not complete, they are outdated, untrue or collected with the violation of the act, or in case they are no longer required for the purpose for which they have been collected, the controller shall be obliged, without undue delay, to amend, update, or correct the data, or to temporarily or permanently suspend the processing of the questioned data, or to have them erased from the system, unless the above refers to the personal data amended, updated or corrected according to the principles determined by other laws.
2. Should the controller fail to fulfil the obligation referred to in paragraph 1 above, the data subject may apply to General Inspector to issue a relevant order to the controller.

CHAPTER 5
Protection of Personal Data Filing Systems

Article 36

The controller shall be obliged to implement appropriate technical and organisational measures to protect the processed personal data, and in particular to protect personal data against their unauthorised disclosure, removal, damage or destruction.

Article 37

The computer system or devices constituting the system used for the processing of data may be operated solely by persons authorised by the controller.

Article 38

The controller of the data processed in computer files shall control the kind of personal data introduced into the system, the dates of such introduction, the persons making the introduction, and the recipients of the data, in particular where the data is transferred by means of teletransmission.

Article 39

1. The controller shall keep the register of persons involved in the processing of personal data.
2. The persons referred to in paragraph 1 above, who have the access to personal data, shall be obliged to keep them confidential. The obligation shall exist also after the termination of their contract of employment.

CHAPTER 6
Registration of Personal Data Filing Systems

Article 40

The controller shall be obliged to register a data filing system with General Inspector. The above shall not apply in cases referred to in Article 43.1.

Article 41

1. The notification of the data filing system should contain the following information:

1) application for entering the personal data filing system into the register of filing systems;
2) the name of the controller and the address of its seat or place of residence, including the identification number in the register of entities conducting economic activity, if applicable, and legal basis of keeping the data filing system;
3) the scope and purpose of the processing of personal data;
4) the manner of collecting and disclosing the data;
5) the description of technical and organisational measures applied for the purposes referred to in Article 36-39;
6) information about the manner of fulfilling technical and organisational requirements referred to in Article 45.1.

2. The controller shall be obliged to notify General Inspector about any change affecting the information referred to in paragraph 1 within 30 days of the date of amending the filing system.

Article 42

1. General Inspector shall keep a national open register of personal data filing systems notified for the purpose of registration. The register should contain information referred to in Article 41.1.
2. The register referred to in paragraph 1 may be inspected by any person.
3. On request, the interested party may obtain the certificate of registration of the filing system.

Article 43

1. The obligation of registration of filing system shall not apply to the controllers of the data:

1) constituting a state secret due to the reasons of national security or defence of the state, human life and health, public property, security, or order;
2) processed by relevant bodies for the purpose of court proceedings;
3) relating to the members of churches or religious unions with regulated legal status;
4) relating to the persons employed by them, their members or trainees;
5) relating to the persons availing themselves of their health care services, notarial or legal advice;
6) created on the basis of electoral regulations concerning the Sejm, Senate, municipal councils, the act on the election of the President of the Polish Republic, and the acts on referendum and municipal referendum;
7) relating to persons deprived of liberty under the relevant law within the scope required for temporary detention or deprivation of liberty;
8) processed for the purpose of issuing an invoice or for accounting purposes;
9) rendered public;
10) processed to prepare the thesis required to graduate from a university or be granted a scientific title;
11) processed with regard to current everyday affairs.

2. General Inspector may not exercise the powers granted in Article 12.2, Article 14.1, Article 14.3-14.5, and Article 15-18 with regard to the filing systems referred to in paragraph 1.1 and 1.3.

Article 44

1. General Inspector may, by means of administrative decision refuse to register the data filing system if:

1) the requirements specified in Article 41.1 have not been fulfilled;
2) the processing may violate the rules determined in Article 23-30;
3) the devices and systems of automatic data processing of the system notified for registration do not meet fundamental technical and organisational criteria defined at Article 45.1;

2. Refusing the registration General Inspector shall order the suspension of further processing of data of the relevant filing system or order the data to be erased.
3. The order to suspend further processing of data or to erase the data shall be effective immediately.
4. After the removal of the defects which resulted in the refusal of registration of the data filing system, the controller may again notify the system for registration.
5. In case of repeated notification of the system the controller may start the processing of data after registration.

Article 45

The Minister for administrative matters shall determine, by a regulation:

1) fundamental technical and organisational requirements for the devices and systems of automatic processing of personal data;
2) the form of application referred to in Article 29.3;
3) the form of notification referred to in Article 41.1;
4) the form of authorisation and service identity card referred to in Article 14.1.

Article 46

The controller may start the processing of data in the data filing system after notification of the system to General Inspector unless the law liberates the controller from this obligation.

CHAPTER 7
Transfer of Personal Data to Third Countries

Article 47

1. Transfer of personal data to third countries may take place only if a third country in question ensures at least the same level of protection of personal data as that in force on the territory of the Polish Republic.
2. The provision of paragraph 1 above shall not apply to the transfer of personal data required by law or by the provisions of ratified international agreement.
3. Nevertheless the controller may transfer the personal data to third countries on the condition that:

1) the data subject has granted his written consent;
2) the transfer is necessary for the performance of a contract between the data subject and the controller or takes place in response to the data subject's request;
3) the transfer is necessary for the performance of a contract concluded in the interests of the data subject between the controller and third party;
4) the transfer is necessary or legally required on public interests grounds or for the establishment of legal claims;
5) the transfer is necessary in order to protect the vital interests of the data subject;
6) the transfer relates to data which have been rendered public.

Article 48

In cases other than those referred to in Article 47.2 and 47.3 the transfer of persona! data to a third country which does not ensure at least the same level of protection as that in force on the territory of the Polish Republic may take place subject to prior consent of General Inspector.

