On March 30 1998 new legislation on the protection of personal data came into force. The new statute is intended to implement the EC Data Protection Directive of October 24 1995. The Directive balances the interests of individuals with the interest of companies that use personal data in their business. The Directive is not designed to ban the collection of data but rather to control its uses.
The Polish legislation develops the existing guarantees in art. 51 of the new Constitution, and grants everyone the right to the protection of his or her personal data.
The legislation establishes procedural principles in the use of personal data in electronic data bases, files, books and other forms of data storage. The only exemption from the scope of the new statutory provisions is made with respect to data collected temporarily — for technical, training or educational reasons — if the collected data is destroyed immediately after use.
The expression 'personal data' is defined in the new statute as any information on a natural person which allows his or her identification. A legal entity must meet at least one of the following criteria to collect and make use of personal data:
- the person whose data is collected agrees to this;
- there is a specific legal rule permitting the data collection;
- the data collection is necessary to carry out an agreement or a letter of intent to an agreement, to which the interested person is a party;
- it is necessary to carry out activities defined by law as for the public benefit; and
- it is necessary to carry out justified aims of a private company, without violating the civil rights and freedoms of the person whose data is collected.
Entities collecting or using data are under an obligation to inform persons whose data is being collected of the entity's address and the reason for the data collection. The personal data files must be registered with the Inspector General for Personal Data who is obliged to ensure that the statutory provisions are complied with.
Under the new statute, it is prohibited to make data files available to other entities to be used for different reasons to those for which the data was originally collected. There is an exemption to this rule with respect to scientific, educational, historical or statistical uses of the data.
The statute specifically bans the granting of access to data on the racial or ethnic background of a person; philosophical, political or religious affiliation or membership in political parties or unions; and health, genetic code, sexual habits. A person whose data is collected may demand from the data administrator information on the scope, aim and the way in which the data is used, as well as the sources of data. The person may also demand that the data is corrected or removed from a file if its use is illegal, or if the data is no longer needed for the goals for which it was collected. The new statute permits an objection or a demand to stop the data use or the collection of data under certain circumstances. The misuse of personal data may result in penal consequences for the data administrator.