Page 1

© Chancellery of the Sejm

p. 1/114

Journal of Laws 2019 item 730

LAW
of February 21, 2019
on amending certain acts in connection with ensuring the application of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC
(General Data Protection Regulation) 1), 2)
Art. 1. In the Act of 14 June 1960 - Code of Administrative Procedure (Journal of Laws of 2018, item 2096
and of 2019, item 60) is hereby amended as follows:
1) after art. 2, Art. 2a is added as follows:
"Art. 2a. § 1. The Code of Administrative Procedure also regulates the manner of performing the obligation under which
rhyme in art. 13 sec. 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April

1)

This act applies to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
on the protection of individuals with regard to the processing of personal data and on the free movement of such data

2)

data and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04.05.2016, p. 1 and
Journal Of UE L 127 of 23/05/2018, p. 2).
This Act amends the following acts: the Act of 14 June 1960 - Code of Administrative Procedure, the Act of
1 December 1961 on maritime chambers, the Act of 17 June 1966 on enforcement proceedings in administration, the Act of
June 26, 1974 - Labor Code, the Act of January 26, 1982 - Teacher's Charter, the Act of May 26, 1982 - Law
on the bar, the act of 6 July 1982 on legal advisers, the act of 6 July 1982 on land and mortgage registers and mortgage,
the Act of September 16, 1982 - Cooperative Law, the Act of October 26, 1982 on upbringing in sobriety and
c inactivating alcoholism, the Act of 14 July 1983 on the National Archival Resources and Archives, the Act of 21 March
1985 on public roads, the act of 18 April 1985 on inland fishing, the act of 15 July 1987 on the
on Civil Rights, the Act of May 17, 1989 - Geodetic and Cartographic Law, the Act of February 14, 1991 Law on notaries, the act of 21 March 1991 on the maritime areas of the Republic of Poland and maritime administration, the act
of May 23, 1991 on resolving collective disputes, the Act of July 20, 1991 on the Inspection of Environmental Protection, the Act
of August 24, 1991 on fire protection, the Act of August 24, 1991 on the State Fire Service, the Act
of September 7, 1991 on the education system, the Act of October 25, 1991 on organizing and conducting cultural activities
tural, the Act of October 16, 1992 on Orders and Decorations, the Act of December 10, 1993 on Provision for
for professional soldiers and their families, the Act of 18 February 1994 on old-age pension provision for Police officers,
Internal Security Agency, Foreign Intelligence Agency, Military Counterintelligence Service, Military Intelligence Service,
Central Anticorruption Bureau, Border Guard, State Protection Service, State Fire Service, Customs and Treasury Service
bowa and the Prison Service and their families, the Act of March 4, 1994 on the Company Social Benefit Fund, the Act
of July 7, 1994 - Construction Law, the Act of August 19, 1994 on the protection of mental health, the Act of October 27,
October 1994 on toll motorways and the National Road Fund, the Act of June 29, 1995 on traffic statistics
bolic, the Act of October 13, 1995 on the principles of registration and identification of taxpayers and remitters, the Act of October 13,
October 1995 - Hunting Law, the Act of May 31, 1996 on persons deported to forced labor and prisoners
in labor camps by the Third Reich and the Union of Soviet Socialist Republics, the Act of July 5, 1996 on counseling
in addition, the Act of August 8, 1996 on the Council of Ministers, the Act of September 13, 1996 on the maintenance of cleanliness and order
in municipalities, the Act of December 5, 1996 on the professions of a doctor and dentist, the Act of April 10, 1997 - Energy Law
getyczne, the Act of June 6, 1997 - Penal Code, the Act of June 20, 1997 - Road Traffic Law, the Act
of August 22, 1997 on the public blood service, the Act of August 27, 1997 on vocational and social rehabilitation, and
employing disabled people, the Act of August 29, 1997 - Tax Ordinance, the Act of August 29, 1997.
on the National Bank of Poland, the Act of August 29, 1997 - Banking Law, the Act of October 13, 1998 on the
social insurance, the Act of 17 December 1998 on pensions and disability pensions from the Social Insurance Fund, the Act
of January 6, 2000 on the Ombudsman for Children, the Act of May 24, 2000 on the National Criminal Register, the Act of
November 29, 2000 - Atomic Law, the Act of December 7, 2000 on the operation of cooperative banks and their association
and affiliating banks, the Act of December 15, 2000 on professional self-governments of architects and construction engineers,
the Act of 21 December 2000 on inland navigation, the Act of 3 February 2001 on the protection of Fryderyk Chopin's heritage,
the Act of July 6, 2001 on detective services, the Act of July 27, 2001 on probation officers, the Act of
August 11, 2001 on special rules for the reconstruction, renovation and demolition of damaged or damaged buildings
23/04/2019

Page 2
© Chancellery of the Sejm

pp. 2/114

as a result of the disaster, the Act of August 24, 2001 on the Military Police and military law enforcement agencies
the Act of 6 September 2001 on road transport, the Act of 3 July 2002 - Aviation Law, the Act of 5 July
2002 on the provision of legal assistance by foreign lawyers in the Republic of Poland, the Act of 18 July 2002.
on the provision of electronic services, the Act of March 27, 2003 on spatial planning and development, the Act
of March 28, 2003 on rail transport, the Act of May 22, 2003 on compulsory insurance, Insurance
the Guarantee Fund and the Polish Motor Insurers' Bureau, the Act of June 13, 2003 on employment
social security, the Act of 23 July 2003 on the protection of monuments and the care of monuments, the Act of 11 September 2003 on
military professional soldiers, the Act of 17 October 2003 on the performance of underwater works, the Act of 28 November
it is falling 2003 on family benefits, the Act of January 29, 2004 ̶ Public Procurement Law, the Act of March 12
2004 on social assistance, the Act of April 16, 2004 on construction products, the Act of April 20, 2004 on
employment power and labor market institutions, the Act of 30 April 2004 on pre-retirement benefits, the Act of
On April 30, 2004 on proceedings in matters relating to state aid, the Act of May 27, 2004 on investment funds
investment funds and management of alternative investment funds, the Act of July 16, 2004 - Telecommunications Law,
the Act of 27 August 2004 on health care services financed from public funds, the Act of 25 November
is falling 2004 on the profession of a sworn translator, the Act of 17 December 2004 on liability for violation of financial discipline
public finance, the Act of February 17, 2005 on the computerization of the activities of entities performing public tasks,
the Act of April 21, 2005 on Subscription Fees, the Act of July 29, 2005 on Counteracting Domestic Violence
no, the Act of July 29, 2005 on Trading in Financial Instruments, the Act of July 13, 2006 on Passport Documents,
regulations, the Act of July 21, 2006 on the supervision of the financial market, the Act of August 25, 2006 on biocomponents and bioliquid fuels, the Act of September 8, 2006 on the State Medical Rescue, the Act of January 12, 2007.
on special purpose road companies, the Act of 26 April 2007 on Crisis Management, the Act of
On June 15, 2007 on the license of a restructuring advisor, the Act of September 7, 2007 on assistance to persons entitled to
alimony, the Act of 17 October 2008 on the change of name and surname, the Act of 6 November 2008 on the rights of patients
and the Patient's Rights Ombudsman, the Act of 21 November 2008 on the Civil Service, the Act of 23 January 2009 on the National School
Of the Judiciary and the Public Prosecutor's Office, the Act of April 2, 2009 on Polish Citizenship, the Act of May 7, 2009 on
to the families of victims of collective liberties in the years 1956–1989, the Act of June 25, 2009 on organic agriculture
logical, the Act of 17 July 2009 on the system of managing emissions of greenhouse gases and other substances, the Act of
On November 5, 2009 on cooperative savings and credit unions, the Act of March 4, 2010 on information infrastructure
spatial, the Act of April 9, 2010 on the provision of economic information and exchange of economic data,
the Act of August 6, 2010 on ID Cards, the Act of September 24, 2010 on the Population Register, the Act of
December 16, 2010 on public collective transport, the Act of February 4, 2011 on the care of children up to 3 years of age, the Act
of April 15, 2011 on medical activities, the Act of April 28, 2011 on the information system in health care,
the Act of May 12, 2011 on the National Council of the Judiciary, the Act of May 12, 2011 on Consumer Credit, the Act
of June 9, 2011 on supporting the family and foster care system, the Act of July 15, 2011 on inspection in administration
governmental, the Act of August 18, 2011 on the safety of persons residing in water areas, the Act of August 18
2011 on safety and rescue in the mountains and organized ski areas, the Act of August 19, 2011.
on Payment Services, the Act of August 19, 2011 on Veterans of Activities Outside the State, the Act of August 19
2011 on the transport of dangerous goods, the Act of 28 June 2012 on the repayment of certain unpaid receivables
entrepreneurs resulting from the implementation of awarded public contracts, the Act of August 31, 2012 on the State
Marine Accident Investigation Mission, the Act of 14 December 2012 on waste, the Act of 11 October 2013 on mutual
assistance in the recovery of taxes, customs duties and other monetary receivables, the Act of 22 November 2013 on the system
emergency notification, the act of 30 May 2014 on consumer rights, the act of 11 July 2014 on the principles of
implementation of cohesion policy programs financed under the 2014–2020 financial perspective, the Act of August 29
2014 on the energy performance of buildings, the Act of 28 November 2014 - Law on civil status records, the Act
of November 28, 2014 on medical boards subordinate to the minister competent for internal affairs, the Act of December 5
on the Large Family Card, the Act of December 19, 2014 on Sea Fishing, the Act of February 20, 2015 on
renewable energy sources, the Act of March 20, 2015 on the activists of the anti-communist opposition and
for political reasons, the Act of 12 June 2015 on the greenhouse gas emission allowance trading scheme,
the Act of 25 June 2015 on the treatment of infertility, the Act of 10 July 2015 on supporting the sustainable development of the sector
with the participation of the European Maritime and Fisheries Fund, the Act of September 11, 2015 on the activity inand reinsurance, the Act of 9 October 2015 on the performance of the Agreement between the Government of the Republic of Poland
and the Government of the United States of America on improving compliance with international tax obligations; and
implementation of the FATCA legislation, the Revitalization Act of October 9, 2015, the Revitalization Act of February 11, 2016
states in raising children, the Act of February 25, 2016 on the re-use of public sector information,
the Act of 29 April 2016 on specific rules for performing certain tasks in the field of computerization of the activities of
of the National Revenue Administration, the Act of May 13, 2016 on counteracting the threat of crime in the context of secoptional, the Act of 10 June 2016 on the Bank Guarantee Fund, the deposit guarantee system and the
compulsory restructuring, the Act of 21 October 2016 on the concession for construction works or services, the Act of
November 16, 2016 on the National Tax Administration, the Act of December 14, 2016 - Education Law, the Act of
On December 15, 2016 on the General Prosecutor's Office of the Republic of Poland, the Act of December 16, 2016 on the principles of city management
state, the Act of 16 December 2016 - Regulations introducing the Act on the principles of state property management the Act of March 9, 2017 on the exchange of tax information with other countries, the Act of March 9, 2017 on
the monitoring of road and rail freight transport, the Act of 21 April 2017 on combating doping in sport,
the Act of May 11, 2017 on Statutory Auditors, Audit Firms and Public Oversight, the Act of October 27

23/04/2019

Page 3
© Chancellery of the Sejm

p. 3/114

2016 on the protection of individuals with regard to the processing of personal data and on the free
the flow of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal of
UE L 119 of 04/05/2016, p. 1, as amended d. 3) ), hereinafter referred to as "Regulation 2016/679", in
provided in Art. 1 and art. 2.
§ 2. The performance of the obligation referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679, is carried out independently
depending on the obligations of public administration bodies provided for in the Code of Administrative Procedure
and does not affect the course and result of the proceedings.
§ 3. Making a request referred to in Art. 18 sec. 1 of the Regulation 2016/679, does not affect the course and
the conductor. ”;
2) in art. 54 after § 1, § 1a is added as follows:
"§ 1a. The request also contains the information referred to in Art. 13 sec. 1 and 2 of the Regulation
2016/679, unless the summoned person has this information and its scope or content has not changed. ”;
3) in art. 61, § 5 is added as follows:
“§ 5. A public administration body shall provide the information referred to in Art. 13 sec. 1 and 2 of the Regulation
2016/679, at the first action addressed to the page, unless the page has this information, and its scope or content
have not changed. ”;
4) in art. 61a in § 1, the following second sentence is added:
"The provision of art. 61 § 5 shall apply accordingly. ”;
5) in art. 65 after § 1, § 1a is added as follows:
"§ 1a. The notification of the transfer of the case also contains the information referred to in Art. 13 sec. 1
and 2 of Regulation 2016/679, in the scope of data processed by the transferring authority, unless the applicant provides
does not have this information, and its scope or content has not changed. ”;
6) in art. 66 in § 1, a third sentence is added as follows:
"The provision of Art. 65 § 1a. ";
7) in art. 73 after § 1a, § 1b is added as follows:
"§ 1b. Access to the case files in the case referred to in Art. 236 § 2, occurs without personal data
other persons submitting the complaint. ”;
8) after art. 74, art. 74a is added as follows:
"Art. 74a. The provision of art. 73 § 1 does not infringe the data subject's right to exercise the rights resulting from
of art. 15 of the Regulation 2016/679. ”;
9) after art. 122g, art. 122h as follows:
"Art. 122h. § 1. In matters handled silently, the public administration body provides information about
as referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679, in the Public Information Bulletin on its website,
towa, on its website and in a prominent place at its premises.
§ 2. Provision of the information referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679, as specified
in § 1, does not exempt the public administration body from the obligation to provide them at the first directed action
to the page. ”;
10) after art. 217, the following Art. 217a is added:
"Art. 217a. A public administration body provides the information referred to in Art. 13 sec. 1 and 2 of
dzenia 2016/679, at the first action addressed to the page, unless the party has this information and its scope
or the content has not changed. ”;

2017 on primary health care, the Act of March 1, 2018 on counteracting money laundering and financing of
roryzmu, the Act of March 6, 2018 on the Central Register and Information on Economic Activity and the Information Point for
Entrepreneurs, the Act of March 22, 2018 on bailiffs, the Act of May 9, 2018 amending the Act - Law
on road traffic and some other acts, the Act of May 10, 2018 on the protection of personal data and the Act of
3)

July 20, 2018 - Law on Higher Education and Science.
The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 4
© Chancellery of the Sejm

p. 4/114

11) after art. 226, the following Art. 226a is added as follows:
"Art. 226a. The authorities competent to deal with complaints and requests shall provide the information referred to
in art. 13 sec. 1 and 2 of Regulation 2016/679, the complainant or the applicant at the first action addressed to
these people. ";
12) in art. 231, the current content is marked as § 1 and § 2 is added as follows:
“§ 2. Information referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679, in terms of data processed
by the authority transmitting the complaint shall be attached to the notice of transfer of the complaint. ”;
13) in art. 236, the current content is marked as § 1 and § 2 and 3 are added as follows:
“§ 2. In the event of initiation or reopening of the proceedings, annulment of the decision, its annulment
or changes as a result of a complaint referred to in Art. 233, second sentence, Art. 234 paragraph 2 or article. 235, relative to the party
and a participant in the procedure, the provision of art. 15 sec. 1 lit. g of the Regulation 2016/679 shall not apply.
§ 3. At each stage of the proceedings referred to in § 2, the complainant may allow the authority to disclose
their details to the party to the proceedings. ”.
Art. 2. In the Act of December 1, 1961 on maritime chambers (Journal of Laws of 2016, item 1207), in section I, a section
Chapter III, reading as follows:
"Chapter III
Processing of personal data by maritime chambers
Art. 19a. Maritime chambers provide the information referred to in Art. 13 sec. 1 and 2 of the Regulation of the Parliament
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to
with the processing of personal data and on the free movement of such data, and repealing the directive
95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended4 ) ),
hereinafter referred to as "Regulation 2016/679", at the first action addressed to a person, unless he has these
information, and their scope or content has not changed.
Art. 19b. 1.The supervision over the processing of personal data in proceedings before maritime chambers is exercised by:
with regard to the activities of the Maritime Chamber in Gdańsk and the Maritime Chamber in Szczecin - Chairman of the Appeals Chamber

1)

The Maritime Chamber;
with regard to the activity of the Maritime Chamber of Appeal - President of the District Court in Gdańsk.

2)

2. As part of the supervision referred to in para. 1, competent authorities:
1)

consider complaints related to the processing of personal data;

2)

undertake activities aimed at disseminating among supervised data administrators and entities
ts processing knowledge about the obligations arising from Regulation 2016/679;

3)

cooperate with other authorities supervising the processing of personal data as part of the
proceedings conducted by courts and tribunals as well as with supervisory authorities within the meaning of Art. 51 sec. 1 of
2016/679, including sharing information and providing mutual assistance to ensure consistency
application of Regulation 2016/679.
3. The authorities referred to in para. 1 are entitled to:

1) ordering the data controller or the processor or their representatives to provide
all information needed to carry out the tasks of these bodies;
2)

notifying the data controller or the processor of suspected infringement of the provisions of
decree 2016/679;

3)

obtaining access to personal data and information from the data controller or processor
necessary for the performance of the supervisory authority's tasks;

4)

gaining access to the premises of the data controller or processor, including equipment
and data processing measures;

4)

5)

issuing warnings to the data controller or processor about options
infringement of the provisions of Regulation 2016/679;

6)

to issue reminders to the data controller or processor in the event of a breach of
the provisions of Regulation 2016/679;

The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 5
© Chancellery of the Sejm

p. 5/114

summoning the data controller or the processor to adapt the data processing to
provisions of Regulation 2016/679.

7)

4. To receive and investigate complaints related to the processing of personal data by maritime chambers
the provisions of Chapter I, Chapter 5a of the Act of 27 July 2001 - Law on the Organization of Courts of
universal. "
Art. 3. In the Act of 17 June 1966 on enforcement proceedings in administration (Journal of Laws of 2018,
item 1314, as amended d. 5) ) after art. 5, art. 5a is added as follows:
"Art. 5a. Personal data processed in order to perform tasks under the Act are subject to protection
to prevent abuse or unlawful access or transmission consisting of at least
less on:
allowing the data controller to process personal data only of persons authorized to do so

1)

related;
a written commitment of persons authorized to process personal data to keep them confidential
natures;

2)

3) testing and improving the applied technical and organizational measures;
4) ensuring secure communication in ICT networks, in particular through acquisition
personal data and their transfer to external entities using cryptographic techniques;
5)

ensuring protection against unauthorized access to IT systems of the authorities;

6)

ensuring data integrity in the IT systems of the authorities;

7)

defining the security rules for the processed personal data. ”.

Art. 4. In the Act of 26 June 1974. - Labor Code (Dz. U. of 2018. Pos. 917, as amended. D. 6) ) is introduced
the following changes:
1) art. 22 1 is replaced by the following:
"Art. 22 1 . § 1. The employer requests the person applying for employment to provide personal data, including
people:
1)

first name (names) and surname;

2)

date of birth;

3)

contact details indicated by such a person;

4)

education;

5) professional qualifications;
6) the course of previous employment.
§ 2. The employer requests the personal data referred to in § 1 points 4-6, when it is necessary to
performing work of a certain type or in a specific position.
§ 3. The employer requires the employee to provide additional personal data, including:
1) residential address;
2) PESEL number, and in the absence of such number - the type and number of the document confirming identity;
3) other personal data of the employee, as well as personal data of the employee's children and other members of his immediate family
family, if providing such data is necessary due to the use by an employee
rights provided for in labor law;
4)

education and the course of previous employment, if there was no basis for their request from the person
applying for employment;

5)

the payment account number, if the employee has not submitted an application for payment of remuneration personally.

§ 4. The employer requests personal data other than those specified in § 1 and 3, when it is necessary to
exercising an entitlement or fulfilling an obligation resulting from a legal provision.
§ 5. The personal data is made available to the employer in the form of the data subject's declaration.
The employer may request documentation of the personal data of the persons referred to in § 1 and 3, to the extent necessary
to confirm them. ”;

5)

Amendments to the uniform text of the aforementioned Act were announced in the Journal Of Laws of 2018, item 1356, 1499, 1629, 2192, 2193 and 2432.

6)

Amendments to the uniform text of the aforementioned Act were announced in the Journal Of Laws of 2018, item 1000, 1076, 1608, 1629, 2215, 2244, 2245,
2377 and 2432.
23/04/2019

Page 6
© Chancellery of the Sejm

p. 6/114

2) after art. 22 1 the following Art. 22 1a and art. 22 1b along with:
"Art. 22 1a . § 1. The consent of the person applying for employment or the employee may constitute the basis for processing
by the employer of personal data other than those listed in art. 22 1 § 1 and 3, with the exception of personal data,
referred to in Art. 10 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
on the protection of individuals with regard to the processing of personal data and on the free transfer
the flow of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation) (Journal of
UE L 119 of 04/05/2016, p. 1, as amended d. 7) ), hereinafter referred to as "Regulation 2016/679".
§ 2. Lack of consent referred to in § 1, or its withdrawal, may not be the basis for unfavorable treatment
a person applying for employment or an employee, and may not cause any negative
tive consequences, especially it cannot be a reason justifying the refusal of employment, termination
employment contract or its termination without notice by the employer.
§ 3. The processing referred to in § 1 concerns personal data provided by the applicant
apply for employment or an employee at the employer's request or personal data provided to the employer at the
job seeker or employee.
Art. 22 1b . § 1. The consent of the person applying for employment or the employee may constitute the basis for processing
by the employer of the personal data referred to in art. 9 sec. 1 of Regulation 2016/679, only in connection with
in the event that the transfer of such personal data takes place at the initiative of the person applying for employment or
coworker. The provision of art. 22 1a § 2 shall apply accordingly.
§ 2. The processing of the employee's biometric data is allowed also when providing such data
data is necessary to control access to particularly important information that may be disclosed
expose the employer to damage, or access to premises requiring special protection.
§ 3. Only persons who
pending written authorization to process such data issued by the employer. Persons admitted to
processing of such data is obliged to keep it secret. ”;
3) in art. 22 2 :
a) after § 1, § 1 1 is added as follows:
"§ 1 1 . Monitoring does not include rooms made available to the company trade union organization. ",
b) § 2 is given the following wording:
“§ 2. Monitoring does not include sanitary rooms, cloakrooms, canteens and smoking rooms, unless used
monitoring in these rooms is necessary to achieve the goal specified in § 1 and it will not violate the dignity
and other personal rights of the employee, in particular through the use of techniques that prevent the
getting to know people staying in these rooms. Monitoring of sanitary rooms requires obtaining
prior consent of the company trade union organization, and if the employer does not have a company organization
trade union - prior consent of employee representatives elected in accordance with the procedure adopted by a given employer. ",
c) § 10 is given the following wording:
“§ 10. The provision of § 9 does not infringe the provisions of Art. 12 and art. 13 of Regulation 2016/679. ”;
4) in art. 229:
a) in § 1 1 item 2 shall be replaced by the following:
"2) admitted to work for another employer for a given position within 30 days after the termination or expiry
a previous employment relationship, if they have a valid medical certificate stating that there is no
cwindications to work in the working conditions described in the referral for medical examinations and this employer
states that these conditions correspond to the conditions prevailing at the workplace, excluding
people hired to perform particularly dangerous work. ",
b) after § 1 2 , § 1 3 is added as follows:
"§ 1 3 . The employer requires a current medical certificate from the person referred to in § 1 1 point 2 and in § 1 2 .
stating that there are no contraindications to work in a given position and referrals for examinations under
the basis for issuing this judgment. ",
c) § 7 is given the following wording:
“§ 7. The employer stores the decisions issued on the basis of medical examinations referred to in § 1, 2
and 5, decisions and referrals obtained pursuant to § 1 3 and referrals referred to in § 4a. ”,

7)

The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 7
© Chancellery of the Sejm

p. 7/114

d) after § 7, § 7 1 is added as follows:
"§ 7 1 . If it is found that the conditions specified in the referral referred to in § 1 3 do not meet
they know the conditions prevailing at the given position, the employer reimburses the hired person
this referral and the medical report issued as a result of that referral. ”.
Art. 5. In the Act of 26 January 1982 - Teacher's Charter (Journal of Laws of 2018, items 967 and 2245) in art. 85w
paragraph 4 is replaced by the following:
"4. The administrator of the data collected in the register is the minister responsible for education. ”.
Art. 6. In the Act of May 26, 1982 - Law on the Bar (Journal of Laws of 2018, items 1184, 1467, 1669 and 2193) after
Chapter I, Chapter Ia is added as follows:
"Division Ia
Processing of personal data
Art. 16a. 1. The provisions of Art. 15 sec. 1 and 3, art. 18 and art. 19 of the Regulation of the European Parliament and of the Council (EU)
2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46 / EC (General
on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended8 ) ) shall apply to the extent that they do not infringe
an advocate's obligation to keep the secrecy referred to in Art. 6.
2. The provision of Art. 21 sec. 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of individuals with regard to the processing of personal data and on the free
the flow of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation) in connection with
the case of personal data obtained by an advocate in connection with the provision of legal aid does not apply.
Art. 16b. The obligation of secrecy referred to in art. 6, does not cease, where with the request
disclosure of information obtained by an advocate in connection with the provision of legal aid is issued by the President
Personal Data Protection Office.
Art. 16c. 1. The period of storage of personal data is:
1) 5 years from the end of the year in which the procedure in which the personal data was collected ended in the case of personal data processed by the authorities of the bar and the authorities of bar chambers in the
the extent necessary for the proper performance of public tasks specified in the Act and personal data
processed under the supervision of the Bar;
2) 10 years from the end of the year in which the procedure in which the personal data was collected ended in the case of personal data processed:
a) in the course of proceedings conducted by the authorities of the bar and the bodies of bar chambers:
- administrative,
- in the field of complaints and requests,
- other provided for by the Act or legal acts of self-government bodies issued on the basis of the Act
attorney-at-law regarding attorneys-at-law, advocate trainees or persons applying for entry on
a list of attorneys or a list of advocate trainees, as well as persons taking the entrance examination
for the barrister apprenticeship and bar exam,
b) as part of the supervision of the proceedings referred to in point (a). and,
c) by advocates in the exercise of their profession;
3) 15 years from the end of the year in which the procedure in which the personal data was collected ended in the case of personal data processed in the course of conducted by the authorities of the bar and authorities
bar associations, disciplinary proceedings against advocates and advocate trainees and during
exercising supervisory powers over disciplinary proceedings in matters of advocates and
lawyers.
2. After the expiry of the periods referred to in sec. 1, in the case of personal data processed by an attorney
execution of the profession, personal data shall be removed. ”.

8)

The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 8
© Chancellery of the Sejm

pp. 8/114

Art. 7. In the Act of 6 July 1982 on legal advisers (Journal of Laws of 2018, items 2115 and 2193), after chapter 1,
Chapter 1a is added as follows:
Chapter 1a
Processing of personal data
Art. 5a. 1. The provisions of Art. 15 sec. 1 and 3, art. 18 and art. 19 of the Regulation of the European Parliament and of the Council (EU)
2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46 / EC (General
on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended. 9) ) shall apply to the extent that they do not infringe
the legal adviser's obligation to keep the confidentiality referred to in art. 3.
2. The provision of Art. 21 sec. 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of individuals with regard to the processing of personal data and on the free
the flow of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation) in connection with
the case of personal data obtained by a legal adviser in connection with the provision of legal aid does not apply.
Art. 5b. The obligation of secrecy referred to in art. 3 sec. 4-6, does not cease if,
failure to disclose information obtained by a legal adviser in connection with the provision of legal aid occurs
President of the Personal Data Protection Office.
Art. 5c. 1. The period of storage of personal data is:
1) 5 years from the end of the year in which the procedure in which the personal data was collected ended in the case of personal data processed by the self-government bodies of legal advisers to the extent necessary
for the proper performance of public tasks specified in the Act and personal data are processed
as part of supervision over the activities of the self-government of legal advisers;
2) 10 years from the end of the year in which the procedure in which the personal data was collected ended in the case of personal data processed:
a) in the course of proceedings conducted by the self-government bodies of legal advisers:
- administrative,
- in the field of complaints and requests,
- other provided for by the Act or legal acts of self-government bodies issued on the basis of the Act
attorneys at law regarding attorneys at law, trainee attorneys at law or applicants
for entry on the list of legal advisers or the list of trainee legal advisers, as well as persons joining
entrance examination for legal adviser apprenticeship and legal adviser examination,
b) as part of the supervision of the proceedings referred to in point (a). and,
c) by legal advisers as part of their profession;
3) 15 years from the end of the year in which the procedure in which the personal data was collected ended in the case of personal data processed in the course of conducted by the self-government bodies of legal advisers
disciplinary proceedings against attorneys-at-law and trainee attorneys-at-law and during the performance of
the supervisory powers provided for by the act over disciplinary proceedings in cases
attorneys-at-law and trainee attorneys-at-law.
2. After the expiry of the periods referred to in sec. 1, in the case of personal data processed by legal advisers
legal within the scope of the profession, personal data shall be deleted. ”.
Art. 8. In the Act of 6 July 1982 on land and mortgage registers and mortgage (Journal of Laws of 2018, items 1916 and 2354),
the following changes are made:
1) in art. 25, the following paragraph is added: 4 is added:
"4. Entry for a natural person entitled under the law or claim, or a natural person to whom
the claim has been secured by a warning entry, includes her first name (s) and surname (s), number
PESEL, unless separate regulations provide for the assignment of this number, as well as the name of the father and the mother's name. ”;
2) in art. 68 2 after sec. 5 the following paragraph is added: 5 1 if added:
"5 1 . If the administrator of the mortgage is a natural person, his / her name is entered in the land and mortgage register
(names) and surname (s), PESEL number, unless separate regulations provide for the assignment of this number,
and the name of the father and the mother's name. ”.

9)

The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 9
© Chancellery of the Sejm

pp. 9/114

Art. 9. In the Act of September 16, 1982 - Cooperative Law (Journal of Laws of 2018, item 1285) after art. 93a is added
art. 93b and article. 93c is added:
"Art. 93b. 1. In connection with the processing by the minister responsible for construction, planning and
spatial management and housing, personal data obtained in the course of the proceedings
based on Article. 93a the right referred to in Art. 15 sec. 1 lit. g of the Regulation of the European Parliament and of the Council
(EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to data processing
data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation
data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended10 ) ), applies to the extent that
it does not affect the protection of the rights and freedoms of the person from whom the data was obtained.
2. The minister competent for construction, planning and spatial development and housing
twa informs about the restriction referred to in sec. 1, at the first action addressed to the data subject
concern.
3. If the period of storage of personal data referred to in sec. 1, does not result from the
of the Act of July 14, 1983 on the national archival resource and archives (Journal of Laws of 2019, items 553 and 730),
the minister competent for construction, planning and spatial development and housing
validates the data for the period determined in accordance with the provisions issued pursuant to Art. 6 sec. 2 of the Act of July 14
1983 on the national archival resource and archives.
4. The personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
2) a written commitment of persons authorized to process personal data to keep them confidential
nothing.
Art. 93c. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general
Data Protection Regulation), does not affect the course and result of the proceedings referred to in art. 93a. ".
Art. 10. In the Act of October 26, 1982 on Upbringing in Sobriety and Counteracting Alcoholism
(Journal of Laws of 2018, items 2137 and 2244) the following changes are introduced:
1) after art. 25a, art. 25b as follows:
"Art. 25b. The commune head (mayor, city president) is the administrator of the data referred to in art. 25a paragraph 1 and 2,
processed by the municipal committee for solving alcohol-related problems appointed by him. ”;
2)

in art. 42 sec. 14 is replaced by the following:
"14. Data recorded with the use of monitoring devices are processed only by persons who have
a written authorization issued by the data controller in order to perform the tasks specified in the Act. These people
are obliged to keep this data confidential. ”.

Art. 11. In the Act of 14 July 1983 on the national archival resource and archives (Journal of Laws of 2019, item 553)
the following changes are introduced:
1) in art. 16d after paragraph 2 the following paragraph shall be added: 2a is added as follows:
"2a. The notification referred to in para. 2, point 1, contains the following data of the person concerned or his / her authorization
representative representative:
first name and last name;
1)
2) residential address;
3) mailing address;
telephone number or e-mail address, if provided for use;
4)
5) type and number of the document confirming the identity;
handwritten signature, qualified electronic signature, trusted signature or personal signature. ”;
6)

10) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 10
© Chancellery of the Sejm

pp. 10/114

2) in art. 21:
a) in sec. 1:
- point 10 is replaced by the following:
"10) coordinating tasks in the field of computerization, telecommunications and teleinformatics and management
information from state archives subordinate to him, in particular in the scope of:
a) purchase, design, construction, implementation, development, integration and operation of information systems
data and teleinformatics equipped with security measures for personal data processed
in these systems, including making these systems available to state archives and their implementation
supplies and construction works necessary to perform these tasks,
b) data exchange between the systems referred to in point (a). and;",
- after point 10, point 10a is added in the following wording:
"10a) ensuring the maintenance and service of IT and teleinformation systems and securing
no personal data processed in these systems; ",
b) in sec. 1a the words "para. 1 points 1 and 4 ”shall be replaced with the words“ sec. 1 points 1, 4 and 10 ”;
3) art. 22a is replaced by the following:
"Art. 22a. The entities referred to in Art. 22 sec. 1 items 2-3a and par. 2, in the field of business
archives may, on the basis of an agreement or an agreement concluded with the General Director of Archives, the State
or the competent state archives, use IT and teleinformation systems free of charge
referred to in Art. 21 sec. 1 point 10 lit. and.";
4) after art. 22a, art. 22b-22d as follows:
"Art. 22b. 1. For the processing of personal data by the entities referred to in Art. 22 sec. 1 points 1 and 2 and
paragraph 2, in terms of their archival activities, as well as in terms of storage by the units referred to
in art. 22 sec. 1 point 1, the documentation specified in art. 51a paragraph. 1 and art. 51r, the use of:
1) art. 16 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free movement
of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal of
UE L 119 of 04/05/2016, p. 1, as amended d. 11) ), hereinafter referred to as "Regulation 2016/679", such that
Processors accept a written correction or supplement from the data subject
personal data without interfering with archival materials;
2) art. 18 sec. 1 lit. a and b of the Regulation 2016/679, to the extent necessary to ensure the use of the materials
archival in accordance with the Act, without violating the essence of the protection of personal data contained in these materials,
also in the case of unlawful primary data collection or in the event of untrue, nonaccuracy or incompleteness of data.
2. In the case referred to in par. 1 point 1, the correction or supplementation is stored and made available
they are kept separately from archival materials, and information about their contribution is included in the appropriate media
records.
3. Fulfillment of the obligation referred to in Art. 15 sec. 1 and 3 of Regulation 2016/679, takes place in the scope,
in which the personal data subject to disclosure can be determined by existing means of recording.
4. The data administrator informs about the limitations referred to in sec. 1 and 3, in the Information Bulletin
Public on its website, its website and in a visible place at its headquarters.
5. The security applied by the entities referred to in Art. 22, consist at least of:
1)

allowing for the processing of protected personal data only employees with written
authorization issued by the data controller;

2)

a written commitment of the employees referred to in point 1 to keep the processed data in the
confidence.

Art. 22c. 1. The units referred to in Art. 22, as part of archival activities, implement security
the freedoms and rights of the data subjects contained in the archives, in particular during their success
making personal data through anonymization, concluding agreements with the users of the archival resource, excluding
further processing of personal data and by pseudonymisation of data in IT systems
and ICT.

11) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 11
© Chancellery of the Sejm

pp. 11/114

2. The use of security measures in the form of anonymization and pseudonymization is not obligatory if:
1)

personal data is processed, including disclosure, with the consent of the data subject, his / her representative, prior to
statutory representative or legal guardian;

2)

the data subject has voluntarily and knowingly made it public.

3. Securing the freedoms and rights referred to in para. 1, shall apply mutatis mutandis to documentation unnew archival materials, as long as it does not contradict the purposes of handling this documentation.
Art. 22d. Units listed in Art. 22 sec. 1 points 1 and 2 and in sec. 2 point 2 process personal data,
respectively:
1)

perpetually

2)

for the period resulting from Art. 5 sec. 1 point 2. ”.

