27.01.2025

Mirosław Wróblewski's first year as President of the Personal Data Protection Office is over

Dear Ladies and Gentlemen,

The modern world is unable to function without personal data. Not only are the services of the State for citizens based on them, but also the development of further services and technologies, including artificial intelligence. This is why it is so important for every controller to protect the data they process in the way they would like to protect information about themselves. And I have been striving to build such awareness since the beginning of my term as President of the Personal Data Protection Office, together with my colleagues in the Office. I want the activities of the Personal Data Protection Office to contribute effectively to making the whole society aware of the importance of personal data protection in the modern world.

This is the goal I set when I took the oath of office in the Sejm of the Republic of Poland (lower chamber of the Polish Parliament) a year ago (26 January 2024).

Among other things, I began my term of office with a series of meetings with the heads of constitutional institutions and government offices. I took part in conferences and numerous meetings in an effort to impart knowledge about personal data.

It is not a fringe activity, a matter for IT and data protection officers, as we are used to thinking, but an essential management task. It requires a risk-based approach. Such analyses are the basis for seeking better safeguards and avoiding risks that otherwise become unavoidable - I have reminded at virtually every opportunity.

During 2024, there was also no shortage of meetings with business representatives, including the IT industry, where we discussed, among other things, the problems of using personal data to train artificial intelligence models, which is currently one of the most important topics in the digital security domain.

Artificial intelligence and data protection in this sphere, by the way, remained one of my primary subjects of interest in 2024, not least because of the Artificial Intelligence Act, a regulation that was adopted in the European Union. It represents the world's first such comprehensive legal regulation for artificial intelligence systems and models. The so-called AI Act will certainly remain one of the most discussed data protection issues for a long time, also in the context of the activity of the Polish SA in 2025.

One of the key topics is the protection of personal data in healthcare, as it is from this sector that a huge number of breaches or high-profile data leakages originate.

Thus, my activity and that of my colleagues also manifested itself in trainings and participation in conferences organised, among others, by the medical community. We also organised, in cooperation with the Social Team of Experts to the President of the Personal Data Protection Office, an extremely interesting conference on medical robotics and the use of data in modern medical technologies. These events provided an opportunity to convey knowledge about personal data in a precise way, taking into account the specifics of this sector.

Another area of particular interest for me in 2024 was the protection of minors' personal data. During the conference ‘Challenges for the protection of children's personal data’, held on 26 April 2024 at the Personal Data Protection Office, I signed a cooperation agreement with the Ombudsman for Children Monika Horna-Cieślak on educational and research initiatives concerning the personal data of children and adolescents. The conference, as well as the agreement, gave impetus to cooperation for better protection of the image of minors in the digital age, especially in social media. These activities also resulted in the publication by Polish SA, together with the Orange Foundation, of a handbook ‘The image of a child on the internet. To publish or not to publish?’.

In connection with the questions received by the Polish SA regarding the processing of personal data for the adoption and implementation of the standards for the protection of minors, I also pointed out what aspects to be careful about when applying the so-called Kamilka Act (i.e. the Act on the prevention of the threat of sexual offences and the protection of minors, which entered into force on 15 February 2024) in accordance with the standards for the protection of personal data. We have attempted in the Office to set basic standards of conduct in this matter and, on this basis, I have asked the Minister of Justice, Prof. Adam Bodnar, to initiate amendments to the provisions of the so-called Kamilka Act with a view to bringing them into line with data protection principles.

I systematically strive to make data protection thinking an indispensable element of any legislative process. Thus, the Polish SA participates in giving opinions on drafts at the governmental stage, and also prepares expert opinions for the Sejm, constantly pointing out that a good impact assessment should be complemented by a risk analysis of the introduction of regulations related to data processing.

An increasing number of legislative solutions presuppose the processing of data, be it in the case of animal protection, senior citizen vouchers or waste collection fees. However, care must be taken to ensure that the regulations do not lead to excessive data processing by data controllers and that imprecise laws on the processing of personal data are not created. In order to make the emerging law better and take data protection properly into account, I have established cooperation with experts in the field of legislation - in January this year I signed an agreement on cooperation with the Polish Legislation Association, and we are planning to sign a similar agreement today (27 January 2025) with the President of the Government Legislation Centre.

