Poland’s Act amending its Telecommunications Law and Certain Other Laws of November 16, 2012, came into effect on March 22, 2013. The law relates specifically to telecommunications companies, and therefore other sectors such as service providers and third-party advertisers are not affected by the amendment. With respect to cookies, it implements the EU Cookie Directive and switches the requirement from “opt-out” to “opt-in.” In other words, consent of the user must be obtained before cookies are stored and accessed. The penalties for non-compliance can be up to 3% of a company’s annual profits. Informed consent requires disclosure of the purpose of storing and gaining access to cookies and the option of using browser settings to control the access and storing of cookies. However, the expression of consent may be manifested by leaving the default browser setting as-is.
The amendment also imposes a breach notification requirement under which public telecommunications providers must report to the Polish Inspector General for the Protection of Personal Data (in Poland, this is abbreviated as “GIODO”) within three days if the breach is considered to be incidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access. If the breach has a negative impact on users’ service, those users must be notified as well, also within three days. The Polish Data Inspector General spoke with DataGuidance and indicated that administrative decisions, as well as sanctions against companies not in compliance with administrative decisions, will take place.