POLAND
ACT
of August 29,1997
on
the Protection of Personal Data
CHAPTER
1
General Provisions
Article
1
1. Any
person has a right to have his personal data protected.
2. The processing of personal data can be carried out in the public
interest, the interest of the data subject, or the interest of any third
party, within the scope and subject to the procedure determined by the
Act.
Article
2
1. The
Act shall determine the code of conduct for the processing of personal
data and the rights of natural persons whose personal data is or can
be processed as a part of a filing system.
2. The Act shall apply to the processing of personal data of computer
systems and other files, indices, books, lists, and other registers.
3. With regard to the personal data files prepared ad hoc, exclusively
for technical, training, or higher education purposes, where the data
after being used are immediately removed or rendered anonymous, the
provisions of Chapter 5 shall apply.
Article
3
1. The
Act shall apply to state authorities and local government authorities,
as well as to other state and municipal organisation units and non governmental
entities involved in public activities.
2. The Act shall also apply to natural and legal persons, and organisational
units without the status of a legal person involved in the processing
of data as a part of their business or professional activity or the
implementation of statutory objectives.
3. The Act shall apply to the entities referred to in paragraph 1 and
2 above having or not having the seat or domiciled or not domiciled
on the territory of the Polish Republic involved in the processing of
data by means of technical devices located on the territory of the Polish
Republic.
4. The Act shall not apply to natural persons involved in the processing
of data in the exercise of activities which are exclusively personal
or domestic.
Article
4
The provisions
of the Act shall apply, unless any international agreement executed
by the Polish Republic states otherwise.
Article
5
Should
the provisions of any separate laws on the processing of data provide
for more effective protection of the data than the provisions hereof,
the provisions of those laws shall apply.
Article
6
Within
the meaning of the Act, the personal data shall mean any information
relating to a natural person which allows for determining the identity
of such person.
Article
7
Whenever
in this Act the reference is made to any of the following, it shall
mean:
1. "data filing system" shalI mean any structured set of personal
data which are accessible according to specific criteria, whether centralised,
decentralised or dispersed on a functional basis;
2. "processing of data" shall mean any operation which is
performed on upon personal data, such as collection, recording, storage,
organisation, alteration, disclosure and erasure, and in particular
those performed in the computer files;
3. "data erasure" shall mean destruction of personal data
or such modification which would prevent determining the identity of
the data subject;
4. "controller" shall mean a body, institution, organisational
unit, entity or person referred to in Article 3.1 and 3.2 who decides
on the purposes and means of the processing of personal data;
5. "the data subject's consent" shall mean a declaration of
will by which the data subject signifies his agreement to personal data
relating to him being processed; the consent cannot be alleged or presumed
on the basis of the declaration of will of other content.
CHAPTER 2
Supervisory Authority for Personal Data Protection
Article
8
1. The
supervisory authority for the protection of personal data shall be the
General Inspector for Personal Data Protection, hereinafter called "General
Inspector".
2. General Inspector is appointed and discharged by the Sejm of the
Polish Republic with the consent of the Senate.
3. The candidate for General Inspector has to meet all of the following
criteria:
1. be
a Polish citizen, residing on the territory of the Polish Republic;
2. have an impeccable morale;
3. be a graduate of law faculty and have an appropriate professional
experience;
4. have no criminal record.
4. With
regard to the performance of the duties of General Inspector, he shall
be responsible solely within the light of the Law.
5. General Inspector is appointed for the period of 4 years commencing
on the date of affirmation. After the expiry of his term General Inspector
shall continue to perform his duties until the new General Inspector
is appointed.
6. The same person cannot perform the duties of General Inspector for
more than two consecutive terms.
7. The term of General Inspector shall expire at his death; discharge
or the loss of the status of a Polish citizen.
8. The Sejm, with the consent of the Senate may discharge General Inspector
in case of:
1) his
resignation;
2) his becoming permanently unable to perform his duties due to illness;
3) his being in breach of the provisions of his affirmation;
4) his being sentenced pursuant to a valid in law court decision for
committing a crime.
