Sat, May
62 New Articles

Poland: Web Apps and Privacy Notices in the Crosshairs of Polish Data Regulator

Poland: Web Apps and Privacy Notices in the Crosshairs of Polish Data Regulator

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

The Polish Data Protection Authority (PUODO) has recently published its new sectoral inspection plan for 2024. Every year, the authority indicates which business sectors or specific processing operations will be subject to increased regulatory scrutiny and potential enforcement for failure to comply. This year, the plan includes three points, one of which relates to public authorities processing personal data in the Schengen Information System (SIS) and Visa Information System (VIS). However, the other two points of the plan are relevant to businesses across all sectors in the private sector.

1. Personal data processing through web applications 

The list includes entities processing personal data using Internet (web) applications. The PUODO specifies that it will verify the method of securing and sharing personal data processed in connection with the use of these web applications. 

A web application is any software that runs via a web browser. It is difficult to imagine a business in 2024 which does not use any web apps. Web applications are used by businesses across various domains to manage operations, communication, sales, and much more. They often play a crucial role in the digital infrastructure of modern businesses, enabling them to be more efficient and customer focused. Here are some examples of commonly used web applications for various use cases:

  • Communication and video conferencing (e.g., Zoom, Microsoft Teams, Webex, Slack), 
  • Document management and storage (e.g., Google Drive, Dropbox, Evernote Business),
  • Customer relationship management (e.g., Salesforce, Microsoft Dynamics, Pipedrive).

The PUODO’s plan includes not only manufacturers of web apps but also all entities processing personal data via such web apps, making the scope of the plan very broad.

2. Privacy notices - transparency obligations

The Polish regulator will also focus this year on verifying the correct fulfilment of information obligations by private sector entities. 

Under the GDPR, a data controller must provide data subjects with a privacy notice setting out how the individual’s personal data will be processed. The privacy notice must contain the enhanced transparency information. Article 12 of the GDPR provides general rules on transparency, whereas Articles 13 and 14 of the GDPR set out specific information which needs to be provided to data subjects where data is collected directly from them or from third parties.

This point of the PUODO’s inspection plan, in practice, covers all private sector businesses, regardless of the industry they operate in. All controllers need to comply with the GDPR transparency obligations, and all businesses use various privacy notices tailored to their processing operations. 


Looking at the inspection plans published by the PUODO in the last few years, we can see that the regulator’s approach has clearly shifted towards very broad categories of processing operations across all sectors, making most private businesses open to inspection by the PUODO under the sectoral inspection plan this year. 

The new inspection plan could therefore affect all businesses in Poland who will need to double down on their compliance in order to avoid enforcement.

Next steps

Businesses operating in Poland should take stock and assess the GDPR compliance of their privacy notices and their use of web applications.

By Szymon Sieniewicz, Head of TMT/IP, Linklaters Warsaw

Our Latest Issue