Poland Data Protection

As of 25 May 2018, the General Data Protection Regulation (GDPR) applies in the EU. The GDPR is horizontal privacy legislation that applies across sectors and to companies of all sizes. It replaces the previous data protection Directive 1995/46. The overall objectives and underlying principles of the legislation remain the same. Businesses must inform consumers that they are collecting personal data and must have a legal basis to process and retain the data.

However, there are significant differences in the definitions of key terminology. The GDPR creates a number of new requirements for organizations that process EU individuals’ personal data. Companies have an obligation to demonstrate their compliance, in part through a number of documentation obligations. Data subjects have a number of rights, which include access to, correction of, and erasure of their personal data.

The GDPR has extra-territorial reach, which means that it might be applicable to U.S. entities even if they do not have a physical presence in Europe. In that case, such organizations need to have a representative based in Europe, or in certain cases need to appoint a Data Protection Officer.

Fines in case of non-compliance can reach up to 4% of annual worldwide revenue or 20 million euros, whichever is higher. Companies of all sizes and sectors should consider GDPR as part of their overall compliance effort, with the assistance of legal counsel.

The European Commission and Data Protection Authorities are releasing official guidelines to help companies with their compliance process (see resources below).  

Note: the EU is currently updating its e-privacy legislation governing confidentiality of communications. This legislative instrument, once enacted, will add a number of requirements in addition to the GDPR. We encourage U.S. exporters to monitor this situation as it evolves through the EU legislative process.

For more information:  

Full GDPR text 

European Commission guidance: 

http://ec.europa.eu/justice/smedataprotect/index_en.htm 

https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en 

Transferring Customer Data to Countries outside the EU 

The General Data Protection Regulation (GDPR) provides for the free flow of personal data within the EU but also for its protection when it leaves the region’s borders.  

The GDPR (Chapter 5 - Article 44 onwards) sets out obligations on data controllers (those in charge of deciding what personal data is collected and how/why it is processed) and on data processors (those who act on behalf of the controller), and gives rights to data subjects (the individuals to whom the data relates). These rules were designed to provide a high level of privacy protection for personal data, and were complemented by measures to ensure the protection is maintained when data leaves the region, whether it is transferred to controllers, processors or to third parties (e.g. subcontractors). EU legislators put restrictions on transfers of personal data outside of the EU, specifying that such data could only be exported if “adequate protection” is provided.

The European Commission (EC) is responsible for assessing whether a country outside the EU has a legal framework that provides sufficient protection for it to issue an “adequacy finding” to that country. The U.S. has never sought to be found adequate by the EC. This means that U.S. companies can only receive personal data from the EU if they:  

• Join the EU-U.S. Privacy Shield program, or

• Provide appropriate safeguards (e.g. contractual clauses, binding corporate rules), or

• Refer to one of the GDPR’s derogations.

 

European Commission’s webpage on transfers outside the EU and all mechanisms outlined below:  

Data Transfers Outside of EU  

Important note

The legal environment for data transfers to the United States continues to evolve. Companies that transfer EU citizen data to the United States as part of a commercial transaction should consult with an attorney who specializes in EU data privacy law to determine what options may be available for a particular transaction.

About the EU-U.S. Privacy Shield  

The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.  

For more information on the EU-U.S. Privacy Shield  

For more information about other mechanisms of transfer, please refer to: 

Transferring Personal Data from EU to U.S. 