Article
9
Prior
to performing his duties, General Inspector shall deliver to the Sejm
of the Polish Republic the following affirmation:
"Taking
up the post of General Inspector for Personal Data Protection I hereby
solemnly promise to observe the provisions of the Constitutional Act
of the Polish Republic, to safeguard the right to protection of personal
data, and to fulfil the duties of General Inspector with due care
and without prejudice."
The affirmation
can end with the words: "and so may God help me."
Article
10
1. General
Inspector may not hold any other post except for the post of a university
professor,or perform any other profession.
2. General Inspector may not be a member of any political party or trade
union, or be involved in any public activity which cannot be combined
with the honour of General Inspector post.
Article
11
General
Inspector may not be held responsible before criminal court or deprived
of liberty without the prior consent of the Sejm. General Inspector
may not be detained or arrested, except when apprehended red-handed
and his detention is necessary to observe the due course of proceedings.
In such case the Marshal of the Sejm has to be notified immediately
and may order General Inspector to be immediately released.
Article
12
The duties
of General Inspector shall include in particular:
1) ensuring
the compliance of data processing with the provisions of the act on
the protection of personal data;
2) issuing administrative decisions and consideration of complaints
with respect to the enforcement of the regulations on the protection
of personal data;
3) keeping the register of data filing systems and providing information
on the registered data filing systems;
4) issuing opinions on draft laws and regulations with respect to
the protection of personal data;
5) initiating and undertaking activities aimed at more efficient protection
of personal data;
6) participating in the work of international organisations and institutions
involved in personal data protection.
Article
13
1. General
Inspector shall perform his duties assisted by the Bureau of General
Inspector for Personal Data Protection, hereinafter called the Bureau.
2. General Inspector and the employees of the Bureau, hereinafter called
the inspectors, are obliged to provide sufficient protection of the
information constituting state or trade secrets, disclosed to them during
the inspection of data processing activities.
3. Organisation and rules of operations of the Bureau shall be determined
in the statute of the Bureau, by a regulation of the President of the
Polish Republic.
Article
14
To perform
the duties referred to in Article 12.1 and 12.2 General Inspector or
inspectors authorised by General Inspector shall enjoy the following
powers, and in particular:
1) The
power to enter, from 6 a.m. through 10 p.m., after presenting the
adequate personal authorisation and service identity card, any premises
where the registered data filing system is being kept and to perform
necessary examination or other inspection activities to assess the
compliance of the data processing activities with the Act;
2) The power to demand written or oral explanation and the power to
summon and hear any person with regard to determining the actual state
of things;
3) The power to demand presentation of documents and any data relating
to the subject of the control;
4) The power to demand that any devices, data carriers, and automatic
systems of data processing be submitted for the purpose of examination;
5) The power to order expert analysis and opinions to be prepared.
Article
15
The manager
of the unit being the subject of the inspection and any natural person
acting as a controller of personal data undergoing the inspection are
obliged to enable the inspector to perform the inspection, and in particular
with regard to the activities referred to in Article 14.1-4.
Article
16
1. The
inspector performing the inspection shall prepare the protocol of inspection.
One copy of such protocol shall be delivered to the controller being
the subject of inspection.
2. The protocol shall be signed by the inspector and the controller
being the subject of such inspection. The latter may apply for his justified
objections and comments being included in the protocol.
3. Should the controller being the subject of inspection refuse to sign
the protocol, the inspector shall make a relevant entry with regard
to such refusal on the protocol, whereas the controller may, within
7 days, present his objections in writing to General Inspector.
Article
17
1. Should,
on the basis of the results of performed inspection, the inspector reveal
any breach of the provisions on the protection of personal data, he
shall request General Inspector to apply the measures referred to in
Article 18.
2. On the basis of the results of performed inspection, the inspector
may demand that disciplinary proceedings be instituted or that any other
action provided by law be instituted against persons guilty of the negligence
and to be notified, within the prescribed time, about the outcome of
such proceedings or actions.