Art. 12. In the Act of March 21, 1985 on public roads (Journal of Laws of 2018, item 2068 and of 2019, item 698)
the following changes are introduced:
1) in art. 4 in point 44 replaced by a semicolon and point 45 is added as follows:
"45) Regulation 2016/679 - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of individuals with regard to the processing of personal data and on the
the smooth flow of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation)
(Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended12 ) ). ”;
2) in art. 13b the following paragraph shall be added: 8–11 as follows:
"8. The road management board or the road manager performs the obligation referred to in:
1) art. 13 sec. 1 lit. a-c of the Regulation 2016/679 - by charging the fee referred to in Art. 13 sec. 1 point 1, in particular
in particular, by posting relevant information in the place where the fee is paid;
2) art. 13 sec. 1 lit. d – fi paragraph 2 of the Regulation 2016/679 - by providing information in the Information Bulletin
Public on its entity page, about which it informs the persons whose data is specified in point 1
personal data are processed.
9. The road management board or the road manager informs about the limitations referred to in sec. 8 by making available
verbatim information at the place where the fee is paid in the Public Information Bulletin on your website
subject and in a visible place at the headquarters.
10. Personal data processed in connection with the collection of fees referred to in Art. 13 sec. 1, paragraph 1, keeps
for the period determined in accordance with the regulations issued on the basis of art. 6 sec. 2b of the Act of July 14, 1983.
on the national archival resource and archives (Journal of Laws of 2019, items 553 and 730).
11. The personal data referred to in sec. 10, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
1)

allowing for the processing of personal data only persons with a written authorization to
data by the data administrator;

2)

a written commitment of persons authorized to process personal data to keep them confidential
nothing. ";

3) after art. 13b, art. 13ba as follows:
"Art. 13ba. Submitting the request referred to in Art. 18 sec. 1 of the Regulation 2016/679, does not affect
the obligation to pay the fee referred to in Art. 13 sec. 1 point 1. ";
4) in art. 13f the following paragraph is added: 4 and 5 as follows:
"4. In connection with the collection of the additional fee, the road authority or the road administrator perform the obligation referred to in
referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679, at the first action addressed to the data subject
unless it has the information and its scope or content has not changed.
5. Submitting the request referred to in Art. 18 sec. 1 of Regulation 2016/679, does not affect the obligation
payment of the additional fee. ”;
5) after art. 13hb, art. 13hba as follows:
"Art. 13hba. 1.In connection with the electronic toll collection, the entity collecting the toll fulfills the obligation to
referred to in art. 13 sec. 1 and 2 of Regulation 2016/679, with the first action addressed to the person to whom

12) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 12
© Chancellery of the Sejm

pp. 12/114

data concern, unless it has this information and its scope or content has not changed, and through
a website containing information on electronic toll collection.
2. Submitting the request referred to in Art. 18 sec. 1 of Regulation 2016/679, does not affect the obligation
payment of the electronic fee. ”;
6) in art. 16i in paragraph 1:
a) point 2 is replaced by the following:
"2) immediately inform the Toll Charger with which it has concluded the agreement referred to in Art. 16e
paragraph 1 paragraph 1 or article. 16h point 1, about the data, including personal data of the EETS user, necessary for
performance of this contract, including the devices provided to EETS users referred to in art. 16l
paragraph 1, and assigning these devices to a motor vehicle and an EETS user; ",
b) point 4 is replaced by the following:
"4) cooperate with an entity authorized to control the correctness of electronic payment,

referred to in art. 13l of paragraph 1, including providing this entity with the personal data of EETS users
violating the obligations referred to in Art. 13 sec. 1 point 3, art. 13i paragraph. 4a or 4b, on the terms
in the contract referred to in Art. 16e paragraph. 1 paragraph 1 or article. 16h point 1; ";
7) after art. 20 g, art. 20h as follows:
"Art. 20h. 1. Unless separate provisions provide otherwise, the competent entity or a person authorized by it
niona, on the basis of a written request, provides free personal data processed in connection with collection
electronic payment and the performance of the task referred to in art. 20 point 12:
1) the police,
2) Road Transport Inspection,
3)

Military Police,

4)

Border Guard,

5)

The Internal Oversight Office,

6)

Internal Security Agency,

7) the Foreign Intelligence Agency,
8) the Central Anti-Corruption Bureau,
Military Counterintelligence Service,

9)

10) the Military Intelligence Service,
11) a public prosecutor,
12) courts,
13) the Head of the National Tax Administration, the director of the tax administration chamber, the head of the office
customs and tax,
14) State Protection Service
- to the extent necessary to perform their statutory tasks.
2. The application referred to in par. 1, indicates:
1) designation of the case;
2)

circumstances from which it is necessary to obtain the requested data;

3)

data subject to disclosure.

3. The competent authority may consent to the sharing of data by electronic means of communication
personal, referred to in sec. 1, entities referred to in paragraph 1. 1 points 1-5 and 7-14, without the need to submit
written applications, if justified by the type or scope of the tasks performed.
4. Providing personal data referred to in sec. 1, in the manner specified in para. 3, followed by
by the entities referred to in para. 1 points 1-5 and 7-14, of the application containing:
1)

determination of the scope of data subject to disclosure;

2)

identification of the persons authorized to process the data referred to in point 1;

3)

a declaration that these entities have:
a) devices enabling the system to record who, when, for what purpose and what data was obtained, and

23/04/2019

Page 13
© Chancellery of the Sejm

pp. 13/114

b) technical and organizational security preventing the use of data contrary to their purpose
obtaining.
5. The competent authority shall provide the Internal Security Agency with the personal data referred to in para. 1,
in the manner referred to in para. 3, if the organizational unit of the internal security agency, which is
the recipient of the data, will submit the declaration referred to in sec. 4 point 3.
6. Pursuant to para. 1 and 3 of the personal data referred to in art. 9 sec. 1 chapter
of the ordinance 2016/679, unless the entity referred to in para. 1, is legally authorized to process these
data. ";
8) in art. 24n after paragraph In 7, the following paragraph shall be added: 7a is added as follows:
"7a. When considering the application referred to in para. 6 and 7, the minister responsible for transport issues
bundles referred to in art. 13 sec. 1 and 2 of Regulation 2016/679, at the first action directed to the person
submitting the application, unless it has this information and its scope or content has not changed. ”.
Art. 13. In the Act of 18 April 1985 on Inland Fisheries (Journal of Laws of 2018, item 1476 and of 2019
item 125) in art. 6d after paragraph 25, the following paragraph is added: 25a is added as follows:
"25a. Director of the regional water management board of the Polish Waters National Water Management
publishes and updates on its website:
1)

list of fishing areas;

2)

the name and surname or name of the fisherman authorized to operate in the fishing district;

3) contact details of the authorized person indicated by the fishing holder;
the period of validity of the agreements for the use of the fishing district. ”.

4)

Art. 14. In the Act of 15 July 1987 on the Human Rights Defender (Journal of Laws of 2018, item 2179), art. 17c
is replaced:
"Art. 17c. 1. The Ombudsman may process any information, including personal data, necessary for implementation
their statutory tasks.
2. The Ombudsman may process personal data referred to in Art. 9 sec. 1 and art. 10 of Parliament's Regulation
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to
the generation of personal data and on the free movement of such data, and repealing the Directive
95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended13 ) ),
jointly to protect human and civil liberties and rights in the performance of their statutory tasks.
3. The Defender allows for the processing of personal data by persons with a written authorization. ConditionThe authorization is granted on the basis of a written undertaking by the authorized person to keep the processed data
confidentiality. "
Art. 15. In the Act of May 17, 1989 - Geodetic and Cartographic Law (Journal of Laws of 2019, item 725) after Art. 5
Art. 5a and art. 5b as follows:
"Art. 5a. 1. In connection with the processing by the Chief Surveyor of the Country, voivodship marshals, starosts
or presidents of cities with poviat rights, voivodes, bodies and entities creating and maintaining
real estate information system and voivodeship inspectors of geodetic and cartographic supervision
of personal data obtained, respectively, with:
1)

keeping the state geodetic and cartographic resource,

2)

storing copies of security databases referred to in art. 7b paragraph. 1 point 4,

3) coordination of the location of the planned utilities networks,
4) creating and maintaining an integrated real estate information system,
5)

conducting control proceedings referred to in art. 9,

6)

publishing journals of professional practice referred to in art. 44b paragraph. 5, and keeping registers of
data of professional practice diaries,

7)

conferring professional qualifications in the field of geodesy and cartography and keeping a central register
people with professional qualifications in the field of geodesy and cartography,

13) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 14
© Chancellery of the Sejm

pp. 14/114

conducting disciplinary proceedings

8)

- the right referred to in art. 15 sec. 1 lit. g of Regulation (EU) 2016/679 of the European Parliament and of the Council of
April 27, 2016 on the protection of individuals with regard to the processing of personal data and in the matter
free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation
(Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended14 ) ), in terms of statements containing personal data of persons
third parties that do not result in the initiation of administrative proceedings are entitled to the extent that they do not exist
impact on the protection of the rights and freedoms of the persons from whom the data was obtained.
2. The entities referred to in par. 1, inform about the restriction referred to in para. 1, at the first act
to the person whose data is processed.
3. If the period of storage of personal data referred to in sec. 1, does not result from the
of the Act of July 14, 1983 on the national archival resource and archives (Journal of Laws of 2019, items 553 and 730)
or separate provisions, the entities referred to in para. 1, store data for the period determined in accordance with the provisions of
the letters issued on the basis of art. 6 sec. 2 and 2b of the Act of July 14, 1983 on the national archival resource
and archives.
4. The personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
1) allowing the processing of personal data only by persons with a written authorization
issued by the data controller;
a written commitment of persons authorized to process personal data to keep them confidential

2)

nothing.
Art. 5b. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general
Data Protection Regulation), does not affect the performance of the tasks specified in Art. 5a paragraph. 1 points 1-5, 7 and 8. ”.
Art. 16. In the Act of February 14, 1991 - Law on Notaries (Journal of Laws of 2019, item 540), in section I, a section
Chapter 8 is added as follows:
"Chapter 8
Processing of personal data
Art. 78b. § 1. The provisions of Art. 15 sec. 1 and 3, art. 18 and art. 19 of the Regulation of the European Parliament and of the Council (EU)
2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46 / EC (General
on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended15 ) ) shall apply to the extent that they do not infringe
they are obliged to keep the secrecy referred to in Art. 18.
§ 2. The provision of Art. 21 sec. 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of individuals with regard to the processing of personal data and on the free
the flow of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation) in connection with
the case of personal data obtained by a notary public while performing notarial activities shall not apply.
Art. 78c. The obligation of secrecy referred to in art. 18, does not cease, where with the request
the President of the Office for Protection discloses the information obtained during the performance of notarial activities
Personal Data.
Art. 78d. The period of storage of personal data collected by the National Council of Notaries, boards of chambers
notarial offices and qualification committees for the performance of tasks specified in the Act is 10 years from the end
the year in which the procedure in which the data was collected ended. The provision of art. 90 § 1 shall apply
respectively.".

14) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
15) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.

23/04/2019

Page 15
© Chancellery of the Sejm

pp. 15/114

Art. 17. In the Act of March 21, 1991 on the maritime areas of the Republic of Poland and maritime administration
(Journal of Laws of 2018, item 2214 and of 2019, item 125) after Art. 49, art. 49a is added:
"Art. 49a. 1. In an urgent case, the director of the maritime office, performing the tasks specified in
this chapter, performs the obligation referred to in Art. 13 sec. 1 and 2 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC
(General Data Protection Regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended16 ) ), by making available
not the information referred to in Art. 13 sec. 1 and 2 of this regulation, in the Public Information Bulletin on the website
subject of the office supporting this director, on its website and at the seat of the office
this place.
2. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament and of the Council
(EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to data processing
data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation
on data protection), does not suspend or limit the performance of tasks by the director of the maritime office
specified in this chapter. ”.
Art. 18. In the Act of 23 May 1991 on resolving collective disputes (Journal of Laws of 2019, item 174)
in art. 11 after paragraph 1 the following paragraph shall be added: 1 1 and 1 2 when:
"1 1 . Entry on the list referred to in para. 1, includes at least:
first name (names) and surname;

1)

2) contact details provided by the person applying for entry on the list.
1 2 . Processing of personal data other than those mentioned in par. 1 1 is admissible with the consent of the applicant
for entry on the list referred to in para. 1. "
Art. 19. In the Act of 20 July 1991 on the Inspection of Environmental Protection (Journal of Laws of 2018, items 1471 and 1479 and
of 2019, item 125) in art. 2 the following paragraph shall be added: 4-8 as follows:
"4. In an urgent case, the bodies of the Environmental Protection Inspection, carrying out the tasks referred to in
referred to in paragraph 1, 1a and 3, perform the obligation referred to in article 1. 13 sec. 1 and 2 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC
(General Data Protection Regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended17 ) ), hereinafter referred to as
"Regulation 2016/679", by providing the information referred to in art. 13 sec. 1 and 2 of the Regulation
2016/679, in the Public Information Bulletin on the website of the office, on its website and
at the seat of the office in a visible place.
5. In connection with the processing of personal data by the Inspection for Environmental Protection, in the course of
the tasks referred to in paragraph 1, 1a and 3 of the law referred to in Art. 15 sec. 1 lit. g of Regulation 2016/679, for
serves to the extent that it does not affect the protection of the rights and freedoms of the person from whom the data was obtained.
6. The bodies of the Environmental Protection Inspection shall inform about the restriction referred to in par. 5, respectively with
the first action addressed to the data subject, in the form of a public announcement, in a different form
a public announcement customarily accepted in a given locality or by publishing the letter in the Bulletin
Public Information on the website of the competent authority of the Environmental Protection Inspection.
7. The personal data referred to in sec. 5, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential
natures.

2)

8. Submitting the request referred to in Art. 18 sec. 1 of the Regulation 2016/679, neither suspends nor does it
restricts the performance by the bodies of the Environmental Protection Inspection of the tasks referred to in paragraph 1, 1a and 3. "

16) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
17) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 16
© Chancellery of the Sejm

pp. 16/114

Art. 20. In the Act of August 24, 1991 on Fire Protection (Journal of Laws of 2018, items 620 and 1669),
the following changes are made:
1) art. 14g and art. 14h are replaced by the following:
"Art. 14g. 1. The Chief Commander of the State Fire Service ensures the functioning of the Support System
decision of the State Fire Service, hereinafter referred to as "SWD PSP", which is an ICT system supporting
raging:
1)

performing the tasks of the national rescue and firefighting system by organizational units of the State
The fire brigade;

2)

receiving emergency notifications from emergency notification centers, referred to in the Act of
November 22, 2013 on the emergency notification system (Journal of Laws of 2018, items 867 and 1115 and of 2019
item 730).

2. The maintenance, expansion and modification of the SWD PSP are financed from the state budget from the part which is
the minister is competent for internal affairs, and the parts managed by the competent voivodes.
3. The minister competent for internal affairs shall determine, by way of a regulation:
the minimum set of SWD PSP functionalities, including the way the system functions in emergency

1)

others,
the method of assigning, suspending and revoking access to this system to users of the State Guard
Fire and fire protection units

2)

- taking into account the need to ensure an optimal level of cooperation between this system and the ICT system
format of the emergency notification system.
Art. 14h. 1. The State Fire Service processes personal data in SWD PSP in order to protect life and health,
property or the environment against fire, natural disaster or other local threats, to the extent necessary
for the implementation of tasks resulting from the Act, obtained in connection with the conduct of rescue operations, and
handling emergency notifications referred to in art. 2 point 2 of the Act of 22 November 2013 on the notification system
emergency, including personal data of the reporting person and persons to whom the notification relates.
2. An organizational unit of the State Fire Service, in connection with the processing of personal data
in SWD PSP, performs the obligation referred to in Art. 13 sec. 1 and 2 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general
data protection regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended18 ) ), hereinafter referred to as
zaniem 2016/679 ”, by providing information in the Public Information Bulletin on its website
or on its website and in a prominent place at the premises.
3. The person making the request pursuant to Art. 15 of Regulation 2016/679 is obliged to provide other information
formation about the circumstances of the incident to which the request relates, including the date and place of the incident and the telephone number
the phone from which the call related to the notification of the event was made.
4. The personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
allowing the processing of personal data of persons having a written authorization issued by

1)

data controller;
a written commitment of persons authorized to process personal data to keep them confidential
natures.

2)

5. The personal data referred to in sec. 1, are kept only for the period necessary for implementation
tasks resulting from the act. These data are subject to review at least every 5 years from the date they were obtained.
6. The heads of organizational units of the State Fire Service provide information about
the conditions referred to in sec. 2 and 3, in the Public Information Bulletin on their personal websites or on their
on their websites and in a visible place at the headquarters of the units. ”;
2) after art. 14h, art. 14ha as follows:
"Art. 14ha. 1. Chief Commander of the State Fire Service, provincial commanders of the State Fire Service
Fire Department, district (city) commanders of the State Fire Service, Rector-Commandant of the Main School of Service
Fire Department and commanders of schools of the State Fire Service are joint controllers of personal data processing
at SWD PSP.

18) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 17
© Chancellery of the Sejm

pp. 17/114

2. The Commander-in-Chief of the State Fire Service determines the division of responsibilities of the joint administrators,
mentioned in sec. 1, resulting from the provisions of Regulation 2016/679.
3. The Chief Commander of the State Fire Service plans and implements the expansion and modification of the SWD PSP
and undertakes activities aimed at:
1)

ensuring protection against unauthorized access to SWD PSP;

2)

ensuring data integrity in SWD PSP;

3)

ensuring access to SWD PSP for entities processing data in this system;

4)

preventing damage to SWD PSP;

5)

defining the security rules for the processed data, including personal data;

6)

defining the rules for reporting personal data breaches;

7)

ensuring accountability of actions performed on PSP SWD data;

8) ensuring the correctness of data, including personal data processed in SWD PSP;
making backup copies.

9)

4. Provincial commanders of the State Fire Service, district (city) commanders of the State Fire Service
Fire Department, Rector-Commandant of the Main School of Fire Service and commanders of schools of the State Fire Service,
in terms of the properties of their operation, they ensure the maintenance of the PSP SWD and take the actions for which
referred to in paragraph 3.
5. The co-administrators create and update records of persons authorized to process personal data
in SWD PSP, authorize the processing of this data and keep a register of data processing activities
personal, referred to in art. 30 of Regulation 2016/679.
6. The provisions of Art. 14h and art. 14ha shall apply mutatis mutandis to the processing of personal data in SWD PSP
by fire protection units, referred to in article 1. 15 points 1a-8. ”.
Art. 21. In the Act of August 24, 1991 on the State Fire Service (Journal of Laws of 2018, items 1313, 1592 and 1669)
after art. 28a, art. 28b is worded as follows:
"Art. 28b. 1. The State Fire Service is entitled to process information, including processing
personal data, in order to conduct qualification procedures for service in the State Fire Service,
wearing for service in the State Fire Service and to the extent resulting from the course of the service relationship
firefighters, also after its termination, including the processing of personal data referred to in art. 9 sec. 1 and art. 10 of
of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of persons
individuals with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1,
with later d. 19) ).
2. The administrators of personal data referred to in sec. 1, are the Commander in Chief of the State Guard
Fire Department, provincial commanders of the State Fire Service, district (city) commanders of the State Fire Service
Fire Service, Rector-Commandant of the Main School of Fire Service, commanders of schools of the State Fire Service,
Director of the Scientific and Research Center for Fire Protection and Director of the Central Museum of Firefighting,
hereinafter referred to as "controllers" to the extent that they process this data.
3. Information, including personal data, referred to in sec. 1, are subject to safeguards preventing overuse or unlawful access or transfer consisting at least in:
1) allowing for the processing of personal data only persons who have a written authorization to
data by administrators;
a written commitment of persons authorized to process personal data to keep them confidential
natures.

2)

4. The administrators review the personal data referred to in sec. 1, at least every 10 years
from the date of their acquisition, in order to confirm the legitimacy of their further processing.
5. As part of the State Fire Service, the data protection inspectors referred to in art. 37 regulations
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons
in connection with the processing of personal data and on the free movement of such data, and repeal
Directive 95/46 / EC (General Data Protection Regulation) is designated at the State Headquarters
The Fire Service, the Main School of Fire Service, schools of the State Fire Service, the Science and Research Center
the building of the Fire Protection Department, the Central Museum of Firefighting, the provincial headquarters of the State

19) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 18
© Chancellery of the Sejm

pp. 18/114

Fire Brigade for the area of ​the voivodeship and city headquarters of the 1st category State Fire Service. Confessed
when the data protection officer is to take into account the organizational structure and size of organizational units of
State Fire Brigade. ”.
Art. 22. In the Act of 7 September 1991 on the Education System (Journal of Laws of 2018, items 1457, 1560, 1669 and 2245),
the following changes are made:
1) after art. 13a, art. 13b is worded as follows:
"Art. 13b. 1. Other forms of pre-school education, schools, institutions, school management bodies or
centers, pedagogical supervision authorities and other entities performing the tasks and obligations specified in the
know they process personal data to the extent necessary for the performance of tasks and obligations arising from these
writings.
2. Teachers and other persons performing functions or performing work in the entities referred to in para. 1,
are obliged to maintain the confidentiality of information obtained in connection with their function or performed
work, concerning health, developmental and educational needs, psychophysical possibilities, sexuality, oriental
sexual, racial or ethnic origin, political opinion, religious or philosophical belief
full-fledged students.
3. The provision of para. 2 shall not apply:
1) in the event of a student's health risk;
if the student, and in the case of a minor student, his / her parent agrees to disclose certain

2)

information;
where provided for in specific provisions. ";

3)

2) in art. 92k in paragraph. 2 in point 2, letter a) is deleted. g.
Art. 23. In the Act of 25 October 1991 on organizing and conducting cultural activities (Journal of Laws of
of 2018, item 1983 and of 2019, item 115) is hereby amended as follows:
1) in art. 6a after sec. 2 the following paragraph shall be added: 2a is added as follows:
"2a. The period of data storage of the persons referred to in par. 1 shall be 80 years. ”;
2) in art. 7 after paragraph 4 the following paragraph is added: 4a is added as follows:
"4a. The period of data storage of the persons referred to in par. 1 shall be 80 years. ”;
3) in art. 7a after sec. 2 the following paragraph shall be added: 2a is added as follows:
"2a. In connection with the awarding of annual prizes, the bodies referred to in para. 1, process the data of persons,
referred to in sec. 2, for the period necessary to perform the tasks referred to in para. 1. The authorities referred to
in paragraph 1, review these data every 5 years. ”;
4) in art. 7b after paragraph 2 the following paragraph shall be added: 2a is added as follows:
"2a. In connection with the granting of scholarships, the bodies referred to in para. 1, process the data of persons about whom
mentioned in sec. 2, for the period necessary to perform the tasks referred to in para. 1. The authorities referred to
in paragraph 1, review these data every 5 years. ”;
5) in art. 14 after paragraph 1 the following paragraph shall be added: 1a is added as follows:
"1a. In the register referred to in para. 1, the following data is collected:
1) designation of the cultural institution, in particular the entity with which the organizer jointly runs the cultural institution
tours, and the name and surname of the representative of the organizer making the entry;
2) organization of cultural institutions, in particular:
a) the name and surname of the director of the cultural institution and his deputies or the designation of the natural person to whom
entrusted with the performance of the duties of a director or entrusted with the management of a cultural institution,
b) names and surnames of representatives of cultural institutions authorized to perform acts in law
on behalf of the institution and the scope of their authorizations,
c) name and surname of the representative of the organizer making the entry;
concerning the property of cultural institutions, in particular the name and surname of the organizer's representative

3)

entry;
merger, division and liquidation of cultural institutions, in particular the name and surname of the liquidator as well as the name and surname
the name of the representative of the organizer making the entry. ”.

4)

23/04/2019

Page 19
© Chancellery of the Sejm

pp. 19/114

Art. 24. In the Act of October 16, 1992 on orders and decorations (Journal of Laws of 2019, item 25),
the following changes have occurred:
1) after art. 32a, art. 32b is added:
"Art. 32b. Before making a decision to award the order or decoration, the President may address the appropriate persons
bodies, organizations or institutions to provide information that may be of significant importance in the case for shipment
an order or decorations. ”;
2) Art. 37a.
Art. 25. In the Act of 10 December 1993 on retirement benefits for professional soldiers and their families
(Journal of Laws of 2019, item 289) art. 35 is replaced by the following:
"Art. 35. 1. Public administration bodies, employers, pension and disability pension bodies, schools and universities
higher education institutions are obliged to provide the military pension authority with assistance and information, including sharing data
personal, in the matter of benefits provided for in the Act and issue, free of charge, at their request, all documents
ments, including certificates, necessary to determine the entitlement to benefits or their amount, or to confirm the existence of
entitlement to benefits.
2. The military pension authority is entitled to obtain information by electronic means free of charge
necessary to establish the entitlement to benefits or their amount or to confirm the existence of the right to benefits
from pension authorities and public registers, in particular from:
1) PESEL register,
educational information system,
2)
3) the Central List of the Insured,
a nationwide list of students and a nationwide list of doctoral students
4)
- in order to confirm the validity of the data held, to obtain contact details or to enable verification
cation of the right to benefits.
3. Military pension authority the information referred to in sec. 2, may be obtained in writing
changes of information. ”.
Art. 26. In the Act of February 18, 1994 on retirement benefits for Police officers, the Security Agency,
Internal Affairs, the Foreign Intelligence Agency, the Military Counterintelligence Service, the Military Intelligence Service,
Central Anticorruption Bureau, Border Guard, State Protection Service, State Fire Service,
Customs and Treasury and the Prison Service and their families (Journal of Laws of 2019, item 288), Art. 36 is replaced by the following:
"Art. 36. 1. Public administration bodies, employers, pension and disability pension bodies, schools and universities
higher education institutions are obliged to provide assistance and information to pension authorities, including disclosure of personal data
benefits provided for in the Act and issue free of charge, at their request, all documents, including
benefits necessary to establish the right to benefits or their amount or to confirm the existence of the right to
benefits.
2. Pension authorities are entitled to obtain necessary information by electronic means
to determine the entitlement to benefits or their amount or to confirm the existence of the right to benefits from bodies
old-age and disability pension and from public registers, in particular from:
1) PESEL register,
educational information system,

2)

3) the Central List of the Insured,
a nationwide list of students and a nationwide list of doctoral students

4)

- in order to confirm the validity of the data held, to obtain contact details or to enable verification
cation of the right to benefits.
3. In the event of a failure of the ICT systems used to obtain information by electronic means
in accordance with paragraph 2, the pension authorities obtain this information by means of a written exchange of information. ”.
Art. 27. In the Act of March 4, 1994 on the company social benefits fund (Journal of Laws of 2018, item 1316,
1608, 1669 and 2435) in art. 8:
1) after sec. 1 the following paragraph shall be added: 1a-1d as follows:
"1a. Providing the employer with the personal data of the person authorized to use the Fund, in order to
know the discounted services and benefits as well as subsidies from the Fund and determine their amount, in the form of a declaration
connection. The employer may request documentation of personal data to the extent necessary to confirm them.
Confirmation may take place, in particular, on the basis of statements and certificates about the life situation (incl
health), family and material persons entitled to use the Fund.

23/04/2019

Page 20
© Chancellery of the Sejm

pp. 20/114

1b. For the processing of personal data concerning health, referred to in art. 9 sec. 1 of the regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals
in connection with the processing of personal data and on the free movement of such data, and repeal
Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended)
d. 20) ), only persons with a written authorization to process such data may be allowed
issued by the employer. Persons authorized to process such data are obliged to keep them
in secret.
1c. The employer processes the personal data referred to in sec. 1a, for the period necessary to grant the relief
services and benefits, subsidies from the Fund and the determination of their amount, as well as for the period necessary for
asserting rights or claims.
1d. The employer shall review the personal data referred to in para. 1a, at least once a year
calendar in order to determine the necessity of their further storage. The employer deletes personal data that
further storage is unnecessary to achieve the purpose specified in paragraph 1a and 1c. ";
2) paragraph 2 is replaced by the following:
"2. The terms and conditions of using the services and benefits financed from the Fund, taking into account paragraph 1–1b,
and the principles of allocating the resources of the Fund to specific goals and types of social activity are defined by the employer
in the regulations determined in accordance with art. 27 sec. 1 or article. 30 sec. 6 of the Act of May 23, 1991 on trade unions
(Journal of Laws of 2019, item 263). An employer who does not operate a trade union organization agrees
regulations with an employee selected by the crew to represent its interests. ”.
Art. 28. In the Act of July 7, 1994 - Construction Law (Journal of Laws of 2018, item 1202, as amended 21) ) after Art. 84a
Art. 84aa and art. 84ab is added:
"Art. 84aa. 1. In connection with processing by architectural and construction administration bodies and authorities
construction supervision of personal data in the course of the implementation of tasks specified in the law referred to in the law
in art. 15 sec. 1 lit. g of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
on the protection of individuals with regard to the processing of personal data and on the free transfer
the flow of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation) (Journal of
UE L 119 of 04/05/2016, p. 1, as amended d. 22) ), shall apply to the extent that it does not affect the protection of the rights and
the identity of the person from whom the data was obtained.
2. The architectural and construction administration authorities shall inform about the restriction referred to in par. 1,
respectively, at the first action addressed to the data subject, or in the manner specified in art. 49
Of the Code of Administrative Procedure.
3. Construction supervision authorities shall inform about the restriction referred to in par. 1, at the first step
addressed to the data subject.
4. If the period of storage of personal data referred to in sec. 1, does not result from the
of the Act of July 14, 1983 on the national archival resource and archives (Journal of Laws of 2019, items 553 and 730)
or separate regulations, architectural and construction administration authorities and building supervision authorities
valid for the period determined in accordance with the provisions issued pursuant to Art. 6 sec. 2 and 2b of the Act of July 14
1983 on the national archival resource and archives.
5. The personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
allowing for the processing of personal data only persons authorized by

1)

data controller;
a written commitment of persons authorized to process personal data to keep them confidential

2)

nothing.
Art. 84ab. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general
Data Protection Regulation), does not affect:
keeping the registers and records referred to in art. 82b paragraph. 1 and 1a, art. 84 sec. 2 points 2-4 and art. 88a

1)

paragraph 1 point 3;

20) The amendment
21) Amendments

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.

to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2018, item 1276, 1496, 1669 and 2245 and from 2019.

item 51, 630 and 695.
to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.

22) The amendment

23/04/2019

Page 21
© Chancellery of the Sejm

pp. 21/114

2) the course and the result of the proceedings referred to in article 1. 97 sec. 1;
activities related to the control of compliance with and application of the provisions of the construction law. ”.

3)

Art. 29. In the Mental Health Protection Act of August 19, 1994 (Journal of Laws of 2018, item 1878),
the following changes are taking place:
1) in art. 10b:
a) sec. 1 is replaced by the following:
"1. Protection of the rights of persons referred to in art. 10a paragraph. 1, is the task of the Patient Rights Ombudsman, which
it carries out, in particular, with the help of the Ombudsmen for Patient Rights of the Psychiatric Hospital. ",
b) in sec. 4 point 3 is replaced by the following:
"3) access to the medical records of the person referred to in art. 10a paragraph. 1; ";
2) in art. 18e paragraph. 5 is replaced by the following:
"5. Data recorded with the use of monitoring devices may be processed only by persons with
giving a written authorization issued by the data controller, in particular judges and Ombudsmen
Patient of a Psychiatric Hospital, in order to perform the tasks specified in the Act. Persons with written authorizations
are obliged to keep the data secret. ”.
Art. 30. In the Act of October 27, 1994 on toll motorways and the National Road Fund
(Journal of Laws of 2018, items 2014 and 2244) the following changes are introduced:
1) after art. 37a, art. 37aa and art. 37ab is added:
"Art. 37aa. 1. In connection with the collection of tolls for using the motorway, the entities indicated in Art. 37a paragraph. 1a make
they have the obligation referred to in Art. 13 sec. 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46 / EC (General
on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended23 ) ), hereinafter referred to as "Regulation
2016/679 ", at the first step addressed to the data subject, unless he or she has this information,
and their scope or content has not changed, and through the website containing information about
toll collection on the motorway.
2. Submitting the request referred to in Art. 18 sec. 1 of Regulation 2016/679, does not affect the obligation
payment of tolls for using the motorway.
Art. 37ab. 1. Unless separate regulations provide otherwise, the entities referred to in Art. 37a paragraph. 1a, or
persons authorized by them, on the basis of a written request, provide free personal data processed
related to toll collection on the motorway:
1) the police,
2) Road Transport Inspection,
3)

Military Police,

4)

Border Guard,

5)

The Internal Oversight Office,

6)

Internal Security Agency,

7) the Foreign Intelligence Agency,
8) the Central Anti-Corruption Bureau,
9)

Military Counterintelligence Service,

10) the Military Intelligence Service,
11) a public prosecutor,
12) courts,
13) the Head of the National Tax Administration, the director of the tax administration chamber, the head of the office
customs and tax,
14) State Protection Service
- to the extent necessary to perform their statutory tasks.

23) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 22
© Chancellery of the Sejm

pp. 22/114

2. The application referred to in par. 1, includes:
1) designation of the case;
2)

circumstances from which it is necessary to obtain the requested data;

3)

data subject to disclosure.

3. The relevant entity may consent to the disclosure, by means of electronic communication, of data
personal data referred to in sec. 1, entities referred to in paragraph 1. 1 points 1-5 and 7-14, without necessity
submit written applications, if it is justified by the type or scope of the tasks performed.
4. Providing personal data referred to in sec. 1, in the manner specified in para. 3, followed by
by the entities referred to in para. 1 points 1-5 and 7-14, of the application containing:
1)

determination of the scope of data subject to disclosure;

2)

identification of the persons authorized to process the data referred to in point 1;

3)

a declaration that these entities have:
a) devices enabling the system to record who, when, for what purpose and what data was obtained, and
b) technical and organizational security preventing the use of data contrary to their purpose
obtaining.

5. The relevant entity shall provide the Internal Security Agency with the personal data referred to
in paragraph 1, in the manner referred to in para. 3, if the organizational unit of the internal security agency
who is the recipient of the data submits the declaration referred to in sec. 4 point 3.
6. Pursuant to para. 1 and 3 of the personal data referred to in art. 9
paragraph 1 of Regulation 2016/679, unless the entity referred to in para. 1, is legally authorized to process
transmitting these data. ";
2) in art. 63d, the following paragraph shall be added: 5 and 6 as follows:
"5. The General Director of National Roads and Motorways or a special purpose road vehicle perform
the obligation referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679 in relation to the person whose personal data
are processed in connection with the control referred to in paragraph 1, at the first action addressed to that person,
unless it has this information and its scope or content has not changed.
6. Submitting the request referred to in Art. 18 sec. 1 of Regulation 2016/679, does not affect the performance
exercising the powers of the General Director for National Roads and Motorways or a special purpose road company,
referred to in sec. 1-4. "
Art. 31. In the Act of June 29, 1995 on public statistics (Journal of Laws of 2019, item 649),
the following changes:
1) in art. 2:
a) point 1a is replaced by the following:
"1a) statistical data - data on phenomena, events, objects and activities of entities of the national economy
life and situation of natural persons, including personal data obtained directly from the respondents
ts or from public administration information systems, official or non-public registers
information systems, from the moment they are collected for the purposes of performing official statistics
nej; ",
b) point 8 is replaced by the following:
"8) a survey for statistical surveys - a list of entities of the national economy covered by statistical surveys
, natural persons and other entities subject to statistical observation ordered in
the debt of specific characteristics, containing individual data along with their contact details; ",
c) after point 11a the following point 11b is added:
"11b) a natural person running a business - a natural person who is an entrepreneur within the meaning of
the Act of 6 March 2018 - Entrepreneurs' Law (Journal of Laws, item 646, 1479, 1629, 1633 and 2212), other
a natural person running a self-employed activity in order to make a profit and a person
physical person running an individual farm; ",

23/04/2019

Page 23
© Chancellery of the Sejm

d) in point 14, the full stop is replaced by a semicolon and the following point 15 is added:
"15) non-public information systems - systems for collecting, collecting and processing information that lead to
by entities other than the authorities and entities referred to in point 13, in particular entities
performing activities in the field of:
a) sale or delivery of electricity,
b) collective sewage disposal and collective water supply,
c) transmission, distribution and trade in gaseous fuels,
d) trading, transmission and generation of thermal energy,
e) telecommunications,
f) insurance,
g) transport and leasing,
h) airport management,
i) real estate management and administration. ”;
2) in art. 5:
a) sec. 1 is replaced by the following:
"1. Public statistics services:
1)

collect, collect and process data from entities of the national economy and about these entities and them
activities, as well as data from natural persons and about these persons, their life and situation, as well as data on
phenomena, events and objects;

2)

they store, combine the obtained data and re-use it in order to perform the tasks specified in the
knows. ",

b) after sec. 1 the following paragraph shall be added: 1a is added as follows:
"1a. The access of official statistics services to data and the transfer of data to these services takes place without
for a fee. ”;
3) after art. 5, art. 5a is added as follows:
"Art. 5a. 1. Official statistics services collect data, including personal data, from available specific sources
in the Act and the executive acts issued on its basis or separate acts.
2. In order to implement the tasks specified in the Act, including statistical surveys, official statistics services collected
data collection:
1)

from official registers;

2)

from public administration information systems;

3)

from non-public information systems;

4)

from respondents.
3. Official statistics services also collect data generally available from sources other than specified

pp. 23/114

in paragraph 2.
4. The data referred to in par. 2 and 3, are collected using available techniques, including the use of
automated electronic or IT tools.
5. Data from the sources referred to in par. 1 and sec. 2 points 1-3, shall be submitted or made available in the following formats,
referred to in Art. 18a paragraph. 2 and 3. ";
4) in art. 6:
a) sec. 1 is replaced by the following:
"1. As part of the conducted statistical research, data from respondents are collected using the method of observation
full or representative method on a randomly selected sample of a given community or by purposeful selection method. ",
(b) the following paragraph is added: 4 and 5 as follows:
"4. The share of natural persons running a business in statistical surveys concerns
their business activities is compulsory.

