Personal Data Protection


We provide comprehensive assistance to business customers in the fields of protection of personal data and the right to privacy. Most of our direct contacts include data protection officers, in-house and outside counsels, as well representatives of business teams.

Privacy by design or privacy by default? Are employee background checks legal? Can we transfer data to another entity? Will our new IT system or service be compliant with data protection rules? On a day-to-day basis we advise our clients on various privacy related issues from basic questions to sophisticated analyses of cutting edge technologies. We understand that each privacy question is important and we do our best to help our clients navigate Polish privacy law and in their relations with data subjects and regulators.

Our privacy team is one of the largest in Poland and we realize that responsiveness is critical for our customers. We are prepared to meet tight deadlines and work in emergency situations such as data leaks or regulatory inquiries, which require immediate attention. We also understand that clients need a concise and business oriented response. We always try to understand our clients’ business needs and discuss our concerns to find the solution which would be acceptable from both a legal and business perspective.

Our lawyers have previous experience in advising on Intellectual Property and IT which helps them to understand the challenges related to privacy in the digital world. As part of a leading Polish one-stop-shop law firm, we often work with our M&A, employment, IT, banking and finance or criminal law practices as part of a larger team to offer complex and comprehensive legal advice.


We have been advising on privacy issues since 1997 when the first Polish Data Protection Act was adopted, and for the following 20 years we have kept up with all changes and developments.

In particular we provide the following services:

  • Internal policies and documentation:  we prepare/review/localize documentation related to personal data processing, such as: security policies and IT management instructions, registers of authorizations to process personal data or privacy policies for Internet service users.
  • Database/DPO filings to GIODO (the Polish Data Protection Authority): we prepare/update/submit the filings of personal databases and Data Protection Officers; we assess the possibility to apply exemptions from registration obligations.
  • Consent forms/notification: we prepare/review/localize notifications to data subjects and consent forms for the processing of personal data, including consent forms for data transfers to third countries.
  • Data transfers to third countries: we advise on data transfers based on Binding Corporate Rules, Privacy Shield and EU Model Clauses; we prepare applications for the approval of data transfers by the DPA when such approval is required, and represent clients before the DPA in approval proceedings.
  • IT related services and software: we review and provide comments on data processing issues in state-of-the-art IT solutions or services applying them.
  • Cloud computing: we advise on the legal aspects of personal data processing in cloud computing, including data transfers and for purposes of data processing.
  • Employment: the significance of data protection issues in an employment context is growing. Employers are interested in various solutions which optimize and make employment management more efficient. We advise on all issues related to employees’ data processing, including the deployment of employment related software, connection with helpline implementation, employee monitoring, background checks, and the use of a company’s equipment for private purposes or BYOD.
  • Complaint handling and external audits: a data subject’s complaint which is improperly handled often leads to an inspection by the DPA. Therefore, we advise our customers not only on the content of the response but also on strategy. In the case of inspections, we help clients prepare for inspections, collect documents and information, as well as review the inspection’s findings and follow up steps. We are often present on-site during the inspection to be immediately available to the client and inspector and solve problems immediately. This allows us to address any concerns the inspectors might have during the audit and limit the post-inspection findings.
  • Contracts: we assist our clients and our colleagues in drafting, negotiating and making amendments to all possible contracts involving data processing, including both specific data protection contracts such as data processing or data transfer (sharing) agreements, and the contracts in which data processing is only one of the elements of the larger business set up (such as software deployment, marketing, website administration agreements etc.).
  • Due diligence: personal databases have become one of the most valuable assets of an acquired business and some inconsistencies with the law in the process of collecting or processing data in such databases may make them worthless. We assist our M&A practice in the data protection due diligence in various transactions. We focus on issues which are material and take into account the set-up of the transaction (share or asset deals). We advise on potential changes which would mitigate data protection risks. We also support our employment team in matters related to an employment due diligence e.g. with respect to the disclosure of employees’ information during the due diligence and afterwards.
  • Data leaks: we assist our clients in the case of data leaks, preparing letters to the customer, assisting in internal investigations or getting in contact with the regulator.
  • Internal compliance audits and hotlines setup: we advise on data protection matters during internal investigations (e.g. in the course of FCPA or competition law related audits). We also assist in the preparation of hotlines and their operations.