The Act of 14 December 2018 on the Protection of Personal Data Processed in Connection with the Prevention and Combating of Crime (hereinafter referred to as the "Act") was enacted to regulate an area that was excluded from the scope of the GDPR, i.e., the prevention and combating of crime. The Act differs from the GDPR primarily in the following aspects:

  1. the basis for processing personal data;
  2. fulfillment of the information obligation;
  3. the need to appoint a data protection officer;
  4. the rights of data subjects, as well as
  5. documentation maintained.

It should be emphasized that the provisions of the Act, pursuant to Article 1, point 1, are applied exclusively by competent authorities for the purpose of recognizing, preventing, detecting, and combating prohibited acts. These authorities include courts, the Prosecutor's Office, the Prison Service, bailiffs conducting enforcement activities in criminal proceedings, as well as other authorities such as the Military Police or the Border Guard.

1. Legal basis for data processing in accordance with the Act

As indicated above, the Act has a limited legal basis for processing personal data, which is described in Article 13 for ordinary data and Article 14 for special category data. Therefore, data processing may only take place when necessary to exercise a right or fulfill an obligation under the law. If the conditions specified in the Act are met, processing of data originally collected for other purposes is permissible. Similar to the GDPR, the Act prohibits the processing of special category data unless such processing is legally permitted, necessary to protect the life, health, or interests of the data subject or another person, or such data has been made public by the data subject.

2. Obligation to implement and maintain documentation

The Act also obliges the controller to develop and implement a personal data protection policy, to maintain a register of categories of processing activities and a list of categories of processing activities performed on behalf of the controller, to record processing operations carried out in automated systems, and to keep records of persons authorized to process data.

3. Absolute obligation to appoint a data protection officer

It should be emphasized that each of the data controllers defined in the Act is obliged to appoint a data protection officer, which is also a specific difference compared to the GDPR, where the appointment of a data protection officer is necessary only when certain conditions are met.

4. Rights of data subjects

The rights of data subjects, as set out in Articles 22-25 of the Act, are somewhat different. Data subjects have the right to obtain information about the processing of their personal data, the right to access their data and obtain a copy or extract thereof, the right to amend, update, or rectify their personal data, the right to erase their personal data, or to restrict processing, as well as the right to lodge a complaint with a supervisory authority.

5. Fulfillment of the information obligation

Certain differences also arise in the fulfillment of the information obligation. Under the Act, the controller provides basic information about their identity, registered office, data and/or origin, the purpose for which the data will be used, and the rights of the data subject. This catalog is therefore largely similar to the layered fulfillment of the information obligation. In this respect, the controller makes data available on a website, in the Public Information Bulletin, on the website of the relevant authority or office, or at its headquarters. In specific cases, the controller provides the data subject with information about the legal basis for data processing, the duration of processing, and the recipients of the data to enable the exercise of their rights. Upon request, the data subject is entitled to obtain a broad range of information about the processed data, partially consistent with the scope of Article 13 of the GDPR. However, under the Act, fulfilling the information obligation does not constitute an active obligation on the part of the controller.

This article is for informational purposes only and does not constitute legal advice.

Legal status as of April 8, 2025