23/04/2019

Page 24
© Chancellery of the Sejm

pp. 24/114

5. The statistical surveys referred to in para. 3, in which natural persons provide direct responses
knowledge, are conducted after informing them about the legal basis of the study, the purpose of the study and the warranty
the secrecy referred to in art. 10, and whether participation in the study is compulsory or
free.";
5) art. 8 is replaced by the following:
"Art. 8. The personal data referred to in Art. 9 sec. 1 and art. 10 of the Regulation of the European Parliament and of the Council
(EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to data processing
data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation
on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended24 ) ), hereinafter referred to as the "Regulation
2016/679 ", may not be collected as an obligation in statistical surveys conducted with the participation of people
physical. ";
6) in art. 13:
a) sec. 1 is replaced by the following:
"1. Public administration bodies, the Social Insurance Institution, the National Health Fund,
The Polish Financial Supervision Authority, as well as other state or local government legal persons, registration authorities and
other entities maintaining official registers or non-public information systems, submit or make available
data collected free of charge for official statistics services in a detailed scope, form and dates,
specified in the program of statistical surveys of official statistics, in particular in the form of data sets
from ICT systems, including measurement results, environmental monitoring data, and in case of
the lack of an ICT system - in a different recorded form. ",
b) in sec. 3, the introduction to the enumeration is replaced by the following:
"The authorities and entities referred to in para. 1, with the exception of entities operating non-public systems
information, are obliged to: ",
c) sec. 4 is replaced by the following:
"4. The President of the Central Statistical Office is entitled to report to authorities and entities about
mentioned in sec. 1, with the exception of entities operating non-public information systems, applications for
concerning the information content and the quality requirements of the data contained therein in order to enable the use of
the availability of these data for the purposes of official statistics. ”;
7) in art. 35a:
a) sec. 1 is replaced by the following:
"1. Official statistics services process personal data specified in art. 35b paragraph. 1 in order to statistically
nym, including in particular:
organizing and conducting statistical surveys, including censuses referred to in art. 18
or separate acts, and statistical research, studies and analyzes referred to in Art. 21 sec. 2;

1)

2) developing and announcing demographic forecasts;
3)

conducting statistical surveys and analyzes referred to in Art. 25 sec. 1 point 11;

4)

developing the results of statistical surveys, including the results of censuses;

5) conducting statistical analyzes and studies;
6) conducting scientific and research and development works referred to in art. 25 sec. 1 point 15;
7) conducting and updating the sampling frame for statistical surveys referred to in Chapter 5a;
implementation of tasks resulting from the participation of the Republic of Poland in the European System of Statistics
(ESS), the European System of Central Banks (ESCB) and membership in international organizations
international. ",

8)

(b) the following paragraph is added: 3 is added:
"3. Official statistics services process personal data for the purposes of keeping and updating the national
official register of entities of the national economy. ”;
8) after art. 35a, art. 35aa is added:
"Art. 35aa. Personal data from the moment it is collected directly from respondents or from information systems
public administration and official registers or non-public information systems for the purposes of

24) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 25
© Chancellery of the Sejm

pp. 25/114

performing the tasks specified in the Act become statistical data and are covered by statistical confidentiality, except
aggregation of information contained in the national official register of entities of the national economy. ”;
9) in art. 35b:
a) in sec. 1:
- the introduction to the enumeration is replaced by the following:
"Official statistics services process the following personal data for statistical purposes:",
- points 1 and 2 are replaced by the following:
"1) names and surnames;
date of birth;",

2)

- after point 2, point 2a is added as follows:
"2a) country of birth and place of birth;",
- after point 5, the following points 5a-5c are added:
"5a) biometric data;
5b) genetic data;
5c) sexuality or sexual orientation; ",
- after point 12, point 12a is added in the following wording:
"12a) the fact that people live together;",
- after point 14, points 14a and 14b are added as follows:
"14a) income, including remuneration;
14b) social security and health insurance contributions; ",
- after point 16, points 16a-16c are added as follows:
"16a) use of an agricultural holding;
16b) managing an agricultural holding;
16c) workplace address; ",
- point 20 is replaced by the following:
"20) registered address, residential address or residence address;",
- after point 20, the following points 20a and 20b are added:
“20a) country of previous residence;
20b) country of departure; ",
b) sec. 2 is replaced by the following:
"2. Personal data referred to in sec. 1, are processed by official statistics services within the framework of
statistical surveys that provide information about the life and situation of natural persons or selected aspects
the life and situation of these people in the following areas:
population, demographic processes and migrations;

1)

2) households and families;
civic and socio-political activity, membership and support for social organizations and

3)

tic;
4)

working, unemployed and economically inactive by socio-economic characteristics;

5)

conducting economic, agricultural and forestry activities;

6) commuting to work;
7) working conditions, occupational diseases;
8) accidents and victims;
9) working time;
10) sources of income, including income, remuneration and their structure;
11) social security and health insurance contributions as well as contribution periods and working time;

23/04/2019

Page 26
© Chancellery of the Sejm

pp. 26/114

12) social insurance benefits;
13) financial situation and wealth of persons, households and families;
14) expenditure and quantitative consumption by persons and households;
15) housing conditions and household equipment;
16) time budget;
17) subjective assessments of the quality of life and the socio-economic situation;
18) social assistance, including beneficiaries of social assistance;
19) poverty and social exclusion;
20) supporting the family and foster care;
21) family benefits;
22) caring for children and youth;
23) higher education, including academic teachers, students and doctoral students;
24) education and upbringing, including students and teachers;
25) educational activity, including lifelong learning;
26) participation of the population in sport, recreation, tourism and culture, including recreation for children and youth;
27) illness and treatment, use of medical services, pro-health and anti-health behavior;
28) limitations in the performance of basic life activities;
29) access to and use of social and public services;
30) border traffic of people and vehicles;
31) human and social capital;
32) socio-religious behavior;
33) social relations;
34) information society;
35) security, threat of crime, violence;
36) participation in the use of the environment and environmental protection. ",
c) after sec. 2 the following paragraph shall be added: 2a is added as follows:
"2a. Official statistics services process the derived data and the inferred data obtained in the
the analysis of personal data referred to in sec. 1, in the areas referred to in paragraph 1. 2. ",
d) sec. 3 is replaced by the following:
"3. The data referred to in paragraph 1. 1, may be obtained directly from the natural person they relate to,
or an adult household member or from public administration information systems, official registers
or non-public information systems. ",
(e) paragraph 3 is deleted. 4;
10) in art. 35c:
a) the current content is marked as para. 1,
b) in sec. 1:
- in point 1 lit. a is replaced by the following:
"A) computerization - from the PESEL register, the central register of vehicles and the registry of civil status,",
- after point 1, point 1a is added as follows:
"1a) of the Minister of Justice - from the central database of land and mortgage registers,",
(c) the following paragraph is added: 2 and 3 as follows:
"2. Official statistics services process personal data specified in art. 35b paragraph. 1 and information about
and the situation of natural persons or selected aspects of life and the situation of these persons, referred to in art. 35b
paragraph 2, originating from non-public information systems in the detailed scope specified in the program
conducting statistical surveys of public statistics.

23/04/2019

Page 27
© Chancellery of the Sejm

pp. 27/114

3. Official statistics services process personal data referred to in Art. 8, collected from systems
information systems of public administration, official registers and non-public information systems,
ensuring the guarantees of their full protection on the terms specified in the Act. ”;
11) art. 35d and art. 35e are replaced by the following:
"Art. 35d. 1. Personal data, after their collection by official statistics services, if this is allowed by the purpose of their
face are pseudonymized.
2. Pseudonymization is carried out immediately, after determining the necessary subjective scope and before
litter, in the manner and in accordance with the procedure referred to in paragraph 4.
3. Reversal of pseudonymization takes place only to the extent necessary to achieve the statistical goal.
4. The manner and procedure of pseudonymisation of personal data is specified by the President of the Main Office by way of an order
Statistical.
Art. 35e. 1. Personal data, if it is necessary to perform the tasks specified in the Act, in the scope of
for statistical purposes, they are combined with data from various statistical surveys, official registers
public administration information systems and non-public information systems.
2. Using data for purposes other than those specified in the Act, in particular to make decisions
zji or individual decisions against a specific natural person is prohibited. ”;
12) Art. 35f;
13) art. 35g is replaced by the following:
"Art. 35g. The provisions of Art. 35a-35c, art. 35d paragraph. 1 and art. 35h shall apply to other authorities and entities conducting
performing the statistical surveys referred to in Art. 20, in the scope of statistical research conducted by them. ”;
14) after art. 35g, art. 35h as follows:
"Art. 35h. 1. To process personal data in order to perform the tasks specified in the Act by
the official statistics service does not apply the provisions of Art. 15, art. 16, art. 18 and art. 21 of Regulation 2016/679.
2. In connection with the processing of personal data by the services for the purpose of carrying out the tasks specified in the Act
of official statistics the fulfillment of the obligation referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679, follows
by providing the information referred to in art. 13 sec. 1 and 2 of Regulation 2016/679, in the Information Bulletin
Public on the website of the office and on the website of the Central Statistical Office.
3. Information on how to fulfill the obligation referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679,
is provided together with the information referred to in art. 6 sec. 5. ";
15) art. 39 is replaced by the following:
"Art. 39. The President of the Central Statistical Office ensures that the collected data is stored in accordance with
with the principles set out in Art. 10, art. 35d and chapter 5a. ”;
16) after chapter 5, chapter 5a is added as follows:
"Chapter 5a
Survey for statistical research
Art. 39a. 1. In order to carry out statistical surveys, the President of the Central Statistical Office runs the survey to
statistical research, hereinafter referred to as "OBS", in which he publishes information about entities subject to observation
statistical according to specific characteristics.
2. OBS is conducted in the ICT system.
3. Personal data, depending on the entity subject to statistical observation, are stored in the OBS
for no more than 100 years.
Art. 39b. 1. OBS shall be constantly and regularly updated in order to enable statistical observation
the subject of this observation in time and space.
2. OBS is updated using data from official registers and information systems
and statistical surveys, including censuses.
Art. 39c. 1. The data collected in the OBS is used only by official statistics services for the purpose of
conducting statistical surveys, including censuses.
2. The data collected in the OBS may be made available only in the manner referred to in Art. 20 paragraph 4.

23/04/2019

Page 28
© Chancellery of the Sejm

pp. 28/114

3. Data in OBS are collected, processed and stored under special conditions without
security and absolute data protection referred to in art. 10. ";
17) in art. 42 paragraph 1 is deleted. 2;
18) in art. 53 sec. 1 is replaced by the following:
"1. Submitting data in the form and manner specified in the program of statistical surveys of official statistics
and in the case of censuses - in a separate act, respectively, at the expense of the observing entity
statistical authority or the administrator of the public administration information system or the official register
or a non-public information system. ”.
Art. 32. In the Act of October 13, 1995 on the principles of registration and identification of taxpayers and remitters (Journal
of 2019, item 63) after art. 15a, art. 15aa is added:
"Art. 15aa. 1. In connection with the processing of personal data for the purpose of assigning a NIP, the performance of the obligation
referred to in art. 13 sec. 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of individuals with regard to the processing of personal data and on the free
the flow of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal of
UE L 119 of 04/05/2016, p. 1, as amended d. 25) ) is made by providing the information referred to
in art. 13 sec. 1 and 2, of this regulation in a publicly accessible place at the seat of the authority or in the Information Bulletin
Public Information on the website of this authority or office servicing this authority and on its website
towa. In this case, when obtaining personal data, the authority provides the data subject with information about
to fulfill this obligation.
2. The authorities referred to in Art. 14a, may authorize the processing of personal data of
carried out or serving in organizational units of the National Revenue Administration, to the extent necessary
to carry out the tasks entrusted to these people. The authorization is issued in writing by name
authorization, position authorization or internal act, unless a specific provision provides otherwise.
These authorities keep a register of persons authorized to process personal data.
3. Personal data processed by the authorities referred to in Art. 14a, are subject to preventive measures
abusive or unlawful access or communication consisting, at least in:
allowing the data controller to process personal data only of persons authorized to do so

1)

related;
a written commitment of persons authorized to process personal data to keep them confidential

2)

nothing;
3) testing and improving the applied technical and organizational measures;
4) ensuring secure communication in ICT networks, in particular through acquisition
and transfer of personal data to external entities using cryptographic techniques;
5)

ensuring protection against unauthorized access to CRP KEP;

6)

ensuring data integrity in CRP KEP;

7)

defining the security rules for the processed personal data. ”.

Art. 33. In the Act of October 13, 1995 - Hunting Law (Journal of Laws of 2018, item 2033 and of 2019,
item 125) is hereby amended as follows:
1) in art. 21 in section 3, point 2 is deleted;
2) after art. 21, art. 21a is added:
"Art. 21a. 1. A person applying for the examination referred to in Art. 21 sec. 1, submits the application
for admission to the exam containing:
first name and last name;

1)

2) address of the place of residence;
date and place of birth;

3)

4) social security number, and in its absence - the type and number of the document confirming identity;
5) contact details;
6) signature.

25) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 29
© Chancellery of the Sejm

pp. 29/114

2. In order to verify the identity, the person taking the examination referred to in Art. 21 sec. 1, it turns out
the examination commission an identity card or another document confirming the identity. ”.
Art. 34. In the Act of May 31, 1996 on persons deported to forced labor and imprisoned in
work retention by the Third Reich and the Union of Soviet Socialist Republics (Journal of Laws of 2014, item 1001 and of 2018
item 1552) in art. 4:
1) paragraph 1 is replaced by the following:
"1. The entitlement to the benefit is granted by the decision of the Head of the Office for Veterans and Reprebased on the request of the person concerned and documents and evidence proving the type
and a period of repression. ”;
2) after sec. 1 the following paragraph shall be added: 1a is added as follows:
"1a. The application referred to in paragraph 1. 1, includes the first name or names and surname, family name, date and place
birth, parents' names, current citizenship and citizenship at the time of being repressed, PESEL number,
address of the applicant's place of residence or mailing address, telephone number or e-mail address
if the applicant has them. ”;
3) paragraph 1 is deleted. 3.
Art. 35. In the Act of 5 July 1996 on tax consultancy (Journal of Laws of 2019, item 283),
the following changes:
1) after art. 25, art. 25a is added as follows:
"Art. 25a. 1. The minister responsible for public finance is the administrator of the processed data
for purposes related to the activities of the State Examination Commission for Tax Advisory and
organizing an exam for a tax advisor.
2.The data controller allows persons with written authorizations to process personal data
no.
3. Personal data processed in order to perform the tasks or obligations specified in the Act are subject to
gląd not less frequently than every 5 years from the date of obtaining them. ”;
2) in art. 37 the following paragraph is added: 5-7 as follows:
"5. The provisions of Art. 15 sec. 1 and 3, art. 18 and art. 19 of Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46 / EC (General
on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended.26 ) ) shall apply to the extent that they do not infringe
they are obliged to keep by the tax advisor or the persons referred to in para. 3, professional secrecy,
referred to in sec. 1 and 3.
6. In the case of personal data obtained by a tax advisor or persons referred to
in paragraph 3, in connection with the provision of tax advice, the provision of art. 21 sec. 1 of the regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals
in connection with the processing of personal data and on the free movement of such data, and repeal
Directive 95/46 / EC (General Data Protection Regulation).
7. The obligation of professional secrecy referred to in par. 1 and 3, does not cease, in the event that
providing the disclosure of information obtained by a tax advisor or persons referred to in para. 3,
in connection with the provision of tax consultancy, the President of the Personal Data Protection Office acts. ”;
3) after art. 63, art. 63a is added:
"Art. 63a. 1. The National Chamber of Tax Advisors is the administrator of data processed by the authorities
the self-government of tax advisers in order to perform the tasks or obligations of these authorities.
2.The data controller allows persons with written authorizations to process personal data
no.
3. Personal data processed in order to perform the tasks or obligations specified in the Act are subject to
to the insight at least every 5 years from the date of obtaining them. ”.

26) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 30
© Chancellery of the Sejm

pp. 30/114

Art. 36. In the Act of August 8, 1996 on the Council of Ministers (Journal of Laws of 2012, item 392, of 2015, item 1064,
of 2018, item 1669 and of 2019, item 271) is hereby amended as follows:
1) in art. 7 in section 4 point 3 is replaced by the following:
"3) conducts public consultations and cooperates with the local government and social organizations
and representative offices of professional and creative circles; ”;
2) after art. 39a, art. 39b is added:
"Art. 39b. To the extent necessary to prepare a draft government document, prepare and conduct
arranging arrangements, public consultations, giving opinions on this draft and considering it, the Council of Ministers, the President
The Council of Ministers, a member of the Council of Ministers, the Head of the Chancellery of the Prime Minister, another entity authorized
does not result from separate regulations, the entity acting under the authority of the Council of Ministers, the President
The Council of Ministers or a member of the Council of Ministers and the Government Legislation Center process personal data, incl
the data referred to in art. 9 sec. 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of individuals with regard to the processing of personal data and on the freedom
flow of such data and repealing Directive 95/46 / EC (General Data Protection Regulation)
(Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 27) ). ”.
Art. 37. In the Act of September 13, 1996 on the maintenance of cleanliness and order in municipalities (Journal of Laws of 2018,
item 1454 and 1629) in art. 6n in sec. 1 point 1 shall be replaced by the following:
"1) the template of the declaration on the amount of the municipal waste management fee submitted by the owners of
movable property, taking into account art. 6m of paragraph 1a and 1b, including explanations on how to fill it in,
information indicated in art. 13 sec. 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of
April 27, 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46 / EC (General
on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended.28 ) ) and the instruction that the declaration constitutes
the basis for issuing the writ of execution; the resolution also contains information on the dates and place of
making a declaration; ".
Art. 38. In the Act of December 5, 1996 on the professions of doctor and dentist (Journal of Laws of 2019, items 537 and 577)
the following changes are introduced:
1) in art. 15 the following paragraph is added: 11 and 12 as follows:
"11. Marshal of the voivodeship, Minister of National Defense and the voivode, in order to perform
with the implementation of postgraduate internships of doctors and dentists, process the data in accordance with their properties
doctors and dentists including:
1)

soldier rank in active service;

2)

first name and last name;

3) social security number, and in its absence - the type and number of the document confirming identity;
date of birth;

4)

5) address of the place of residence;
6) number of the license to practice the profession;
7) specializations held;
8) reasons and periods of absence from work;
9) expected and actual date of delivery;
10) information about the certified disability;
11) information on the procedure for terminating the employment contract.
12. The data referred to in par. 11 points 8-11, may not be processed for any purpose other than financing the internship
postgraduate internship, extending the postgraduate internship and supervising the postgraduate internship, and access to
only persons who have a written authorization to process such data issued by
the voivodship marshal, the Minister of National Defense or the voivode. Persons with written authorization are
obliged to keep such data confidential. ”;

27) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
28) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 31
© Chancellery of the Sejm

pp. 31/114

2) in art. 16h the following paragraph shall be added: 10 and 11 as follows:
"10. Voivode, minister competent for health matters, minister competent for internal affairs and the minister
National Defense, in order to perform tasks related to the implementation of specialist training for doctors and doctors
dentists, process, according to their property, the data of doctors and dentists, including:
1)

the rank of a soldier in active service or an officer in a service relationship;

2)

first name and last name;

3) social security number, and in its absence - the type and number of the document confirming identity;
date of birth;

4)

5) address of the place of residence;
6) number of the license to practice the profession;
7) specializations held;
8) reasons and periods of absence from work;
9) expected and actual date of delivery;
10) information about the certified disability;
11) information on the procedure for terminating the employment contract.
11. The data referred to in sec. 10 points 8-11, may not be processed for any purpose other than financing school
specialization training, extension of specialization training and supervision over specialization training
and access to them may only be granted to persons with a written authorization to process such data
issued by a voivode, minister responsible for health, minister responsible for internal affairs or
Minister of National Defense. Persons with written authorization are required to keep these data
in confidentiality. "
Art. 39. In the Act of 10 April 1997. - Energy Law (Dz. U. of 2018. Pos. 755, as amended. D. 29) ) introduced
the following changes are made:
1) in art. 5d the current content is marked as para. 1 and the following paragraph is added: 2 and 3 as follows:
"2. The commune council determines, by resolution, the template of the application for payment of the energy allowance.
3. Personal data processed to the extent necessary to pay the energy supplement shall be stored
for a period not exceeding 5 years from the date the supplement was ceased to be paid. ';
2) in art. 32d in paragraph 4 the word "forward" is replaced by the word "makes available".
Art. 40. In the Act of June 6, 1997 - Penal Code (Journal of Laws of 2018, items 1600 and 2077) in Art. 115 § 12 received
reads:
“§ 12. An unlawful threat is both the threat referred to in Art. 190, as well as the threat of
criminal or other proceedings in which an administrative fine may be imposed as well
disseminating messages offensive to the honor of the threatened person or his / her closest person; is not a threatening announcement
causing criminal or other proceedings to which an administrative penalty may be imposed
pecuniary interest, if it is only intended to protect the right violated by a crime or threatened behavior
an administrative fine. ”.
Art. 41. In the Act of 20 June 1997 - Road Traffic Law (Journal of Laws of 2018, items 1990, 2244 and 2322
and of 2019, item 53 and 60) is hereby amended as follows:
1) in art. 80b, paragraph 1 is deleted. 4;
2) in art. 100ab, paragraph 1 is deleted. 2;
3) in art. 100 g, paragraph 1 is deleted. 7;
4) in art. 129 h of paragraph 1. 4 is replaced by the following:
"4. For the processing of personal data by the Chief Road Transport Inspector, to the extent
rhyme in paragraph 3, the provisions of art. 26 of the Act of December 14, 2018 on the protection of personal data by
in connection with the prevention and combating of crime (Journal of Laws of 2019, item 125). ”;

29) Amendments

to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2018, item 650, 685, 771, 1000, 1356, 1629, 1637

and 2348 and of 2019, item 42, 125 and 492.
23/04/2019

Page 32
© Chancellery of the Sejm

pp. 32/114

5) after chapter Vb the following chapter Vc is added:
"Department Vc
Processing of personal data
Art. 140o. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general
data protection regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended30 ) ), does not affect the course of
and the result of the checks referred to in article 1. 129 sec. 1, 4 and 4a, art. 129a paragraph. 1, art. 129b paragraph. 1, art. 129c of paragraph 1. 1 and art. 129d
paragraph 1, nor the power of the competent authority to impose a penalty. ”.
Art. 42. In the Act of August 22, 1997 on the public blood service (Journal of Laws of 2017, item 1371 and of 2018
item 1375) in art. 17 sec. 3 is replaced by the following:
"3. The minister responsible for health is the administrator of the data collected in the e-blood system. ”.
Art. 43. In the Act of 27 August 1997 on Vocational and Social Rehabilitation and Employment of Disabled Persons,
in working order (Journal of Laws of 2018, items 511, 1000, 1076, 1925, 2192 and 2354) the following changes are introduced:
1) after art. 2a, art. 2b as follows:
"Art. 2b. 1. The employer processes personal data, including data on the health of persons:
1)

remaining in an employment relationship with him and non-working former employees,

2)

disabled people doing homework,

3)

participating in the recruitment process, undergoing training, internship, apprenticeship or apprenticeship
professional or graduate,
belonging to the groups listed in art. 5 of Annex 1 to Commission Regulation (EC) No 800/2008 of

4)

On August 6, 2008, declaring certain categories of aid compatible with the common market pursuant to Art. 87
and 88 of the Treaty (general block exemption regulation) (Journal of Laws EC L 214 of 09.08.2008, p. 3,
with later d. 31) ) and to Commission Regulation (EU) No 651/2014 of 17 June 2014 recognizing some
types of aid compatible with the internal market pursuant to Art. 107 and 108 of the Treaty (OJ L 187
of June 26, 2014, p. 1, as amended d. 32) ),
5)

being family members of employees and non-working former employees,

6)

referred to in Art. 21 sec. 2c, and people using the services of the organizational units referred to
in art. 21 sec. 2e point 3

- for the purposes specified in the Act.
2. Providing the employer with documents confirming personal data on health is voluntary.
3. In order to perform the tasks referred to in Art. 25a, art. 25c, art. 25d and art. 26a-26c, actions may be
based on automated data processing.
4. The processing referred to in para. 3, may include personal data about health.
5. In the case referred to in sec. 3 and 4, the data controller provides appropriate measures to protect
not the interests or fundamental rights, freedoms and legitimate interests of the data subject, incl
in particular, it provides that person with the right to receive human intervention, the right to express his or her own
ska and to challenge the decision made in an automated manner.
6. Security for the processing of personal data by entities and persons performing the resulting tasks
from the act consist at least of:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential
natures.

2)

7. The employers referred to in para. 1, entities and persons performing tasks resulting from the Act
they contain personal data only for a period not longer than necessary and to the extent necessary for implementation

30) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.

31) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 320 of 30.11.2013, p. 22.
32) Amendments to the above-mentioned regulation were announced in the Journal Of UE L 329 of 15.12.2015, p. 28, Journal Of UE L 149
of June 7, 2016, p. 10, Journal Of UE L 156 of 20/06/2017, p. 1 and Dz. Of UE L 236 of 14/09/2017, p. 28.
23/04/2019

Page 33
© Chancellery of the Sejm

pp. 33/114

purposes of personal data processing and review the suitability of personal data processing no
less frequently than every 5 years.
8. The period of storage of data processed by entities referred to in Art. 6 sec. 1, is
50 years.";
2) in art. 6 the following paragraph is added: 5 and 6 as follows:
"5. Disability adjudication panels process personal data, including health data, only
not for the purposes of performing tasks and to the extent necessary for their performance.
6. Security for the processing of personal data by disability adjudication teams consist of what
the least on:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written commitment of persons authorized to process personal data to maintain their confidentiality. ”;

2)

3) in art. 6c in sec. 6, the first sentence is replaced by the following:
"The voivode has direct supervision over the poviat teams with the help of voivodship teams.";
4) in art. 6ca:
a) in sec. The first sentence of 1 shall read as follows:
"The poviat team, at the request of the disabled person or their statutory representative, issues an identity card
a document documenting a disability or an ID documenting the degree of disability. ",
b) after sec. 1 the following paragraph shall be added: 1a is added as follows:
"1a. The application for issuing an ID card or its duplicate contains personal data of the person applying for
providing an ID card or its duplicate or data of the legal representative of that person, including:
1)

first name and last name;

2)

date and place of birth;

3)

sex;

4) PESEL number;
address of the place of residence, if different from the address of the place of residence;

5)

6) contact details;
7) data on the identity document. ",
(c) the following paragraph is added: 5 is added:
"5. The minister competent for social security may define a model application for issuance
ID documenting the disability or the degree of disability or a duplicate and share these
patterns in the Public Information Bulletin on its personal website. ”;
5) in art. 6d in sec. 4, point 4 is replaced by the following:
"4) data on the name and surname, PESEL number, gender and citizenship of the persons referred to in sec. 3 point 4,
the forms of their employment and working time; ”.
Art. 44. In the Act of August 29, 1997 - Tax Ordinance (Journal of Laws of 2018, item 800, as amended 33) ),
the following changes are made:
1) after art. 1, Art. 1a is added as follows:
"Art. 1a. § 1. The Act also regulates the manner in which the tax authorities perform the obligation stipulated in
referred to in Art. 13 sec. 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
on the protection of individuals with regard to the processing of personal data and on the free transfer
the flow of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation) (Journal of
UE L 119 of 04/05/2016, p. 1, as amended d. 34) ), hereinafter referred to as "Regulation 2016/679".
§ 2. The performance of the obligation referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679, is carried out independently
depending on the obligations of tax authorities provided for in the Act and does not affect the course and result of tax procedures
e.
§ 3. Making a request referred to in Art. 18 sec. 1 of the Regulation 2016/679, does not affect the course and
fiscal procedures. ”;

33) Amendments

to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2018, item 650, 723, 771, 1000, 1039, 1075, 1499,

1540, 1544, 1629, 1693, 2126, 2193, 2244 and 2354 and from 2019, item 60, 492 and 694.
34) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 34
© Chancellery of the Sejm

pp. 34/114

2) in art. 119zn:
a) § 2 is given the following wording:
"§ 2. The risk index is determined by the STIR clearing house at least once a day, based on the recommendations
computerized processing, if the purposes and conditions set out in this section are met. ",
b) § 5 is added as follows:
"§ 5. The processing referred to in § 2 may be based on personal data revealing the origin of
racial or ethnic origin and biometric data, provided that the purposes and conditions set out in this
our department. ”;
3) in art. 159 after § 1a, § 1b is added as follows:
"§ 1b. The call also contains the information referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679,
unless the summoned person has this information and its scope or content has not changed. ”;
4) in art. 165, § 9 is added, reading as follows:
“§ 9. The tax authority provides the information referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679,
at the first action addressed to the page, unless the page has this information and its scope or content has not been changed
changed. ";
5) in art. 165a in § 1, the following second sentence is added:
"The provision of art. 165 § 9 shall apply accordingly. ”;
6) in art. 170 after § 1, § 1a is added as follows:
"§ 1a. The notification of the submission of the application also contains the information referred to in Art. 13 sec. 1
and 2 of Regulation 2016/679, in the scope of data processed by the transferring authority, unless the applicant provides
does not have this information, and its scope or content has not changed. ”;
7) in art. 171 in § 1, a third sentence is added as follows:
"The provision of Art. 170 § 1a. ";
8) after art. 179, art. 179a is added:
"Art. 179a. The provision of art. 178 § 1 does not infringe the data subject's right to exercise the rights to
derogating from Art. 15 of the Regulation 2016/679. ”;
9) in art. 283 in § 2 in point 8, the full stop is replaced by a semicolon and the following point 9 is added:
"9) indication of the information referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679. ”;
10) after art. 306a, art. 306aa is added:
"Art. 306aa. The tax authority provides the information referred to in article 1. 13 sec. 1 and 2 of the Regulation
2016/679, at the first action addressed to the applicant, unless the applicant has this information,
and their scope or content has not changed. ”.
Art. 45. In the Act of August 29, 1997 on the National Bank of Poland (Journal of Laws of 2017, item 1373, of 2018
item 2243 and of 2019, item 371) after art. 59, art. 59a is added:
"Art. 59a. 1. In the case of processing personal data in order to perform specific tasks
in art. 3 sec. 2 points 6a and 7, the exercise of the powers referred to in Art. 15 sec. 1 and 3 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC
(general regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 35) ), provide
litters that provide data to the NBP in the manner specified in Art. 23a paragraph. 1 and 2.
2. NBP informs about the limitations referred to in para. 1, by making this information available at the site
publicly available at its headquarters and in the Public Information Bulletin on the NBP website or
on the NBP website.
3. The period of storage of personal data referred to in sec. 1, is determined by the data administrator in accordance with
with the purposes of their processing, taking into account separate provisions on time limits. The NBP is reviewing these
personal data every 5 years.

35) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 35
© Chancellery of the Sejm

4. The personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:

pp. 35/114

1) allowing the data controller to process personal data only of persons authorized to do so
related;
a written commitment of persons authorized to process personal data to keep them confidential

2)

nothing;
3) testing and improving the applied technical and organizational measures;
4) ensuring safe communication in ICT networks, in particular by guaranteeing
not that it uses the process of obtaining and transferring personal data to third parties
cryptographic techniques;
5) ensuring protection against unauthorized access to the NBP IT systems;
6)

ensuring data integrity in the NBP IT systems;

7)

defining the security rules for the processed personal data.

5. The President of the Personal Data Protection Office is not entitled to access individual data,
referred to in Art. 23 sec. 2, 2a, 3 and 3a, as well as statistical summaries, studies and evaluations referred to
in art. 23 sec. 6.
6. If it is necessary due to security requirements related to the control of access to information
or premises, NBP requests from persons providing services to the NBP or persons performing value transports
cash and their employees biometric data in the form of fingerprints, voice, hand geometry, layout
blood vessels in the fingers or hands. Biometric data may only be stored for the duration of the execution
services provided by these persons to the NBP or carrying out money transports. ”.
Art. 46. In the Act of August 29, 1997 - Banking Law (Journal of Laws of 2018, items 2187, 2243 and 2354 and of 2019
item 326) is hereby amended as follows:
1) in art. 4 in sec. 1 in point 46, the full stop is replaced by a semicolon and the following points 47 and 48 are added:
"47) Regulation 2016/679 - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of individuals with regard to the processing of personal data and on the
the smooth flow of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation)
(Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 36) );
48) profiling - profiling of natural persons within the meaning of art. 4 point 4 of Regulation 2016/679. ”;
2) in art. 22aa:
a) in sec. 1, the following second sentence is added:
"The warranty referred to in the preceding sentence relates in particular to the reputation, honesty and fairness
the person's dignity and ability to conduct the bank's affairs in a careful and stable manner. ",
(b) the following paragraph is added: 10-12 as follows:
"10. In order to ensure prudent and stable management of the bank, the bank identifies other than
in paragraph 1 key functions in the bank related to the scope of duties, powers and responsibilities
qualities enabling the exercise of significant influence on the management of the bank. The bank ensures that the persons performing
these functions fulfill the requirements specified in par. 1.
11. The bank demands from a candidate for a member of the management board or supervisory board and from a person applying for full
no other key function in the bank to submit:
documents or statements regarding:

1)

a) change of name, surname or citizenship,
b) material situation and property status;
information necessary to assess compliance with the conditions set out in paragraph 1 concerning:

2)

a) address of residence or stay,
(b) education, profession, skills and professional experience, including the history to date
professional work, completed vocational training, work place and position, and functions
in the bodies of financial sector entities,
c) criminal proceedings and proceedings in cases of fiscal offenses against cantransfer to a member of the management board or supervisory board or a person applying for another key position
functions in the bank,

36) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 36
© Chancellery of the Sejm

pp. 36/114

d) imposed administrative sanctions,
e) administrative sanctions imposed on other entities in connection with the scope of responsibility of
transfer to a member of the management board or supervisory board or a person applying for the performance of another key person
functions in the bank,
f) court proceedings that may have a negative impact on the reputation of a candidate for a management board member
or the supervisory board or a person applying for another key function in the bank, and
administrative, disciplinary or enforcement actions in which he has occurred or is present
as a page,
g) knowledge of Polish and foreign languages,
h) the way of acting in life, environment and professional contacts and the way of behaving towards
people wronged by his actions.
12. The personal data referred to in sec. 11, shall be stored for no longer than 25 years. ”;
3) in art. 70, paragraph 1 is deleted. 5 and 6;
4) after art. 70, art. 70a is added:
"Art. 70a. 1. Banks and other institutions legally authorized to grant loans at the request of a natural person,
legal entity or an organizational unit without legal personality, provided that it has legal capacity, of the applicant
for a loan provide, in writing, an explanation of their creditworthiness assessment
of the applicant.
2. The explanation referred to in par. 1, includes information on factors, including personal data
of the applicant, which had an impact on the assessment of creditworthiness.
3. In the case of entrepreneurs, a bank and other institution authorized by law to grant loans may
charge a fee for the preparation of the explanation referred to in para. 1. The amount of the fee should be appropriate to
the amount of the loan.
4. The provisions of para. 1-3 shall apply mutatis mutandis to the entrepreneur applying for a cash loan. ”;
5) in art. 105 in paragraph. 1 in point 2 lit. u is replaced by the following:
"U) the entity referred to in Art. 45 sec. 1 of the Act of June 10, 2016 on the Banking Guarantee Fund
deposit guarantee system and resolution, to the extent necessary to ensure
failure to properly execute the disbursements of guaranteed funds, ”;
6) in art. 105a after sec. 1 the following paragraph shall be added: 1a-1c as follows:
"1a. Banks, other institutions legally authorized to grant loans, loan institutions and credit institutions
litters referred to in art. 59d of the Act of 12 May 2011 on consumer credit, as well as institutions established
based on Art. 105 sec. 4 may, in order to assess creditworthiness and analyze credit risk,
make decisions based solely on automated processing, including profiling, of personal data
- also constituting banking secrecy - provided that the person concerned by the decision is
in an automated manner, the right to receive appropriate explanations as to the grounds for the decision made, to
obtain human intervention in order to make a re-decision and to express one's own position.
1b. The decisions referred to in paragraph 1. 1A, may be taken only on the basis of the necessary data
for the purpose and type of loan, based in particular on the following categories of data:
data on a natural person:

1)

a) first name (names) and surname,
b) family name,
c) parents' names,
d) date and place of birth,
e) age,
f) gender,
g) citizenship,
h) marital status,
i) series and number of ID card or other document confirming identity,
j) PESEL number, if assigned,
k) tax identification number, if assigned,
23/04/2019

Page 37
© Chancellery of the Sejm

pp. 37/114

l) address of residence, registered address for permanent or temporary residence, current address of temporary residence, other
than the address of residence or registered office, correspondence address,
m) legal title to the occupied premises,
n) workplace,
o) profession,
p) education,
q) form of employment,
r) financial situation, including income and expenses,
s) dependents,
t) the property regime of the spouses;
liability data:

2)

a) the source of the obligation,
b) amount and currency,
c) the number and balance of the account maintained with the bank or other institution authorized by law to grant
loans, name and address of the seat or branch of the bank or other institution authorized by law to grant
losing credits,
d) the date on which the liability arose,
e) terms of repayment of the liability,
f) established legal safeguards,
g) the course of the implementation of the obligation,
h) the state of indebtedness due to the obligation,
i) the date of expiry of the obligation,
j) the reasons for the non-performance or the delay referred to in para. 3,
k) the reasons for the termination of the obligation.
1c. The decisions referred to in paragraph 1. 1a, may not be taken on the basis of the data referred to in Art. 9
of the regulation 2016/679. ”;
7) art. 106d is replaced by the following:
"Art. 106d. 1. Banks, other institutions legally authorized to grant loans, institutions established on
pursuant to Art. 105 sec. 4, loan institutions, entities whose primary activity is to make available
assets under a leasing contract, and the entities referred to in art. 59d of the Act of
On May 12, 2011 on consumer credit, they can process and share information, including information
covered by banking secrecy, in the cases of:
1)

justified suspicions referred to in art. 106a paragraph. 3;

2)

justified suspicions of committing crimes to the detriment of banks, other institutions,
institutions authorized to grant loans, credit institutions, financial institutions,
and entities referred to in art. 59d of the Act of May 12, 2011 on consumer credit
who, and their clients, for the purpose and to the extent necessary to prevent these crimes.

