Criminal liability under Polish Personal Data Protection Act

​The GDPR does not stipulate explicitly criminal liability for the processing of personal data in breach of the regulation. The main type of penalties provided for in the GDPR are administrative fines. Also, EU Member States are not obliged to amend their legislation to include provisions on criminal liability for unlawful personal data processing.

Nonetheless, pursuant to recital 149 of the GDPR Preamble, "Member States should be able to lay down the rules on criminal penalties for infringements of this Regulation, including for infringements of national rules adopted pursuant to and within the limits of this Regulation." Furthermore, pursuant to Article 84(1) GDPR, "Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular for infringements which are not subject to administrative fines pursuant to Article 83, and shall take all measures necessary to ensure that they are implemented. Such penalties shall be effective, proportionate and dissuasive."

The above means that Member States were free to introduce criminal liability for unlawful personal data processing at their own discretion. Polish lawmakers took that opportunity and added provisions on criminal liability to the Personal Data Protection Act (of 10 May 2018, Journal of Laws of 2018, item 1000).

​The Polish Personal Data Protection Act (PDPA) includes two provisions penalising certain personal data processing practices.

Pursuant to Article 107(1) PDPA, anyone who processes personal data where it is not allowed or without being authorised to process the data, is subject to a fine, restriction of liberty or imprisonment for up to 2 years.

Article 107(2) PDPA provides for penalties for not allowed/unlawful processing of data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation (the so-called special categories of personal data in the meaning of Article 9(1) GDPR). This crime is subject to a fine, restriction of liberty or imprisonment for up to 3 years.

The crime under Article 107 PDPA may be common (anyone can commit it) and factual (criminal liability does not depend on consequences).

Furthermore, the lawmakers have decided to punish the preventing or hindering of inspections.

Pursuant to Article 108 PDPA, anyone who prevents the inspector from checking the compliance with data protection laws, or hinders the inspection, is subject to a fine, restriction of liberty or imprisonment for up to 2 years.

The crime under Article 108 PDPA may be common (anyone can commit it) and material (criminal liability depends on the effect, that is the inspection being prevented or hindered).

​The criminal liability under the PDPA applies in addition to the administrative fines under the GDPR. Criminal liability does not replace the fines – instead, it exists in addition to them, as another type of liability, though different in terms of the origin and grounds for its application.

As regards the provisions of criminal law, when assessing the liability one should take into consideration a number of conditions for criminal liability and the principle of subsidiarity of criminal law. This leads to an assumption that the provisions of Article 107 and 108 PDPA will be applied only to more serious cases of infringements on the rules of handling personal data and the rules of inspection.

When it comes to administrative penalties, grounds for the liability are different and have been set out in Article 83(2) GDPR. Pursuant to that provision, in each individual case due regard shall be given to the following:

• the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage suffered by them,
• the intentional or negligent character of the infringement,
• actions taken by the controller or processor to mitigate the damage suffered by data subjects,
• the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them,
• any relevant previous infringements by the controller or processor, 
• the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement,
• the categories of personal data affected by the infringement,
• the manner in which the infringement became known to the supervisory authority, in particular whether, and if so – to what extent, the controller or processor notified the infringement,
• where corrective measures have previously been ordered against the controller or processor concerned with regard to the same subject-matter – compliance with those measures,
• adherence to approved codes of conduct or approved certification mechanisms and
• any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.

Application of the above provisions in practice raises reasonable doubts. It is worth noting that the list of punishable offences was longer in the previous PDPA of 1997 than in the PDPA of 2018. However, the old regulations were applied very rarely, regardless of the popular practice of commercial entities using them to threaten enterprises. Therefore, it was reasonable for the lawmakers to limit the number of offences subject to criminal liability. All in all, the addition of provisions on criminal liability to the act should be assessed positively, and we should hope for their rational application and interpretation by law enforcement authorities and the judiciary.