The President of the Personal Data Protection Office encourages the journalistic community to draw up a code of conduct
Data anonymisation rules, the archiving of press material from websites, data protection in recordings featuring children, and exercising restraint in disclosing information that may reveal details about individuals who do not hold public office – these are areas that could be regulated in the GDPR Code of Conduct for the media.
Although the media benefit from the so-called ‘journalistic exception’ provided for in Article 2 of the Act of 10 May 2018 on the Protection of Personal Data, they are not entirely exempt from the provisions of the General Data Protection Regulation (GDPR). This is because news organisations are controllers and must implement procedures to protect the personal data of individuals who do not hold public office, in particular, for example, children and victims of crime. At the same time, it must be borne in mind that the rules governing the publication of information containing personal data are also set out in press law and civil law. A code of conduct should provide practical guidance, ideally with examples, drawing on the case law of Polish and European courts.
Therefore, establishing common rules for data processing would make it easier for news organisations that adhere to such a code to apply appropriate safeguards to data collected in the course of preparing news reports, to determine the retention periods for recordings and photographs, and to handle material in which minors or victims of crime are depicted.
Establishing a set of rules in the form of an industry code of conduct approved by the President of the Personal Data Protection Office would help news organisations assess in which situations individuals’ data should be anonymised and how to reconcile the right to information with individuals’ right to privacy. At present, news organisations apply a wide variety of approaches, which do not always guarantee an adequate level of personal data protection. Meanwhile, a jointly developed standard would facilitate compliance with the GDPR.
The issue of the media industry drafting such a code arose during a conference at the Personal Data Protection Office entitled ‘Personal data on air – standards and limits of protection’, which took place on 19 November 2025. A number of issues were discussed at the time, relating to the scope of information disclosed, the difficulty of archiving data, the right to be forgotten, and the security of data storage media.
Agnieszka Grzelak, Deputy Chair of the Personal Data Protection Office, emphasised at the time that the aim was not to restrict media activities, but to ensure the responsible use of personal data.
“The Personal Data Protection Office emphasises the need to select security measures that are proportionate to the risks present in the media. For example, one should consider whether all the information contained in a message is absolutely necessary. In the case of children or the elderly, this should be given extra careful thought,” said Agnieszka Grzelak.
The President of the Personal Data Protection Office encourages the journalistic and media communities to take the initiative to draw up an industry code of conduct. In accordance with the principles of the GDPR, the code should be drawn up with the active involvement of industry representatives, who are best placed to understand the practical realities of editorial operations. The President of the Personal Data Protection Office, for his part, may support this initiative and assess and approve the draft once it has been prepared.
The conclusions from the aforementioned conference, ‘Personal Data on Air – Standards and Limits of Protection’, and the Personal Data Protection Office’s recommendations for the media sector can be found in the attached file below.