Article
18
1. Should
the inspection reveal any breach of the provisions on the protection
of personal data, General Inspector, on his own initiative or on request
of the interested party, shall order the controller, by means of administrative
decision, to restore the state compliant with the law, and in particular:
1) to
eliminate any failure;
2) to complete, update, correct, disclose or keep confidential the
personal data;
3) to apply additional measures protecting the personal data files;
4) to suspend the transmission of personal data to third countries;
5) to safeguard the data or to transfer them to other entities; or
6) to erase the personal data.
2. The
decisions of General Inspector referred to in paragraph 1 above may
not restrict the freedom of activities of entities submitting candidates
or lists of candidates during the election to the Sejm, the Senate,
or local government bodies between the date of the order to hold an
election and the date of voting.
3. Should there exist any other legal regulations with regard to the
activities referred to in paragraph 1 above, the provisions of such
laws shall apply.
Article
19
Should
the inspection reveal that the action or failure of the manager of organisational
unit, its employee or any other natural person acting as the controller
shows all the features of a crime within the meaning of the Act, General
Inspector shall notify the prosecuting agency about the crime, enclosing
the evidence confirming his suspicions.
Article
20
Every year
General Inspector shall submit to the Sejm a report on his activities
including his conclusions with respect to observance of the provisions
of the act on protection of personal data.
Article
21
1. A party
may apply to General Inspector for reconsidering its case.
2. The decision of General Inspector may be appealed against with the
Supreme Administrative Court.
Article
22
The proceedings
with respect to the matters regulated by this Act shall be conducted
according to the provisions of the Code of Administrative Procedure,
unless other provisions of the act state otherwise.
CHAPTER
3
The Principles of Personal Data Processing
Article
23
1. The
processing of data is allowed only if:
1) the
data subject has given his consent, unless the processing consists
in erasure of personal data;
2) processing is allowed by the provisions of law;
3) processing is necessary for the performance of a contract to which
the data subject is a party or in order to take steps on request of
the data subject prior to entering into a contract;
4) processing is necessary for the performance of the task carried
out in the public interest and determined by law;
5) processing is necessary for the purposes of the legitimate interests
pursued by the controller referred to in Article 3.2, provided that
the processing of the data does not violate the rights and freedom
of the data subject.
2. The
consent referred to in paragraph 1.1 may include the data processing
in the future, on the condition that the purpose of the processing remains
the same.
3. Should the processing of data be necessary to protect the vital interests
of the data subject and the condition referred to in paragraph 1.1 cannot
be fulfilled, the data may be processed without the consent of data
subject until such consent can be obtained.
Article
24
1. Collecting
the personal data from the data subject the controller is obliged to
provide a data subject from whom the data are collected with the following
information:
1) the
address of its seat and its full name, and in case the controller
is a natural person about the address of his/her residence and his/her
full name;
2) the purpose of collecting for which the data are intended, and
in particular about the data recipients or categories of recipients,
if known at the date of collecting;
3) the existence of the data subject's right of access and right to
rectify the data concerning him;
4) whether the replies to the questions are obligatory or voluntary,
and in case of existence of the obligation about its legal basis.
2. The
provisions of paragraph 1 above shall not apply, should the law allow
for the processing of data without the obligation to disclose the actual
purpose for which the data are intended.
Article
25
1. Where
the data have not been obtained from the data subject, the controller
is obliged to provide the data subject, immediately after the recording
of his personal data, with the following information:
1) the
address of its seat and its full name, and in case the controller
is a natural person about the address of his/her residence and his/her
full name;
2) the purpose of collecting for which the data are intended and the
scope of data collecting, and in particular about the data recipients
or categories of recipients;
3) the source of data;
4) the existence of the data subject's right of access and right to
rectify the data concerning him;
5) the powers resulting from Article 32 paragraph 1.7 and 1.8.