2. The entities specified in par. 1 may process and share information, including covered information
banking secrecy and information on convictions in cases of crimes committed against
damage to banks, other institutions legally authorized to grant loans, credit institutions, institutions
financial institutions, loan institutions and entities referred to in Art. 59d of the Act of May 12, 2011.
on consumer credit and their customers for the purpose and scope necessary to prevent these crimes. ”;
8) after art. 106d, art. 106e as follows:
"Art. 106e. For the processing of personal data by banks, other institutions legally authorized to grant
disbursement of loans and institutions established on the basis of art. 105 sec. 4, loan institutions, entities whose subThe basic activity consists in making available assets under a leasing agreement, and entities,
referred to in Art. 59d of the Act of 12 May 2011 on consumer credit, the provision of art. 15 of the Regulation

23/04/2019

Page 38
© Chancellery of the Sejm

pp. 38/114

2016/679 does not apply to the extent that it is necessary for the proper performance of tasks related to countermoney laundering and terrorist financing activities, in accordance with Art. 106, and crime prevention, in accordance with
with art. 106a and art. 106d. "
Art. 47. In the Act of 13 October 1998 on the social insurance system (Journal of Laws of 2019, item 300)
and 303) after Art. 34, art. 34a is added:
"Art. 34a. 1. The plant may fulfill the obligation referred to in Art. 13 sec. 1 and 2 of the Regulation of the Parliament
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to
the generation of personal data and on the free movement of such data, and repealing the Directive
95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended 37) ),
hereinafter referred to as "Regulation 2016/679", by providing the information referred to in Art. 13 sec. 1 and 2 of
2016/679, in a publicly accessible place at the headquarters or field organizational units, and at
its website or in the Public Information Bulletin on the Institute's website. In such a case
In the case of obtaining personal data, the Department informs the data subject about the place of sharing
this information.
2. The performance of the obligation referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679, is carried out independently
not from the Department's obligations and does not affect the course and result of the proceedings conducted by the Department. ”.
Art. 48. In the Act of 17 December 1998 on pensions and disability pensions from the Social Insurance Fund (Journal of Laws of 1998, No.
of 2018, item 1270 and 2245 and of 2019, item 39) in art. 117 after paragraph 4 the following paragraph is added: 4a is added as follows:
"4a. A request for confirmation of the periods referred to in Art. 6 sec. 1 point 10 and sec. 2, point 6a, includes the first name or
first and last name of the applicant, date and place of birth, parents' names, PESEL number, place address
residence or mailing address, telephone number or e-mail address, if the applicant has one
has. ”.
Art. 49. In the Act of January 6, 2000 on the Ombudsman for Children (Journal of Laws of 2017, item 922), Art. 10c receives
sound:
"Art. 10c. 1. The Ombudsman may process any information, including personal data, necessary for implementation
their statutory tasks.
2. The Ombudsman may process personal data referred to in Art. 9 sec. 1 and art. 10 of Parliament's Regulation
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to
the generation of personal data and on the free movement of such data, and repealing the Directive
95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended 38) ),
jointly to protect human and civil liberties and rights in the performance of their statutory tasks.
3. The Defender allows for the processing of personal data by persons with a written authorization. ConditionThe authorization is granted in the form of a written undertaking by the authorized person to keep the processed data
confidentiality of personal data. ”.
Art. 50. In the Act of May 24, 2000 on the National Criminal Register (Journal of Laws of 2018, items 1218 and 1544 and
of 2019, item 60) in art. 4 sec. 2 is replaced by the following:
"2. The Minister of Justice is the administrator of the data collected in the Register. ”.
Art. 51. In the Act of November 29, 2000 - Atomic Law (Journal of Laws of 2018, items 792, 1669 and 2227) in Art. 86c
the current content is marked as para. 1 and the following paragraph is added: 2-5 as follows:
"2. In the case of receiving, verifying and processing by the Agency's President information on
as well as information on attempts to illegally import or export to the territory of the Republic of Poland
radioactive substances from the territory of the Republic of Poland, the obligations referred to in Art. 13 of
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons
with regard to the processing of personal data and on the free movement of such data, and
of Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended)
d. 39) ), are carried out by providing information in the Public Information Bulletin on the website of the Prezesa of the Agency, its website and in a place generally accessible at the seat of the Agency.
3. The Agency's President shall inform about the limitations referred to in sec. 2 by providing relevant information
in the Public Information Bulletin on the website of the Agency's President, on his website and at the site
generally available at the seat of the Agency.

37) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
38) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
39) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 39
© Chancellery of the Sejm

pp. 39/114

4. The period of data storage, referred to in sec. 2, shall be determined in accordance with the regulations issued under
art. 6 sec. 2 of the Act of July 14, 1983 on the national archival resource and archives (Journal of Laws of 2019,
item 553 and 730).
5. The personal data referred to in sec. 2, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential
nothing. "

2)

Art. 52. In the Act of December 7, 2000 on the operation of cooperative banks, their association and banks
associating (Journal of Laws of 2018, item 613) in art. 22f after paragraph 2 the following paragraph shall be added: 2a is added as follows:
"2a. The members of the management board of the management unit should have the knowledge, skills and experience of
not to their functions and duties entrusted to them, and to guarantee proper performance
these responsibilities. The warranty referred to in the preceding sentence applies in particular to reputation,
the integrity and integrity of the person and the ability to handle the affairs of the management unit prudently
and stable. For the assessment of the warranty of prudent and stable management of the management unit, the
Art. 22aa paragraph. 10–12 of the Banking Act. ”.
Art. 53. In the Act of December 15, 2000 on Professional Self-Governments of Architects and Construction Engineers
(Journal of Laws of 2016, item 1725, of 2018, item 1669 and of 2019, item 577) after Art. 8c, art. 8d and art. 8e is added as follows:
"Art. 8d. 1. Due to the processing by the competent authorities of national and regional chambers of professional self-government
for architects and construction engineers personal data obtained in the course of the implementation of specific tasks
in the act, the right referred to in Art. 15 sec. 1 lit. g of the Regulation of the European Parliament and of the Council (EU)
2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46 / EC (General
on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended40 ) ), if it does not affect the protection
the rights and freedoms of the person from whom the data was obtained.
2. The competent authorities of national and regional chambers of professional self-government of architects and construction engineers
twa inform about the restriction referred to in sec. 1, at the first action addressed to the data subject
concern.
3. The personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential

2)

natures.
Art. 8e. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general
Data Protection Regulation), does not affect:
conducting control proceedings;

1)

2) keeping the lists and the register referred to in Art. 8c, art. 19 paragraph 1 point 10 and article. 39, including their creation,
recording and maintaining, as well as updating and sharing data;
proceedings regarding the provision of cross-border services referred to in art. 20a;

3)

4) recognition of professional qualifications referred to in art. 33a, art. 33d and art. 33e;
conducting disciplinary proceedings referred to in Chapter 5. ”.

5)

Art. 54. In the Act of 21 December 2000 on inland navigation (Journal of Laws of 2017, item 2128, of 2018, item 1137)
and 1694 and of 2019, item 125 and 642) in art. 9 after paragraph 2g, the following paragraph shall be added: 2h and 2i as follows:
"2h. In an urgent case, the director of the inland navigation office, performing the tasks referred to in
referred to in paragraph 2 points 1, 2, 4-8 and 10, performs the obligation referred to in Art. 13 sec. 1 and 2 of the Regulation of the Parliament

40) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 40
© Chancellery of the Sejm

pp. 40/114

2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to
the generation of personal data and on the free movement of such data, and repealing the Directive
95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended 41) ),
hereinafter referred to as "Regulation 2016/679", by providing the information referred to in Art. 13 sec. 1 and 2 of
dzenia 2016/679, in the Public Information Bulletin on its website, on its website
and at the seat of the office in a visible place.
2i. Submitting the request referred to in Art. 18 sec. 1 of the Regulation 2016/679, neither suspends nor does it
limits the performance by the director of the inland navigation office of the tasks referred to in sec. 2 points 1, 2, 4-8
and 10. "
Art. 55. In the Act of February 3, 2001 on the protection of the heritage of Fryderyk Chopin (Journal of Laws, item 168), Art. 6 received
reads:
"Art. 6. 1. Natural persons and organizational units distinguished in the protection of Fryde's heritage
Chopin's roar, in particular in cultivating the knowledge and memory of the composer, conducting research and cooperation
in developing knowledge about the work and person of Fryderyk Chopin, popularizing his work, as well as
saving, collecting, securing and sharing objects and places related to his life and creation
honorably, he is awarded the honorary badge "Meritorious for the Protection of the Heritage of Fryderyk Chopin", hereinafter referred to as
mark ".
2. The badge is awarded to the same natural person or organizational unit only once.
3. The badge is awarded by the minister on his own initiative or at the request of:
1)

another minister or head of a central office;

2)

a local government administration body or a body of a local government unit;

3)

head of a foreign mission of the Republic of Poland within the meaning of art. 4 point 2 of the Act of 27 July
2001 on foreign service (Journal of Laws of 2018, item 2040 and of 2019, item 9);

4) an entity conducting statutory cultural activity, social organization or association, operate
working to protect the heritage of Fryderyk Chopin;
head of a public or private art school;

5)

6) a research institute or other scientific unit conducting research and expanding knowledge about life
Ciu and the works of Fryderyk Chopin.
4. The application referred to in par. 3, contains the applicant's data, including the name or first name and surname, address to
correspondence, justification of the application and candidate's data:
1) if the candidate is a natural person:
a) name and surname,
b) date and place of birth,
c) citizenship,
d) address of residence or correspondence,
e) education and academic titles,
f) telephone number or e-mail address,
g) information on the protection of Fryderyk Chopin's heritage;
2) if the candidate is an organizational unit:
a) name,
b) seat and address,
c) the nature of the business,
d) date of creation,
e) achievements in the protection of Fryderyk Chopin's heritage.
5. The period of storage of personal data contained in the application referred to in sec. 3 is 80 years.
6. The application referred to in sec. 3, is subject to the opinion of the committee for the opinion of applications
for the award of the Badge, hereinafter referred to as the "committee", which recommends to the minister a person or organizational unit to be awarded
Me Badges.

41) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 41
© Chancellery of the Sejm

pp. 41/114

7. The commission consists of 5 to 9 people, appointed by the minister for a period of one year, considered to be
artistic and scientific rhythms in the field of research on the life and work of Fryderyk Chopin. Committee members act
your functions socially.
8. The members of the Committee elect from among themselves the Chairman of the Committee and the Secretary of the Committee.
9. Information about the awarded Badges is made available in the Public Information Bulletin on the website of the
the minister's office and contain the following personal data:
1)

first name and last name;

2)

held academic titles;

3)

information on professional activities, including activities in the field of heritage protection
Frederic Chopin.
10. The Minister issues an ID card confirming the award of the Badge.

11. The Minister shall define, by way of a regulation, the pattern and procedure for examining the application referred to in para. 3, spopersons presenting the Badge and wearing a Badge miniature, the mode of operation of the commission, the Badge design and its miniatures, the legthymation confirming the awarding of the Badge, the procedure to be followed in the event of loss or damage to the Badge or
a card confirming the award of the Badge, including the issue of a duplicate, taking into account the elimination of
the ability to re-submit an application with the same content and to standardize the manner of submitting applications, efficient
carrying out the procedure for awarding the Badge, design used in Polish phaleristics as well as worthy and festive
honoring natural persons and organizational units to which the Badge is awarded. ”.
Art. 56. In the Act of 6 July 2001 on detective services (Journal of Laws of 2018, item 2163 and of 2019
item 55) is hereby amended as follows:
1) Art. 8;
2) Art. 25a;
3) after chapter 3, chapter 3a is added as follows:
"Chapter 3a
Processing of personal data
Art. 28a. A detective or an entrepreneur employing him processes personal data collected in the course of performance
the activities referred to in Art. 2 clause 1, without the consent of the data subjects, only in the scope of implementation
detective service.
Art. 28b. 1. After the completion of the detective service, the detective or the obligated entrepreneur employing him
is to provide the ordering party with personal data collected during the performance of the activities referred to in art. 2 clause 1.
2. In the event of the client's resignation from the receipt of personal data collected in the course of
the properties referred to in art. 2 clause 1, or failure to collect them within the prescribed period, these data shall be destroyed after
5 years from the date of completion of the detective service, not later than immediately after deletion
entrepreneurs from the register.
3. The activities referred to in par. 1 and 2, the detective or the entrepreneur employing him shall make a note,
which he attaches to the contract performance book. The note includes:
1)

information on the transfer or destruction of processed personal data and a description of this activity;

2)

the date of transfer or destruction of the processed personal data;

3) the signature of the ordering party, in the case of collecting the processed personal data, and the signature of the author
note.
4. Destruction of processed personal data by a detective takes place in the presence of the entrepreneur or
a person designated by him. The entrepreneur or a person designated by him signs the note referred to
in paragraph 3.
5. A detective or an entrepreneur employing him may provide personal data collected in the course of performance
the activities referred to in Art. 2 clause 1, only to another detective designated by the entrepreneur to
cooperation as part of the detective service or to take over the further implementation of the detective service
tangent.
Art. 28c. For the processing of personal data collected in the course of performing the activities referred to
in art. 2 clause 1, the provisions of Art. 13 sec. 1 and 2 and article. 15 sec. 1 lit. a, continuous regulation of the Parliament
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to

23/04/2019

Page 42
© Chancellery of the Sejm

pp. 42/114

with the processing of personal data and on the free movement of such data, and repealing the directive
95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended 42) ).
Art. 28d. The entrepreneur providing detective services informs about the restrictions referred to
in art. 28c, on its website or by posting it at a permanent place of business. ”.
Art. 57. In the Act of 27 July 2001 on probation officers (Journal of Laws of 2018, item 1014), the following is introduced
serious changes:
1) after art. 9, art. 9a and art. 9b is added:
"Art. 9a. 1. To the extent necessary to perform their statutory tasks, a professional probation officer, manager
the probation team of the court service and the district probation officer process the data of persons concerned by the proceedings,
including:
1)

first name and last name;

2)

date of birth;

3) family name;
4) social security number and the number and series of the document confirming identity;
factors that define a physical, physiological, mental, economic, cultural or social identity,

5)

in particular regarding personal attitude, behavior, interests, health and healthcare services,
property, material and living situation, employment, education, education, science, educational
activities, family life, functioning in the environment, ways of spending free time, addictions, dysfunctions
location and location;
6) address and contact details;
7) biometric physical features;
8) information on compliance with the legal order, allegations and circumstances of violations of the law,
bundles, ongoing court and administrative proceedings, convictions, penalties and settlements
snip in court or administrative proceedings.
2. To the extent necessary to perform his statutory tasks, a professional probation officer, team manager
the probation officer of the court service and the district probation officer process the data of other persons remaining in the joint
in the household with the persons concerned by the proceedings, including:
1)

first name and last name;

2)

date of birth;

3) family name;
4) social security number and the number and series of the document confirming identity;
5) information about personal attitude and behavior;
6) health information;
7) information about property, material and living situation;
8) information about employment;
9) information about education;
10) information on educational impact, family life and functioning in the environment;
11) information about addictions;
12) information on dysfunctions;
13) address and contact details;
14) information on compliance with the legal order, allegations and circumstances of violations of the law, conducted
court and administrative proceedings, convictions, penalties and decisions in proceedings
judicial or administrative.
3. The data controller of the persons concerned by the proceedings, including the Police, Border Guard, other authorities or
state institutions, local government bodies, associations and other social organizations, judicial bodies
of executive proceedings, institutions of social assistance and foster care, medical entities within the meaning of
the Act of 15 April 2011 on medical activity (Journal of Laws of 2018, items 2190 and 2219 and of 2019, item 492)
and 730), organizational units referred to in article 1. 2 points 1-8 of the Act of December 14, 2016 - Education Law

42) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.

23/04/2019

Page 43
© Chancellery of the Sejm

pp. 43/114

(Dz. U. of 2018. Pos. 996, as amended. D. 43) ), and public and private institutions within the meaning of the Act of 20 July
2018 - Law on Higher Education and Science (Journal of Laws item 1668, as amended 44) ) are obliged to provide probation officers
professional tutor, head of the probation team of the court service, district probation officer, to the extent necessary
to perform their statutory tasks, the personal data referred to in para. 1 and 2.
4. The data administrator provides the data to the professional probation officer, the manager of the probation service team
court and district probation officer free of charge.
Art. 9b. The administrator of data processed for the purpose of performing tasks or duties by the probation officer
court president is the president of the court in which the probation officer performs official duties. ”;
2) in art. 87 sec. 3 is replaced by the following:
"3. A social probation officer in connection with the performance of activities ordered by the court, judge or probation officer
professional, have the rights referred to in article 1. 9 and art. 9a. "
Art. 58. In the Act of August 11, 2001 on special rules for the reconstruction, renovation and demolition of buildings
for livestock destroyed or damaged as a result of the action of the elements (Journal of Laws of 2018, item 1345), the following
serious changes:
1) in art. 13d the following paragraph is added: 18 is added:
"18. The head of the commune, mayor or city president performs the obligation referred to in Art. 13 sec. 1 and 2 of
of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons
in connection with the processing of personal data and on the free movement of such data, and repeal
Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended)
d. 45) ), hereinafter referred to as "Regulation 2016/679", and informs about the restriction referred to in Art. 13da paragraph. 1,
in connection with the implementation of the activities referred to in:
1) paragraph 12 - by publishing relevant information in the Public Information Bulletin on its website under
litterowa, on its website and in the announcement referred to in paragraph 12;
2) paragraph 13 and 14 - by publishing relevant information in the Public Information Bulletin on its website
subject, on its website and in a visible place at its seat. ”;
2) after art. 13d, art. 13da and art. 13db as follows:
"Art. 13da. 1. In connection with the processing of data by the commune head, mayor, city president or voivode
personnel obtained in the course of proceedings on the adoption of local reconstruction plans
the right referred to in art. 15 sec. 1 lit. g of the Regulation 2016/679 shall apply, provided that it does not affect the protection of rights
and freedom of the person from whom the data was obtained.
2. If the period of storage of personal data referred to in sec. 1, does not result from the
the words of the Act of July 14, 1983 on the national archival resource and archives (Journal of Laws of 2019, items 553 and 730),
the authorities referred to in para. 1, store data for the period determined in accordance with the regulations issued on the basis of
knows art. 6 sec. 2 and 2b of the Act of July 14, 1983 on the national archival resource and archives.
3. The personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
1) allowing for the processing of personal data only persons who have a written authorization to
data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential
natures.

2)

Art. 13db. Submitting the request referred to in Art. 18 sec. 1 of the Regulation 2016/679, does not affect
the course and results of the proceedings for the adoption of local reconstruction plans. ”.
Art. 59. In the Act of August 24, 2001 on the Military Police and military law enforcement bodies
(Journal of Laws of 2019, item 518) the following changes are introduced:
1) after art. 8, art. 8a is added as follows:
"Art. 8a. 1. In relation to persons applying for admission to service or work in the Military Police
the qualifying procedure is carried out.

43) Amendments

to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2018, item 1000, 1290, 1669 and 2245 and of 2019, item

534 and 730.
44) Amendments to the mentioned Act were announced in the Journal Of Laws of 2018, item 2024 and 2245 and of 2019, item 276, 447, 534, 577, and 730.
45) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 44
© Chancellery of the Sejm

pp. 44/114

2. The Commander-in-Chief of the Military Police organizes and conducts the qualifying procedure
to candidates applying for admission to service:
1) or work at the Military Police Headquarters, Military Police Training Center in MinMazowieckie and the Security Department of the Military Gendarmerie in Warsaw;
in the corps of professional officers in other organizational units of the Military Police.

2)

3. The Commander-in-Chief of the Military Police may authorize the appropriate commander of the Gendarmerie branch
Military to organize or conduct the qualification procedure.
4. The commander of the branch of the Military Police organizes and conducts the qualifying procedure
to other than those indicated in sec. 2, point 2, candidates applying for admission to service or work in subordinates
him organizational units.
5. The qualification procedure is aimed at determining whether the candidate has predispositions and meets the conditions for
serving or working in the Military Police.
6. A candidate applying for admission to service or work in the Military Police may be subjected to
psychological or psychophysiological dishes.
7. A candidate applying for admission to service or work in the Military Gendarmerie fills in the questionnaire
fiction and application for the qualification procedure.
8. The Commander in Chief of the Military Police or persons authorized by him in the course of the proceedings
qualification is carried out by:
1) to a job candidate:
a) interview,
b) checking in the National Criminal Register, the National Police Information System and the National
Criminal Information System as well as records and files not generally available, referred to
in art. 25 sec. 1 point 2 of the Act of August 5, 2010 on the protection of classified information (Journal of Laws of 2018,
item 412, 650, 1000, 1083 and 1669 and of 2019, item 125),
c) interview about the candidate at the place of residence and work,
d) psychological tests and psychophysiological tests - in the case of positions requiring
general predispositions;
towards a candidate for service, the activities listed in point 1 (a). a-c and:

2)

a) physical fitness exam,
b) exam on the level of knowledge of foreign languages,
c) psychological tests,
d) psychophysiological tests - in the case of positions that require special predispositions.
9. Military Police, in order to conduct qualification procedures, processes the following data:
1) in the case of a job candidate:
a) image,
b) surname, including family name,
c) first name or names,
d) father's name,
e) mother's name and maiden name,
f) marital status,
g) date of birth,
h) place of birth,
i) citizenship (citizenship),
j) series and number of ID card,
k) PESEL number,
l) held military rank or other rank in the formation referred to in Art. 17a paragraph. 1 of the Act of September 11
May 2003 on the military service of professional soldiers (Journal of Laws of 2019, items 330 and 730),
m) series and number of the military record book,
n) address of the place of residence,
o) series and number of passport,
23/04/2019

Page 45
© Chancellery of the Sejm

pp. 45/114

p) place of work or service,
q) income,
r) data on service or employment,
s) education,
t) result of the interview,
u) results of the interview at the place of residence and work,
v) the results of checks in files that are not generally available, referred to in Art. 25 sec. 1 point 2 of the Act
of August 5, 2010 on the protection of classified information,
w) results of checks in the National Criminal Register, the National Police Information System and the National
Criminal Information Center,
x) the result of the psychological examination,
y) the result of the psychophysiological examination;
in the case of a candidate for service, the data listed in point 1 and the result:

2)

a) fitness test,
b) language qualification test.
10. The provision of para. 8 point 2 lit. d applies to soldiers of the Military Police before being appointed to positions
professional, in the case of positions that require special predispositions.
11. The information referred to in sec. 9, shall be processed for the period necessary to conduct the proceedings
qualification and performance of service or work in the Military Police, as well as statutory performance
tasks by the Military Police.
12. The information referred to in sec. 9, obtained during the qualification procedure completed with the
negative processing shall be processed for a period of 5 years, counting from the date of completion of these proceedings.
13. The information referred to in sec. 9, are subject to safeguards to prevent abuse or
unlawful access or transfer consisting at least in the admission to processing
personal data only of persons with a written authorization issued by the data controller.
14. The Minister of National Defense shall define, by way of an ordinance, the manner and procedure of
application to the Military Gendarmerie as well as the model of the qualification questionnaire and the application for proceedings
qualification procedure, with a view to ensuring the efficient course of the qualification procedure and the qualification
to bear people with predispositions and conditions to perform service or work in the Military Police. ”;
2) in art. 9, paragraph 1 is deleted. 1a.
Art. 60. In the Act of 6 September 2001 on road transport (Journal of Laws of 2019, items 58, 60, 125 and 690),
the following changes are made:
1) in art. 55a:
a) paragraph 1 is deleted. 4-10,
(b) the following paragraph is added: 11–13 as follows:
"11. The inspection is entitled to issue decisions in individual cases based on
automated data processing, including profiling in connection with the implementation of the tasks referred to
in art. 129a paragraph. 1 point 3 lit. b and art. 129g of the Act of June 20, 1997 - Road Traffic Law.
12. In connection with the implementation of the tasks referred to in Art. 50, the inspection performs the obligation referred to
referred to in Art. 13 sec. 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of individuals with regard to the processing of personal data and on the freedom
flow of such data and repealing Directive 95/46 / EC (General Data Protection Regulation)
(Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended. 46) ), hereinafter referred to as "Regulation 2016/679",
activity addressed to the data subject, unless he has this information, and its scope or
the content has not changed.
13. Submitting the request referred to in Art. 18 sec. 1 of Regulation 2016/679, does not affect the
the execution by the Inspection of the tasks referred to in art. 50. ";

46) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 46
© Chancellery of the Sejm

2) in art. 55b:
a) sec. 1 is replaced by the following:
"1. Unless separate regulations provide otherwise, the Chief Inspector of Road Transport and
commanding inspectors or persons authorized by them make available free of charge, on the basis of a written request,
personal data processed in connection with the performance of tasks specified in the Act:
1) the police,
2)

Military Police,

3)

Border Guard,

4)

Internal Security Agency,

5) the Foreign Intelligence Agency,
6) Central Anti-Corruption Bureau,
7)

Military Counterintelligence Service,

8)

Military Intelligence Service,

9) a public prosecutor,
10) courts,
11) the Head of the National Tax Administration, the director of the tax administration chamber, the head of the office
customs and tax,
12) the Internal Supervision Office,
13) the State Protection Service
- to the extent necessary to perform their statutory tasks. ",
b) sec. 3 is replaced by the following:
"3. Chief Inspector of Road Transport and voivodeship inspectors may agree to
the occurrence by means of electronic communication of the data referred to in para. 1, entities about which
mentioned in sec. 1 items 1-3 and 5-13, without the need to submit written applications, if justified
the type or scope of performed tasks. ",

pp. 46/114

the type or scope of performed tasks. ",
c) in sec. 4 the introduction to the enumeration is replaced by the following:
"Sharing the data referred to in sec. 1, in the manner referred to in para. 3, followed by submission by
entities referred to in sec. 1 items 1-3 and 5-13, of the application containing: ",
d) sec. 5 and 6 are replaced by the following:
"5. Chief Inspector of Road Transport and provincial inspectors provide the Agency
Internal Security, the data referred to in para. 1, in the manner referred to in para. 3, if
the organizational unit of the Internal Security Agency which is the recipient of the data will submit a declaration,
referred to in sec. 4 point 3.
6. Chief Inspector of Road Transport and provincial inspectors do not make available on the basis
paragraph 1 and 3 of the personal data indicated in art. 9 sec. 1 of Regulation 2016/679, unless the entity referred to
referred to in paragraph 1, is legally authorized to process this data. ",
(e) paragraph 3 is deleted. 7;
3) in art. 55c, paragraph 1 is deleted. 5;
4) Art. 82;
5) in art. 82 g, paragraph 1 is deleted. 3;
6) after art. 89c, art. 89d is added:
"Art. 89d. Submitting the request referred to in Art. 18 sec. 1 of the Regulation 2016/679, does not affect
the course of inspections carried out pursuant to the provisions of this chapter or under the authorization of the competent authority
to impose a penalty. ”.

23/04/2019

Page 47
© Chancellery of the Sejm

pp. 47/114

Art. 61. In the Act of July 3, 2002 - Aviation Law (Journal of Laws of 2018, items 1183, 1629 and 1637 and of 2019
item 235) is hereby amended as follows:
1) after art. 21a, art. 21b as follows:
"Art. 21b. 1. In connection with the processing by the President of the Office of personal data obtained in the course of
proceedings referred to in the Act, the law referred to in Art. 15 sec. 1 lit. g of Parliament's regulation
of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons in relation to
with the processing of personal data and on the free movement of such data, and repealing the directive
95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended 47) ),
hereinafter referred to as "Regulation 2016/679", shall apply to the extent that it does not affect the protection of rights and freedoms
people from whom the data was obtained.
2. The President of the Office shall inform about the restriction referred to in para. 1, at the first action addressed to
the data subject, as well as in the Public Information Bulletin on its personal website.
3. The period of storage of personal data processed in the course of the proceedings referred to in the Act,
shall be determined in accordance with the regulations issued on the basis of art. 6 sec. 2 of the Act of July 14, 1983 on the national
archives and archives (Journal of Laws of 2019, items 553 and 730).
4. The personal data referred to in sec. 3, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential
nothing. ";

2)

2) in art. 27 the following paragraph is added: 8 is added:
"8. Submitting the request referred to in Art. 18 sec. 1 of the Regulation 2016/679, does not affect the mileage
and the result of inspections carried out by the President of the Office pursuant to the Act. ”;
3) in art. 134 after paragraph 1f the following paragraph shall be added: 1g and 1h as follows:
"1g. In connection with the investigation of the circumstances and causes of air incidents, the Commission and the Investigation Committee
State Aviation Accidents, referred to in art. 140, are entitled to data processing
personal health, referred to in article 1. 9 sec. 1 of Regulation 2016/679.
1h. The Commission and the State Aviation Accident Investigation Commission, referred to in art. 140,
perform the obligation referred to in art. 13 sec. 1 and 2 of Regulation 2016/679, at the first step
important to the data subject, unless the information referred to in Art. 13 sec. 1 and 2 of the Regulation
2016/679, are in the possession of that person, and the scope of this information or its content has not changed. ”.
Art. 62. In the Act of 5 July 2002 on the Provision of Legal Assistance by Foreign Lawyers in
of the Commonwealth of Poland (Journal of Laws of 2016, item 1874), section IVa is added after section IV as follows:
Section IVa
Processing of personal data
Art. 43a. For the processing of personal data in order to perform tasks, obligations or powers are
of the Act, the provisions of section Ia of the Act of May 26, 1982 - Law on the Bar and
section 1a of the Act of 6 July 1982 on legal advisers. ”.
Art. 63. In the Act of July 18, 2002 on the provision of electronic services (Journal of Laws of 2019, item 123),
the following changes are made:
1) art. 4 is replaced by the following:
"Art. 4. If the act requires the consent of the recipient, the provisions on the protection of personal data
out. ";
2) Art. 16 and art. 17;
3) in art. 18 sec. 3 and 4 are replaced by the following:
"3. The service provider distinguishes and marks these from the data referred to in paragraph 2, as the data you provide
it is necessary to provide the service by electronic means.

47) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 48
© Chancellery of the Sejm

pp. 48/114

4. The service provider may process, with the consent of the recipient and for the purposes of advertising, market research and behavioral research
and preferences of service recipients with the purpose of the results of these studies for the purpose of improving the quality of services
provided by the service provider, other data concerning the recipient, which are not necessary for the provision of the service by electronic means
the throne. ";
4) in art. 19 paragraph 1 is deleted. 1, 2, 4 and 5;
5) Art. 20–22.
Art. 64. In the Act of 27 March 2003 on spatial planning and development (Journal of Laws of 2018,
item 1945 and of 2019, item 60 and 235) is hereby amended as follows:
1) after art. 8, art. 8a and art. 8b is worded as follows:
"Art. 8a. 1. In connection with the processing by the commune head, mayor, city president, voivodeship marshal,
voivode, voivodeship board or metropolitan union board of personal data obtained in the course of
to initiate proceedings regarding the preparation of planning acts referred to in the Act, the law referred to in
referred to in Art. 15 sec. 1 lit. g of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
on the protection of individuals with regard to the processing of personal data and on the free transfer
the flow of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation) (Journal of
UE L 119 of 04/05/2016, p. 1, as amended d. 48) ), hereinafter referred to as "Regulation 2016/679", is entitled, if not
affects the protection of the rights and freedoms of the person from whom the data was obtained.
2. If the period of storage of personal data referred to in sec. 1, does not result from the
the words of the Act of July 14, 1983 on the national archival resource and archives (Journal of Laws of 2019, items 553 and 730),
the authorities referred to in para. 1, store data for the period determined in accordance with the regulations issued on the basis of
knows art. 6 sec. 2b of the Act of July 14, 1983 on the National Archival Resource and Archives.
3. The personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential
natures.

2)

Art. 8b. Submitting the request referred to in Art. 18 sec. 1 of Regulation 2016/679, does not affect
course and result of proceedings related to the preparation of planning acts. ”;
2) after art. 11 the following Art. 11a is added as follows:
"Art. 11a. The head of the commune, mayor or city president performs the obligation referred to in Art. 13 sec. 1st and 2nd chapters
of the ordinance 2016/679, and informs about the restriction referred to in Art. 8a sec. 1, in connection with the implementation of active
referred to in:
1) art. 11 points 3, 7 and 9 - by providing relevant information in the Public Information Bulletin on its
the subject page, on its website and in a prominent place at its headquarters;
2) art. 11 points 1 and 8 - by providing relevant information in the Public Information Bulletin on its website
non-subjective, on its website and in a visible place at its seat and in the announcement
the information referred to in Art. 11 point 1, or in the announcement referred to in Art. 11 point 7. ";
3) after art. 17, art. 17a is added:
"Art. 17a. The head of the commune, mayor or city president performs the obligation referred to in Art. 13 sec. 1st and 2nd chapters
of the ordinance 2016/679, and informs about the restriction referred to in Art. 8a sec. 1, in connection with the implementation of active
referred to in:
1) art. 17 points 4, 9 and 12–14 - by providing relevant information in the Public Information Bulletin on
its website, on its website and in a prominent place at its headquarters;
2) art. 17 points 1 and 11 - by providing relevant information in the Public Information Bulletin on its website
non-subjective, on its website, in a visible place at its seat and in the announcement
the information referred to in Art. 17 point 1, or in the announcement referred to in Art. 17 point 9. ";
4) in art. 37b, the following paragraph shall be added: 7 is added:
"7. The head of the commune, mayor or city president performs the obligation referred to in Art. 13 sec. 1 and 2 of
2016/679, and informs about the restriction referred to in Art. 8a sec. 1, in connection with the implementation of activities,
referred to in:
1) paragraph 3 - by publishing relevant information in the Public Information Bulletin on its website under
litterowa, on its website and in a prominent place at its seat;
48) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 49
© Chancellery of the Sejm

pp. 49/114

2) paragraph 2 point 8 - by providing relevant information in the Public Information Bulletin on its website
subjective, on its website, in a visible place at its seat and in the announcement,
referred to in sec. 2 point 8. ”;
5) in art. 38b, the following paragraph shall be added: 6 is added:
"6. The voivodship board performs the obligation referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679,
and informs about the restriction referred to in Art. 8a sec. 1, in connection with the implementation of the activities referred to in:
1) paragraph 2 points 5 and 6 - by providing relevant information in the Public Information Bulletin on its website
subjective, on its website and in a visible place at its headquarters;
2) paragraph 2 point 4 - by providing relevant information in the Public Information Bulletin on its website
subjective, on its website, in a visible place at its seat and in the announcement,
referred to in sec. 2 point 4. ”;
6) in art. 41, the following paragraph is added: 3 is added:
"3. The voivodeship marshal performs the obligation referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679,
and informs about the restriction referred to in Art. 8a sec. 1, in connection with the implementation of the activities referred to in:
1) paragraph 1 point 3 - by providing relevant information in the Public Information Bulletin on its website
subjective, on its website and in a visible place at its headquarters;
2) paragraph 1 point 1 - by providing relevant information in the Public Information Bulletin on its website
subjective, on its website, in a visible place at its seat and in the announcement,
referred to in sec. 1 point 1. ".
Art. 65. In the Act of March 28, 2003 on rail transport (Journal of Laws of 2019, item 710),
the following changes:
1) in art. 15 the following paragraph is added: 3 is added:
"3. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament and of the Council
(EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to data processing
data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation
on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended49 ) ), hereinafter referred to as the "Regulation
2016/679 ", by the data subject, does not affect the course of inspections carried out by the President of UTK, nor
on the power of that authority to impose a penalty. ”;
2) in art. 28h after paragraph 1 the following paragraph shall be added: 1a and 1b as follows:
"1a. In connection with the investigation of serious accidents, accidents or incidents, the Commission is empowered to
the processing of personal data referred to in art. 9 sec. 1 of Regulation 2016/679, in terms of data relating to
health witnesses.
1b. The Commission performs the obligation referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679, at the first
activities addressed to the data subject, unless the information referred to in art. 13 sec. 1 and 2 of
2016/679 is in the possession of that person, and the scope of this information or its content has not changed. ”.
Art. 66. In the Act of May 22, 2003 on compulsory insurance, the Insurance Fund Gwaand the Polish Motor Insurers' Bureau (Journal of Laws of 2018, items 473 and 2448 and of 2019, item 125)
the following changes are introduced:
1) after art. 98a, art. 98b – 98d as follows:
"Art. 98b. The Fund processes personal data regarding health to the extent necessary to perform the tasks,
referred to in Art. 98 sec. 1-2 and art. 102a.
Art. 98c. The Fund processes personal data relating to criminal convictions and infringements of the law or related
security measures to the extent necessary to:
1) seeking reimbursement of the compensation referred to in art. 11 sec. 3, art. 43 and art. 58;
2)

satisfying the claims referred to in Art. 98 sec. 1-2;

3)

determining the circumstances of the event and the extent of the damage referred to in art. 16 sec. 3 and art. 102 paragraph. 3 and 4, and
identification and verification of phenomena related to insurance crime, referred to in art. 102
paragraph 7;
control of compliance with the obligations to conclude a contract of compulsory third-party liability insurance of vehicle owners

4)

mechanical and farmers' civil liability insurance, referred to in art. 84 sec. 2 point 2 lit. a and paragraph 3 point 2 lit. b, and
claiming a fee for failure to comply with these obligations, as referred to in Art. 90 and art. 91;
implementation of the tasks referred to in art. 102a;

5)

49) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 50
© Chancellery of the Sejm

pp. 50/114

6)

pursuing the reimbursement of benefits and costs incurred, in the cases specified in art. 110 sec. 1 and also
determining the material and property situation referred to in art. 94 and art. 110 sec. 2;

7)

payment of benefits referred to in art. 111, and to satisfy the claims referred to in Art. 113
and art. 114.

