This country-specific Q&A provides an overview of technology laws and regulations that apply in Poland.
It will cover communications networks and their operators, databases and software, data protection, AI, cybersecurity as well as the author’s view on planned future reforms of the technology market.
This Q&A is part of the global guide to Technology. For a full list of jurisdictional Q&As visit http://www.inhouselawyer.co.uk/index.php/practice-areas/technology
Are communications networks or services regulated? If so what activities are covered and what licences or authorisations are required?
Yes, this area is regulated in the Telecommunications Act of 16 July 2004.
Telecommunications activities which constitute business activities are regulated activities and are subject to entry in the register of telecommunications undertakings, run by the President of the Office of Electronic Communications (Urząd Komunikacji Elektronicznej – UKE). Telecommunications activities conducted by a telecommunications undertaking domiciled in another EU Member State or a state which has concluded with the European Community and its Member States an agreement on the freedom to provide services and which temporarily provides services in the territory of the Republic of Poland under the terms and conditions specified in the provisions of the Treaty establishing the European Community, Agreement on the European Economic Area or another agreement regulating the freedom to provide services, as appropriate, are also subject to entry in the register. As was mentioned above, any telecommunication activities which qualify as business activities are recognised as activities regulated by the Telecommunications Act.
Entry in the register of telecommunications undertakings is made on the basis of a request submitted by the undertaking or another entity authorised to perform business activities under separate provisions.
Operators of public telecommunications networks are also required to fulfil various information obligations, e.g. to submit information on the location and type of owned telecommunications infrastructure or public telecommunications network, on areas covered with the public telecommunications network in the preceding year, on new areas to be covered with the public telecommunications network in the current year, on annual revenues from performing telecommunications activities in the previous financial year, etc.
Is there any specific regulator for the provisions of communications-related services? Are they independent of the government control?
The Telecommunications Act of 16 July 2004 designates the President of the UKE as the regulatory authority responsible for monitoring telecommunications and postal services and managing frequency resources.
The President of the UKE is the central government administration authority. The President of the UKE is appointed by the Parliament – the Sejm (the lower house), with the consent of the Senate (the upper house) – at the request of the Prime Minister. The President of the UKE’s term of office lasts 5 years. Following the expiry of this term of office, the President of the UKE continues to perform his function until a successor is appointed.
Under the Telecommunications Act, the President of the UKE may be dismissed before his term expires only in the event of:
- a flagrant breach of the law;
- a conviction by final judgement for an intentional offence or a fiscal offence;
- a conviction barring from managerial positions or functions involving special responsibility in the state administration;
- illness permanently preventing performance of the duties of the President of the UKE;
Considering the above, it appears that the President of the UKE is not directly controlled by the government in his activities as head of the UKE, but the fact that his appointment is made upon recommendation by the Prime Minister and is dependent on the vote of the Parliament seems worthy of consideration in this respect.
Does an operator need to be domiciled in the country? Are there any restrictions on foreign ownership of telecoms operators?
As was indicated in the answer to Question 1, telecommunications activities may be performed by operators domiciled in Poland and operators with a registered office in another EU Member State or a state which has concluded with the European Community and its Member States an agreement on the freedom to provide services and which temporarily provides services in the territory of the Republic of Poland under the terms and conditions specified in the provisions of the Treaty establishing the European Community, Agreement on the European Economic Area or another agreement regulating the freedom to provide services, as appropriate.
No additional restrictions are imposed on operators from outside of the EU.
Are there any regulations covering interconnection between operators? If so are these different for operators with market power?
As regards interconnection between operators, the Act of 7 May 2010 on Supporting the Development of Telecommunications Services and Networks regulates network operators’ obligation to provide other telecommunications operators with access to technical infrastructure, including the right to utilise it to implement a fast telecommunications network.