2. The
provisions of Paragraph 1 shall not apply where:
1) the
provisions of other law provide or allow for collecting the personal
data without the need to notify the data subject;
2) the data which are being collected have been manifestly made public;
3) the data are necessary for scientific, didactic, historical, statistic
or public opinion research, the processing of such data does not violate
the rights or freedom of the data subject, and the fulfilment of the
terms and conditions determined in paragraph 1 would involve disproportionate
efforts or endanger the success of the research.
4) the controller does not intend to further processed the collected
data after single use.
Article
26
1. The
controller performing the processing of data should protect the interests
of data subjects with due care, and in particular to ensure that:
1) the
data are processed lawfully;
2) the data are collected for specified and legitimate purposes and
no further processed in a way incompatible with the intended purposes,
subject to the provisions of paragraph 2 below;
3) the data are relevant and adequate to the intended purposes for
which they are processed;
4) the data are kept in form which permits identification of the data
subjects no longer than is necessary for the purposes for which they
are processed.
2. The
processing of data for the purpose other than intended at the time of
data collecting is allowed provided that it does not violate the rights
and freedom of the data subject and is done:
1) for
the purposes of scientific, didactic, historical or statistical research;
2) subject to the provisions of Article 23 and Article 25.
Article
27
1. The
processing of personal data revealing racial or ethnic origin, political
opinions, religious or philosophical beliefs, religious, party or trade-union
membership, as well as the processing of data concerning health, genetic
code, addictions or sex life is prohibited.
2. Processing of the data referred to in paragraph 1 above shall not
constitute a breach of the act where:
1) the
data subject has given his written consent, unless the processing
consists in erasure of personal data;
2) the provisions of other law provide for the processing of such
data without the need to request the data subject's consent and provide
for adequate safeguards;
3) processing is necessary to protect the vital interests of the data
subject or of another persons where the data subject is physically
or legally incapable of giving his consent until the establishing
of a guardian or curator;
4) processing is necessary for the purposes of carrying out the statutory
objectives of churches and other religious unions, associations, foundations,
and other non-profit-seeking organisations or institutions with a
political, scientific, religious, philosophical, or trade-union aim
and on condition that the processing relates solely to the members
of those organisations or institutions or to the persons who have
regular contact with them in connection with their purposes and subject
to providing suitable safeguards of the processed data;
5) processing relates to the data necessary for the establishment
of legal claims;
6) processing is necessary for the purposes of carrying out the obligations
of the controller with regard to employment of his employees and other
persons, and the scope of processing is determined by the law;
7) processing is required for the purposes of preventive medicine,
the provision of care or treatment, where the data are processed by
a health professional subject involved in treatment, other health
care services, or the management of health care services and subject
to providing suitable safeguards;
8) the processing relates to data which are manifestly made public
by the data subject.
Article
28
1. The
processing of data relating to criminal convictions, decisions on penalties,
fines and other security measures issued in court or administrative
proceedings may be carried out only pursuant to national law.
2. Serial numbers applied in the census may include only such features
as sex, date of birth, consecutive number, and control number.
3. Assigning hidden meaning to the elements of serial numbers in the
filing systems of data relating to natural persons is prohibited.
Article
29
1. In case
of providing the access to the data for the purposes other than including
into the data filing system, the controller referred to in Article 3.1
shall disclose the data kept in the filing system to persons or entities
authorised by virtue of law.
2. Personal data, with the exclusion of data referred to in Article
27.1, may also be disclosed for the purposes other than including into
the data filing system to persons and entities other than those referred
to in paragraph 1 above, provided that such persons or entities present
in a reliable manner their reasons for being granted the access to the
data and that granting such access will not violate the rights and freedom
of the data subjects.
3. Personal data are disclosed on written and justified request, unless
the provisions of another law state otherwise. Such request should include
information allowing for identification within the filing system the
requested personal data and indicating their scope and purpose.
4. Disclosed personal data may be used only according to the purpose
for which they have been disclosed.
