The Inspector General of Data Protection (“Inspector General”) has the power to investigate any complaints and cases. In case of any breach of the data protection law (DPL), the Inspector General may order to restore the proper legal state, and in particular: to remedy the negligence; to complete, update, correct, disclose or not to disclose personal data; to apply additional measures protecting the collected personal data; to suspend the flow of personal data to a third country; to secure personal data, or to transfer it to other subjects; and to delete the personal data. These orders can be appealed to the courts. In case of non-compliance with the decisions, the Inspector General may impose administrative penalties/fines in order to enforce them – in case of repeated non-compliance up to 50.000 PLN (approx. €12,000) with respect to an individual or up to 200,000 PLN (approx. €47,600) with respect to an entity.
Individuals may file actions in court (in particular request damages caused by infringement of privacy).
Fines of up to 1,080.000 PLN (approx. €257,000); restriction of liberty and imprisonment of up to 3 years. Additionally DPL provides that a person who prevents or impedes an inspector in execution of its control activity will be subject to a fine, restriction of liberty or imprisonment of up to 2 years.
Corporate officers and in some cases, employees of the data controller may face personal criminal liability.
Selected Enforcement Actions / General Comments
Some examples of recent enforcement action in Poland include:
- In 2013 the Inspector General submitted 16 motions to the public prosecutor for the institution of criminal proceedings (there were 12 motions in 2012, 10 in 2011, 23 in 2010)
- In 2013 the Inspector General conducted 318 audits and monitored 338 IT systems (in which personal data are processed). In the said year there were 1879 complaints submitted related to breach pf personal data law, in particular relate to public administration, finance and marketing areas.