Commentary on art. 1

GDPR – commentary

A continuously updated commentary on the General Data Protection Regulation.
We only write about what is important in practice.

Subject matter and objectives

  • The provisions of the GDPR are directly applicable in Poland and in all EU countries to all entities covered by its provisions (including, for example, entrepreneurs).
  • The legal framework for the processing and protection of personal data is shaped at a fundamental level by the GDPR and at a complementary, narrower level (in certain specific areas) by the national laws of individual Member States, which apply only in those states.
  • The provisions of the GDPR have the rights and freedoms of individuals at their core. Therefore, where interpretative doubts arise in the application of the GDPR, supervisory authorities will often favour an interpretation that is more favourable to data subjects rather than, for example, to entrepreneurs acting as data controllers.
  • In principle, the GDPR does not contain any guidelines, requirements or instructions regarding the use of specific personal data processing or protection techniques. Consequently, the GDPR does not prejudge a priori that any personal data processing or protection technique is either compliant or non-compliant. In other words, in theory, any personal data processing or protection technology can be GDPR compliant as long as it meets the general requirements set out in the GDPR. As a result, it is up to the entity processing personal data in each case to first assess whether the technological means of processing or protecting personal data that it intends to use are compliant with the GDPR.

The GDPR as a directly applicable law

The GDPR is a regulation of the European Union. As a result, its provisions are directly applicable in Poland and in all EU countries to all entities covered by its provisions (including, for example, entrepreneurs).

Furthermore, acts of a local nature, including, for example, Polish laws, must comply with the provisions of the GDPR. However, the GDPR itself allows individual member states to supplement, clarify or modify the provisions of the GDPR at national level in certain areas. In Poland, for example, such additions have been made to the provisions of labour law.

Therefore, the legal framework for the processing and protection of personal data is shaped at a fundamental level by the GDPR and, at a complementary, narrower level in certain specific areas, by the national laws of individual member states, which apply only in those states. From the Polish perspective, therefore, the entities to which the GDPR applies (including, for example, entrepreneurs registered in Poland) are required to organise and carry out the processing of personal data primarily in accordance with the GDPR and, to the relevant extent, with the provisions of Polish law supplementing the GDPR on the processing and protection of personal data (if any).

Objectives of the GDPR and their impact on the practice of applying the GDPR

One of the main objectives of the GDPR, in addition to harmonising the rules governing the processing and protection of personal data across the EU and removing obstacles to data flows, was to strengthen the protection of individuals' rights and freedoms in relation to the processing of their personal data.

Accordingly, the focus of the GDPR provisions is precisely on the rights and freedoms of individuals in relation to the processing of their personal data. As a result, when interpretative doubts arise regarding the application of the GDPR, supervisory authorities will often side with interpretations that are more favourable to data subjects rather than, for example, to entrepreneurs acting as controllers. Consequently, a precautionary approach is usually advisable in order to minimise the risks of a GDPR breach.

The GDPR as an act without technical regulation

As stated in Recital 15 to the GDPR,

in order to prevent a serious risk of circumvention, the protection of natural persons should be technologically neutral and should not depend on the techniques used.

In principle, the GDPR does not provide guidance, requirements or instructions on the use of specific techniques for processing or protecting personal data. Thus, the GDPR does not prejudge a priori that certain personal data processing or protection techniques will be compliant or non-compliant. In other words, in theory, any technical means of processing or protecting personal data can be compliant with the GDPR as long as it complies with the general requirements set out in the GDPR (e.g. with regard to data security [Article 32] or the principles of privacy by design and privacy by default). As a result, it is the responsibility of the entity processing personal data in each case to first assess (and, due to the principle of accountability, to document and justify) whether the technical means of data processing or protection that it intends to use comply with the GDPR.

It should be noted that, from the point of view of the entrepreneur, this solution can be both advantageous and disadvantageous. It is advantageous because it does not limit the development of technologies (e.g. electronic services or IoT or IoB products, including those using artificial intelligence) related to the processing of personal data and, as a rule, does not hinder innovation. It is disadvantageous because it does not provide entities processing personal data with the sometimes desirable certainty that specific technical solutions used for data processing or data protection can be considered compliant a priori, without additional analysis.

To what personal data does the GDPR apply?

The GDPR applies to the personal data of natural persons (including entrepreneurs), but not to the personal data of deceased persons. The GDPR does not apply to the processing of data relating to legal persons.