Article
30
The controller
may refuse the access to the personal data of the filing system to entities
and persons other than those referred to in Article 29.1, if it would:
1) result
in the disclosure of the information constituting a state secret;
2) pose a threat to national defence or security of the state, human
life and health, public property, security, or order;
3) pose a threat to fundamental economic or financial interests of
the state;
4) result in a substantial breach of personal rights of the data subjects
or other persons.
Article
31
1. The
controller may appoint other entity to carry out the processing of personal
data pursuant to a contract executed in writing.
2. The entity, referred to in paragraph 1 above, may process the data
solely within the scope and for the purpose determined in the contract.
3. The entity, referred to in paragraph 1, prior to processing the data
shall be obliged to provide sufficient security measures protecting
the data filing system, as defined in Articles 36-39.
4. In cases referred to in paragraphs 1-3, the liability with respect
to compliance with the provisions hereof shall remain with the controller,
which shall not release the entity executing the contract from the liability
in case of processing the data in a manner incompatible with the contract.
CHAPTER
4
The Rights of the Data Subject
Article
32
1. The
data subject has a right to control the processing of personal data
relating to him and included in the filing systems, and in particular
he has the right to:
1) obtain
exhaustive information whether such system exists and who is controlling
the system, obtain the address of its seat and its full name, and
in case the controller is a natural person to obtain his address and
his full name;
2) obtain information with respect to the purpose, scope, and the
manner of processing of the data included in such system;
3) obtain information about the date of processing his personal data
and access to such data presented in an easy to understand form;
4) obtain information about the source of his personal data, unless
the controller is obliged to keep it confidential as a state, trade
or professional secret;
5) obtain information about the manner of disclosing the data, and
in particular about the recipients or categories of recipients of
the data;
6) demand that his personal data are amended, updated or corrected,
temporarily or permanently suspend their processing or demand their
erasure in case they are not complete, they are outdated, untrue or
collected with the violation of the act, or in case they are no longer
required for the purpose for which they have been collected;
7) apply in writing, in cases referred to in Article 23.1.4 and 23.1.5,
that the processing of his personal data be stopped, due to particular
situation;
8) object against the processing of his personai data in cases referred
to in Article 23.1.4 and 23.1.5, should the controller intend to process
the data for marketing purposes or to object against the transfer
of the data to another controller.
2. In case
of the demand referred to in paragraph 1.7 the controller shall immediately
stop the processing of the questioned data or without undue delay notify
General Inspector who shall make an appropriate decision.
3. In case of objection referred to in paragraph 1.8 further processing
of the questioned data is prohibited.
4. In case of data processed for scientific, didactic, historical, statistical
or archival research the controller may not notify the data subject
about the processing of his personal data, if the provision of such
information involves disproportionate efforts.
5. The interested party may exercise his right of access to data referred
to in paragraph 1.1-1.5 at most twice a year.
Article
33
1. On request
of the data subject, within the period of 30 days, the controller shall
be obliged to notify the data subject about his rights, and in particular
specify in an easy to understand manner:
1) the
kind of personal data included in the file;
2) the manner in which the data have been collected;
3) the purpose and the scope of processing of the data;
4) the recipients of the data and the scope of access they have been
granted.
2. On request
of the data subject, the information referred to in paragraph 1 may
be given in writing.
Article
34
In all
matters related to notification and disclosure of the data to the data
subject the provisions of Article 30 shall apply.
Article
35
1. Should
the data subject prove that the personal data relating to him are not
complete, they are outdated, untrue or collected with the violation
of the act, or in case they are no longer required for the purpose for
which they have been collected, the controller shall be obliged, without
undue delay, to amend, update, or correct the data, or to temporarily
or permanently suspend the processing of the questioned data, or to
have them erased from the system, unless the above refers to the personal
data amended, updated or corrected according to the principles determined
by other laws.
2. Should the controller fail to fulfil the obligation referred to in
paragraph 1 above, the data subject may apply to General Inspector to
issue a relevant order to the controller.
