We first offered comprehensive advisory services with respect to data protection and the right to privacy in 1997 when the first Polish legislative instrument, the Personal Data Protection Act, was adopted, and we have steadily developed this field of legal practice. We have noted that although the General Data Protection Regulation (GDPR) has been in force since May 2018, due to a dynamic growth of technology and its new uses, a number of questions still call for an answer. The answers may differ, depending on who processes the data and with which IT system.

The rights to privacy and personal data protection are now important factors in any business operations and the market position of businesses often depends on how they handle personal data. This is why every question a client asks is important to us. We help our clients arrange their relations with data subjects, regulators and business partners.

Our Personal Data team is one of the largest in Poland. We have proved on many occasions that we can act in times of difficulty and under time pressure, e.g., when a personal data breach occurs, a data subject files a complaint or demands some action, or a regulator asks questions. We also understand that our clients need up-to-the point answers that take into account the realities of the marketplace. We always find out what is expected of us and we discuss any doubts that arise, so that a solution that is acceptable from both legal and business perspectives can be found.

Our lawyers have gained experience advising also on intellectual property and IT law, which means we can understand the challenges of protecting privacy in the digital era. In order to provide full-range support, we frequently work together with our colleagues specializing in M&As, labour law, IT, banking and finance and criminal law.

We advise on:

  • Internal policies, registers and documents
    We draw up, verify and localize for use in Poland, policies concerning the processing of personal data, such as security policies, policies regulating the use of IT equipment or systems, BYOD policies, data processing registers, and rules of conduct in the case of data breaches.
  • Video surveillance
    We advise on a number of matters relating to the use of CCTV and electronic surveillance in labour and business relations (in shops, in public spaces).
  • Biometrics
    We advise on the implementation of biometric systems, such as those for face, voice or fingerprints recognition, and we evaluate the systems that are already in place as to their compliance with general data protection law and with sectoral laws.
  • Balancing tests
    We prepare balancing tests for our clients in order to check whether they can process personal data based on a legitimate interest pursued by the data controller or a third party.
  • Impact assessment
    We carry out or cooperate with other parties in carrying out assessments of the processing of personal data in the context of our clients’ business operations. We advise as to when an impact assessment should be carried out and what its scope should be.
  • Information on data processing, templates
    We draw up and verify draft communications about personal data processing and declarations of consent to processing, including those concerned with dissemination of one’s image, and of consents applicable in labour relations. LABOUR LAW
  • Data transfers to third countries
    We advise on personal data transfers to third countries, based on Binding Corporate Rules, the Privacy Shield, and standard contract clauses. We draw up notifications and represent clients in proceedings concerned with data transfers to third countries, including those conducted by the supervisory authorities.
  • Reporting breaches
    We analyse data breaches and advise clients as to whether there is a duty to report a breach to the supervisory authority and to the data subjects, and on possible remedial action. We draft and file letters of notification to supervisory authorities and to data subjects, and we represent clients in the ensuing proceedings.
  • IT services, applications, software
    We offer advice on personal data processing in state-of-the-art IT applications and e-services. We also check cookies policies and privacy statements. NEW TECHNOLOGIES
  • Cloud services
    We offer counsel on many questions regarding the processing of personal data in the cloud, such as the nature of the processing, access to the data, data transfers to third countries. We negotiate contracts on cloud services with the service providers or with their clients.
  • Labour relations
    The gravity and the sheer number of legal issues connected with the processing of personal data in labour relations is growing very fast. Employers would like to have solutions that will help them better and more efficiently manage their staff, and to safeguard their security and their companies’ secrets. We advise on all matters relating to the processing of personal data in labour relations, such as whether certain computer systems can be used for this purpose, staff monitoring and vetting, and the way rights under the GDPR can be exercised. LABOUR LAW
  • Complaints by data subjects
    When a complaint by a data subject is not handled as it should, a supervisory authority often gets involved. We not only advise our clients on how to draft replies to requests or complaints, but also help them design strategies and counsel them on how to reduce the risk that regulators will start proceedings.
  • Audits and supervisory proceedings
    We represent clients in proceedings initiated by the supervisory authority or by data subjects. We are present during the audits the supervisory authority makes at our clients’ premises, thus being able to offer assistance on the spot, and we also help clients prepare for such audits. We check the results of the audits, file reservations, and draw up recommendations based on audit results. We also represent clients in court cases concerned with data breaches, including in disputes over compensation.
  • Contracts
    Drafting, negotiating and amending contracts is another field of our practice. These include not only contracts to entrust the processing of data or those to access processed data, but any contracts that address data processing, such as marketing or lease contracts.
  • Due diligence
    Sets of personal data are valuable assets, and any breach of the law that occurs when they are created or used can potentially have a big impact on the valuation of an enterprise or on the seller’s liability. We support our M&A colleagues by focusing on data protection matters in the due diligence process. M&A We identify matters that can determine how the transaction will be structured (whether to make an asset deal or a share deal), and we find ways to reduce the risks. We also lend our expertise to our colleagues from the labour law team, and advise on the personal data of workers in the context of pre-closing steps and post-closing restructuring. LABOUR LAW
  • Internal investigations and whistle-blower hotlines
    We advise on personal data matters that arise in connection with internal investigations. We help launch and maintain whistle-blower communication channels.
Agata Szeliga
Partner, attorney-at-law
Make an appointment