With respect to operators with significant market power, the Telecommunications Act provides that the President of the UKE may by decision impose on such an operator the obligation to take account of justified requests from telecommunications undertakings to be provided with telecommunications access, including the use of network elements and associated facilities, in particular taking into account the level of competition in the retail market and the interest of end-users. This obligation may consist in:
- 1) ensuring the possibility of managing end-user service by an authorised telecommunications undertaking and making decisions concerning the provision of services for the benefit of that undertaking;
- 2) providing specific telecommunications network elements, including access to non-active network elements or telecommunications equipment, lines, links or local loops; the obligation to make local loops available may relate to a loop or a sub-loop, with full or shared access, together with collocation and access to cable lines and relevant information systems;
- 3) offering wholesale services for the purpose of their resale by another undertaking;
- 4) granting access to interfaces, protocols or other key technologies necessary for interoperability of services, including virtual network services;
- 5) providing telecommunications infrastructure, collocation, and other forms of shared use of buildings;
- 6) providing network functions necessary to ensure full interoperability of services, including the provision of services in intelligent networks;
- 7) providing roaming services on mobile networks;
- 8) providing systems which support operational activities or other software systems necessary for effective competition, including tariff systems, systems for issuing invoices and collecting receivables;
- 9) providing associated facilities in relation to radio and television broadcasting;
- 10) providing network or telecommunications equipment interconnection and related facilities;
- 11) conducting negotiations in good faith with regard to telecommunications access and providing formerly established telecommunications access to specific telecommunications networks, equipment or associated facilities;
- 12) providing telecommunications services taking account of priority;
- 13) ensuring access to associated facilities, including identity, location and presence services.
Additionally, the President of the UKE may by decision specify, within the scope necessary to ensure proper functioning of a telecommunications network, the technical or operational conditions to be met by a telecommunications undertaking providing telecommunications access or by telecommunications undertakings using such access.
In summary, as far as regulations covering interconnection between operators are concerned, the Telecommunications Act provides the basis for the President of the UKE to issue decisions which define the principles of interconnection between operators.
And, finally, specific provisions on consumer protection are, above all, set forth in the Polish Civil Code, which broadly regulates agreements concluded with consumers that apply also in the area of telecommunications.
What are the principal consumer protection regulations that apply specifically to telecoms services?
See Q4 above.
What legal protections are offered in relation to the creators of computer software?
Computer software and its creators are protected under the Act of 4 February 1994 on Copyright and Related Rights. This regulation contains special provisions on computer software, which constitute a separate regime of copyright protection. According to Art. 74(2) of this act, protection accorded to a computer program covers all forms of its expression. Therefore, not only source code, but also object code and documentation are protected.
Creators of computer software have both economic and moral rights to the copyrighted work. As far as the author’s economic rights are concerned, they cover specific forms of exploitations, such as:
- reproducing a computer program permanently or temporarily by any means and in any form, in part or in whole; insofar as loading, displaying, running, transmitting, or storing the computer program necessitate such reproduction, such acts require the rightholder’s permission;
- translating, adapting, arranging, or altering the computer program in any other way, without prejudice to the rights of the person who modifies the program;
- distributing the original computer program or copies thereof to the public, including letting for use or rental.
The author’s moral rights, however, are limited only to the right to claim authorship and to be identified on the work by name or pseudonym or to make the work available anonymously (whereas authors of other copyrighted works also have the right to integrity of the form and content of their work and to the fair use of the work, as well as the right to decide whether and how the work is made available to the public for the first time and to supervise how the work is used).
Do you recognise specific intellectual property rights in respect of data/databases?
The Polish legal system protects databases on the grounds of the Act of 4 February 1994 on Copyright and Related Rights and on the grounds of the Act of 27 July 2001 on the Protection of Databases.
Under the copyright act, a database – provided that it has the characteristics of a copyrighted work – is subject to copyright even if it contains unprotected content. However, its selection, arrangement, or composition must be of a creative nature.
The database protection act provides for sui generis protection, which is accorded regardless of the protection on the grounds of the copyright act. It concerns any database, defined as a collection of data or any other materials and elements arranged systematically or methodically, individually accessible by any means, including electronic means, where substantial investment, evaluated qualitatively and/or quantitatively, is required for its production, revision or presentation of its contents.
The creator of a database has an exclusive and transferable right to collect data and re-use the same in whole or in part in respect of its quality and quantity. Therefore, the creator may demand that a person who has infringed upon his right to the database should cease the activity causing the infringement, restore legality, and return the financial profit gained illegally; the creator of a database may also demand that the injury caused should be remedied in accordance with general law. The creator is entitled to these rights starting from the date of the production of a database for the period of fifteen years following the year in which the database was produced.
What key protections exist for personal data?
In Poland key protections for personal data are established by three (groups of) laws: (1) the General Data Protection Regulation (GDPR), (2) the Act of 10 May 2018 on the Protection of Personal Data (the Data Protection Act), and (3) branch- or sector-specific regulations.
As in all the EU member states, most personal data protections are provided for in the GDPR, which is directly applicable in Poland from 25 May 2018. The GDPR replaced the Act of 29 August 1997 on the Protection of Personal Data, which was in force till 25 May 2018.
