AI ACT and GDPR: transposition into Polish law

In view of the above, the Personal Data Protection Office and the Ministry of Digitalisation in Poland are preparing the transposition of such an important regulation into Polish law.

Recital 5aa of the AI ACT makes clear that it does not seek to affect the application of existing Union law governing the processing of personal data, including the tasks and powers of the independent supervisory authorities competent to monitor compliance with those instruments. Consequently, the requirements under both the GDPR and the AI ACT will need to be met.

Of course, the legislative acts differ in fundamental ways – the AI ACT also applies to the use of non-personal data and regulates only two categories of AI systems (prohibited systems, high-risk systems), while the GDPR applies to all systems and deals with all aspects of the processing of personal data and thus has a wider scope of application.

Importantly, two provisions of the AI ACT explicitly refer to the processing of personal data on certain grounds:

At the same time, as the regulations overlap in their scope, there is a risk of double penalties for the data controller and the provider or user of the AI system if one event breaches both the GDPR and the AI ACT.

The Polish Ministry of Digitalisation has completed the pre-consultation phase of transposing the AI ACT into the Polish legal system. In this process, they focused on four key issues: 

The President of the Polish Data Protection Authority participates in the meetings of the Standing Sub-committee of the Sejm of the Republic of Poland on Artificial Intelligence and Algorithm Transparency and provides his opinions on the design and adaptation of national law to data protection requirements in relation to the use of artificial intelligence systems. In particular, the President considers it important to analyse the interplay between AI ACT and the data protection legislation already in force in the Polish legal system and to apply solutions ensuring a fair balance of interests. Additionally, the President has indicated the need to ensure compliance of the AI ACT with the personal data and privacy protection laws applicable in Poland, in particular, the Polish Constitution (Article 15 – the right to personal data protection and Article 47 - the right to privacy), the GDPR and the so-called Police Directive.

The Polish Data Protection Office has also issued an opinion on the AI ACT, expressing special support for:

In addition, the President of the Data Protection Authority is currently investigating a complaint concerning ChatGPT, in which the complainant has accused OpenAI of, among other things, processing data unlawfully, including on terms that are not transparent to users. The complainant has pointed out that Open AI did not observe the rights of individuals stipulated by the GDPR. Chat GPT generated false information about the complainant in response to the complainant's enquiry, and the request for rectification was not followed up. This issue had been earlier commented on by, among others, the Italian Data Protection Authority, which indicated the conditions which OpenAI had to meet to process data in compliance with the GDPR.

In sum, the Polish authorities face numerous challenges when it comes to transposing the AI ACT and ensuring appropriate data protection amid the growing popularity of artificial Intelligence.​