Art. 98d. In order to perform the tasks referred to in Art. 84 sec. 2 point 2 lit. a and paragraph 3 point 2 lit. b, art. 98, art. 98b,
art. 98c, art. 102 and art. 102a, the Fund may make decisions in individual cases based on the
automated data processing, including profiling. ";
2) in art. 102 paragraph. 7 is replaced by the following:
"7. The Fund processes the data referred to in paragraph 1. 2-4 and art. 103, in order to control compliance with the obligation
conclusion of a compulsory insurance contract and in order to identify and verify phenomena related to
insurance crime or for other purposes, after modification that does not allow the identification of the person,
to whom the data relate. ";
3) in art. 105:
a) paragraph 1 is deleted. 3,
b) sec. 3a is replaced by the following:
"3a. Data to the Fund are transferred free of charge. ",
c) after sec. 4 the following paragraph is added: 4a is added as follows:
"4a. The law referred to in Art. 16 of Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46 / EC (General
on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended50 ) ), in terms of personal data
submitted to the Fund, is performed by rectifying the data after submitting a request to the insurance institution
roast.";
4) in art. 122 in paragraph. 1, the introduction to the enumeration is replaced by the following:
"The tasks of the Office include:";
5) after art. 136, art. 136a-136d as follows:
"Art. 136a. The office processes personal data regarding health to the extent necessary to perform the tasks,
referred to in Art. 122 sec. 1 paragraphs 3 and 4 and article. 123 points 1 and 2.
Art. 136b. The bureau processes personal data related to convictions and violations of law or related
security measures, to the extent necessary to:
1)

determining the circumstances of the event and the extent of the damage referred to in art. 16 sec. 3;

2)

consideration of the claim for compensation and taking steps to determine the responsibility
damages and the amount of compensation referred to in Art. 83-83b;

3)

organizing the liquidation of claims or direct liquidation of claims referred to in Art. 122 sec. 1 points 3 and 4;

4)

satisfying the claims referred to in Art. 123–125;

5)

implementation of the tasks referred to in art. 124 and art. 133–136.

Art. 136c. In order to perform the tasks referred to in Art. 122 sec. 1 paragraphs 3 and 4 and article. 123 points 1 and 2, the Bureau may
make decisions in individual cases based on automated data processing, including profiling
right.
Art. 136d. The bureau stores the received data for 21 years. ”.
Art. 67. In the Act of June 13, 2003 on social employment (Journal of Laws of 2019, item 217), the
the following changes:
1) after art. 8a, art. 8b is worded as follows:
"Art. 8b. 1. The Center processes personal data:
participants including name and surname, PESEL number, date of birth, address details, marital status, education
price, professional experience or qualifications, ethnic origin, health condition, addictions, convictions,

1)

punishments as well as other judgments issued in court or administrative proceedings,

50) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 51
© Chancellery of the Sejm

pp. 51/114

family members or legal representative of the participant, including the name and surname, PESEL number, date

2)

birth, address details
- to the extent necessary to perform the services specified in art. 3 sec. 1.
2. In connection with the processing of personal data in order to provide services by the Center, the performance of
the bundle referred to in art. 13 sec. 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of
April 27, 2016 on the protection of individuals with regard to the processing of personal data and in the matter
the free movement of such data and repealing Directive 95/46 / EC (General Protection Regulation
data) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended. 51) ), hereinafter referred to as "Regulation 2016/679",
by placing the information referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679, in a visible place
scu in the building where the services are provided.
3. The restriction referred to in para. 2, the data controller informs the data subject at the latest
her at the first action addressed to that person.
4. The security measures used by the data controller to protect personal data consist of at least
less on:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential

2)

nothing.
5. The personal data referred to in sec. 1, shall be stored for the period of 10 years, counting from the end of the calendar year in which the provision of services to data subjects has been completed.
6. The Center and persons providing services specified in Art. 3 sec. 1 are obliged to keep secret all
information and data obtained from the provision of these services. ”;
2) after art. 18e, art. 18f as follows:
"Art. 18f. 1. The entities referred to in Art. 18 sec. 1, process the data of participants of social integration clubs
z o.o., including data including name and surname, PESEL number, date of birth, address data, marital status,
education, professional experience or qualifications, ethnic origin, health condition, addictions, convictions, judgments
on punishment, as well as other judgments issued in court or administrative proceedings, name and surname, number
PESEL mayor, date of birth, address details of family members or legal representative, to the extent necessary
for professional and social reintegration.
2. In connection with the processing of personal data for the purpose of professional and social reintegration, entities
as referred to in Art. 18 sec. 1, perform the obligation referred to in article 1. 13 sec. 1 and 2 of Regulation 2016/679, by
placing the information referred to in art. 13 sec. 1 and 2 of Regulation 2016/679, in a visible place in the
the market in which activities are carried out as part of professional and social reintegration.
3. The restriction referred to in para. 2, the data controller informs the data subject at the latest
her at the first action addressed to that person.
4. The security measures used by the data controller to protect personal data consist of at least
less on:
1) allowing for the processing of personal data only persons who have a written authorization to
data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential

2)

nothing.
5. The entities referred to in Art. 18 sec. 1, are obliged to keep all information secret
and data obtained while carrying out activities within the framework of professional and social reintegration. ”.
Art. 68. In the Act of 23 July 2003 on the protection and care of monuments (Journal of Laws of 2018, item 2067)
and 2245) is amended as follows:
1) in art. 8 the following paragraph is added: 3 is added:
"3. The register contains personal data including the name, surname and address of residence or the name and address of the registered office of the
the body or the holder of the monument or the perpetual usufructuary of the land on which the immovable monument is located. ”;
2) in art. 22 the following paragraph is added: 7 is added:
"7. The records referred to in paragraph 1. 1, 2, 4 and 6, may contain personal data including:
name, surname and address of residence or the name and address of the registered office of the owner or user of the monument;

1)

51) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 52
© Chancellery of the Sejm

pp. 52/114

2)

name, surname and signature of the author of the registration or address card or the name and surname of the person who filled it in
record card;

3)

name and surname or the name of the contractor of the conservation works, restoration works, conservation research
or archaeological research at the monument. ”;

3) in art. 23 the following paragraph is added: 3 is added:
"3. The list contains personal data including the name, surname and address of residence or the name and address of the registered office
the owner or holder of the monument. ”.
Art. 69. In the Act of September 11, 2003 on the military service of professional soldiers (Journal of Laws of 2019, item 330)
in art. 58:
1) paragraph 1 is replaced by the following:
"1. Professional officers, with the exception of officers in the service of judges of military courts
and official positions of prosecutors for military matters, and non-commissioned officers performing professional military service
sowa in the financial and logistic authorities are required to submit a declaration of their financial standing.
The declaration of property status concerns personal property and property covered by the matrimonial common property. ”;
2) after sec. 1 the following paragraph shall be added: 1a is added as follows:
"1a. The declaration referred to in paragraph 1. 1, contains information, including personal data, including:
1)

name (s), surname and family name;

2)

date and place of birth;

3) names and surnames of the father and mother and their family names;
PESEL number as well as series and number of ID card;

4)

5) citizenship and gender;
6) telephone number and e-mail address;
7) place of employment, position or functions;
8)

real estate owned and their addresses;

9)

cash resources held;

10) owned stocks or shares in commercial companies;
11) acquired property from the State Treasury, other state legal person, local government units and
their associations or a municipal legal entity that was subject to sale by tender;
12) membership, employment or performance of activities in the company's management board, supervisory board or audit committee
trade, audit committee of a cooperative or the board of a foundation conducting business activity;
13) business activities carried out;
14) items of movable property with a value exceeding PLN 10,000;
15) pecuniary liabilities with a value exceeding PLN 10,000;
16) remuneration for work and income from other gainful activities;
17) income from joint property and personal property;
18) data on the conduct of business activity and performance by the spouse of functions in companies
trade or cooperatives;
19) other income and benefits. ”.
Art. 70. In the Act of 17 October 2003 on the performance of underwater works (Journal of Laws of 2017, item 1970 and
of 2018, item 2245) after art. 6, art. 6a is added as follows:
"Art. 6a. 1. In an urgent case, the director of the maritime office or the director of the inland navigation office
dowa, by performing the tasks referred to in Art. 6 sec. 1 and 2, performs the obligation referred to in Art. 13 sec. 1
and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on protection
natural persons with regard to the processing of personal data and on the free movement of such data
and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04/05/2016,
page 1, as amended d. 52) ), hereinafter referred to as "Regulation 2016/679", by providing the information referred to
in art. 13 sec. 1 and 2 of Regulation 2016/679, in the Public Information Bulletin on its personal website, at
on its website and in a visible place at the office.

52) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 53
© Chancellery of the Sejm

pp. 53/114

2. The data subject submitting a request referred to in Art. 18 sec. 1 of the regulation
2016/679, does not suspend or limit the performance by the director of a maritime office or the director of the office
inland navigation tasks specified in art. 6 sec. 1 and 2. "
Art. 71. In the Act of November 28, 2003 on family benefits (Journal of Laws of 2018, items 2220 and 2354 and
of 2019, item 60, 303 and 577) is hereby amended as follows:
1) in art. 22 in paragraph. 3 the words "may process" are replaced by the words "processes";
2) in art. 23:
a) sec. 9 is replaced by the following:
"9. The information referred to in paragraph 1. 8, are processed by the minister responsible for family affairs and
jewodów in order to monitor the implementation of family benefits and to enable the competent authorities
and voivodes to verify the right to family benefits and by entities listed in paragraph 10 in order,
in which the information was shared with them. Competent authorities and voivodes provide data to
the central register, using the software referred to in para. 7. ",
b) in sec. 10b in the first sentence, the words "may process" are replaced with the word "processes";
3) in art. 29:
a) used in sec. 1 the words "may collect and process" are replaced with the word "processes",
b) after sec. 1 the following paragraph shall be added: 1a-1c as follows:
"1a. Personal data referred to in sec. 1, are subject to safeguards to prevent abuse or
unlawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization

1)

issued by the data controller;
a written commitment of persons authorized to process personal data to keep them

2)

in confidentiality.
1b. Personal data referred to in sec. 1, is secured in a manner appropriate to the threats and risks
the occurrence of the situations referred to in sec. 1a, including in particular taking into account whether personal data
are processed in an automated manner or in a manner other than automated, and taking into account
ensuring control over what personal data, when and by whom.
1c. Persons processing personal data referred to in sec. 1, are obliged to keep them in the
confidence. ”.
Art. 72. In the Act of January 29, 2004 - Public Procurement Law (Journal of Laws of 2018, items 1986 and 2215 and
of 2019, item 53) is hereby amended as follows:
1) in art. 8 the following paragraph is added: 5 is added:
"5. The contracting authority provides the personal data referred to in Art. 10 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general
regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended. 53) ), hereinafter referred to as
2016/679 ", in order to enable the use of the legal protection measures referred to in section VI, to
the expiry of the time limit for their submission. ”;
2) after art. 8, art. 8a is added as follows:
"Art. 8a. 1. The contracting authority performs the obligations referred to in Art. 13 sec. 1-3 of Regulation 2016/679,
by including the required information in the contract notice, competition notice, specification of essential
of the terms of the contract, the rules of the competition or the first action addressed to the contractor.
2. In the event that the performance of the obligations referred to in Art. 15 sec. 1-3 of Regulation 2016/679,
would require a disproportionate effort, the contracting authority may require the data subject to indicate
additional information aimed at specifying the request, in particular providing the name or date of the proceedings
for the award of a public contract or competition.
3. The exercise by the data subject of the right to rectify or supplement personal data
b, referred to in art. 16 of the Regulation 2016/679, may not result in a change of the result of the procedure
for the award of a public contract or a competition or a change to the provisions of the contract to the extent inconsistent with the Act

53) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 54
© Chancellery of the Sejm

pp. 54/114

4. Submitting the request referred to in Art. 18 sec. 1 of Regulation 2016/679, does not limit the processing of
personal data until the end of the public procurement procedure or competition.
5. The awarding entity shall inform about the limitations referred to in sec. 2 and 4 and art. 97 sec. 1a, on the website
related to the procedure or competition being conducted, in the contract notice, competition notice, specification
essential terms of the order, competition regulations or otherwise available to the data subject.
6. The contracting authority processes the personal data collected in the public procurement procedure or
competition in a way that guarantees protection against their unlawful dissemination.
7. For the processing of personal data referred to in Art. 10 of Regulation 2016/679, may be allowed
only persons with written authorization. Persons authorized to process such data are
obliged to keep them confidential. ”;
3) in art. 11 after paragraph 6 the following paragraph is added: 6a and 6b as follows:
"6a. In the case of personal data provided by the contracting authority in the Public Procurement Bulletin,
the rights referred to in Art. 15 and art. 16 of Regulation 2016/679, are executed by way of a request
to the ordering party.
6b. The President of the Public Procurement Office ensures the technical maintenance of the ICT system, at
using which the Public Procurement Bulletin is made available, and determines the period of storage of personal data
placed in the Public Procurement Bulletin. ”;
4) in art. 96 after paragraph 3 the following paragraph shall be added: 3a and 3b as follows:
"3a. The principle of openness referred to in para. 3, applies to all personal data, except
the data referred to in art. 9 sec. 1 of the Regulation 2016/679, collected in the course of the procedure for granting
public procurement or competition. The limitations of the principle of openness referred to in Art. 8 sec. 3-5 apply
respectively.
3b. From the date of completion of the contract award procedure, if the request for which
referred to in Art. 18 sec. 1 of the Regulation 2016/679, will limit the processing of personal data contained therein
in the report and attachments to the report, the contracting authority does not provide the data contained in the report and in the
in the protocol, unless the conditions referred to in Art. 18 sec. 2 of Regulation 2016/679. ”;
5) in art. 97 after paragraph 1 the following paragraph shall be added: 1a and 1b as follows:
"1a. Where the performance of the obligations referred to in Art. 15 sec. 1-3 of Regulation 2016/679,
would require a disproportionate effort, the contracting authority may require the data subject to indicate it
additional information aimed, in particular, at specifying the name or date of the completed proceedings
for the award of the contract.
1b. The data subject's exercise of the right to rectify or supplement the information about which
referred to in Art. 16 of Regulation 2016/679, may not violate the integrity of the protocol and its annexes. ”;
6) after art. 143d, art. 143e is added:
"Art. 143e. 1. In the case referred to in Art. 29 sec. 3a, the contract contains provisions on how
documentation of employment and control of compliance by the contractor or subcontractor with the requirements concerning
employment under an employment contract and provisions on sanctions for failure to meet the requirements,
referred to in Art. 29 sec. 3a.
2. In order to verify employment by a contractor or subcontractor under an employment contract, persons
contracting the activities indicated by the contracting authority in the scope of the contract, the contract provides for the possibility
requests by the contracting authority, in particular:
1)

declarations of the contractor or subcontractor on the employment of an employee under an employment contract,

2)

a certified copy of the employment contract of the employed employee, certified as a true copy of the original,

3)

other documents

- containing information, including personal data, necessary to verify employment under a contract
employment, in particular the name and surname of the employed employee, date of conclusion of the employment contract, type of contract
for a job and the scope of the employee's duties. ”.

23/04/2019

Page 55
© Chancellery of the Sejm

pp. 55/114

Art. 73. In the Act of 12 March 2004. On social assistance (Dz. U. of 2018. Item. 1508, as amended. D. 54) ) introduced
the following changes are taking place:
1) in art. 23 sec. 4a is replaced by the following:
"4a. The minister responsible for social security keeps and develops a central register that includes
data on organizational units of social assistance, as well as data on persons and families of the applicants
for benefits from social assistance or those benefiting from these benefits and forms of social assistance provided,
collected by organizational units of social assistance on the basis of the provisions of the Act, and processes these
data in order to perform the tasks referred to in para. 1. Organizational units of social assistance provide data
to the central register, using the software referred to in para. 4. ";
2) in art. 25, the following paragraph is added: 7 is added:
"7. Authorized entities commissioned to perform a task in the field of social assistance, and in the case of
carrying out the commissioned task by organizational units of social assistance - these units are administrators
personal data processed for the purpose of providing social assistance benefits by these entities and units. ”;
3) in art. 100:
a) sec. 2 is replaced by the following:
"2. Entities and persons performing tasks in the field of social assistance specified in the Act process
personal data of persons to whom the Act applies, and of their family members to the extent and for the purpose necessary for
implementation of tasks resulting from the Act. ",
(b) the following paragraph is added: 3–7 as follows:
"3. In connection with the processing of personal data in order to provide the services referred to in art. 106
paragraph 2, and in order to provide services in support centers, family support homes, sheltered housing
and social welfare homes, the performance of the obligation referred to in art. 13 sec. 1 and 2 of Parof the European Lamentation (EU) 2016/679 of 27 April 2016 on the protection of natural persons
in connection with the processing of personal data and on the free movement of such data, and
of Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04.05.2016, p. 1,
with later d. 55) ), followed by the publication of the information referred to in Art. 13 sec. 1 and 2 of this regulation,
in a visible place in the building where the services are provided or provided.
4. The data administrator informs about the restriction referred to in para. 3, at the latest by the first act
to the data subject.
5. The organizational units referred to in Art. 110 sec. 1, art. 111, art. 112 paragraph. 1, 2 and 8 and article. 113
paragraph 1 and 3, performing tasks in the field of social assistance specified in the Act, are personal data controllers
processed for the purpose of granting and providing social assistance benefits.
6. The security measures used by the data controller to protect personal data consist of what
the least on:
1) allowing the processing of personal data only by persons with a written authorization
issued by the data controller;
a written commitment of persons authorized to process personal data to keep them

2)

in secret.
7. Entities and persons performing tasks in the field of social assistance specified in this Act
are obliged to keep secret all information and data obtained during the performance of these
tasks. ";
4) after art. 134l, art. 134m as follows:
"Art. 134m. 1. Partner organizations and the National Center process the personal data of users
from the aid specified in the Operational Program, including:
1)

name and surname, number of household members, including sex and age
and belonging to the target group of the Operational Program;

2)

the person's or family's income;

3) reasons for providing aid pursuant to Art. 7.

54) Amendments

to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2018, item 1693, 2192, 2245, 2354 and 2529 and

of 2019, item 271.
55) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 56
© Chancellery of the Sejm

pp. 56/114

2. Fulfillment of information obligations set out in the provisions on the protection of personal data, pending
providing assistance specified in the Operational Program takes place by providing information on processing
personal data:
1) in the case of partner organizations - in a visible place in the building where the aid is provided;
2)

in the case of the National Center - in the Public Information Bulletin on the website of the National Center
The center or its website.

3. The security measures used by the data controller to protect personal data consist of at least
less on:
1)

allowing for the processing of personal data only persons with a written authorization to
data by the data administrator;

2)

a written commitment of persons authorized to process personal data to keep them confidential
nothing.

4. The entities and persons performing the tasks specified in the Operational Program are obliged to keep
confidentiality of all information and data obtained while performing the tasks. ”.
Art. 74. In the Act of April 16, 2004 on construction products (Journal of Laws of 2019, item 266), after Art. 3 adds
Art. 3a is added as follows:
"Art. 3a. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general
data protection regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 56) ), by the person whose data
are processed in connection with the implementation by the Chief Inspector of Construction Supervision and voivodships
construction supervision inspectors in the field of:
1) collecting information on the results of commissioned tests of samples of construction products, conducted controlls of construction products placed on the market or made available on the domestic market, issued
decisions, decisions and opinions,
2)

keeping a national list of the contested construction products, as referred to in Art. 15

- does not affect the implementation of tasks in this area. ”.
Art. 75. In the Act of 20 April 2004 on employment promotion and labor market institutions (Journal of Laws of 2018,
item 1265, as amended d. 57) ) is hereby amended as follows:
1) in art. 4:
a) paragraph 1 is deleted. 4,
b) after sec. 4 the following paragraph is added: 4a and 4b as follows:
"4a. The minister responsible for labor issues a central data register in the ICT system
personal persons applying for or benefiting from assistance specified in the Act, and
other persons, hereinafter referred to as the "central register".
4b. The minister competent for labor processes personal data of natural persons in the central register
in order for public employment services to perform statutory tasks, including verification of entitlements and data,
registration and status determination, provision of statutory assistance, issuing status decisions
and benefits, conducting control proceedings, fulfilling reporting obligations and obligations related to
the scope of official statistics and defining plans for further actions. ",
(c) paragraph 3 is deleted. 5,
d) after sec. 5 the following paragraph is added: 5a – 5k as follows:
"5a. In the central register, the minister competent for labor processes personal data:
1)

unemployed persons benefiting from the assistance specified in the act granted by the public employment services
or entities providing assistance on behalf of public employment services, including acquired from agencies
employment as part of the activities referred to in art. 66d;

2)

jobseekers benefiting from the assistance specified in the Act provided by the public services
employment or entities providing assistance on behalf of public employment services;

56) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
57) Amendments to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2018, item 1149, 1544, 1629, 1669, 2077, 2192, 2215,
2245, 2432 and 2435 and of 2019, item 60, 577 and 622.
23/04/2019

Page 57
© Chancellery of the Sejm

pp. 57/114

3)

unregistered persons using the assistance specified in the Act provided by public services
employment or entities providing assistance on behalf of public employment services;

4)

foreigners intending to perform or performing work in the territory of the Republic of Poland
ska;

5)

guarantors of the assistance specified in the Act;

6)

entrepreneurs within the meaning of the Act of March 6, 2018 - Entrepreneurs Law (Journal of Laws item 646,
1479, 1629, 1633 and 2212);

7) other entities benefiting from the assistance specified in the Act;
8)

intending to entrust or entrusting the performance of work;

9)

entities entrusting the performance of work to a foreigner;

10) insured persons;
11) payers of contributions;
12) employees of public employment services;
13) employees of Voluntary Labor Corps, using IT systems and tools for
stipulated by the minister responsible for labor.
5b. The following categories of personal data of unemployed persons are processed in the central register:
1)

first name (names) and surname;

2) citizenship or citizenship;
3) social security number, and in its absence - type, series and number of the document confirming identity;
4)

parents' names;

5) date and place of birth;
6) family name;
7)

sex;

8) marital status;
9) information about the family situation, including:
a) personal data of the spouse: first name (names) and surname, PESEL number, and in the absence of such number - type,
series and number of the document confirming identity and information about its remaining or not
staying in the register of the unemployed and job seekers,
b) personal data of dependent children: first name (names) and surname, PESEL number, and in
in the event of its absence - type, series and number of the document confirming identity, date and place of birth
choking,
c) in the case of a guardian of the disabled, caring for a disabled person with a significant
degree of disability or a child with a disability certificate, including the
ia: the need for constant or long-term care or assistance of another person due to the significant limitation
limited possibility of independent existence and the need for constant participation in everyday care
a child's marten in the process of its treatment, rehabilitation and education - personal data of each disabled person
non-disabled or each child: name (s) and surname, PESEL number, and in the absence of such number type, series and number of the document confirming identity,
d) personal data of the person or dependent persons, including for each person: name (s) and surname,
PESEL number, and in the absence of such number - type, series and number of the document confirming the identity
dear;
10) registered address for permanent or temporary residence and correspondence address;
11) e-mail address or telephone number or other contact details, if they have them;
12) information on education, interest in taking up training and work;
13) information on the type and degree of disability and contraindications to practice the profession,
if they concern them;
14) information about being a maintenance debtor within the meaning of the provisions on assistance to eligible persons
to alimony, if they concern them;
15) data on professional experience;

16) information necessary to establish the status or provide assistance specified in the Act;

23/04/2019

Page 58
© Chancellery of the Sejm

pp. 58/114

17) information on:
a) remoteness from the labor market - meaning information about skills, time without
work, place of residence in terms of distance from potential workplaces and access to
modern forms of communication with the poviat labor office and employers, and
b) readiness to start work - meaning information about involvement in independent search
work, readiness to adapt to the requirements of the labor market, availability, reasons
to work, the reasons for registering with the poviat labor office, the current one, and
current readiness to cooperate with the poviat labor office, other labor market institutions or
employers;
18) information on assistance provided on the basis of the Act, its adoption or refusal to accept it;
19) information about the assistance provided by:
a) organizational units of social assistance to the extent specified in the provisions on social assistance,
provided by the minister responsible for social security,
b) units servicing family benefits to the extent specified in the provisions on roday, transferred by the minister responsible for family affairs,
c) social welfare centers in connection with the implementation of the activities referred to in Art. 50 sec. 2 point 2,
d) employment agencies in connection with the implementation of activities referred to in art. 61b and art. 66n,
e) entities implementing activities in the field of social reintegration under the Program Activation and Integration as referred to in art. 62a,
f) entities implementing special programs referred to in Art. 66a;
20) information about the willingness to consent or not to consent to:
a) participation in labor market surveys conducted by public employment services, administrative bodies
governmental or local government or on their behalf,
b) the processing of personal data along with their scope on the basis of the provisions of the European Union
o the EURES network;
21) information provided by the National Labor Inspectorate in the scope specified in the provisions on
of the National Labor Inspectorate.
5c. They are processed in the central register in the case of:
1)

jobseekers - categories of data referred to in sec. 5b points 1-13, 15, 16 and 18-20;

2)

unregistered people using the assistance specified in the Act - categories of data about which
referred to in paragraph 5B points 1-11, 16, 18 and 20, and in the case of people participating in lifelong learning
financed from the KFS resources - the categories of data referred to in para. 5b points 1-11, 15, 16, 18
and point 20 lit. and;

3)

guarantors of the assistance specified in the Act - data categories referred to in para. 5B points 1, 3 and 10;

4)

foreigners who intend to perform or perform work in the territory of the Republic of Poland
ska - the data referred to in art. 90c of paragraph 1. 8 and 9;
entrepreneurs - the categories of data referred to in sec. 5b points 1-11, 16, 18 and point 20 lit. a, and:

5)

a) tax identification number NIP,
b) REGON identification number,
c) business address,
d) fax number and website address, if available,
e) the information specified in Art. 18e paragraph. 1 and art. 18g, if the entrepreneur is an employment agency
nienia,
f) information on training activities conducted, if the entrepreneur is
a training institution within the meaning of the Act,
g) notify the district labor inspector of identified infringement cases
the act, including the conditions for running an employment agency,
h) data specified in art. 50 sec. 14a-16 of the Act of October 13, 1998 on the social insurance system
(Journal of Laws of 2019, items 300, 303 and 730),
i) information on assistance provided by public employment services,
j) data on professional experience, in the case of entrepreneurs participating in the training
continuing education financed by the KFS;

23/04/2019

Page 59
© Chancellery of the Sejm

pp. 59/114

6) other entities benefiting from the assistance specified in the Act - data categories referred to
in paragraph 5b points 1-11, 16, 18 and point 20 lit. a, and:
a) NIP tax identification number, if they have one,
b) REGON identification number, if they have one,
c) business address,
d) fax number and website address, if available,
e) notify the district labor inspector of identified infringement cases
the act, including the conditions for running an employment agency,
f) data specified in art. 50 sec. 14a-16 of the Act of October 13, 1998 on the social insurance system
season,
g) information on assistance provided by public employment services,
h) data on professional experience, in the case of persons participating in retraining
financed by the KFS;
natural persons entrusting or intending to entrust the performance of work - data categories,

7)

referred to in sec. 5b points 1-11, 16 and point 20 lit. a, and:
a) NIP tax identification number, if they have one,
b) REGON identification number, if they have one,
c) fax number and website address, if available,
d) notify the district labor inspector of identified infringement cases
the act, including the conditions for running an employment agency,
e) data specified in art. 50 sec. 14a-16 of the Act of October 13, 1998 on the social insurance system
season,
f) information on assistance provided by public employment services;
natural persons who are entities entrusting the performance of work to a foreigner - data about which

8)

as referred to in Art. 90c of paragraph 1. 7;
insured persons - data collected on the insured person's and insured persons' accounts,
valid by the Social Insurance Institution in accordance with the provisions on the social insurance system

9)

to the extent specified in these provisions;
10) contribution payers - data collected on the account of the contribution payer, provided by the Insurance Company
in accordance with the provisions on the social insurance system to the extent specified in these
regulations;
11) employees of public employment services - the categories of data referred to in para. 5b point 1, and:
a) workplace and contact details used for official use,
b) name and description of the position held,
(c) training completed and, in the case of employer-initiated or financed training, or
co-financed by the Labor Fund, also the cost of training and the source of financing,
d) login, password information, information on the activity of the employee's account and granted system rights
ICT, if they concern them;
12) employees of Voluntary Labor Corps using IT systems and tools provided
by the minister responsible for labor - categories of data referred to in para. 5b point 1,
and:
a) workplace and contact details used for official use,
b) name and description of the position held,
c) completed training in the use of IT systems and shared tools
by the minister responsible for labor,
d) login, password information, information on the activity of the employee's account and granted system rights
ICT talks, if they concern them.
5d. Personal data processed by the public employment services in the central register are subject to
security consisting of at least:
allowing for the processing of personal data only persons with a written authorization

1)

issued by the data controller;
23/04/2019

Page 60
© Chancellery of the Sejm

pp. 60/114

a written commitment of persons authorized to process personal data to keep them

2)

in confidentiality.
5e. Personal data referred to in sec. 5a, are processed in the central register for a period of 50 years,
counting from the end of the calendar year in which the aid was completed.
5f. The central register is a set of data obtained from:
1)

from data registers of voivodeship labor offices;

2)

from data registers of poviat labor offices;

3)

from natural persons applying, through the minister responsible for labor, for assistance
stipulated in the act, provided by voivodeship labor offices and poviat labor offices.

5g. The voivodeship labor office shall submit to the central register the categories of data referred to in paragraph 5a
points 1-3, 6-8, 10 and 12, to the extent specified in para. 5b and 5c.
5h. The poviat labor office shall submit to the central register the categories of data referred to in para. 5a,
to the extent specified in sec. 5b and paragraph 5c points 1-11.
5i. In order to ensure the proper implementation of tasks by the public employment services and the minister
competent for social security matters to the minister competent for labor matters are made available to the following
processed categories of data, including personal data, to the extent necessary to perform these tasks
through:
the minister responsible for social security - data of natural persons referred to

1)

in paragraph 5a, points 1, 2, 7, 10 and 11, to the extent specified in para. 5b points 1-6, 8-12, 15, 16 and point 19 lit. and;
the minister responsible for family affairs - data of natural persons referred to in sec. 5a points 1, 2, 10 and 11,

2)

to the extent specified in sec. 5b points 1-6, 8-11, 14, 16 and point 19 lit. b;
Social Insurance Institution - data specified in art. 50 sec. 14-16 of the Act of October 13

3)

1998 on the social insurance system;
National Labor Inspectorate - information provided by the National Labor Inspectorate in the scope of

4)

lied in the provisions on the National Labor Inspectorate.
5j. To share the data referred to in paragraph 5i, the provision of paragraph. 6f shall apply mutatis mutandis.
5k. Fulfillment of the security referred to in paragraph 5d, ensure in the case of employees:
1)

the office supporting the minister in charge of labor - the minister in charge of labor;

2)

voivodeship labor office - director of the voivodeship labor office;

3)

poviat labor office - director of the poviat labor office;

4)

organizational units of social assistance and units servicing family benefits, about which
referred to in paragraph 6c and 6d - data controllers competent for these units. ",

e) sec. 6 is replaced by the following:
"6. Data from the central register may be made available in the manner and on the terms specified in the Act of
February 17, 2005 on the computerization of the activities of entities performing public tasks to other entities
implementing public tasks on the basis of separate regulations. ",
f) after sec. 6 the following paragraph is added: 6a – 6h as follows:
"6a. The minister responsible for labor provides voivodeship labor offices, as well as the minister responsible for
body responsible for social security in order to perform their statutory tasks, including verification of the law
to benefits and assistance specified in the Act, data from the central register referred to in para. 5a
points 1-3, 6-8, 10 and 12, to the extent specified in para. 5b and 5c.
6b. The minister responsible for labor makes available to poviat labor offices for the purpose of carrying out their tasks
statutory provisions, including verification of the right to benefits and providing assistance specified in the Act, data from the register
central, referred to in paragraph. 5a, to the extent specified in para. 5b and paragraph 5c points 1-11, and data of persons
physical, referred to in paragraph. 5f point 3, to the extent specified in para. 5b points 1, 3, 10, 11 and 16.
6c. The minister competent for labor provides social assistance organizational units for the purpose
implementation of their statutory tasks, including verification of the right to benefits and providing assistance specified in
provisions, data from the central register referred to in para. 5A, points 1, 2, 7, 10 and 11, to the extent specified
in paragraph 5b points 1-6, 8-12, 15, 16 and 18.

23/04/2019

Page 61
© Chancellery of the Sejm

pp. 61/114

6d. The minister competent for labor provides units servicing family benefits for the purpose of
implementation of their statutory tasks, including verification of the right to benefits and providing assistance specified in
provisions, data from the central register referred to in para. 5A, points 1, 2, 10 and 11, to the extent specified
in paragraph 5b points 1-6, 8-11, 14, 16 and 18.
6e. The data referred to in paragraph 1. 6a and 6b, are made available by way of their exchange between the telethe IT system in which the central register is kept, and the teleinformation system made available
by the minister responsible for labor and used by:
1)

voivodeship labor office, and the minister responsible for social security for the implementation of tasks
specified in the Act;

2)

a poviat labor office to carry out the tasks specified in the Act.