CHAPTER 8
Sanctions

Article 49

1. A person who processes personal data from a data filing system where such processing is forbidden or where he is not authorised to carry out such processing shall be liable to a fine, a partial restriction of freedom or a prison sentence of up to two years.
2. Where the offence mentioned at point 1 of this article relates to information on racial or ethnic origin, political opinions, religious or philosophical beliefs, party or trade-union membership, health records, genetic code, addictions or sexual life, the person who processes the data shall be liable to a fine, a partial restriction of freedom or a prison sentence of up to three years.

Article 50

A person who, being the controller of a filing system, stores personal data incompatible with the intended purpose for which the system has been created, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.

Article 51

1. A person who, being the controller of a data filing system or being obliged to protect the personal data, discloses them or provides access to unauthorised persons, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to two years.
2. In case of unintentional character of the above offence, the offender shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.

Article 52

A person who, being the controller of a filing system, violates, whether intentionally or unintentionally, the obligation to protect the data against unauthorised transfer, damage or destruction, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.

Article 53

A person who, regardless of the obligation, fails to notify the filing system for registration, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.

Article 54

A controller who fails to inform the party to which the data relates, of its rights or of information which would enable that person to benefit from the provisions of this Act is liable to a fine, partial restriction of freedom or prison sentence of up to one year.

CHAPTER 9
Amendments to the Binding Regulations,
Temporary Provisions, and Final Provisions

Article 55

In Article 2.2 of the Act of July 30, 1981 on the remuneration of persons holding management posts in state administration (Journal of Laws No. 20, item 101; of 1982 No. 31, item 214; of 1985 No. 22, item 98, and No. 50, item 262; of 1987 No. 21, item 123; of 1989 No. 34, item 178; of 1991 No. 100, item 443; of 1993 No.1, item 1; of 1995 No. 34, item 163, and No.142, item 701; of 1996 No. 73, item 350, No. 89, item 402, No.106, item 496, and No. 139, item 647) after the words "Commissioner for Citizens' Rights Protection" the words "General Inspector for Personal Data Protection" shall be added.

Article 56

The Act of September 16, 1982 on the employees of state administration (Journal of Laws No. 31, item 214; of 1984 No. 35, item 187; of 1988 No.19, item 132; of 1989 No. 4, item 24, No. 34, item 178 and 182; of 1990 No. 20, item 121; of 1991 No. 55, item 234, No. 88, item 400, and No. 95, item 425; of 1992 No. 54, item 254, and No. 90, item 451; of 1994 No.136, item 704; of 1995; No 132, item 640; and of 1996 No. 89, item 402, and No.106, item 496) shall be altered as follows:

1) In Article 1, the following paragraph 13 shall be added:
"in the Bureau of General Inspector for Personal Data Protection "
2) In Article 36, paragraph 5.1 after the words "The State Labour Inspectorate" a comma is inserted and the following words shall be added nThe National Election Bureau and the Bureau of General Inspector for Personal Data Protection "
3) In Article 48, paragraph 1.1 after the words "The Bureau of Commissioner for Citizens' Rights Protection" the following words shall be added "The Bureau of General Inspector for Personal Data Protection "

Article 57

In Article 31, paragraph 3.2 of the Act of January 5, 1991 - the Budgetary Law (Journal of Laws of 1993 No. 72, item 344; of 1994 No. 76, item 344, No. 121, item 591, and No.133, item 685; of 1995 No. 78, item 390, No.124, item 601, and No.132, item 640; of 1996 No. 89, item 402, No.106, item 496, No. 132, item 621, and No.139, item 647; and of 1997 No. 54, item 348), after the words "the Supreme Chamber of Control" the following words shall be added
"General Inspector for Personal Data Protection".

Article 58

The Article 4 of the Act of December 23, 1994 on the Supreme Chamber of Control (Journal of Laws of 1995 No. 13, item 59, and of 1996 No. 64, item 315 and No. 89, item 402; and of 1997 No. 28, item 153) shall be altered as follows:

1) In paragraph 1 after the words "The National Council for Radio and Television Broadcasting" the words "General Inspector for Personal Data Protection" shall be added.
2) In paragraph 2 after the words "The National Councll for Radio and Television Broadcasting" a comma and the words "General Inspector for Personal Data Protection" shall be added.

Article 59

In Article 2, paragraph 2 of the Act of December 23, 1994 on the measures allocated to the state budgetary sector remuneration and on amendments to certain laws (Journal of Laws of 1995 No. 34, item 163 and of 1996 No. 106, item 496 and No. 139, item 647) after the words "The National Election Bureau" the words "General Inspector for Personal Data Protection" shall be added.

Article 60

In the Act of April 26, 1996 on the Prison Service (Journal of Laws No. 61, item 283 and No. 106, item 496, and of 1997 No. 28, item 153) the following Article 23a shall be added:

"Article 23a. Prison Service may collect and process information and personal data, also without the consent of the data subject, necessary to perform tasks referred to in Article 1.3 of the law.".

Article 61

1. Entities referred to in Article 3, being on the effective date of the Act the controllers of personal data automatic filing systems, shall be obliged to file an application for registration of the systems according to the provisions of Article 41, within the period of 18 months of the effective date of the Act, unless they are released from this obligation by virtue of law.
2. Until the personal data filing systems are registered pursuant to the provisions of Article 41, the entities referred to in paragraph 1 may operate the systems without the registration.

Article 62

The Act takes effect after 6 months from the date of its publication, with the exclusion of:

1) Article 8-11, Article 13 and Article 45 which come into force after 2 months from the date of publication,
2) Article 55-59 which come into force after 14 days from the date of publication.

President of Polish Republic: A. Kwasniewski

Document loaded June 8, 2000