The Data Protection Act contains institutional and procedural safeguards of personal data protection. In particular, it establishes a new independent data protection authority – the President of the Office for Personal Data Protection, who enjoys all the powers vested in a regulatory authority under GDPR. It also specifies civil, criminal, and administrative liability for personal data breaches and limits the application of certain GDPR provisions with regard to processing carried out for journalistic purposes, as well as for the purpose of academic, artistic, and literary expression.
These laws are complemented by branch- and sector-specific regulations. These acts usually specify the legal grounds and retention periods for storing data and provide data subjects with additional guarantees in a given context (e.g. the employment relationship). For example, the most recent amendment to the Polish Labour Code introduced special provisions on employee monitoring that specify permissible grounds for such processing and limit the retention period to a maximum of 3 months from the date of recording. Some sector-specific regulations have already been amended in order to comply with the GDPR; however, most are still to be amended. The draft law amending more than 100 acts in connection with ensuring the proper application of the GDPR is under way and is expected to come into force in the fourth quarter of 2018. The privacy of persons engaged in electronic communication is protected under the provisions of the Telecommunications Act of 16 July 2004 and the Act of 18 July 2002 on Providing Services by Electronic Means.
The EU Directive 2016/680 (the Police Directive), which also provides for personal data protection, has not yet been implemented into Polish law, although the period prescribed for transposition expired on 6 May 2018. Legislative work on the prospective act on the protection of personal data processed in connection with preventing and combating crime is still ongoing.
Are there restrictions on the transfer of personal data overseas?
Transfers of personal data to third countries, i.e. outside the European Economic Area (EEA), are regulated by chapter V of GDPR, which lays down the conditions that must be met in order to make such transfers admissible. These conditions can be divided into four ‘layers’.
Firstly, a transfer of personal data to a third country may take place based upon EU Commission decisions ascertaining an adequate level of protection in a given country in accordance with Art. 45 GDPR (adequacy decisions).
Secondly, such a transfer may take place based on one of the conditions enumerated in Art. 49 GDPR (the so-called derogations, e.g. the data subject’s explicit consent). If any one of the derogations applies, there is no need to ensure the appropriate safeguards set out in Art. 46 GDPR.
Thirdly, if none of the derogations applies, and if the transfer is not repetitive, concerns only a limited number of data subjects, and is necessary for the purposes of compelling legitimate interests pursued by the controller which are not overridden by the interests or rights and freedoms of the data subject, the transfer is admissible without ensuring the appropriate safeguards set out in Art. 46 GDPR provided that the controller:
- has assessed all the circumstances surrounding the data transfer and
- has on the basis of that assessment provided suitable safeguards with regard to the protection of personal data;
- has informed the supervisory authority of the transfer;
- has informed the data subject of the transfer and on the compelling legitimate interests pursued.
Finally, in cases where the above ‘layers’ are not applicable, the transfer of personal data to a third country is admissible provided that the appropriate safeguards set out in Art. 46 GDPR are guaranteed, i.e.:
- a legally binding and enforceable instrument between public authorities or bodies;
- binding corporate rules;
- standard data protection clauses adopted by the Commission;
- standard data protection clauses adopted by a supervisory authority and approved by the Commission;
- an approved code of conduct;
- an approved certification mechanism;
- subject to authorisation from the competent supervisory authority – contractual clauses;
- subject to authorisation from the competent supervisory authority – provisions to be inserted into administrative arrangements between public authorities or bodies.
What is the maximum fine that can be applied for breach of data protection laws?
Under the GDPR, the maximum fine for breach of data protection laws differs depending on the type of infringement. The GDPR splits the fines into two groups:
- administrative fines up to 20 000 000 EUR or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be applied in cases of infringement of e.g. basic principles for processing, including conditions for consent, the data subjects’ rights under Art. 12 to 22 GDPR, or transfer of personal data to a recipient in a third country or an international organisation under Art. 44 to 49 GDPR;
- administrative fines up to 10 000 000 EUR or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, may be applied in cases of infringement of e.g. the obligations of the controller and the processor pursuant to Art. 8, 11, 25 to 39, 42, and 43 GDPR.
The amount of the fine imposed by supervisory authorities depends on the many factors listed in Art. 83(2) GDPR, such as the nature, gravity, and duration of the infringement, intentional or negligent character of the infringement, actions taken by the controller or processor to mitigate the damage suffered by data subjects, etc.
The Data Protection Act limits the maximum amount of the fine that can be imposed on public finance sector entities, research institutes, and the National Bank of Poland to 10 000 PLN.
Are there any restrictions applicable to cloud-based services?