6f. The data referred to in paragraph 1. 6c and 6d, are made available by way of their exchange between the teleIT system in which the central register is kept, and the ICT system in which
a register of the minister responsible for:
1) social security;
2) family.
6g. The data referred to in paragraph 1. 6a-6d, are made available at the request of a specific natural person,
submitted with the use of the ICT systems referred to in para. 6e and 6f.
6h. The provisions of paragraph 1. 6a-6g shall apply to entities mentioned therein, which meet the following
conditions:
1)

ensure the identification of the person obtaining the information and the scope, date and purpose of obtaining it;

2)

provide safeguards preventing the use of information contrary to the purpose of obtaining it;

3)

ensure that access to data is supervised and recorded in accordance with data protection regulations
personal. ";

2) after art. 4, Art. 4a is added as follows:
"Art. 4a. 1. Voivodship labor offices and poviat labor offices, in order to carry out their statutory tasks,
including the verification of the right to benefits and the provision of assistance specified in the act, they obtain data from the Insurance Institution
Social Security to the extent referred to in Art. 50 sec. 14-16 of the Act of 13 October 1998 on the system
social security.
2. The data referred to in par. 1, are transferred through their exchange, respectively, between the systems
information and communication technology referred to in art. 4 sec. 6e. ";
3) in art. 8:
a) in sec. 1 point 18 shall be replaced by the following:
"18) cooperation with the minister competent for work in the field of establishing the central register;",
b) after sec. 1b, the following paragraph shall be added: 1ba-1bc as follows:
"1ba. In order to carry out statutory tasks, the voivodeship labor office keeps a register of data on the labor market
in the voivodship, including the personal data register of natural persons, hereinafter referred to as the "voivodship data register
whose employment office ".
1bb. Personal data is processed in the data register of the voivodeship labor office:
1) unemployed persons, including those obtained from employment agencies as part of the implementation of the activities referred to
in art. 66d, using the assistance specified in the Act provided by the public employment services
or entities providing assistance on behalf of public employment services,
2)

jobseekers who benefit from the assistance specified in the act provided by the public service
employment or entities providing assistance on behalf of public employment services,

3)

unregistered persons using the assistance specified in the Act provided by public services
employment or entities providing assistance on behalf of public employment services,

4)

entrepreneurs within the meaning of the Act of March 6, 2018 - Entrepreneurs Law,

5)

other entities benefiting from assistance specified in the Act,

6)

natural persons entrusting or intending to entrust the performance of work,

7)

insured persons,

8)

public employment service employees

- referred to respectively in Art. 4 sec. 5b and 5c.
23/04/2019

Page 62
© Chancellery of the Sejm

pp. 62/114

1bc. The provisions of Art. 4 sec. 5d and 5e and sec. 6a-6h regarding security, processing and deletion period
and access to data shall apply accordingly to the data register of the voivodeship labor office. ”;
4) in art. 9 in sec. 1 point 23 is replaced by the following:
"23) cooperation with the minister competent for work in the scope of establishing the central register;";
5) in art. 33:
a) after sec. 2d the following paragraph is added: 2e and 2f as follows:
"2e. The profile of assistance for the unemployed is determined by an employee of the poviat labor office on the basis of
knows the interview conducted with the unemployed, supported by the teleinformation system made available
by the minister responsible for labor.
2f. An employee of a poviat labor office may not establish a profile of assistance for the unemployed exclusively
in a manner consisting in the automated processing of information about the unemployed, including his personal data
out. ",
b) after sec. 5 the following paragraph is added: 5a-5d as follows:
"5a. In order to carry out statutory tasks, the poviat labor office keeps a register of data on the labor market
in the poviat, including the register of personal data of natural persons, hereinafter referred to as the "poviat data register
the employment office ".
5b. In the data register of the poviat labor office, personal data of natural persons about whom
as referred to in Art. 4 sec. 5a, 5b and par. 5c points 1-11.
5c. The provisions of Art. 4 sec. 5d and 5e and sec. 6a-6h regarding security, the period of processing and removal, and
access to data shall apply accordingly to the data register of the poviat labor office.
5d. Acquiring and sharing the data of the unemployed and job seekers referred to in art. 4
paragraph 5a, points 1 and 2, to the extent specified in para. 5b and paragraph 5 c, point 1, between poviat labor offices and
organizational units of social assistance or units servicing family benefits and providing them
tasks in the area of ​the same poviat, is carried out through the exchange of data between the teleIT, made available by the minister responsible for labor and used by the poviat
the labor office to carry out the tasks specified in the Act and the systems used by these units to
implementation of tasks in the field of social assistance and family benefits. The provision of art. 4 sec. 6g is used
respectively.",
(c) paragraph 3 is deleted. 6-9;
6) in art. 46, paragraph 1 is deleted. 5a.
Art. 76. In the Act of 30 April 2004 on pre-retirement benefits (Journal of Laws of 2017, item 2148 and
of 2019, item 39) in art. 11 in point 1 the words "Art. 117 paragraph. 1-4 "shall be replaced by the words" Art. 117 paragraph. 1-4a ".
Art. 77. In the Act of 30 April 2004 on the procedure in matters relating to state aid (Journal of Laws of 2004, No.
of 2018, item 362) after art. 11 the following Art. 11a is added as follows:
"Art. 11a. 1. In order to perform the tasks and obligations related to the proceedings in cases concerning
public power, the data controller is:
1)

President of the Office - in matters related to state aid other than state aid in agriculture or fisheries
hunting;

2)

the minister responsible for agriculture - in matters relating to state aid in agriculture or fisheries
stance;
the proper minister of public financies - in matters relating to state aid other than

3)

public power in agriculture or fisheries granted by heads of tax offices and directors
tax administration chambers;
an entity granting assistance in proceedings related to granting state aid.

4)

2. Data of aid beneficiaries or aid granting entities, including the tax identification number
name, legal basis for granting aid, date of granting aid, size of the entrepreneur, information about the
location, place of residence and type of activity, the value of the aid, the form and purpose of the aid,
is made available on the website of the President of the Office or the minister responsible for agriculture. ”.

23/04/2019

Page 63
© Chancellery of the Sejm

pp. 63/114

Art. 78. In the Act of 27 May 2004 on investment funds and management of alternative investment funds,
(Journal of Laws of 2018, items 1355, 2215, 2243 and 2244) the following changes are introduced:
1) in art. 2 after point 2e, point 2f is added as follows:
"2f) Regulation 2016/679 - this shall mean the Regulation of the European Parliament and of the Council (EU)
2016/679 of 27 April 2016 on the protection of individuals with regard to data processing
data and on the free movement of such data, and repealing Directive 95/46 / EC (general
regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 58) ); ”;
2) after art. 13a, art. 13b is worded as follows:
"Art. 13b. Investment fund, society, alternative investment company and ASI management, as well
entities referred to in art. 32 sec. 1 and 2, in the scope of their activities referred to in these provisions and
in art. 32 sec. 2b, being data controllers processing personal data within the meaning of art. 4 point 1 of the Regulation
2016/679, are not obliged to perform the obligations referred to in art. 15 of Regulation 2016/679,
to the extent that it is necessary for the proper implementation of anti-money laundering tasks
and terrorist financing and crime prevention. ”;
3) art. 193 is replaced by the following:
"Art. 193. The securitization fund and the entity with which the society has concluded a securitization management agreement
debtors, collect and process personal data of debtors of securitized receivables
solely for the purposes of managing the securitized receivables. ";
4) in art. 281 in section 1 in point 15, the full stop is replaced by a semicolon and the following point 16 is added:
"16) the President of the Personal Data Protection Office in connection with pending proceedings before this authority,
if it is necessary in pending proceedings. ”;
5) in art. 286b paragraph. 16 is replaced by the following:
"16. The Commission may provide the supervisory authority of a third country with information on an individual case
carried out by the Commission, if the conditions referred to in Regulation 2016/679 are met - in the case of
personal data, and if their transfer is necessary for the performance of the tasks specified in the Act. The commission can
also, if the conditions referred to in Regulation 2016/679 are met, consent to further transfernot this information to the supervisory authority of another third country. ”.
Art. 79. In the Act of July 16, 2004 - Telecommunications Law (Journal of Laws of 2018, items 1954, 2245 and 2354 and
of 2019, item 643) is hereby amended as follows:
1) in art. 57 in paragraph. 1 in point 2, the semicolon is replaced by a dot and point 3 is deleted;
2) in art. 78 in paragraph. 2, point 1 is replaced by the following:
"1) in the case of a subscriber who is a consumer:
a) the data referred to in art. 169 paragraph. 1,
b) address of the place of residence and correspondence address - if it is different from the address of the place of residence,
c) PESEL number - in the case of a citizen of the Republic of Poland,
d) the name, series and number of the document confirming identity, and in the case of a foreigner who is not
a national of a Member State or the Swiss Confederation - passport or residence card number, ”;
3) in art. 159 in section 1 point 1 shall be replaced by the following:
"1) data concerning the user, subject to Art. 161 sec. 2; ";
4) in art. 161 sec. 2 is replaced by the following:
"2. The processing of the user's personal data - other than those indicated in art. 159 sec. 1 points 2-5 - being
a natural person on the basis of the provisions on the protection of personal data. ”;
5) art. 174 is replaced by the following:
"Art. 174. Data protection law shall apply to obtaining the consent of the subscriber or end user
personal. ";

58) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 64
© Chancellery of the Sejm

pp. 64/114

6) after art. 174, the following Art. 174 with 1 added:
"Art. 174 1 . The provider of publicly available telecommunications services is obliged to implement appropriate
technical and organizational security measures ensuring the security of personal data processing. Independentnot from the requirements specified in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of individuals with regard to the processing of personal data and on the free
the flow of such data and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal of
UE L 119 of 04/05/2016, p. 1, as amended d. 59) ), hereinafter referred to as "Regulation 2016/679", protection measures at least
less:
ensure that access to personal data has a person with a written authorization issued by

1)

data administrator, and
protect stored or transferred personal data against accidental or unlawful destruction,

2)

accidental loss or alteration as well as unauthorized or unlawful storage, processing,
access or disclosure, and
ensure the implementation of a security policy with regard to the processing of personal data. ";

3)

7) in art. 174a:
a) sec. 1 is replaced by the following:
"1. The provider of publicly available telecommunications services notifies the President of the Office of Security
Personal Data on the breach of personal data within the time limit and on the terms specified in the Regulation
Mission (EU) No 611/2013 of 24 June 2013 on notification measures
on personal data breaches under Directive 2002/58 / EC of the European Parliament and of the Council
on privacy and electronic communications (Journal of Laws UE L 173 of 26/06/2013, p. 2), hereinafter referred to as
Germany 611/2013 ".",
b) after sec. 2 the following paragraph shall be added: 2a is added as follows:
"2a. The President of the Personal Data Protection Office provides secure electronic means for
notification of personal data breaches referred to in sec. 1, and information about
the mode of access to these resources and their application. ",
c) sec. 3 is replaced by the following:
"3. Where a personal data breach may adversely affect the subscriber's rights or
end user who is a natural person, provider of publicly available telecommunications services
shall also immediately notify the subscriber or end user of such breach in accordance with the terms and
ll in regulation 611/2013, subject to the provisions of paragraph 2. 5. ",
d) after sec. 3 the following paragraph shall be added: 3a is added as follows:
"3a. The consent referred to in Art. 3 sec. 5 of Regulation 611/2013, the President of the Office for Data Protection Osoit issues by way of a decision. ",
e) sec. 5 is replaced by the following:
"5. The notification referred to in para. 3, is not required if the provider publicly available
of telecommunications services has demonstrated the implementation of technological protection measures referred to in Art. 4
paragraph 1 and 2 of Regulation 611/2013, which prevent the reading of data by unauthorized persons and
applying these measures to data whose protection has been violated. ",
f) after sec. 5 the following paragraph is added: 5a is added as follows:
"5a. The provider of publicly available telecommunications services demonstrates that the conditions referred to in
referred to in paragraph 5, immediately providing the President of the Personal Data Protection Office with the relevant document
mentation. ",
g) sec. 6 is replaced by the following:
"6. If the provider of publicly available telecommunications services has failed to notify the subscriber or user
an end user who is a natural person about the breach of personal data, the President of the Office of Protection
Personal Data may be imposed on the provider by a decision to provide subscribers or users
final users, who are natural persons, of such notification, taking into account possible unfavorable
favorable effects of the breach. ",
h) paragraph 1 is deleted. 7 and 8,

59) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 65
© Chancellery of the Sejm

pp. 65/114

(i) the following paragraph is added: 9 is added:
"9. Where a personal data breach affects subscribers or end-users
persons who are natural persons from other Member States, the President of the Office for Personal Data Protection
inform the other concerned authorities of the Member States. ";
8) art. 174b and art. 174c are replaced by the following:
"Art. 174b. For the control of the performance by the President of the Personal Data Protection Office
a provider of publicly available telecommunications services, the obligations referred to in art. 174 1 , art. 174a and
art. 174d, the provisions of the Act of 10 May 2018 on the protection of personal data (Journal of Laws
item 1000 and 1669 and of 2019, item 730).
Art. 174c. The President of the Personal Data Protection Office, by sending the request referred to in art. 52 sec. 1
the Act of May 10, 2018 on the Protection of Personal Data, to the provider of publicly available telecommunications services
requirements take into account the European Commission guidelines on the implementation of the obligation to notify the subscriber or
end user who is a natural person about the breach of his personal data and indicates the circumstances,
the form and manner of such notification. The President of the Personal Data Protection Office may provide speeches
in the Public Information Bulletin on its website, unless they contain information that
business secrets. ”;
9) in art. 174d in paragraph. 1, the introduction to the enumeration is replaced by the following:
"The provider of publicly available telecommunications services keeps a register of personal data breaches, incl
the facts accompanying the violations, their effects and the actions taken, including in particular: ";
10) after art. 210, art. 210a is added:
"Art. 210a. 1. Who does not fulfill the obligation:
1)

implementation of technical and organizational security measures referred to in art. 174 1 ,

2)

information regarding the President of the Personal Data Protection Office, referred to in art. 174a paragraph. 1,

3)

information in relation to the subscriber or end user referred to in art. 174a paragraph. 3,

4)

keeping a register of personal data breaches referred to in art. 174d paragraph. 1

- is subject to a financial penalty imposed by the President of the Personal Data Protection Office in the amount of up to 3% of
the performance of the punished entity achieved in the previous calendar year.
2. The penalties imposed on the basis of par. 1, the provisions of Art. 209 paragraph. 1a-3 and art. 210.
The powers of the President of UKE specified in these provisions are vested in the President of the Office for Personal Data Protection
out. ".
Art. 80. In the Act of 27 August 2004 on healthcare services financed from public funds
(Journal of Laws of 2018, item 1510, as amended. 60) ) the following changes are introduced:
1) in art. 188:
a) in sec. 1:
- the introduction to the enumeration is replaced by the following:
"The Fund processes the personal data of the insured for the purpose of:",
- after point 10, point 10a is added in the following wording:
"10a) conducting analytical and forecasting work related to the implementation of healthcare services
nej. ",
b) in sec. 1a, the introduction to the enumeration is replaced by the following:
"The Fund processes personal data of persons referred to in art. 2 clause 1 point 2, in order to: ",
c) sec. 1b is replaced by the following:
"1b. The Fund processes personal data of persons referred to in art. 2 clause 1 points 3 and 4, for the purpose of accounting
drug reimbursement costs. ",

60) Amendments

to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2018, item 1515, 1532, 1544, 1552, 1669, 1925, 2192

and 2429 and of 2019, item 60, 303, 399 and 447.
23/04/2019

Page 66
© Chancellery of the Sejm

pp. 66/114

d) in sec. 2, the introduction to the enumeration is replaced by the following:
"The Fund processes personal data of persons entitled to healthcare services on the basis of regulations
on coordination and international agreements in order to: ",
e) sec. 2a is replaced by the following:
"2a. The Fund processes personal data in order to perform the tasks specified in art. 97 sec. 3 points 2 and 3a. ",
f) in sec. 2b, the introduction to the enumeration is replaced by the following:
"The Fund processes the following personal data of patients from Member States other than the Republic of Poland
European Union in order to perform the tasks referred to in Art. 97a paragraph. 2 and 5: ",
g) sec. 2c is replaced by the following:
"2c. The Fund processes personal data related to issuing prescriptions for reimbursed drugs,
food for special nutritional uses and medical devices, and their delivery at a pharmacy or on display
ordering the supply of medical devices referred to in the regulations issued on the basis of
art. 38 sec. 4 of the Act on the refund. ",
h) in sec. 3, the introduction to the enumeration is replaced by the following:
"The minister competent for health matters processes personal data:",
i) in sec. 4 the introduction to the enumeration is replaced by the following:
"In order to perform the tasks referred to in para. 1-3, the minister responsible for health and the Fund process
the following data: ";
2) in art. 188a, the introduction to the enumeration is replaced by the following:
"In order to perform the tasks specified in the Act, the Fund processes the following personal data of the issuers
prescriptions for reimbursed drugs, foodstuffs for particular nutritional uses and medical devices, persons
issuing an order for the supply of medical devices referred to in the regulations issued on the basis of
art. 38 sec. 4 of the Act on the reimbursement of persons providing benefits on the basis of contracts for the provision of care benefits
health and applying for the conclusion of such contracts: ”;
3) in art. 188b, the introduction to the enumeration is replaced by the following:
"In order to perform the tasks specified in Art. 97a paragraph. 2 point 3, the Fund processes the following data on persons
dying occupations: ”;
4) in art. 188ba:
a) sec. 1 is replaced by the following:
"1. The Fund processes personal data of persons applying for granting access or using
cations made available by the Fund to service providers and non-service providers
persons and persons authorized by them in order to use IT services and communicate with the Fund Shem. ",
b) in sec. 2, the introduction to the enumeration is replaced by the following:
"In order to perform the tasks referred to in para. 1, the Fund processes the following data: ”;
5) in art. 188c paragraph. 6 is replaced by the following:
"6. The Fund processes data on the implementation of drug programs referred to in the Act on the reimbursement
cji. ";
6) in art. 188d, the introduction to the enumeration is replaced by the following:
"A local government unit, in order to perform the tasks referred to in Art. 9a and art. 9b, processes the data
about:";
7) in art. 191:
a) sec. 1 is replaced by the following:
"1. The minister competent for health processes data on health insurance in the scope of
necessary for the implementation of tasks resulting from the Act. ",
b) in sec. 2, the introduction to the enumeration is replaced by the following:
"The Fund processes the personal data of beneficiaries other than the insured, in order to:",

23/04/2019

Page 67
© Chancellery of the Sejm

pp. 67/114

c) after sec. 2 the following paragraph shall be added: 2a is added as follows:
"2a. The minister competent for health issues the personal data of beneficiaries other than insured persons
roasts, in order to:
financing of healthcare services;

1)

2) control:
a) the type, scope and reasons for the provided healthcare services,
b) compliance with the principles of legality, economy, reliability and purposefulness of provided financing
healthcare services;
3) monitoring the health condition and needs of beneficiaries other than the insured for benefits
healthcare, drugs and medical devices. ",
d) in sec. 3, the introduction to the enumeration is replaced by the following:
"In order to perform the tasks referred to in para. 1, the minister competent for health matters and the Fund processing
they report the following data: ",
e) sec. 4 is replaced by the following:
"4. The Minister of National Defense, the Minister of Justice, the minister competent for internal affairs,
the minister responsible for public finances and the minister responsible for health process information
necessary for the implementation of tasks resulting from the Act. ”.
Art. 81. In the Act of November 25, 2004 on the profession of sworn translator (Journal of Laws of 2017, item 1505 and
of 2018, item 1669) after chapter 4, chapter 4a is added as follows:
"Chapter 4a
Processing of personal data
Art. 29a. 1. The provisions of Art. 15 sec. 1 and 3, art. 18 and art. 19 of the Regulation of the European Parliament and of the Council (EU)
2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46 / EC (General
on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended. 61) ), apply to the extent that they do not infringe
they are obliged to keep by a sworn translator the professional secrecy referred to in Art. 14 sec. 1 point 2.
2. The provision of Art. 21 sec. 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of individuals with regard to the processing of personal data and on the free
the flow of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation), in
in the case of personal data obtained by a sworn translator in connection with the translation, it does not apply.
Art. 29b. The obligation of secrecy referred to in art. 14 sec. 1, point 2, does not cease in the event that
the President of the Data Protection Office requests the disclosure of information obtained in connection with the translation
Personal.
Art. 29c. The period of storage of personal data collected by a sworn translator in the relationship
with translation is 4 years from the end of the calendar year in which the data was collected. After
during this period, personal data will be deleted, unless their further storage is necessary for the protection of rights
or pursuing claims. ”.
Art. 82. In the Act of December 17, 2004 on liability for violation of public finance discipline
(Journal of Laws of 2018, items 1458, 1669, 1693 and 2192) the following changes are introduced:
1) after art. 3, Art. 3a is added as follows:
"Art. 3a. 1. Entities providing bodies competent in cases of violation of financial discipline
public headquarters, legal and administrative and technical services are the controllers of data processed by
these organs.
2. Data controllers authorize service providers to process personal data
legal, administrative and technical authorities competent in cases concerning violation of public finance discipline
to the extent necessary to perform the entrusted tasks. The authorization is issued in writing on the way
a personal authorization, a position authorization or an internal act, unless a specific regulation provides
otherwise.

61) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 68
© Chancellery of the Sejm

pp. 68/114

3. Data controllers keep a register of persons authorized to process personal data on the basis of
knows the authorizations or in connection with the performance of functions in the authorities competent in cases of violation of discipline
public finance.
4. Unless specific provisions provide otherwise, the persons processing the data are obliged to keep confidential
personal data and methods of securing them.
5. Providing the information referred to in Art. 13 sec. 1 and 2 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general
data protection regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 62) ), hereinafter referred to as
2016/679 ", takes place independently of the duties of the authorities provided for in the Act and does not affect
course and result of the conducted proceedings.
6. The data controller provides the information referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679,
at the first action of the authority addressed to the data subject, unless the person has this information,
and their scope or content has not changed.
7. Submitting the request referred to in Art. 18 sec. 1 of the Regulation 2016/679, neither suspends nor does it
limits the implementation by the competent authorities in cases concerning violation of public finance discipline
tasks resulting from legal regulations. ”;
2) after art. 173, the following Art. 173a is added:
"Art. 173a. The provision of art. 173 paragraph. 1 does not infringe the data subject's right to exercise the rights
resulting from art. 15 of the Regulation 2016/679. ”.
Art. 83. In the Act of February 17, 2005 on computerization of activities of entities performing public tasks
(Journal of Laws of 2019, item 700) the following changes are introduced:
1) after art. 15a, art. 15b as follows:
"Art. 15b. 1. A public entity to protect the legal or factual interest of a natural person, in particular
in particular in connection with the services provided to her, she may use her contact details collected
in a public register or ICT systems. No response from a natural person to an attempt to establish
by a public entity of contact with the use of contact details may not adversely affect its situation
legal or actual.
2. The public entity, when using the contact details of a natural person, informs it of the legal basis on
binding contact. ”;
2) in art. 19f:
a) in sec. 1, point 2 is deleted,
b) in sec. 3, the words "and withdraw consent to the processing of personal data" shall be deleted;
3) in art. 19 g the following paragraph is added: 4 is added:
"4. The agreement referred to in paragraph 1. 1 and 2, be signed with a trusted signature, personal signature or
with a digitized electronic signature. ”;
4) in art. 19h, the following second sentence is added:
"The data is processed for a period of 6 years from the last user activity in the system.".
Art. 84. In the Act of 21 April 2005 on subscription fees (Journal of Laws of 2014, item 1204, of 2015
item 1324, from 2018, item 1717 and of 2019, item 572) in art. 5 the following paragraph is added: 5-7 as follows:
"5. A natural person or entity with a registered radio or television receiver may
end the notification of the discontinuation of use of these devices. The operator is designated within the meaning of the Act of 23 November
2012 - The Postal Law deregisters radio or television sets.
6. After deregistering the receiver, deletion of personal data of persons referred to in sec. 5, followed by
5 years from the end of the calendar year in which the receiver was deregistered, provided
that these persons are not indebted in paying subscription fees and that there are no pending proceedings against them
on arrears in paying subscription fees or enforcement proceedings.
7. In the case of repayment of the debt in subscription fees or completion of pending proceedings,
referred to in sec. 6, after the date of de-registration of the receiver, the deletion of personal data takes place after the expiry of
5 years from the end of the calendar year in which the liability expired. ”.

62) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 69
© Chancellery of the Sejm

Art. 85. In the Act of 29 July 2005 on Counteracting Domestic Violence (Journal of Laws of 2015, item 1390)
in art. 9c:
1) paragraph 1 is replaced by the following:
"1. Members of the interdisciplinary team and working groups to the extent necessary to perform the tasks,
referred to in Art. 9b, process data:
1)

people suspected of being affected by domestic violence and those affected by violence
in the family:
a) name and surname,
b) parents' names,
c) age,
d) address of the place of residence or stay,
e) telephone number or e-mail address or other contact method, if any,
f) information about the state of health,
g) information about addictions,

pp. 69/114

h) information on convictions, decisions on punishment, other decisions issued in court proceedings
administrative or
i) information about the family situation,
j) information about the professional situation and sources of income,
k) information on the housing situation;
other persons staying on the farm with the person suspected of using it

2)

domestic violence, or with a perpetrator of domestic violence:
a) name and surname,
b) a relationship of kinship with a person suspected of using domestic violence, or
with a person abusing domestic violence,
c) age,
d) information on the professional situation and sources of income,
e) in the case of children, details of the school and classes attended by the child;
people suspected of using domestic violence, and people using domestic violence

3)

no:
a) name and surname,
b) age,
c) marital status,
d) address of the place of residence or stay,
e) telephone number or e-mail address or other contact method, if any,
f) a relationship of kinship with a person suspected of being affected by domestic violence
or with a person affected by domestic violence,
g) information about the state of health,
h) information about addictions,
i) information on convictions, decisions on punishment, other decisions issued in court proceedings
administrative or
j) information on the professional situation and sources of income;
persons reporting suspicions of domestic violence and witnesses of violence:

4)

a) name and surname,
b) address of the place of residence,
c) telephone number or e-mail address or other means of contact, if any. ”;

23/04/2019

Page 70
© Chancellery of the Sejm

pp. 70/114

2) the following paragraph shall be added: 4-7 as follows:
"4. Apart from the cases specified in the Act, the documentation generated during the implementation of the tasks referred to in the Act
referred to in Art. 9b, access is granted only to members of the interdisciplinary team and working groups as well as individuals
indicated in sec. 1 points 1 and 3.
5. The persons referred to in sec. 1, point 3, have access to the documentation, with the exception of access to the documentation
containing data on persons affected by domestic violence and persons reporting suspected use of violence
in the family, the disclosure of which could endanger the life, health or safety of people affected by
domestic violence or persons reporting suspicion of domestic violence, in particular due to
connecting access to:
1)

"Blue Card" forms containing data of persons affected by domestic violence;

2)

minutes of meetings of the interdisciplinary team and working groups, unless they relate only to activities
taken against persons suspected of using domestic violence, and
domestic violence;

3) notes and documents produced in the implementation of the tasks referred to in article 1. 9B, unless these documents
they concern only actions taken against persons suspected of using violence
in the family and people using domestic violence;
other documents collected in the implementation of the tasks referred to in art. 9b, the disclosure of which
would endanger the life, health or safety of people affected by domestic violence or
persons reporting suspicion of domestic violence.

4)

6. The administrator of data processed on the basis of the provisions of this article is the help center
providing organizational and technical support for an interdisciplinary team.
7. The security measures used by the data controller to protect personal data consist of at least
less on:
1) allowing for the processing of personal data only persons who have a written authorization to
data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential
nothing. "

2)

Art. 86. In the Act of July 29, 2005 on Trading in Financial Instruments (Journal of Laws of 2018, item 2286,
and 2244) is hereby amended as follows:
1) in art. 3 after point 4w, the following point 4x is added:
"4x) Regulation 2016/679 - this shall mean the Regulation of the European Parliament and of the Council (EU)
2016/679 of 27 April 2016 on the protection of individuals with regard to data processing
data and on the free movement of such data, and repealing Directive 95/46 / EC (general
regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 63) ); ”;
2) after art. 83j, art. 83k is added:
"Art. 83k. Investment firms that are administrators processing personal data within the meaning of art. 4
point 1 of Regulation 2016/679 are not obliged to perform the obligations referred to in art. 15 of
2016/679, to the extent that it is necessary for the proper implementation of counter-measures
money laundering and terrorist financing and crime prevention. ";
3) in art. 149 in point 13, the full stop is replaced by a semicolon and the following point 14 is added:
"14) the President of the Personal Data Protection Office - to the extent necessary to implement the statutory provisions
tasks. "
Art. 87. In the Act of July 13, 2006 on Passport Documents (Journal of Laws of 2018, item 1919),
the following changes:
1) after art. 13, art. 13a is added as follows:
"Art. 13a. 1. Applications for issuing a passport document include:
1) PESEL number;
2) surname;
3) family name and other surnames, if changed;

63) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 71
© Chancellery of the Sejm

pp. 71/114

4)

name names);

5)

parents' names and mother's maiden name;

6)

date and place of birth;

7)

sex;

8)

signature of the person for whom the passport document is to be issued, except for the cases referred to
in art. 18 sec. 2 and 3;

9) name, surname, type, series and numbers of identity documents, signatures of parents or those established by the court
guardians or one of the parents or guardians appointed by the court expressing their consent to the issue
a passport document for a minor and the date of their submission;
10) optional telephone number or e-mail address;
11) instruction on criminal liability for providing false data or concealing data;
12) place, date and signature of the person submitting the application;
13) date and signature of the person collecting the passport document;
14) official endorsements.
2. An application for a passport or a temporary passport to be submitted to the voivode and the minister responsible for
internal affairs, in addition to the data indicated in sec. 1, also includes the correspondence address, date and signature of the person
receiving the canceled passport held so far, and the application for a temporary passport
in the case referred to in Art. 23 sec. 1 point 3, also includes the address of permanent residence.
3. An application for a passport or a temporary passport to be submitted to the consul, in addition to the indicated data
in paragraph 1, also includes the address for correspondence abroad, the date and the signature of the person receiving the canceled, held
so far, a passport document, and an application for a temporary passport in the case referred to above
in art. 23 sec. 1 point 3, also includes the address of permanent residence.
4. Application for a diplomatic passport or a service passport of the Ministry of Foreign Affairs
in addition to the data indicated in sec. 1 also includes:
1) correspondence address;
2) current workplace and position;
obliging the holder of the passport document to return the passport document immediately after

3)

use or in the event of loss of the right to use this document. ”;
2) in art. 46:
a) paragraph 1 is deleted. 2,
(b) the following paragraph is added: 3 and 4 as follows:
"3. The central register processes:
1) the data referred to in Art. 18 sec. 1 points 1-5 and 9 and article. 25;
2) family name;
3) names and surnames of parents;
4) signature of the holder;
5) biometric data in the form of fingerprints;
6) biometric data in the form of an image of the face;
series, number and expiry date of the identity card and the name of the issuing authority;

7)

8) address and date of registration for permanent residence;
9) country of residence;
10) country of the previous place of residence;
11) date of deregistration from the place of permanent residence;
12) address and date of registration for temporary stay;
13) date of deregistration from the place of temporary stay;
14) date of death;
15) data concerning the application for issuing a passport document:
a) application number,
23/04/2019

Page 72
© Chancellery of the Sejm

pp. 72/114

b) the name of the authority executing the request,
(c) the status of the application and the date on which it was updated;
16) passport document data:
a) the data referred to in art. 18 sec. 1 points 7, 8 and 10,
b) the status of the passport document and the date of its update,
c) data concerning the application referred to in Art. 17 sec. 1, art. 38 sec. 1 point 1 and sec. 3:
- data on the identity of the requested person,
- data on the authority that submitted the application,
- reference number and legal basis of the application,
- date of receipt of the application,
- date of withdrawal of the application by the authorized body,
d) information on the application and revocation or amendment by an authorized body of a preventive measure
what in the form of a ban on leaving the country combined with the retention of a passport document or
on temporary detention of a passport document by an authorized body:
- data on the identity of the person against whom the preventive or temporary measure has been applied owl withholding a passport document,
- data on the authority that applied the preventive measure or notified the provisional measure
withholding a passport document,
- date of receipt and reference number of the case file,
- date of issue and details of the authority that revoked or amended the preventive measure,
e) information about the decision issued pursuant to Art. 39 sec. 1:
- date and reason for the decision,
- name of the authority issuing the decision,
- file reference number;
17) data on passport booklets of temporary passports and personalization stickers for
temporary passports lost before being personalized or defective in the process of
knitting:
a) series and number of the passport book of the temporary passport,
b) series and number of the personalization sticker for the temporary passport,
c) date and reason for the loss of the passport book of the temporary passport or personalization sticker
to a temporary passport,
d) the date and reason for the missing passport book of a temporary passport or a personal sticker
application for a temporary passport;
18) data on passport documents lost before collection by a Polish citizen:
a) series and number of the passport document,
b) date and reason for the loss of the passport document;
19) data on passport booklets missing in the preparation process:
a) series and number of the passport booklet,
b) date and reason for missing the passport book at the time of drawing up;
20) data on lost non-personalized passport booklets:
a) series and number of the passport booklet,
b) the date and reason for the loss of the passport book.
4. Data for the central register are transferred:
1) from the records of issued and canceled passport documents, hereinafter referred to as "passport records port ", in terms of the data referred to in paragraph 3 points 1-18;
directly by the minister responsible for internal affairs, in the scope of the data referred to

2)

in paragraph 3 points 19 and 20. ";

23/04/2019

Page 73
© Chancellery of the Sejm

pp. 73/114

3) in art. 47:
a) sec. 1 is replaced by the following:
"1. Passport authorities keep, within the scope of their tasks, passport records. ",
(b) paragraph 3 is deleted. 2,
(c) the following paragraph is added: 3 is added:
"3. The data referred to in art. 46 sec. 3 points 1-19, and
correspondence address. ”;
4) after art. 47, art. 47a and art. 47b is added:
"Art. 47a. 1. The data processed in the central and passport records are not removed from the
except for the data referred to in art. 46 sec. 3 point 5.
2. Biometric data in the form of fingerprints shall be kept in the central register and
until the passport authority enters into the passport register the confirmation of
passport document.
3. If the passport authority issues a decision to refuse to issue a passport document, the data
biometric fingerprints are stored in the central register and passport records to
the time the authority enters into the passport register the information on the refusal to issue a passport document
for the reasons referred to in Art. 17 sec. 1, and the file number of the case for the issue of a passport.
Art. 47b. 1. The passport authority accepting the application for a passport document shall be made ex officio
check data in passport records, in the central register and in the PESEL register, in question
in the Act of 24 September 2010 on population records (Journal of Laws of 2018, items 1382 and 1544 and of 2019, item 60)
and 730), compares the data contained therein with the data contained in the application for issuing a passport document
and in the submitted documentation.
2. In the case of non-compliance of the data referred to in Art. 18 sec. 1 points 1-5 and 9 and
in art. 46 sec. 3 points 2, 3 and 7-14, in the records and register referred to in para. 1, with the data contained in the application
for issuing a passport document and the submitted documentation, the authority that found the non-compliance,
measures to remove non-compliance, in accordance with Art. 11 sec. 2 of the Act of September 24, 2010 on records
population.
3. In the absence of direct access to the PESEL register, the non-compliance referred to in para. 2, conSula shall immediately notify the minister responsible for computerization. ”;
5) Art. 48;
6) in art. 49:
a) sec. 1 is replaced by the following:
"1. Central records and passport records are kept in the ICT system in which
a set of data about the person and all passport documents prepared for that person is kept. ",
b) sec. 3 is replaced by the following:
"3. Passport authorities provide, in electronic form, via passport records
to the central register, data from passport records immediately after considering the application for issuing a document
passport or a decision refusing or invalidating a passport has been issued. ';
7) after art. 49, art. 49a-49c as follows:
"Art. 49a. 1. The maintenance and development of central records in order to perform the tasks specified in the Act are ensured
minister responsible for computerization, including:
1)

provides protection against unauthorized access to the central records;

2)

ensures data integrity in the central records;

3)

ensures the availability of the ICT system in which the central records are kept, for
persons processing data in these records;

4)

counteracts damage to the ICT system in which the central records are kept;

5)

defines the rules for the security of processed data, including personal data;

6)

defines the rules for reporting personal data breaches;

7)

ensures accountability of actions performed on the data of the central register;

8)

ensures the correctness of data processed in the central register.
23/04/2019

Page 74
© Chancellery of the Sejm

pp. 74/114

2. The minister responsible for computerization shall perform the duties referred to in Art. 15 of the Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals
in connection with the processing of personal data and on the free movement of such data, and repeal
Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended)
d. 64) ), hereinafter referred to as "Regulation 2016/679".
Art. 49b. 1. The maintenance and development of the ICT system, by means of which passport authorities conduct
passport records, in order to perform the tasks specified in the Act, are provided by the minister responsible for matters
internal, including:
1)

provides protection against unauthorized access to passport records;

2)

ensures data integrity in passport records;

3)

ensures the availability of the ICT system in which passport records are kept, for
litters processing data in these records;

4)

counteracts damage to the ICT system in which passport records are kept;

5)

defines the rules for the security of processed data, including personal data;

6)

defines the rules for reporting personal data breaches;

7)

ensures accountability of actions performed on the data of passport records.

2. The minister competent for internal affairs ensures the functioning of a separate network enabling connection
electronic communication between central records and passport records.
3. The minister responsible for foreign affairs ensures the operation of a separate network enabling connection
electronic communication between the central records and passport records kept by consuls.
4. Passport authorities shall perform the duties referred to in Art. 15 of Regulation 2016/679.
Art. 49c. Minister responsible for internal affairs, minister responsible for computerization, minister responsible for
competent for foreign affairs, the consul and the voivode have access to the central records. ”;
8) art. 50–52;
9) in art. 53, the following paragraph is added: 3 is added:
"3. The documentation referred to in paragraph 1. 1, shall be stored on the principles and in the manner specified in the regulations
issued on the basis of art. 6 sec. 2 and 2b of the Act of July 14, 1983 on the national archival resource and archives
(Journal of Laws of 2019, items 553 and 730). ”;
10) after chapter 6, chapter 6a is added as follows:
"Chapter 6a
Data sharing
Art. 54a. The minister responsible for computerization provides the data collected in the central register,
excluding biometric data in the form of fingerprints:
1) the police,
2)

Border Guard,

3)

The Internal Oversight Office,

4) the Internal Security Agency,
5) the Foreign Intelligence Agency,
6) Central Anti-Corruption Bureau,
the minister competent for public finance,

7)

8) a public prosecutor,
courts,

9)

10) the Prison Service,
11) the Military Counterintelligence Service,
12) the Military Intelligence Service,
64) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 75
© Chancellery of the Sejm

pp. 75/114

13) Military Police,
14) the Head of the National Criminal Information Center,
15) State Protection Service
- to the extent necessary to perform their statutory tasks.
Art. 54b. 1. Data from the central register shall be made available in the following manner:
full data teletransmission;

1)

2) individual.
2. Data from the central register shall be made available free of charge.
Art. 54c. 1. The minister competent for computerization may give consent, by way of an administrative decision,
to make the data collected in the central register available to the entities referred to in art. 54a, using
devices for data teletransmission, after submitting a one-time, simplified application, if they meet the following
conditions:
1)

have devices that allow the system to record who, when, for what purpose and what data;

2)

have technical and organizational safeguards that prevent the use of data inconsistently with the purpose
I am going to obtain them;
it is justified by the specificity or scope of statutory tasks.