CHAPTER
5
Protection of Personal Data Filing Systems
Article
36
The controller
shall be obliged to implement appropriate technical and organisational
measures to protect the processed personal data, and in particular to
protect personal data against their unauthorised disclosure, removal,
damage or destruction.
Article
37
The computer
system or devices constituting the system used for the processing of
data may be operated solely by persons authorised by the controller.
Article
38
The controller
of the data processed in computer files shall control the kind of personal
data introduced into the system, the dates of such introduction, the
persons making the introduction, and the recipients of the data, in
particular where the data is transferred by means of teletransmission.
Article
39
1. The
controller shall keep the register of persons involved in the processing
of personal data.
2. The persons referred to in paragraph 1 above, who have the access
to personal data, shall be obliged to keep them confidential. The obligation
shall exist also after the termination of their contract of employment.
CHAPTER
6
Registration of Personal Data Filing Systems
Article
40
The controller
shall be obliged to register a data filing system with General Inspector.
The above shall not apply in cases referred to in Article 43.1.
Article
41
1. The
notification of the data filing system should contain the following
information:
1) application
for entering the personal data filing system into the register of
filing systems;
2) the name of the controller and the address of its seat or place
of residence, including the identification number in the register
of entities conducting economic activity, if applicable, and legal
basis of keeping the data filing system;
3) the scope and purpose of the processing of personal data;
4) the manner of collecting and disclosing the data;
5) the description of technical and organisational measures applied
for the purposes referred to in Article 36-39;
6) information about the manner of fulfilling technical and organisational
requirements referred to in Article 45.1.
2. The
controller shall be obliged to notify General Inspector about any change
affecting the information referred to in paragraph 1 within 30 days
of the date of amending the filing system.
Article
42
1. General
Inspector shall keep a national open register of personal data filing
systems notified for the purpose of registration. The register should
contain information referred to in Article 41.1.
2. The register referred to in paragraph 1 may be inspected by any person.
3. On request, the interested party may obtain the certificate of registration
of the filing system.
Article
43
1. The
obligation of registration of filing system shall not apply to the controllers
of the data:
1) constituting
a state secret due to the reasons of national security or defence
of the state, human life and health, public property, security, or
order;
2) processed by relevant bodies for the purpose of court proceedings;
3) relating to the members of churches or religious unions with regulated
legal status;
4) relating to the persons employed by them, their members or trainees;
5) relating to the persons availing themselves of their health care
services, notarial or legal advice;
6) created on the basis of electoral regulations concerning the Sejm,
Senate, municipal councils, the act on the election of the President
of the Polish Republic, and the acts on referendum and municipal referendum;
7) relating to persons deprived of liberty under the relevant law
within the scope required for temporary detention or deprivation of
liberty;
8) processed for the purpose of issuing an invoice or for accounting
purposes;
9) rendered public;
10) processed to prepare the thesis required to graduate from a university
or be granted a scientific title;
11) processed with regard to current everyday affairs.
2. General
Inspector may not exercise the powers granted in Article 12.2, Article
14.1, Article 14.3-14.5, and Article 15-18 with regard to the filing
systems referred to in paragraph 1.1 and 1.3.
Article
44
1. General
Inspector may, by means of administrative decision refuse to register
the data filing system if:
1) the
requirements specified in Article 41.1 have not been fulfilled;
2) the processing may violate the rules determined in Article 23-30;
3) the devices and systems of automatic data processing of the system
notified for registration do not meet fundamental technical and organisational
criteria defined at Article 45.1;
2. Refusing
the registration General Inspector shall order the suspension of further
processing of data of the relevant filing system or order the data to
be erased.
3. The order to suspend further processing of data or to erase the data
shall be effective immediately.
4. After the removal of the defects which resulted in the refusal of
registration of the data filing system, the controller may again notify
the system for registration.
5. In case of repeated notification of the system the controller may
start the processing of data after registration.