Last year, I also pointed out the need for amendments to the Act on the Protection of Whistleblowers (which came into force on 15 September 2024). The comments mainly concerned inconsistencies in the provisions touching on the anonymity of whistleblower data processing. Doubts concerning this matter were discussed in detail during the seminar ‘Practical problems in the application of the provisions of the Act on the Protection of Whistleblowers from the perspective of GDPR’, organised in August 2024 at the Personal Data Protection Office.

In the past year, I have also submitted numerous comments on legislative initiatives and existing laws, including the draft Act on the National Fiscal Administration, the Criminal Code and the Criminal Procedure Code, the draft Act on Electronic Communications, and the Act on the National Register of Persons Performing Certain Public Functions.

In this context, comments submitted to the ‘Digitisation Strategy of Poland until 2035’ should be regarded as extremely important, among which the issues of insufficient protection of biometric and behavioural data in legal regulations, the performance of IT services concerning the circulation of personal data by entities not belonging to the European Economic Area, the accelerated expansion of the so-called Internet of Things in recent years, or the use by the private sector of personal data administered by the public sector were raised. I have also recently submitted comments to the ‘Cyber Security Strategy of the Republic of Poland’, in the hope that taking them into account will help to improve this document.

The case of the ban imposed on Meta Platforms following a complaint by Mr Rafal Brzoska, CEO of InPost, stopping the display of advertisements using the real data of Rafal Brzoska and his wife, Omena Mensah, on Facebook and Instagram in the Republic of Poland, gained a social dimension. Meta soon appealed the order to the Voivodeship Administrative Court, which, however, refused to suspend the orders of the President of the Polish SA.

Last year, I also fined mBank - more than PLN 4 million - for failing to notify those affected by the data leakage. The bank failed to comply with its obligations under GDPR, after a group of customers' personal data went to an unauthorised recipient in 2022.

The fine imposed on the National Public Prosecutor's Office for disclosing the data of a crime victim (PLN 85 000) was also of crucial social significance. The case concerned a press conference at which Tomasz Szafrański, prosecutor of the National Public Prosecutor's Office, and Zbigniew Ziobro, Prosecutor General - Minister of Justice, discussed the case of one of the district public prosecutor's offices. During the conference, the personal data of a person with the status of a victim in criminal proceedings and information on the facts of the case contained in the district court's judgment were disclosed.

In 2024, we and our colleagues have carried out a number of initiatives to promote the subject of data protection and the Personal Data Protection Office itself. Among them is a new venture called ‘The Polish SA on tour across Poland’, which aims to better understand local data protection issues. During this campaign, we hold nationwide meetings with local residents and voivodeship and local authorities. This allows the staff of the Polish SA to better understand the data protection problems faced by local communities in different regions of Poland.

In June last year, I set up a Social Team of Experts to support the supervisory authority in the performance of its tasks set out in the law, in particular to advise and express opinions on matters submitted to the Team. It is thanks to the Team that we are sorting out and updating the sectoral guides on personal data protection. I would like to thank all the experts very much for their activities within this extremely important Team.

In 2024, I also attended eleven meetings of the European Data Protection Board - including its 100th formal plenary meeting. Participation in these meetings helps to ensure that Poland has a real influence on the solutions and opinions of this European body in the area of personal data protection.

I hope that the next year of my term will be just as fruitful and interesting. We have started the new 2025 with an overhaul of the structure of the Personal Data Protection Office to make our work even more effective. This year we are facing further changes related to the implementation of the EU Data Governance Act - we are waiting for the adoption of the Polish Data Governance Act. Its adoption will mean new tasks for the Polish SA, primarily concerning data intermediary services and the registration of data altruism institutions. Priorities will be the effective enforcement of data protection legislation and further education and awareness-raising activities on the rights of data subjects, especially in the context of new technologies. Knowing that we have a growing number of allies in this important mission, both in the public and private sectors, receiving support from experts and Polish SA’s staff, tomorrow's Data Protection Day and the whole year 2025 promises to be a good one.

 

Mirosław Wróblewski,

President of the Personal Data Protection Office