There are certain statutory restrictions applicable to cloud-based services. They result in limitations or conditions to be met, which apply to the commissioning of cloud-based services. They concern in particular the financial sector, as well as the processing of classified information, i.e. information relevant to national security.
The Banking Act of 29 August 1997 obligates the financial institution that outsources the processing of its confidential banking data, whether to the cloud or conventionally, to meet the statutory requirements which may include e.g. obtaining permission from the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego – KNF) and filing a specification of technical and organisational measures undertaken to adequately protect confidential banking data. The KNF has published its recommendations on the use of cloud-based services by entities subject to its supervision – they include planning, risk assessment, verification of the cloud provider’s reliability (based on applicable certification), etc.
Furthermore, the conditions on processing classified information in any type of information system provided for in the Act of 5 August 2010 on the Protection of Classified Information make it practically impossible to process classified information in a public cloud, because the level of actual surveillance that can be exerted over the processing of data in a public cloud is not sufficient.
Are there specific requirements for the validity of an electronic signature?
The enactment of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC was aimed at unifying within the EU the requirements regarding electronic identification in order to guarantee mutual recognition of an electronic signature based on a qualified certificate issued in any of the Member States. Under Regulation No 910/2014, Member States are thus not allowed to formulate any mandatory requirements towards qualified certificates exceeding the requirements laid down in this regulation. Consequently, such requirements are not provided for in the Polish legal system. The regulation allows for the introduction in the national legal systems of Member States of additional legal requirements relating to trust services in so far as those services are not fully harmonised by the regulation. There are, however, no country-specific requirements as to the validity of an electronic signature.
In the event of an outsourcing of IT services, would any employees, assets or third party contracts transfer automatically to the outsourcing supplier?
Outsourcing of IT services does not result in automatic transfer of employees, assets, or third-party contracts either to the outsourcing supplier or to the customer. However, the parties to an outsourcing contract may decide otherwise and include in the agreement provisions concerning such a transfer, which e.g. may enter into force on a specific date.
If a software program which purports to be an early form of A.I. malfunctions, who is liable?
The issue of liability for A.I. malfunctions is not regulated in the Polish legal system; therefore, the answer to the question is not clear. To the best of our knowledge, not a single judgment concerning liability for A.I. malfunctions has been made by the Polish judiciary to date. However, the issue is currently being discussed, and the urgent need to regulate it has been recognised.
What key laws exist in terms of obligations as to the maintenance of cyber security?
The key law in this matter is the Act of 5 July 2018 on the National Cybersecurity System, which implements the provisions of EU Directive 2016/1148 (commonly known as the NIS Directive). The said act has just been introduced into the Polish legal system, and it contains a list of requirements and obligations that must be met by entities covered by the Act, i.e. ‘operators of essential services’ (e.g. banks, energy service providers, air carriers, etc.) and digital service providers.
What key laws exist in terms of the criminality of hacking/DDOS attacks?
The key law in this matter is the Criminal Code of 6 June 1997, which criminalises computer sabotage, serious interruption of the functioning of an IT network, and illegal use of computers and data.
What technology development will create the most legal change in your jurisdiction?
In our view, the development of A.I. seems to be the most challenging technology development as far as change in the Polish legal system is concerned. The issue requires thorough analysis of the civil, criminal, and administrative regimes in order to establish specific regulations covering e.g. liability (both civil and criminal) for A.I. malfunctions, submitting declarations of intent, and granting copyright. It is therefore the further development of A.I. that can be expected to create the most legal change in Polish law.
Which current legal provision/regime creates the greatest impediment to economic development/commerce?
One of the greatest impediments to economic development/commerce is the legal uncertainty caused by the sheer number of legal provisions being introduced, amended, or repealed. Therefore, anyone conducting business in Poland must take into account the fast-changing legal environment in order to stay up-to-date with new requirements and obligations. That is especially true with regard to tax provisions, particularly because of the fact that their interpretation may be subject to change even if their wording remains the same.
Do you believe your legal system specifically encourages or hinders digital services?
We do believe that our legal system encourages digital services as the Polish legislature tries to keep up with the fast-changing technology. A case in point is the recent computerisation of public procurement, which is one of the examples of digitising the state–citizen relation. Other examples include e.g. an ever-growing number of administrative matters that can be handled online, without the need to visit the applicable office or agency in person.
To what extent is your legal system ready to deal with the legal issues associated with artificial intelligence?
The Polish legal system does not specifically address the issue of artificial intelligence, and it lacks special regulations in the matter. Therefore, it may not seem to be ready to deal with the legal issues associated with AI.
However, the strong need to introduce new regulations is being recognised, and the matter is currently being discussed.