Article
45
The Minister
for administrative matters shall determine, by a regulation:
1) fundamental
technical and organisational requirements for the devices and systems
of automatic processing of personal data;
2) the form of application referred to in Article 29.3;
3) the form of notification referred to in Article 41.1;
4) the form of authorisation and service identity card referred to
in Article 14.1.
Article
46
The controller
may start the processing of data in the data filing system after notification
of the system to General Inspector unless the law liberates the controller
from this obligation.
CHAPTER
7
Transfer of Personal Data to Third Countries
Article
47
1. Transfer
of personal data to third countries may take place only if a third country
in question ensures at least the same level of protection of personal
data as that in force on the territory of the Polish Republic.
2. The provision of paragraph 1 above shall not apply to the transfer
of personal data required by law or by the provisions of ratified international
agreement.
3. Nevertheless the controller may transfer the personal data to third
countries on the condition that:
1) the
data subject has granted his written consent;
2) the transfer is necessary for the performance of a contract between
the data subject and the controller or takes place in response to
the data subject's request;
3) the transfer is necessary for the performance of a contract concluded
in the interests of the data subject between the controller and third
party;
4) the transfer is necessary or legally required on public interests
grounds or for the establishment of legal claims;
5) the transfer is necessary in order to protect the vital interests
of the data subject;
6) the transfer relates to data which have been rendered public.
Article
48
In cases
other than those referred to in Article 47.2 and 47.3 the transfer of
persona! data to a third country which does not ensure at least the
same level of protection as that in force on the territory of the Polish
Republic may take place subject to prior consent of General Inspector.
CHAPTER
8
Sanctions
Article
49
1. A person
who processes personal data from a data filing system where such processing
is forbidden or where he is not authorised to carry out such processing
shall be liable to a fine, a partial restriction of freedom or a prison
sentence of up to two years.
2. Where the offence mentioned at point 1 of this article relates to
information on racial or ethnic origin, political opinions, religious
or philosophical beliefs, party or trade-union membership, health records,
genetic code, addictions or sexual life, the person who processes the
data shall be liable to a fine, a partial restriction of freedom or
a prison sentence of up to three years.
Article
50
A person
who, being the controller of a filing system, stores personal data incompatible
with the intended purpose for which the system has been created, shall
be liable to a fine, the penalty of restriction of liberty or deprivation
of liberty up to one year.
Article
51
1. A person
who, being the controller of a data filing system or being obliged to
protect the personal data, discloses them or provides access to unauthorised
persons, shall be liable to a fine, the penalty of restriction of liberty
or deprivation of liberty up to two years.
2. In case of unintentional character of the above offence, the offender
shall be liable to a fine, the penalty of restriction of liberty or
deprivation of liberty up to one year.
Article
52
A person
who, being the controller of a filing system, violates, whether intentionally
or unintentionally, the obligation to protect the data against unauthorised
transfer, damage or destruction, shall be liable to a fine, the penalty
of restriction of liberty or deprivation of liberty up to one year.
Article
53
A person
who, regardless of the obligation, fails to notify the filing system
for registration, shall be liable to a fine, the penalty of restriction
of liberty or deprivation of liberty up to one year.
Article
54
A controller
who fails to inform the party to which the data relates, of its rights
or of information which would enable that person to benefit from the
provisions of this Act is liable to a fine, partial restriction of freedom
or prison sentence of up to one year.
CHAPTER
9
Amendments to the Binding Regulations,
Temporary Provisions, and Final Provisions
Article
55
In Article
2.2 of the Act of July 30, 1981 on the remuneration of persons holding
management posts in state administration (Journal of Laws No. 20, item
101; of 1982 No. 31, item 214; of 1985 No. 22, item 98, and No. 50,
item 262; of 1987 No. 21, item 123; of 1989 No. 34, item 178; of 1991
No. 100, item 443; of 1993 No.1, item 1; of 1995 No. 34, item 163, and
No.142, item 701; of 1996 No. 73, item 350, No. 89, item 402, No.106,
item 496, and No. 139, item 647) after the words "Commissioner
for Citizens' Rights Protection" the words "General Inspector
for Personal Data Protection" shall be added.
Article
56
The Act
of September 16, 1982 on the employees of state administration (Journal
of Laws No. 31, item 214; of 1984 No. 35, item 187; of 1988 No.19, item
132; of 1989 No. 4, item 24, No. 34, item 178 and 182; of 1990 No. 20,
item 121; of 1991 No. 55, item 234, No. 88, item 400, and No. 95, item
425; of 1992 No. 54, item 254, and No. 90, item 451; of 1994 No.136,
item 704; of 1995; No 132, item 640; and of 1996 No. 89, item 402, and
No.106, item 496) shall be altered as follows:
1) In
Article 1, the following paragraph 13 shall be added:
"in the Bureau of General Inspector for Personal Data Protection
"
2) In Article 36, paragraph 5.1 after the words "The State Labour
Inspectorate" a comma is inserted and the following words shall
be added nThe National Election Bureau and the Bureau of General Inspector
for Personal Data Protection "
3) In Article 48, paragraph 1.1 after the words "The Bureau of
Commissioner for Citizens' Rights Protection" the following words
shall be added "The Bureau of General Inspector for Personal
Data Protection "
Article
57
In Article
31, paragraph 3.2 of the Act of January 5, 1991 - the Budgetary Law
(Journal of Laws of 1993 No. 72, item 344; of 1994 No. 76, item 344,
No. 121, item 591, and No.133, item 685; of 1995 No. 78, item 390, No.124,
item 601, and No.132, item 640; of 1996 No. 89, item 402, No.106, item
496, No. 132, item 621, and No.139, item 647; and of 1997 No. 54, item
348), after the words "the Supreme Chamber of Control" the
following words shall be added
"General Inspector for Personal Data Protection".
Article
58
The Article
4 of the Act of December 23, 1994 on the Supreme Chamber of Control
(Journal of Laws of 1995 No. 13, item 59, and of 1996 No. 64, item 315
and No. 89, item 402; and of 1997 No. 28, item 153) shall be altered
as follows:
1)
In paragraph 1 after the words "The National Council for Radio
and Television Broadcasting" the words "General Inspector
for Personal Data Protection" shall be added.
2) In paragraph 2 after the words "The National Councll for Radio
and Television Broadcasting" a comma and the words "General
Inspector for Personal Data Protection" shall be added.
Article
59
In Article
2, paragraph 2 of the Act of December 23, 1994 on the measures allocated
to the state budgetary sector remuneration and on amendments to certain
laws (Journal of Laws of 1995 No. 34, item 163 and of 1996 No. 106,
item 496 and No. 139, item 647) after the words "The National Election
Bureau" the words "General Inspector for Personal Data Protection"
shall be added.
Article
60
In the
Act of April 26, 1996 on the Prison Service (Journal of Laws No. 61,
item 283 and No. 106, item 496, and of 1997 No. 28, item 153) the following
Article 23a shall be added:
"Article
23a. Prison Service may collect and process information and personal
data, also without the consent of the data subject, necessary to perform
tasks referred to in Article 1.3 of the law.".
Article
61
1. Entities
referred to in Article 3, being on the effective date of the Act the
controllers of personal data automatic filing systems, shall be obliged
to file an application for registration of the systems according to
the provisions of Article 41, within the period of 18 months of the
effective date of the Act, unless they are released from this obligation
by virtue of law.
2. Until the personal data filing systems are registered pursuant to
the provisions of Article 41, the entities referred to in paragraph
1 may operate the systems without the registration.
Article
62
The Act
takes effect after 6 months from the date of its publication, with the
exclusion of:
1) Article
8-11, Article 13 and Article 45 which come into force after 2 months
from the date of publication,
2) Article 55-59 which come into force after 14 days from the date
of publication.
President
of Polish Republic: A. Kwasniewski
Document
loaded June 8, 2000