3)

2. The minister responsible for computerization, by way of an administrative decision, refuses to disclose it
data in the full data teletransmission mode, if the authorized entities do not meet the requirements specified
in paragraph 1.
Art. 54d. In a unitary procedure, the minister responsible for computerization provides access to the central records
data on the document or its holder, excluding biometric data in the form of fingerprints,
at a one-time request of the entities referred to in art. 54a, submitted in writing or in the form of a document
electronic using means of electronic communication.
Art. 54e. 1. Passport authorities shall make the documentation referred to in Art. 53 sec. 1, located in their
possession.
2. The passport documentation referred to in Art. 53 sec. 1, shall be made available upon a reasoned request submitted
by the person to whom this documentation relates or by the entity referred to in art. 54a, if obtaining data
by this entity is justified by the scope of performed tasks specified in specific acts.
3. Passport documentation is made available free of charge.
Art. 54f. 1. Passport authorities at the request of the data subject, submitted in writing or in a form
an electronic document using electronic means of communication, issue a certificate containing
containing a full copy of the data concerning that person processed in the passport records kept by them
with the exception of biometric data in the form of fingerprints.
2. The certificate shall be drawn up, depending on the applicant's request, in writing or in writing
an electronic document that is transferred using electronic means of communication. Behindservices issued in the form of an electronic document bear a qualified electronic signature,
with a trusted signature or a personal signature.
3. The certificate may take the form of a printout from the ICT system.
Art. 54g. 1. The passport authority provides data on the document or its possession from the passport register.
the dacha, with the exception of biometric data in the form of fingerprints, at the one-time request of the entity for which
rhyme in art. 54a, submitted in writing or in the form of an electronic document using the means
electronic communication.
2. In the mode referred to in sec. 1, the data is made available free of charge.
Art. 54h. The minister responsible for computerization in consultation with the minister responsible for matters
internal entities will determine, by way of a regulation, a template of an application for:
1)

providing data from passport and central records on a unitary basis,

2)

sharing data from the central register in the mode of full data teletransmission,

3)

providing the documentation referred to in art. 53 sec. 1

- taking into account the need to ensure the efficiency and security of sharing data and documentation about which
referred to in Art. 53 sec. 1. "
23/04/2019

Page 76
© Chancellery of the Sejm

pp. 76/114

Art. 88. In the Act of July 21, 2006 on Financial Market Supervision (Journal of Laws of 2019, items 298 and 326),
art. 4, Art. 4a is added as follows:
"Art. 4a. 1. To achieve the goal referred to in Art. 2, the Commission processes personal data, including data about which
as referred to in Art. 9 sec. 1 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
on the protection of individuals with regard to the processing of personal data and on the free transfer
the flow of such data and the repeal of Directive 95/46 / EC (General Data Protection Regulation) (Journal of
UE L 119 of 04/05/2016, p. 1, as amended d. 65) ), in the field of health data.
2. The personal data referred to in sec. 1 may be processed only by persons with written authorizations
no no. Persons having a written authorization are obliged to keep these data secret on the basis of
roof, referred to in article 1. 16 sec. 1.
3. The personal data referred to in sec. 1, the Commission processes for a period of 25 years.
4. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament and of the Council
(EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to data processing
data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation
Act on data protection), does not affect the course and result of proceedings, other supervisory activities, and
exercising the rights referred to in art. 6, the possibility of submitting a notification of suspicion of committing
the offenses and the performance of the obligations referred to in Art. 6b.
5. The Commission is the controller of personal data processed by the arbitration court in question
in art. 18 sec. 1, and by the examination boards referred to in the Act of 15 December 2017 on distribution
insurance, the Act of July 29, 2005 on Trading in Financial Instruments, the Act on Insurance Activity
and reinsurance and the Act of 23 March 2017 on mortgage loans and supervision over intermediaries
mortgage and agents. ”.
Art. 89. In the Act of August 25, 2006 on biocomponents and liquid biofuels (Journal of Laws of 2018, item 1344,
1356 and 1629) in art. 15 sec. 3 is replaced by the following:
"3. The register of farmers is open to the public, with the exception of those referred to in Art. 14 sec. 3 paragraph 1, the address of the place of residence
the farmer and the addresses of the group members. "
Art. 90. In the Act of 8 September 2006 on the State Emergency Medical Services (Journal of Laws of 2017, item 2195,
with later d. 66) ) is hereby amended as follows:
1) in art. 24b paragraph. 1 and 2 are replaced by the following:
"1. The dispatcher of air medical rescue teams being a unit supervised by the minister in charge
responsible for health matters is administered by SWD PRM, which enables the safe processing of data, including
trolley of users' access to data, and documents changes made by them, enabling in particular
re-creation of the history of each alarm notification and event notification.
2. The minister competent for health matters, voivodes, the administrator of air medical rescue teams
being a unit supervised by the minister responsible for health and disposers of emergency medical teams
they process the data registered in SWD PRM, including call recordings, personal data of the reporting person,
data of other persons indicated at the time of accepting the application, geographic positions, contact details or description
events, and make them available at the request of the court, the prosecutor's office, the Police, the Patients' Ombudsman or the National Fund
Health. ”;
2) art. 24c is replaced by the following:
"Art. 24c. 1. Minister competent for health matters, voivodes, administrator of air rescue teams
medical department being a unit supervised by the minister competent for health and disposers of medical
of the medical industry are joint controllers of data in SWD PRM and other data obtained in connection with the relationship
with the reception and handling of alarm notifications and event notifications using SWD PRM.
2. The minister competent for health matters:
1) issues and withdraws authorizations to process personal data in SWD PRM for office employees
serving the minister responsible for health and national and provincial consultants about whom
referred to in the Act of November 6, 2008 on consultants in health care (Journal of Laws of 2017, item 890 and
of 2018, item 1669), to the extent referred to in point 2;

65) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
66) Amendments to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2018, item 650, 1115, 1544, 1629 and 1669 and from 2019.
item 15, 60, 235 and 399.
23/04/2019

Page 77
© Chancellery of the Sejm

pp. 77/114

determines the scope of data that may be made available to the national and voivodeship consultants referred to

2)

in the Act of 6 November 2008 on consultants in health care, and the entities referred to
in art. 39;
defines the powers in SWD PRM;

3)

4) processes the data in SWD PRM necessary to perform the tasks referred to in art. 19 paragraph 1 and art. 24a paragraph. 1;
performs the obligations arising from art. 19 and art. 34 of the Regulation of the European Parliament and of the Council (EU)

5)

2016/679 of 27 April 2016 on the protection of individuals with regard to data processing
data and on the free movement of such data, and repealing Directive 95/46 / EC (general
Data Protection Regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 67) ), hereinafter referred to as "Regulation
governing 2016/679 ”.
3. Voivodes:
1)

issue and revoke authorizations to process personal data at SWD PRM for employees of the government office
jewódzki;

2)

grant and withdraw powers in SWD PRM;

3)

process the data in SWD PRM necessary to perform the tasks referred to in art. 19 paragraph 2;

4)

fulfill their obligations under Art. 15 and art. 16 of Regulation 2016/679 to the extent introduced by
their data to SWD PRM;
fulfill their obligations under Art. 19 and art. 34 of the Regulation 2016/679.

5)

4. The dispatcher of air medical rescue teams being a unit supervised by the minister responsible
health issues:
1) processes in SWD PRM the data necessary to perform the tasks referred to in art. 27a paragraph. 2 and art. 48;
2) processes data in order to ensure the maintenance, expansion, modification and technical service of SWD PRM;
3) issues and withdraws authorizations to process personal data in the scope covering the resulting tasks
from the administration of SWD PRM;
4) grants and withdraws powers in SWD PRM as part of the implementation of the entrusted tasks;
5)

may entrust the processing of data processed in SWD PRM to entities specialized in providing
providing technical support for ICT systems, to the extent necessary for the proper implementation of
dishes related to the maintenance and operation, expansion and modification of SWD PRM;

6)

performs the obligations arising from art. 15 and art. 16 of Regulation 2016/679 to the extent introduced by
data to SWD PRM;
performs the obligations arising from art. 19 and art. 34 of the Regulation 2016/679.

7)

5. Dispatchers of medical rescue teams:
1)

issue and revoke authorizations to process personal data at SWD PRM for employees;

2)

grant and withdraw powers in SWD PRM;

3)

they process data in SWD PRM for the purpose and scope necessary for the proper performance of the resulting tasks
from the provisions of the act;
fulfill their obligations under Art. 15 and art. 16 of Regulation 2016/679 to the extent introduced by

4)

their data to SWD PRM;
fulfill their obligations under Art. 19 and art. 34 of the Regulation 2016/679.

5)

6. The personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization;

1)

2) a written commitment of persons authorized to process personal data to keep them confidential
natures.
7. The entities referred to in par. 2-5, undertake activities aimed at:
ensuring protection against unauthorized access to SWD PRM;

1)

2) ensuring data integrity in SWD PRM;
3)

ensuring the availability of SWD PRM for entities processing data in this system;

4)

preventing damage to SWD PRM;

67) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 78
© Chancellery of the Sejm

5)

defining the security rules for the processed data, including personal data;

6)

defining the rules for reporting personal data breaches;

7)

ensuring accountability in SWD PRM;

8)

ensuring the correctness of data processed in SWD PRM.

pp. 78/114

8. Entities specialized in the provision of technical maintenance of ICT systems, which
they believed the processing of personal data in SWD PRM, they cannot entrust the processing of data to other entities
tom or share data with entities other than those authorized under the law.
9. In the event of the necessity to disclose personal data to entities authorized under the
legal regulations, an entity specialized in providing technical support for ICT systems
who made the data available, informs the SWD PRM administrator about this fact, no later than within 3 days from
the day when this fact occurred.
10. In the event of circumstances resulting in the cessation of processing of processed data
at SWD PRM by entities specialized in providing technical maintenance of ICT systems,
these entities are obliged, within 3 days from the date of the occurrence of circumstances resulting in the cessation of processing
data, to transfer the processed data to the SWD PRM administrator.
11. The entities referred to in par. 2-5, fulfill the obligation referred to in article 1. 13 sec. 1 and 2 of the Regulations
2016/679, in connection with the processing of personal data in SWD PRM, by providing information in the Office
years of Public Information on its website or on its website.
12. The person making the request pursuant to Art. 15 of the Regulation 2016/679 is obliged to provide
information about the circumstances of the incident to which the request relates, including the date and place of the incident and the telephone number
the phone from which the call related to the notification of the event was made.
13. The entities referred to in par. 2-5, provide information on the limitations referred to in paragraph 1. 12,
in the Public Information Bulletin on its website or on its website.
14. The entities referred to in par. 2-5, keep records of persons authorized to process data,
to whom they have issued authorizations to process personal data in SWD PRM. ”;
3) in art. 24e:
a) sec. 2 and 3 are replaced by the following:
"2. Minister competent for health matters, voivodes, administrator of aviation rescue teams
medical facility being a unit supervised by the minister competent for health and disposers
medical rescue teams using SWD PRM process and share data:
1)

regarding recipients within the meaning of Art. 2 point 16 of the Act of April 28, 2011 on the information system
tions in health care, to the extent specified in Art. 4 sec. 3 of this act;

2)

covering personal data of persons performing the tasks of voivodeship rescue coordinators
medical;

3) including personal data of persons performing the tasks of a medical dispatcher;
4)

covering personal data of persons performing the tasks of members of emergency medical teams;

5)

covering personal data of persons performing only the tasks of drivers referred to in art. 36
paragraph 3;

6)

covering personal data of persons performing, on the basis of data from SWD PRM, tasks consisting in:
management, control, preparation of statistical reports and analyzes;

7)

covering personal data of persons reporting to the emergency number, their telephone numbers and
the degree of kinship with the person in a state of emergency, if applicable;

8)

enabling the exchange of electronic documents between service providers and service providers and payment
within the meaning of Art. 2 point 9 lit. a and point 15 of the Act of April 28, 2011 on the information system
in health care.
3. The data referred to in sec. 2 points 1-5, 7 and 8, are made available:

1) the National Health Fund;
2)

the unit subordinate to the minister competent for health, competent in the field of information systems
health protection;

3) national and voivodeship consultants referred to in the Act of 6 November 2008 on consultants
tach in health care, to the extent referred to in art. 24c of paragraph 1. 2 point 2;
4) entities referred to in art. 39, to the extent specified in Art. 24c of paragraph 1. 2 point 2. ",
23/04/2019

Page 79
© Chancellery of the Sejm

pp. 79/114

(b) paragraph 3 is deleted. 4.
Art. 91. In the Act of January 12, 2007 on Special Purpose Road Companies (Journal of Laws of 2017,
item 2093 and of 2018, item 12 and 1693) is hereby amended as follows:
1) after art. 5, art. 5a is added as follows:
"Art. 5a. In the event that the company performs the obligation of the road administrator, as referred to in Art. 20 point 12 of the Act
of March 21, 1985 on public roads, provision of art. 20h of this Act shall apply accordingly. ”;
2) in art. 7a the following paragraph shall be added: 4 is added:
"4. The special purpose road vehicle becomes the administrator of personal data whose administration
the strator was the General Director for National Roads and Motorways, in connection with administrative decisions and decisions
the warranties referred to in sec. 1, as well as the matters referred to in para. 2, as well as contracts and agreements,
referred to in sec. 3. "
Art. 92. In the Act of April 26, 2007 on crisis management (Journal of Laws of 2018, items 1401 and 1560) after
art. 6c, art. 6d as follows:
"Art. 6d. 1. In the case of an employee employed in a position that allows access to information about
security of the critical infrastructure facility and the person applying for this position, the operator of
critical structure requires the employee and that person to submit information on criminal records, including information
whether their personal data is collected in the National Criminal Register.
2. The critical infrastructure operator requests the employee's biometric data in the form of fingerprints,
voice, corneal image, or finger vein network, if such information is required for access control purposes
to information on the safety of the critical infrastructure facility and rooms.
3. The critical infrastructure operator stores the information and data referred to in par. 1 and 2, only
for the period of employment of the employee to whom these data relate. ”.
Art. 93. In the Act of June 15, 2007 on the license of a restructuring advisor (Journal of Laws of 2016, item 883 and
of 2019, item 55) after art. 20, Art. 20a is added as follows:
"Art. 20a. The period of storage of personal data collected by the restructuring advisor at
exercising the rights and obligations under the restructuring advisor's license is 5 years from the end
the procedure in which the data was collected. After this period, the personal data will be deleted,
unless their further storage is necessary to protect rights or pursue claims. ”.
Art. 94. In the Act of September 7, 2007 on Assistance to Persons Entitled to Alimony (Journal of Laws of 2019, item 670)
the following changes are introduced:
1) in art. 15:
a) in sec. 8b in the first sentence, the words "may be processed" are replaced with the words "are processed",
b) in sec. 8cb in the first sentence the words "may process" are replaced with the words "processes";
2) in art. 22 in paragraph. 1 the words "may collect and process" are replaced by the words "process";
3) after art. 22, art. 22a is added as follows:
"Art. 22a. 1. Personal data referred to in Art. 22 sec. 1, are subject to safeguards preventing overuse or unlawful access or transfer consisting, at least in:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential
nesses. "

2)

Art. 95. In the Act of 17 October 2008 on the change of name and surname (Journal of Laws of 2016, item 10) after
art. 11 the following Art. 11a is added as follows:
"Art. 11a. Administrative proceedings to change the name and surname are conducted using
the data contained in the register of marital status referred to in art. 2 clause 2 of the Act of November 28, 2014.
- Law on civil status records (Journal of Laws of 2018, item 2224 and of 2019, item 730), and in the PESEL register, for which
rhyme in art. 6 sec. 1 of the Act of 24 September 2010 on population records (Journal of Laws of 2018, items 1382 and 1544
and of 2019, item 60 and 730), to the extent necessary to issue a decision in the case. ”.

23/04/2019

Page 80
© Chancellery of the Sejm

pp. 80/114

Art. 96. In the Act of November 6, 2008 on the rights of patients and the Patient's Rights Ombudsman (Journal of Laws of 2017,
item 1318, as amended d. 68) ) is hereby amended as follows:
1) in art. 24:
a) paragraph 1 is deleted. 4,
b) sec. 5 and 6 are replaced by the following:
"5. If the entity providing health services has concluded an agreement on entrusting data processing
personal data referred to in art. 28 sec. 3 of Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46 / EC (General
on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended. 69) ), hereinafter referred to as "Regulation
2016/679 ", the implementation of this contract may not interfere with the provision of health services,
in particular as regards ensuring, without undue delay, access to the data contained in the documentation
medical.
6. The entity entrusted with the processing of personal data in connection with the implementation of the contract for
the processing of personal data referred to in art. 28 sec. 3 of Regulation 2016/679, is applicable
to keep confidential information related to the patient obtained in connection with the implementation of this
the contract. This subject is bound by the mystery also after the patient's death. ”;
2) in art. In paragraph 26. 3, point 2 is replaced by the following:
"2) public authorities, including the Patient's Rights Ombudsman, the National Health Fund, and organs
the self-government of medical professions and consultants in health care, as well as the Ombudsman for Patients' Rights
Of the Psychiatric Hospital, to the extent necessary for these entities to perform their tasks, in particular
supervision and control; ';
3) in art. 28 sec. 2a is replaced by the following:
"2a. The fees referred to in paragraph 1. 1, shall not be collected in the case of making the medical documentation available:
1) the patient or his legal representative for the first time in the requested scope and in the manner provided for
referred to in Art. 27 sec. 1 points 2 and 5 and sec. 3;
in connection with the proceedings before the provincial commission for adjudication of medical events, about which

2)

referred to in Art. 67e paragraph. 1. ";
4) in art. 30a:
a) paragraph 1 is deleted. 10,
b) sec. 11 is replaced by the following:
"11. Persons who, in connection with the implementation of the contract for entrusting the processing of personal data, about which
referred to in Art. 28 sec. 3 of Regulation 2016/679, gained access to information related to the patient, are
tied to keeping them secret, also after the patient's death. ”;
5) in art. 47:
a) in sec. 1 after point 3, point 3a shall be added in the following wording:
"3a) protection of the rights of patients using health services provided by a psychiatric hospital
tic referred to in Art. 3 point 2 of the Act of August 19, 1994 on the protection of mental health

(Journal of Laws of 2018, item 1878 and of 2019, item 730); ",
b) after sec. 1 the following paragraph shall be added: 1a is added as follows:
"1a. The task referred to in paragraph 1. 1 point 3a, the Ombudsman implements, in particular, with the help of Ombudsmen
Rights of a Patient of a Psychiatric Hospital, the tasks and scope of which are specified in the Act of August 19
1994 on the protection of mental health. ”;
6) after art. 47, art. 47a is added:
"Art. 47a. 1. The Ombudsman may process any information, including personal data, necessary to fulfill his / her
their statutory tasks.

68) Amendments

to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2017, item 1524, 2018, item 1115, 1515, 2219

and 2429 and of 2019, item 150 and 447.
to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.

69) The amendment

23/04/2019

Page 81
© Chancellery of the Sejm

pp. 81/114

2. The Ombudsman processes personal data referred to in art. 9 sec. 1 of Regulation 2016/679, only
in order to protect patients' rights in the performance of the tasks referred to in art. 47 paragraph. 1 points 1-3a and 7-10.
3. The administrator of the data referred to in sec. 1 and 2, is the Ombudsman.
4. Personal data are subject to safeguards preventing abuse or unlawful access
entrusting or transferring at least in the following ways:
allowing the data controller to process personal data only of persons in writing to

1)

the authorized persons;
a written undertaking by persons authorized to process personal data to keep them in the

2)

mysteries;
3) regular testing and improvement of the applied technical and organizational measures. ”.
Art. 97. In the Act of 21 November 2008 on the Civil Service (Journal of Laws of 2018, item 1559), in Art. 15 sec. 5 received
reads:
"5. The Head of the Civil Service processes personal data of members of the Civil Service Corps and collects, uses
and processes other information in order to fulfill its statutory tasks. ”.
Art. 98. In the Act of 23 January 2009 on the National School of Judiciary and Public Prosecution (Journal of Laws of 2018,
item 624, 1045, 1443 and 1669) art. 56 is replaced by the following:
"Art. 56. 1. The National School is the administrator of personal data of applicants, candidates for applicants,
lecturers and candidates for lecturers of the National School and persons covered by training or improvement
vocational training conducted by the National School, persons taking examinations conducted at the
the act of law and members of committees and teams appointed under the act, as well as personal data
included in the files made available to the National School for didactic purposes, to the extent necessary for implementation
the tasks of the National School.
2. The Minister of Justice is the administrator of personal data processed for the purpose of its implementation
tasks, duties or powers under the Act. ”.
Art. 99. In the Act of April 2, 2009 on Polish citizenship (Journal of Laws of 2018, item 1829), the
the following changes:
1) in art. 21 the following paragraph is added: 6 and 7 as follows:
"6. The President of the Republic of Poland, upon receipt of the application, may address the competent authorities,
organizations or institutions for information that may be of significant importance in the case of granting citizenship
Polish state.
7. The authorities, organizations or institutions referred to in para. 6, are required to provide written information
within 30 days from the date of receipt of the inquiry. In particularly justified cases, this period may be exceeded
extended for up to 3 months, about which the authority, organization or institution obliged to provide information notifies
The President of the Republic of Poland. ”;
2) in art. 49, the following paragraph is added: 6 and 7 as follows:
"6. The President of the Republic of Poland, upon receipt of the application, may address the competent authorities,
organization or institution to provide information that may be relevant in the waiver case
Polish citizenship.
7. The authorities, organizations or institutions referred to in para. 6, are required to provide written information
within 30 days from the date of receipt of the inquiry. In particularly justified cases, this period may be exceeded
extended for up to 3 months, about which the authority, organization or institution obliged to provide information notifies
The President of the Republic of Poland. ”;
3) in art. 59 sec. 2 is replaced by the following:
"2. The minister competent for internal affairs is the administrator of data processed in the register of central
nym. "

23/04/2019

Page 82
© Chancellery of the Sejm

pp. 82/114

Art. 100. In the Act of May 7, 2009 on compensating the families of victims of collective liberties
in the years 1956–1989 (Journal of Laws item 741, of 2011, item 622 and of 2014, item 496) in Art. 4 in sec. 2:
1) point 1 is replaced by the following:
"1) name or names and surname of the applicant, date and place of birth, parents' names, PESEL number,
phone number or e-mail address and address of the place of residence or correspondence address and
a trunk of kinship or affinity linking him with the deceased victim of a collective liberation event; ”;
2) after point 1, point 1a is added as follows:
"1a) the first name or names and surname of the person referred to in art. 1 clause 1, family name, date and place of birth,
parents' names, PESEL number, if given, and date of death; ”;
3) point 4 is replaced by the following:
"4) an indication of the form of payment of the cash benefit along with information about the name of the bank and the bank account number
applicant if this form of payment is chosen; '.
Art. 101. In the Act of June 25, 2009 on organic farming (Journal of Laws of 2017, item 1054 and of 2018
item 1616 and 1633) in art. 17:
1) in sec. 1 point 1 shall be replaced by the following:
"1) the Chief Inspector and the President of the Agency for Restructuring and Modernization of Agriculture, through the agency of
electronic means of communication in the form of an electronic document bearing a qualified signed
electronic semester, by November 30 of each year, a list of producers referred to in the Act of
December 18, 2003 on the national system of producer records, farm records and records
applications for granting payments (Journal of Laws of 2017, item 1853) who have met certain requirements concerning
organic production in accordance with the regulations on organic farming, as of 15 March
the stop of this year; ";
2) paragraph 1a is replaced by the following:
"1a. If, as a result of an inspection carried out by the certification body, it is found necessary
supplement or change the data contained in the list referred to in paragraph 1 point 1, the certification body supplements
nations or amends the list, as of December 31 of this year, and submits it to the Chief Inspector and
The President of the Agency for Restructuring and Modernization of Agriculture in the manner and in the form specified in paragraph 1 point 1, on time
not until 14 January of the year following the year in which this list was submitted. ”.
Art. 102. In the Act of 17 July 2009 on the system of managing the emissions of greenhouse gases and other substances
(Journal of Laws of 2018, items 1271, 1669 and 2538 and of 2019, item 412) in art. 6:
1) in sec. 2, point 1 is replaced by the following:
"1) entities using the environment, persons authorized to represent these entities, and
persons who are users of the National Database:
a) name and surname,
b) the name of the entity and its legal form,
c) address of the place of residence,
d) registered office address,
e) e-mail address, website address, mobile phone number, telephone number
civil,
f) PESEL number, and in the absence of a PESEL number - series and number of the document confirming the identity
dear,
g) identification number in the national official register of national economy entities (REGON),
tax identification mayor (NIP) and the number in the National Court Register (KRS); ”;
2) the following paragraph shall be added: 5 is added:
"5. Personal data processed as part of the National System are subject to safeguards preventing overuse or unlawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential
nesses. "

2)

23/04/2019

Page 83
© Chancellery of the Sejm

pp. 83/114

Art. 103. In the Act of 5 November 2009 on cooperative savings and credit unions (Journal of Laws
of 2018, item 2386 and 2243 and of 2019, item 326) is hereby amended as follows:
1) after art. 16a, art. 16b as follows:
"Art. 16b. The provisions of Art. 106d and art. 106e of the Act of August 29
1997 - Banking Law. ”;
2) in art. 18 the following paragraph is added: 6 is added:
"6. The provisions of Art. 22aa paragraph. 1
and 10-12 of the Act of August 29, 1997 - Banking Law. ”;
3) in art. 51 after paragraph 1 the following paragraph shall be added: 1a is added as follows:
"1a. Members of the credit union management board should have knowledge, skills and experience appropriate to their duties
their functions and the duties entrusted to them, and guarantee the proper performance of these duties.
The warranty referred to in the preceding sentence applies in particular to reputation, honesty and reliability.
the person concerned and the ability to handle the affairs of the cash register in a careful and stable manner. To evaluate the warranty of cautious
and stable management of the cash register, the provisions of Art. 22aa paragraph. 10-12 of the Act of August 29, 1997 Banking law.".
Art. 104. In the Act of March 4, 2010 on spatial information infrastructure (Journal of Laws of 2018, item 1472)
in art. 10 sec. 1 is replaced by the following:
"1. Integrating spatial data sets and services belonging to third parties into the infrastructure may be
drink at their request, with the consent of the lead competent authority or on the initiative of the lead authority with the consent of third parties,
if it is compatible with the public interest and the spatial data sets and services to be incorporated are compatible with the general
non-binding legal regulations and comply with the technical standards in force. ”.
Art. 105. In the Act of April 9, 2010 on Disclosure of Economic Information and Exchange of Economic Data
darczych (Journal of Laws of 2019, item 681), the following changes are introduced:
1) in art. 2 in sec. 2 in point 7, the full stop is replaced by a semicolon and the following point 8 is added:
"8) Regulation 2016/679 - it shall mean the Regulation of the European Parliament and of the Council (EU)
2016/679 of 27 April 2016 on the protection of individuals with regard to data processing
data and on the free movement of such data, and repealing Directive 95/46 / EC (general
regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 70) ). ”;
2) art. 3 is replaced by the following:
"Art. 3. 1. For the processing of personal data about the debtor by the economic information bureau in relation
with the provision of economic information:
1) the provision of art. 19 of Regulation 2016/679 is applied in such a way that the economic information bureau informs
on rectification or deletion or limitation of the processing of personal data to the extent specified
in art. 2 clause 1 point 2 lit. a and c, point 3 lit. a, bid and point 4 lit. b-fih-j recipient to whom personal data has been disclosed,
if 90 days have not elapsed from the date of their receipt by the recipient;
the provision of Art. 21 sec. 1 of Regulation 2016/679.

2)

2. Exercise of the debtor's right to demand that the processing of personal data be restricted in the event of
referred to in art. 18 sec. 1 lit. a and b of the Regulation 2016/679, in the manner specified in art. 21a paragraph. 1. ObjectThe obligations of the economic information bureau in terms of limiting the processing of personal data are set out in Art. 21a
paragraph 3.
3. For the processing of personal data by creditors in connection with the transfer to the economic information bureau
providing economic information about the debtor who is a natural person, the provision of art. 21 sec. 1 of
2016/679.
4. The limitations referred to in par. 1, the economic information bureau informs the data subject
concern, at the latest at the first action addressed to that person.
5. The restriction referred to in para. 3, the creditor informs the debtor about which in the request for payment
referred to in Art. 14 sec. 1 point 3 or article. 15 sec. 1 point 3 or sec. 1a.
6. The data controller provides appropriate measures to protect the interest or fundamental rights and will
the data subject. ”;

70) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 84
© Chancellery of the Sejm

pp. 84/114

3) after art. 22a, art. 22b is worded as follows:
"Art. 22b. 1. Everyone has the right to access economic information stored by
office, provided in accordance with art. 14–18.
2. Natural persons have the right to access their personal data stored by the office
the rules set out in Regulation 2016/679. The amount of fees that the office may charge in accordance with the ordinance
2016/679, is specified in the price list adopted by the management board of the office.
3. Access to data in the scope referred to in par. 2, it is free of charge for consumer debtors,
if it occurs no more than once every 6 months.
4. In the case of entities other than natural persons, access to the data referred to in para. 1, underis charged in accordance with the price list in force in the office, which may not be higher than 0.5% of the minimum rent
remuneration for work determined on the basis of the provisions of the Act of 10 October 2002 on the minimum remuneration
for work (Journal of Laws of 2018, item 2177). ”;
4) in art. 23:
a) paragraph 1 is deleted. 1,
b) sec. 5 is replaced by the following:
"5. A public administration body may not require presenting, forwarding or attaching to the application
the document or printout referred to in paragraph 2. The provision shall apply accordingly to disclosed information
based on Article. 22b paragraph. 1 and 2. "
Art. 106. In the Act of August 6, 2010 on identity cards (Journal of Laws of 2019, item 653),
the following changes:
1) art. 55 is replaced by the following:
"Art. 55. 1. The Register of Personal Identity Cards is a central register kept in the ICT system
nym.
2. The maintenance and development of the Register of Identity Cards in order to perform the tasks specified in the Act is ensured
minister responsible for computerization, including:
provides protection against unauthorized access to the Register of ID Cards;

1)

2) ensures the integrity of data in the Register of Personal Identity Cards;
3)

ensures the availability of the ICT system in which the ID Card Register is kept,
for entities processing data in this register;

4)

counteracts damage to the ICT system in which the
bells;

5)

defines the rules for the security of processed data, including personal data;

6)

defines the rules for reporting personal data breaches;

7)

ensures accountability of activities performed on the data of the Register of Personal IDs;

8)

ensures the correctness of the data processed in the Register of Personal Identity Cards.

3. The minister responsible for internal affairs, at the request of the minister responsible for computerization, may
participate in the implementation of tasks related to the development of the Register of ID Cards and ensuring the correct
data processed in this register.
4. The minister responsible for internal affairs ensures the functioning of a separate enabling network
access by the authorities referred to in para. 7, to the Register of ID Cards.
5. The minister responsible for foreign affairs ensures the operation of a separate enabling network
access for consuls to the Register of Personal IDs.
6. The data is entered into the Register of Personal Identity Cards directly in real time:
the commune authority competent to issue an ID card in the scope of:

1)

a) the data contained in the application for an ID card specified in art. 28 points 1-7, together with
a nated photograph or a file containing a photograph, and the data specified in art. 56 sec. 1
point 3 lit. b, point 4 lit. d third to sixth indents, ninth and eleventh indents and (d). e,
b) dates and reasons for leaving the application for an ID card without examination,
c) the number and date of issuing the administrative decision refusing to issue the ID card referred to
in art. 32,
d) the number and date of the administrative decision declaring the invalidity of the identity card for which
referred to in Art. 52;
23/04/2019

Page 85
© Chancellery of the Sejm

pp. 85/114

minister competent for internal affairs - in the scope of data specified in art. 56 sec. 1, excluding

2)

data entered by the commune authority.
7. In order to perform the tasks specified in the Act, the following persons have access to the Register of ID Cards:
voivode, consul, minister responsible for internal affairs and the minister responsible for computerization.
8. The minister responsible for computerization shall perform the duties referred to in Art. 15 of the Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals
in connection with the processing of personal data and on the free movement of such data, and repeal
Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended)
d. 71) ). ";
2) in art. 56 the current content is marked as para. 1 and the following paragraph is added: 2 and 3 as follows:
"2. The data collected in the Register of Identity Cards is not deleted.
3. The Register of Personal Identity Cards collects data on all identity cards of personal
personalized, including invalid and defectively personalized. ";
3) after art. 56, art. 56a and art. 56b is added:
"Art. 56a. 1. A commune authority, when accepting an application for a new ID card, ex officio performs the application
check the data contained in the application for an ID card with the data contained in the Register of Evidence
Personal and in the PESEL register.
2. In the event of non-compliance of the data contained in the application with the data contained in the registers,
referred to in sec. 1, the authority that has found the non-compliance of the data shall take steps to remove the non-compliance
in accordance with Art. 11 of the Act of 24 September 2010 on population records (Journal of Laws of 2018, items 1382 and 1544 and
of 2019, item 60 and 730).
Art. 56b. In the event of an error or lack of data in the Register of ID Cards in relation to
to the data referred to in art. 56 sec. 1 points 2-4 and 6, the authorities shall, according to their jurisdiction, forward immediately
information about the need to rectify or supplement them to the minister responsible for computerization,
using the ICT system. ”;
4) Art. 57–58;
5) in art. In paragraph 63 1 the words "Art. 56 points 1, 3, 4, 7 and 8 "shall be replaced by the words" Art. 56 sec. 1 points 1, 3, 4, 7 and 8 ”;
6) in art. 66, paragraph 1 is deleted. 4.
Art. 107. In the Act of 24 September 2010 on population records (Journal of Laws of 2018, items 1382 and 1544 and of 2019, no.
item 60) is hereby amended as follows:
1) art. 6 is replaced by the following:
"Art. 6. 1. The PESEL register is a central set of data referred to in Art. 8, kept in the system
ICT.
2. The maintenance and development of the PESEL register, in order to perform the tasks specified in the Act, is ensured by the minister of
responsible for computerization, including:
provides protection against unauthorized access to the PESEL register;

1)

2) ensures the integrity of data in the PESEL register;
3)

ensures the availability of the ICT system in which the PESEL register is kept for entities
processing data in this register;

4)

counteracts damage to the ICT system in which the PESEL register is kept;

5)

defines the rules for the security of processed data, including personal data;

6)

defines the rules for reporting personal data breaches;

7)

ensures accountability of actions performed on the PESEL register data;

8) ensures the correctness of the data processed in the PESEL register.
3. The minister responsible for internal affairs, at the request of the minister responsible for computerization, may
participate in the implementation of tasks related to the development of the PESEL register and ensuring the correctness of data
in this register.
4. The minister competent for internal affairs ensures the functioning of a separate network enabling the
access to the PESEL register to the authorities referred to in para. 7, with the exception of consuls.

71) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 86
© Chancellery of the Sejm

pp. 86/114

5. The minister responsible for foreign affairs ensures the functioning of a separate network enabling the
sulom access to the PESEL register.
6. The minister responsible for computerization shall perform the duties referred to in Art. 15 of the Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals
in connection with the processing of personal data and on the free movement of such data, and repeal
Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended)
d. 72) ).
7. In order to perform the tasks specified in the Act, the commune authority, head of the registry office,
port, voivode, minister responsible for internal affairs and the minister responsible for computerization of
sit down to access the register. ”;
2) after art. 6, art. 6a is added as follows:
"Art. 6a. 1. The register of residents is kept in accordance with the local jurisdiction by the commune head (mayor,
Mayor of the city), hereinafter referred to as the "commune authority".
2. The maintenance and development of the register of residents is ensured by the authority competent to keep it, which in the scope
of this register undertakes the activities indicated in Art. 6 sec. 2. ";
3) in art. 10 after paragraph 6 the following paragraph is added: 6a is added as follows:
"6a. Entries in system logs (logs) are kept for 5 years from the date of their creation. ”;
4) in art. 11 after paragraph 2a, the following paragraph shall be added: 2b and 2c as follows:
"2b. The removal of inconsistencies may consist, in particular, in the rectification of incorrect or supplementary data
fulfillment of data.
2c. The application referred to in paragraph 1. 1, includes first name (names) and surname, PESEL number, correspondence address
cji - if the correspondence is to be carried out by post, and justification. ”;
5) after art. 12, art. 12a is added as follows:
"Art. 12a. Data and entries collected in the PESEL register and residents' registers are not removed from
with the protection of art. 10 sec. 6 and 6a. ";
6) Art. 45a;
7) in art. 47 paragraph. 3a is replaced by the following:
"3a. The authority that received the request in the form referred to in para. 1, directed by the obliged entity
based on Article. 48 to use data teletransmission devices, refuses, by way of a decision, to initiate
proceedings. ”;
8) in art. 48 sec. 2 is replaced by the following:
"2. The entities referred to in Art. 46 sec. 1, which do not have a decision to consent to sharing
data by means of data teletransmission devices, referred to in art. 51 sec. 1 point 1, data from the PESEL register
or the register of residents is made available in the manner specified in art. 47 up to three hundred figures
unit in a calendar year. ”.
Art. 108. In the Act of December 16, 2010 on collective public transport (Journal of Laws of 2018, item 2016
and 2435) after Art. 6, art. 6a is added as follows:
"Art. 6a. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general
data protection regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 73) ), does not affect the course of
inspections and the power of the competent authority to impose a penalty. '
Art. 109. In the Act of February 4, 2011 on the care of children up to the age of 3 (Journal of Laws of 2019, item 409), Art. 3a
in paragraph 2 the words "may process" are replaced by the words "process".

72) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
73) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 87
© Chancellery of the Sejm

pp. 87/114

Art. 110. In the Act of 15 April 2011 on medical activity (Journal of Laws of 2018, items 2190 and 2219 and of 2019
r. item 492) is hereby amended as follows:
1) in art. 23 sec. 2 is replaced by the following:
"2. The provision of paragraph 1 does not apply to professional internships referred to in article 1. 18 sec. 4 and 6, art. 19 paragraph 4 and 6
and art. 19a paragraph. 3, if these practices do not observe the premises referred to in article 1. 23a
paragraph 1. ";
2) after art. 23, art. 23a is added as follows:
"Art. 23a. 1. The head of the entity performing medical activities may specify in the regulations of the organization
way of observing rooms:
generally accessible, if it is necessary to ensure the safety of patients or employees of the premises

1)

red,
in which health services are provided and patients' stay, in particular bed rooms,

2)

hygienic and sanitary rooms, changing rooms, cloakrooms, if it results from separate provisions
- with the use of devices that enable image recording (monitoring).
2. Image recordings obtained as a result of the monitoring referred to in sec. 1 point 1 containing personal data,
The entity performing medical activities shall process and store them only for the purposes for which they were collected
for a period not longer than 3 months from the date of recording.
3. After the expiry of the period referred to in sec. 2, image recordings obtained as a result of monitoring containing
personal data shall be destroyed, unless separate regulations provide otherwise. ”;
3) in art. 24 sec. 2 is replaced by the following:
"2. The current information referred to in sec. 1 points 4, 9, 11 and 12 and article. 23a paragraph. 1 shall be made public
patients by displaying them in a visible manner at the place where services are provided and on the website
the entity performing the medical activity and making it available in the Public Information Bulletin, in the case of
the litter required to lead it. ”.
Art. 111. In the Act of 28 April 2011 on the information system in health care (Journal of Laws of 2019, item 408)
the following changes are introduced:
1) in art. 2, point 1 is replaced by the following:
"1) data administrator - the administrator referred to in art. 4 point 7 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC
(General Data Protection Regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 74) ); ”;
2) in art. 9a in sec. 2 the second sentence is deleted;
3) in art. 19:
a) paragraph 1 is deleted. 5,
b) sec. 7 is replaced by the following:
"7. The data contained in the medical registers referred to in para. 1, may be made available for the purpose of
undertaking scientific research and for statistical purposes in a form that does not allow them to be linked to a specific one
a natural person. ",
(c) paragraph 3 is deleted. 9,
d) in sec. 15 the second sentence is deleted.

74) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 88
© Chancellery of the Sejm

pp. 88/114

Art. 112. In the Act of 12 May 2011 on the National Council of the Judiciary (Journal of Laws of 2019, items 84 and 609),
the following changes are taking place:
1) in art. 3 in sec. 2 in point 8 replaced by a semicolon and point 10 is added as follows:
“10) supervises the processing of personal data by the Constitutional Tribunal, the Tribunal of State and the Court
The Supreme Administrative Court and courts of appeal, as part of their proceedings,
ants. ";
2) in art. 20 paragraph 1 is replaced by the following:
"1. The Council debates in plenary sessions. The proceedings are broadcast via the Internet, unless
The Supervisory Board adopts a resolution to exclude the openness of the meeting. The Council excludes the openness of the meeting in whole or in part,
if the openness could lead to the disclosure of information subject to protection on the principles set out in
knows of August 5, 2010 on the protection of classified information (Journal of Laws of 2018, items 412, 650, 1000, 1083 and 1669 and
of 2019, item 125) or infringe an important private interest by disclosing the data referred to in art. 9 sec. 1
and art. 10 of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free movement of such data
data and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119
of May 4, 2016, p. 1, as amended d. 75) ). "
Art. 113. In the Act of May 12, 2011 on Consumer Credit (Journal of Laws of 2018, items 993 and 1075) in Art. 10 to
the temporary content is marked as para. 1 and the following paragraph is added: 2 is added:
"2. If the creditor refuses to grant a consumer credit to the consumer, the provisions of art. 70a paragraph. 1 and 2
of the Act of August 29, 1997 - Banking Law shall apply accordingly. ”.
Art. 114. In the Act of 9 June 2011 on supporting the family and foster care system (Journal of Laws of 2018,
item 998, 1076, 1544 and 2245) is hereby amended as follows:
1) in art. 7:
a) in sec. 1 the words "may process" are replaced with the words "process",
(b) paragraph 3 is deleted. 2,
(c) the following paragraph is added: 4 is added:
"4. Personal data referred to in sec. 1, are subject to safeguards to prevent abuse or
unlawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization

1)

issued by the data controller;
a written commitment of persons authorized to process personal data to keep them

2)

in secret.";
2) in art. 161, the following paragraph is added: 5 is added:
"5. Personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
1)

allowing for the processing of personal data only persons with a written authorization to
data by the data administrator;

2)

a written commitment of persons authorized to process personal data to keep them confidential
nothing. "

Art. 115. In the Act of 15 July 2011 on control in government administration (Journal of Laws, item 1092), Art. 55 in paragraph. 2
after the words "The controller makes the audit files available after anonymization", the words "or pseudonymization" are added.
Art. 116. In the Act of 18 August 2011 on the safety of persons in water areas (Journal of Laws of 2011, No.
of 2018, item 1482) is hereby amended as follows:
1) in art. 12 in section 3, point 3 is replaced by the following:
"3) a list of lifeguards with documents confirming that they meet the conditions specified
in Art. 2 point 5; ";

75) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 89
© Chancellery of the Sejm

pp. 89/114

2) in art. 14 the following paragraph is added: 6 is added:
"6. Personal data referred to in sec. 3, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
1)

allowing for the processing of personal data only persons with a written authorization to
data by the data administrator;

2)

a written commitment of persons authorized to process personal data to keep them confidential
nesses. ";

3) in art. 25 in paragraph 2 in point 6, the full stop is replaced by a semicolon and the following point 7 is added:
"7) processing of personal data, including data on the health status of people who were provided assistance
as part of rescue operations. ”.
Art. 117. In the Act of 18 August 2011 on safety and rescue in the mountains and organized
ski areas (Journal of Laws, item 1241, of 2013, item 7 and of 2018, item 1115), the following changes are introduced:
1) in art. 5 in sec. 3, point 3 is replaced by the following:
"3) a list of mountain rescuers together with documents confirming that they meet the conditions specified
in Art. 2 point 9; ";
2) in art. In 7, the following paragraph shall be added: 6 is added:
"6. Personal data referred to in sec. 3, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
1) allowing for the processing of personal data only persons who have a written authorization to
data by the data administrator;
2)

a written commitment of persons authorized to process personal data to keep them confidential
nesses. ";

3) in art. 40 in section 2 in point 6, the full stop is replaced by a semicolon and the following point 7 is added:
"7) processing of personal data, including data on the health status of people who were provided assistance
as part of rescue operations. ”.
Art. 118. In the Act of 19 August 2011 on payment services (Journal of Laws of 2019, item 659),
the following changes:
1) art. 10 is replaced by the following:
"Art. 10. Suppliers, payment organizations and entities operating payment systems process personal data
to the extent necessary to prevent fraud related to the performed payment services,
payment scheme or payment system operation and the investigation and detection of such fraud
by the competent authorities. ";
2) after art. 10, art. 10a is added as follows:
"Art. 10a. Suppliers, payment organizations and entities operating payment systems that are administrators
data are not required to perform the obligations referred to in art. 15 of the Regulation of the Europejski and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC
(general regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 76) ), to the extent
who is it necessary for the proper implementation of anti-money laundering and financing tasks
terrorism and crime prevention. ”.
Art. 119. In the Act of August 19, 2011 on Veterans of Activities Outside the State (Journal of Laws of 2018,
item 937 and 2018) after Art. 38, the following art. 38a is added:
"Art. 38a. 1. The Minister of National Defense runs a database of injured veterans and veterans, and
the data referred to in paragraph 1. 2, in order to exercise the rights of these persons under the Act.
2. In the database referred to in par. 1, data on veterans and veterans of the injured are collected, including:
1)

first name (names) and surname;

2) PESEL number;
3)

date and place of birth;

76) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 90
© Chancellery of the Sejm

p. 90/114

4) address of the place of residence or correspondence address;
5) contact telephone number;
6) information on participation in activities outside the state, including: name and type of peacekeeping or stable mission
position, its place and duration of the mission, as well as the name of the occupied official position or
this function;
7)

the amount of the health detriment, authority issuing the decision, as well as the number and date of the decision;

8) number and date of the accident report and the authority drawing up the report;
9) number and date of the decision on the award of compensation benefits and the authority issuing the decision;
10) number and date of the decision on granting the veteran or veteran status of the victim;
11) the date of confirmation of the delivery of the decision on granting the veteran or veteran status of the victim;
12) number and date of issue of the decision depriving the victim of the veteran or veteran status;
13) the amount of the injured veteran allowance, the name of the paying authority and the date of commencement of the payment;
14) series and number of the victim's veteran or veteran ID card and the date of its issue;
15) date of confirmation of receipt of the victim's veteran or veteran ID card;
16) number and date of the decision granting study aid to the injured veteran, the amount awarded
the aid and the date on which it was paid;
17) name of the authority paying the financial aid for science;
18) number and date of the decision suspending the payment of financial aid for science;
19) number and date of issue of the decision on granting allowance to a veteran or a victim of veterans, date of issue
the payment of the allowance, its amount and the name of the paying authority;
20) the amount of reimbursement of the costs of participation in the celebrations and the name of the entity inviting to participate in the
fast.
3. The data referred to in sec. 2 points 3-5 are collected on the basis of the information contained in the application for
knowing the veteran or veteran status of the injured person.
4. The data referred to in par. 2, are subject to safeguards to prevent abuse or non-compliance
with the right to access or transfer, consisting at least in the admission to the processing of personal data
only persons with a written authorization issued by the data controller. ”.
Art. 120. In the Act of 19 August 2011 on the transport of dangerous goods (Journal of Laws of 2019, items 382 and 534)
after art. 14, art. 14a is added as follows:
"Art. 14a. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general
data protection regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 77) ), does not affect the course of
the control referred to in Art. 99 sec. 1. "
Art. 121. In the Act of 28 June 2012 on the repayment of certain unsettled receivables of entrepreneurs,
resulting from the implementation of public contracts awarded (Journal of Laws of 2019, item 580) after Art. 12, art. 12a
as follows:
"Art. 12a. 1. The General Director, performing the tasks specified in the Act, performs the obligation referred to in the Act
in art. 13 sec. 1 and 2 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
knows the protection of individuals with regard to the processing of personal data and on free movement
such data and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119
of May 4, 2016, p. 1, as amended d. 78) ), at the first action addressed to the contractor or entrepreneur, unless
that they have this information and its scope or content has not changed.
2. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament and of the Council
(EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to data processing
data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation
data protection), does not affect the rights and obligations of the General Director under the Act, including
performing the verification referred to in Art. 5 sec. 3, the payment of the amounts referred to in article 1. 7 sec. 1, and the right to
the claims referred to in Art. 11 sec. 1 and 2. "

77) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
78) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 91
© Chancellery of the Sejm

pp. 91/114

Art. 122. In the Act of August 31, 2012 on the State Commission for Investigation of Maritime Accidents (Journal of Laws of 2018,
item 925 and 1669) after Art. 34, art. 34a is added:
"Art. 34a. The Commission performs the obligation referred to in Art. 13 sec. 1 and 2 of the Regulation of the Europejski and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC
(General Data Protection Regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 79) ), at the first
activities addressed to the data subject, unless he has this information and its scope or content does not
have changed. ”.
Art. 123. In the Act of 14 December 2012 on waste (Journal of Laws of 2019, item 701), the following is introduced:
changes:
1) in art. 80 after paragraph 1 the following paragraph shall be added: 1a-1c as follows:
"1a. The marshal of the voivodship, in order to perform the tasks related to conducting BDO, processes personal data
bowe and is the data controller.
1b. Personal data referred to in sec. 1a, the following is stored:
1) in the case of waste records - for a period of 5 years from the end of the calendar year in which they were prepared
waste registration documents;
2)

in the case of other data - for a period of 100 years from the end of the calendar year in which they were
governed documents containing this data.
1c. Personal data referred to in sec. 1a, are subject to safeguards preventing abuse or not

lawful access or transfer consisting at least in:
1) allowing for the processing of personal data only persons who have a written authorization to
data by the data administrator;
2)

a written commitment of persons authorized to process personal data to keep them confidential
nesses. ";

2) in art. 81 after sec. 1 the following paragraph shall be added: 1a is added as follows:
"1a. The administrator of personal data processed in the BDO system is the minister responsible for environmental
dowiska. ".
Art. 124. In the Act of October 11, 2013 on mutual assistance in the recovery of taxes, customs duties,
and other cash receivables (Journal of Laws of 2018, item 425) after Art. 11 the following Art. 11a is added as follows:
"Art. 11a. Personal data processed in order to perform tasks under the Act are subject to protection
to prevent abuse or unlawful access or transmission consisting of at least
less on:
1)

allowing the data controller to process personal data only of persons authorized to do so
related;

2)

a written commitment of persons authorized to process personal data to keep them confidential
natures;

3) testing and improving the applied technical and organizational measures;
4) ensuring secure communication in ICT networks, in particular through acquisition
personal data and their transfer to external entities using cryptographic techniques;
5)

ensuring protection against unauthorized access to IT systems of the authorities;

6)

ensuring data integrity in the IT systems of the authorities;

7)

defining the security rules for the processed personal data. ”.

Art. 125. In the Act of 22 November 2013 on the emergency notification system (Journal of Laws of 2018, item 867)
and 1115) is hereby amended as follows:
1) in art. 8 in sec. 1 point 2 shall be replaced by the following:
"2) entering into the ICT system referred to in Art. 10, and recording in this system
data on the content of emergency reports, including recordings of telephone conversations in full

79) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 92
© Chancellery of the Sejm

pp. 92/114

an emergency notification, data of reporting persons and other persons indicated at the time of receiving the notification,
geographical positions, information about the place of the occurrence and its type, and a brief description of the occurrence; ”;
2) art. 10 is replaced by the following:
"Art. 10. 1. The performance of the centre's tasks is supported by the ICT system.

2. The data referred to in Art. 8 sec. 1, point 2, are stored in the ICT system for 3 years.
3. The maintenance and development of the ICT system is ensured by the minister responsible for administration
public.
4. The minister competent for public administration may entrust, by agreement, to the minister
competent for public finance, performing activities in the field of ensuring the maintenance of space
server. In this case, the implementation of the task is financed from the state budget, from the part that is at the disposal of the owner
is the minister responsible for public finances.
5. The minister responsible for public administration, the voivode or the entity referred to in Art. 7 sec. 2,
are joint controllers of data processed in the ICT system obtained in connection with the service
emergency notifications.
6. Personal data processed in the ICT system are subject to preventive safeguards
abusive or unlawful access or communication consisting, at least in:
1)

allowing for the processing of personal data only persons with a written authorization to
data by the joint data controller;

2)

a written commitment of persons authorized to process personal data to keep them confidential
natures.
7. The minister competent for public administration:
issues authorizations to process personal data in the ICT system for employees
the office supporting the minister competent for public administration, performing tasks in the field of

1)

emergency notification system;
determines the scope of data processing.

2)

8. The voivode or the entity referred to in Art. 7 sec. 2:
1)

issue authorizations to process personal data in the ICT system for
coworkers performing emergency notification tasks;

2)

define the scope of data processing.
9. The minister competent for public administration, the voivode or the entity referred to in Art. 7 sec. 2:

1)

provide protection against unauthorized access to the ICT system;

2)

ensure data integrity in the ICT system;

3)

ensure the availability of the ICT system for entities processing data in this system;

4)

prevent damage to the ICT system;

5)

define the rules for the security of processed data, including personal data;

6)

define the rules for reporting personal data breaches;

7)

ensure accountability of actions performed on data in the ICT system;

8)

ensure the correctness of data processed in the ICT system.
10. The minister responsible for public administration ensures:

1)

maintaining the continuity of the ICT system;

2)

technical solutions for the training of emergency number operators.

11. The minister competent for public administration removes the data concerning the content of emergency notifications by
processed in the ICT system after the deadline referred to in para. 2.
12. The minister responsible for public administration, the voivode or the entity referred to in Art. 7 sec. 2,
processes data in the ICT system obtained in connection with the performance of the centre's tasks referred to
referred to in Art. 8, including the data referred to in Art. 9 sec. 1 and art. 10 of the Regulation of the European Parliament and of the Council
(EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to data processing

23/04/2019

Page 93
© Chancellery of the Sejm

pp. 93/114

data and on the free movement of such data, and repealing Directive 95/46 / EC (general regulation
on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended80 ) ), hereinafter referred to as the "Regulation
2016/679 ", as provided by the declarant.
13. In connection with the processing of personal data in the ICT system, the performance of the obligation,
referred to in art. 13 sec. 1 and 2 of Regulation 2016/679, is made by providing information in the Bulletin
Public Information on the website of the minister competent for public administration, voivode or
the entity referred to in art. 7 sec. 2, on their websites and in a prominent place at their premises.
14. The voivode or the entity referred to in art. 7 sec. 2, provides data processed in the teleinformation system
mathematical, referred to in art. 8 sec. 1 point 2, at the request of the court, public prosecutor's office or the police.
15. The person making the request pursuant to Art. 15 of the Regulation 2016/679 is obliged to provide
information about the circumstances of the incident to which the request relates, including the date and place of the incident and the telephone number
the phon from which the call related to the notification of the event was made. ”;
3) Art. 10a and art. 11.
Art. 126. In the Act of 30 May 2014 on consumer rights (Journal of Laws of 2019, item 134) after Art. 4 is added
art. 4a is added as follows:
"Art. 4a. 1. The administrator who is an entrepreneur referred to in Art. 7 sec. 1 point 1 of the Act of March 6
2018 - Entrepreneurs' Law (Journal of Laws, item 646, 1479, 1629, 1633 and 2212), performs the obligations referred to
in art. 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free movement of such data
data and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119
of May 4, 2016, p. 1, as amended d. 81) ), hereinafter referred to as "Regulation 2016/679", in the scope of the contracts referred to
in chapters 2 and 3, by displaying it in a conspicuous place on business premises or making it available on your own
website of the relevant information.
2. The provision of para. 1 shall not apply if the data subject is unable to get acquainted with the information
the transactions referred to in Art. 13 of Regulation 2016/679.
3. The provision of para. 1 does not apply to the data controller who:
1) processes the data referred to in art. 9 sec. 1 of Regulation 2016/679, or
provides the data referred to in art. 9 sec. 1 of Regulation 2016/679, other administrators, with the exception of

2)

where:
a) the data subject has consented to disclose their data, or
b) disclosing the data is necessary to fulfill the obligation incumbent on the administrator. ”.
Art. 127. In the Act of 11 July 2014 on the principles of implementing programs in the field of financial cohesion
in the financial perspective 2014-2020 (Journal of Laws of 2018, items 1431 and 1544 and of 2019, item 60) in Art. 71 sec. 1 received
reads:
"1. The minister responsible for regional development is the administrator of the collected personal data
in the central ICT system. ”.
Art. 128. In the Act of August 29, 2014 on the energy performance of buildings (Journal of Laws of 2018, item 1984)
after art. 38, the following art. 38a and art. 38b is worded as follows:
"Art. 38a. 1. In the case of processing personal data by the minister responsible for construction,
spatial planning and development and housing in order to carry out the tasks specified in the Act
the right referred to in art. 15 sec. 1 lit. g of Regulation (EU) 2016/679 of the European Parliament and of the Council of
April 27, 2016 on the protection of individuals with regard to the processing of personal data and in the matter
free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation
(Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended 82) ), is granted to the extent that it does not affect the protection of
the rights and freedoms of the person from whom the data was obtained.
2. The minister competent for construction, planning and spatial development and housing
twa informs about the restriction referred to in sec. 1, at the first action addressed to the data subject
concern.
3. If the period of storage of personal data referred to in sec. 1, does not result from the
the words of the Act of July 14, 1983 on the national archival resource and archives (Journal of Laws of 2019, items 553 and 730),

80) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
81) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
82) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 94
© Chancellery of the Sejm

pp. 94/114

the minister competent for construction, planning and spatial development and housing for
retains data for the period determined in accordance with the provisions issued on the basis of art. 6 sec. 2 of the Act of July 14
1983 on the national archival resource and archives.
4. The personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential
natures.

2)

Art. 38b. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC (general
Regulation on data protection), by the person whose data is processed in connection with the implementation by the minister
responsible for construction, planning and spatial development as well as housing tasks in the
end:
1)

conducting control proceedings,

2)

keeping a central register of the energy performance of buildings,

3) entering and updating the data of persons authorized to draw up energy performance certificates
and persons authorized to inspect the heating system or air conditioning system that meet the requirements,
referred to respectively in art. 17, art. 22, art. 24, art. 27 and art. 34, to the lists of authorized persons,
4) verification of energy performance certificates and reports on the inspection of the heating system or system
air conditioning, as referred to in art. 36
- does not affect the implementation of tasks in this area. ”.
Art. 129. In the Act of 28 November 2014 - Law on civil status records (Journal of Laws of 2018, item 2224),
the following changes are made:
1) art. 5 is replaced by the following:
"Art. 5. 1. The register of marital status is kept in the ICT system.
2. The maintenance and development of the marital status register, in order to perform the tasks specified in the Act, is ensured by
the helm responsible for computerization, including:
1)

provides protection against unauthorized access to the marital status register;

2)

ensures the integrity of data in the registry of civil status;

3)

ensures the availability of the ICT system in which the marital status register is kept, for
litters processing data in this register;

4)

counteracts damage to the ICT system in which the marital status register is kept;

5)

defines the rules for the security of processed data, including personal data;

6)

defines the rules for reporting a breach of personal data protection;

7)

ensures accountability of actions performed on the data in the marital status register;

8)

ensures the correctness of data processed in the marital status register.

3. The minister responsible for internal affairs, at the request of the minister responsible for computerization, may
participate in the implementation of tasks related to the development of the civil status register and ensuring the correctness of data
processed in that register.
4. The minister competent for internal affairs ensures the operation of a separate network enabling connection
electronic capability allowing access to the authorities referred to in para. 6, to the registry of marital status.
5. Entry in the register of marital status is made by the head of the civil registry office or the deputy head
registry office.
6. In order to perform the tasks specified in the Act, the head of the registry office, the deputy head of the office
civil status, voivode, minister competent for internal affairs and minister competent for IT
zations have access to the marital status register.
7. The minister responsible for computerization shall perform the duties referred to in Art. 15 of the Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals
in connection with the processing of personal data and on the free movement of such data, and repeal
23/04/2019

Page 95
© Chancellery of the Sejm

pp. 95/114

Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended)
d. 83) ). ";
2) in art. 28:
a) sec. 3 and 4 are replaced by the following:
"3. If the person affected by the birth certificate or marriage certificate lives longer than the storage period
of this act by the head of the registry office, the record is kept until it is drawn up for that person
death certificate or registration of information about the death of that person.
4. After the expiry of the periods referred to in sec. 1 and 3, civil status records and collective registration files
within 2 years, the head of the civil registry office forwards the state to the appropriate archives
wego. ",
(b) the following paragraph is added: 5 is added:
"5. After the expiry of the periods referred to in para. 1 and 3, and before the transfer of the acts of collective state registration
civil law to the appropriate state archive, their disclosure takes place in accordance with art. 26 sec. 4. ";
3) art. 51 is replaced by the following:
"Art. 51. Documents from the registry of civil status are issued for the periods of keeping the records referred to
referred to in Art. 28 sec. 1 and 3, as well as after the expiry of these periods, and before the transfer of civil status documents to the competent
in the national archives. ”;
4) in art. 124 in paragraph. 8, the following second and third sentences are added:
“After the marital status is transferred to the marital status register, the data used for the transfer of the record are subject to change
permanent removal from the computer system. Until the marital status is transferred to the civil status register
the head of the registry office is the administrator of the data stored in the computer system. ";
5) in art. 128 after paragraph 1 the following paragraph shall be added: 1a and 1b as follows:
"1a. If for a person for whom a birth certificate or a marriage certificate has been drawn up in the registry
carried out before the date of entry into force of this Act, no death certificate has been drawn up or information has not been registered
on death, the book of births and the book of marriages, despite the expiry of the periods referred to in sec. 1, be stored until
the time when the death certificate for the person concerned was prepared or the information about the death of that person was registered.
1b. Verification of the preparation of a death certificate for a person or registration of information about the death of that person is made
in the marital status register or PESEL register. If it is found that an act has not been prepared for a person
death and no information about the death was registered and no statement that the person had a PESEL number, driver
the registry office officer is entitled to transfer the books to the appropriate state archives, after the expiry of
the periods referred to in sec. 1. ";
6) in art. 129, paragraph 1 is deleted. 5;
7) in art. 130 sec. 3 and 4 are replaced by the following:
"3. From the registers of marital status kept before the date of entry into force of this Act, after the lapse of periods,
referred to in Art. 128 sec. 1 and 1a, copies do not appear.
4. Civil status records drawn up in the registers of civil status kept before the date of entry into force
of this Act, after the expiry of the periods referred to in Art. 128 sec. 1 and 1a, are not subject to transfer to the register
marital status. Providing access to them and the files of collective registrations of marital status or alphabetical indexes
by the head of the registry office before transferring the registry office to the appropriate state archives
stewardship is carried out in accordance with the principles set out in the Act of July 14, 1983 on the national archival resource
and archives (Journal of Laws of 2019, items 553 and 730). ”;
8) after art. 130, art. 130a is added:
"Art. 130a. 1. The documents referred to in Art. 44 sec. 1, from the acts drawn up in the registers of civil status
conducted before the date of entry into force of this Act and transferred to the state archives before the
the periods referred to in Art. 128 sec. 1 and 1a, it seems after the transfer of the act to the registry of civil status
by the head of the registry office who prepared or stored the record and transferred it to the archives.
2. The head of the registry office transfers the act referred to in para. 1, on the basis of
a copy of the certificate certified by the archive and entered in the civil status record drawn up in the stored book
an additional note in the state archives about its transfer to the register of marital status and the prohibition of making
nannying the act on the terms specified in the Act of 14 July 1983 on the national archival resource and archives
by the competent state archive. Mention of the prohibition of access to the act is annulled by the manager
83) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 96
© Chancellery of the Sejm

pp. 96/114

the registry office, which drew up the note after the transferred document was transferred to the appropriate archive
state, in accordance with Art. 131. ";
9) art. 131 is replaced by the following:
"Art. 131. 1. Civil status records transferred to the marital status register from the records of civil status records
established on the basis of the existing regulations, for which the specified storage periods have expired
in art. 128 sec. 1, shall be transferred from the register of marital status to the competent state archives within 10 years from
the date of transfer, in accordance with the regulations issued on the basis of art. 5 sec. 2c of the Act of July 14, 1983 on national
a given archival resource and archives.
2. If the person concerned by the birth certificate or marriage certificate lives longer than the period referred to in para. 1,
the record is kept in the marital status register until a death certificate is drawn up for that person or until a
information about the death of this person.
3. Use shall be made to verify the preparation of a death certificate for a person or to register information about the death of that person
the provision of Art. 128 sec. 1b. ".
Art. 130. In the Act of 28 November 2014 on medical boards subordinate to the minister competent for
internal (Journal of Laws of 2019, item 345) after Art. 4, Art. 4a is added as follows:
"Art. 4a. 1. Public administration bodies within the meaning of the Act of June 14, 1960 - Code of
administrative tasks, employers and pension and disability pension bodies are obliged to provide medical boards
assistance and information, including providing personal data in connection with medical certification and issuing free
no, at their request, all documents, including certificates, necessary for issuing a medical certificate.
2. Medical boards are entitled to obtain necessary information by electronic means
to issue a decision from pension authorities and public registers, in particular from:
1) PESEL register,
2) the Medical Information System and other registers referred to in the provisions on the information system in the protection of
not health,
3) the Central List of Insureds
- to confirm the validity of the data held, to obtain contact details or to enable the release
judgments.
3. In the event of a failure of the ICT systems used to obtain information by electronic means
in accordance with paragraph 2 medical boards obtain this information by means of a written exchange of information. ”.
Art. 131. In the Act of 5 December 2014 on the Large Family Card (Journal of Laws of 2017, item 1832, as amended 84) )
in art. 21:
1) in sec. 1 in the introduction to the enumeration, the words "may process" are replaced with the word "process";
2) in sec. 1a in the introduction to the enumeration, the words "may process" are replaced with the word "processes";
3) in sec. 4 the words "may be processed" are replaced by the words "are processed";
4) the following paragraph is added: 6 and 7 as follows:
"6. Personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written obligation of persons authorized to process personal data to keep them confidential
natures.

2)

7. Persons processing personal data referred to in sec. 1, are obliged to keep them confidential. ”.
Art. 132. In the Act of 19 December 2014 on Sea Fisheries (Journal of Laws of 2019, items 586 and 642) after Art. 114
Art. 114a is added:
"Art. 114a. 1. In the event of urgency, the Chief Inspector of Sea Fisheries, carrying out the tasks
as referred to in art. 107 paragraph. 1 point 1, performs the obligation referred to in Art. 13 sec. 1 and 2 of the Regulation
(EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals

84) Amendments

to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2017, item 2161, of 2018, item 1544, 1669, 2383

and 2432 and of 2019, item 60.
23/04/2019

Page 97
© Chancellery of the Sejm

pp. 97/114

in connection with the processing of personal data and on the free movement of such data, and repeal
Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended)
d. 85) ), hereinafter referred to as "Regulation 2016/679", by providing the information referred to in Art. 13
paragraph 1 and 2 of Regulation 2016/679, in the Public Information Bulletin on its website, on its website
not on the Internet and at the seat of the office in a visible place.
2. Submitting the request referred to in Art. 18 sec. 1 of the Regulation 2016/679, neither suspends nor does it
restricts the performance by the Chief Sea Fisheries Inspector of the tasks referred to in Art. 107
paragraph 1 point 1. ".
Art. 133. In the Act of February 20, 2015 on renewable energy sources (Journal of Laws of 2018, items 2389 and 2245 and
of 2019, item 42 and 60) in art. 159, paragraph. 1.
Art. 134. In the Act of March 20, 2015 on the activists of the anti-communist opposition and
for political reasons (Journal of Laws of 2018, item 690), the following changes are introduced:
1) in art. 5 after paragraph 2 the following paragraph shall be added: 2a and 2b as follows:
"2a. An application submitted by an anti-communist opposition activist or a person repressed for reasons
list includes the applicant's first name or names and surname, date and place of birth, parents' names, number
PESEL number, address of residence or correspondence address, telephone number or e-mail address.
2b. A petition filed by a family member of a deceased anti-communist opposition activist or
for political reasons, in addition to the data referred to in sec. 2a, contains the date of death of the opposition activist
anti-communist or repressed person for political reasons, name or names of the applicant, surname
at birth, date and place of his birth, parents' names, PESEL number, if given, and the degree of kinship
or affinity linking the applicant with an anti-communist opposition activist or a repressed person with
political reasons. ";
2) in art. 8 the current content is marked as para. 1 and the following paragraph is added: 2-4 as follows:
"2. The application for a cash benefit includes the applicant's name and surname, date of birth, PESEL number,
home address or mailing address, telephone number or e-mail address and name
the bank and the bank account number to which the cash benefit is to be transferred, if the applicant chooses
this form of payment.
3. The application for granting financial aid contains the data referred to in para. 2, as well as first names, surnames,
the degree of kinship and the net income of persons with whom the applicant runs a joint household.
4. The application for granting financial aid should be accompanied by copies of documents that will constitute
the basis for determining the health, family and financial situation of the person applying for financial assistance or
persons running a common household with the applicant, in particular:
1) a certificate of disability, inability to work or a degree of disability;
2)

a document confirming the amount of net income, in particular the current decision on the revaluation of the pension or
pensions, employer's certificate of remuneration for work;

3)

agricultural tax payment order and a certificate from the commune office on the size of the farm in hectares
conversion rates;

4)

a certificate of the applicant's child continuing education in a lower secondary school, upper secondary school,
secondary school or university;

5)

a decision to recognize or refuse to recognize a given person as unemployed and to lose the unemployed status, granted
no, refusal to grant, suspension or resumption of payment as well as loss or deprivation of the right to the allowance,
scholarship and other benefits financed from the Labor Fund that do not result from concluded contracts, or
declaration on remaining in the register of the unemployed or job seekers. ”;

3) in art. 10:
a) sec. 1 is replaced by the following:
"1. Financial aid may be granted to eligible persons in a difficult financial situation
health, health or in connection with the occurrence of random events. ",
b) in sec. 5 in point 1 lit. a is replaced by the following:
"A) in a difficult material or health situation or in the event of random events - up to 150%
the lowest pension, ".

85) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 98
© Chancellery of the Sejm

pp. 98/114

Art. 135. In the Act of June 12, 2015 on the greenhouse gas emission allowance trading scheme
(Journal of Laws of 2018, items 1201 and 2538) in art. 7 the current content is marked as sec. 1 and the following paragraph is added: 2 is added:
"2. Personal data processed in connection with the administration of the system are subject to safeguards to prevent
abusive or unlawful access or communication consisting, at least in:
1) allowing for the processing of personal data only persons who have a written authorization to
data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential
nesses. "

2)

Art. 136. In the Act of June 25, 2015 on the treatment of infertility (Journal of Laws of 2017, item 865), the following wording is introduced
the following changes:
1) in art. 37 paragraph. 8;
2) in art. 47 paragraph 1 is deleted. 3.
Art. 137. In the Act of 10 July 2015 on supporting the sustainable development of the fishing sector, with the participation of
European Maritime and Fisheries Fund (Journal of Laws of 2017, item 1267) in art. 25 after paragraph 1 the following paragraph shall be added: 1a
as follows:
"1a. The Agency is the administrator of the data collected in the electronic registration and storage system
the data referred to in art. 125 sec. 2 lit. d of Regulation No 1303/2013. ”.
Art. 138. In the Act of 11 September 2015 on insurance and reinsurance activities (Journal of Laws of 2019,
item 381) is hereby amended as follows:
1) in art. 3 in sec. 1 after point 33, point 33a shall be added as follows:
"33a) profiling - profiling of natural persons within the meaning of art. 4 point 4 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to
the generation of personal data and on the free movement of such data, and repealing the Directive
95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended 86) ),
hereinafter referred to as "Regulation 2016/679"; ";
2) in art. 35 sec. 7 is replaced by the following:
"7. The obligation referred to in paragraph 1. 1, applies to the Polish Chamber of Insurance and Insurance
Guarantee Fund and the Polish Bureau of Motor Insurers and their employees
completion of statutory tasks. ”;
3) after art. 35, the following Art. 35a and art. 35b is added:
"Art. 35a. The insurance undertaking may process personal data, including personal data covered by the obligation
keeping the secrecy referred to in art. 35 sec. 1, in the event of a justified suspicion that a crime has been committed
to the detriment of the insurance undertaking for the purpose and to the extent necessary to prevent this crime.
Art. 35b. For the processing of personal data by the insurance company, the provisions of art. 15 of the Regulation
2016/679 to the extent that it is necessary for the proper implementation of the anti-laundering tasks
money and terrorist financing and crime prevention shall not apply. ”;
4) in art. 38:
a) in sec. 2:
- in point 1, the words "and negotiations" are deleted,
- point 2 is replaced by the following:
"2) the reasons for outpatient treatment, diagnostic tests performed during it and their
the results, other health services provided and the results of treatment; ",
b) in sec. 6 the word "in writing" shall be deleted,
c) in sec. 8 in the second sentence, the word "in writing" shall be deleted;
5) in art. 39 in section 1 the word "written" used twice in different types and cases is deleted;

86) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 99
© Chancellery of the Sejm

pp. 99/114

6) in art. 41:
a) sec. 1 is replaced by the following:
"1. The insurance undertaking processes the data referred to in Art. 9 of Regulation 2016/679, concerning
health, the insured or entitled under the insurance contract, contained in the insurance contracts or
declarations submitted prior to the conclusion of the insurance contract, in order to assess the risk of the insurance
insurance contract or performance of the insurance contract, to the extent necessary due to the purpose and type of insurance
nia. ",
b) after sec. 1 the following paragraph shall be added: 1a-1c as follows:
"1a. The insurance undertaking may make decisions in individual cases, relying solely on
not for automated processing, including profiling, of personal data in order to:
1) assessment of insurance risk - in the case of personal data related to insurance
others,
performance of the insurance activities referred to in Art. 4 sec. 9 points 1 and 2 - in the case of data
personal data relating to the insured, policyholders and persons entitled under the insurance contract

2)

- provided that the person concerned by the automated decision is granted the right to receive appropriate
explain the grounds of the decision made, challenge this decision, express your own position and to
obtain human intervention.
1b. The decisions referred to in paragraph 1. 1a, may be taken only on the basis of the following categoriesdata relating to a natural person:
first name (names) and surname;

1)

2) family name;
3)

parents' names;

4)

date and place of birth;

5) age;
sex;

6)

7) citizenship;
8) PESEL number, if assigned;
9) tax identification number, if given;
10) number and series of identity card or other document confirming identity;
11) the nature of the work performed (industry);
12) place of residence;
13) insurance period;
14) insurance history;
15) sum insured;
16) marital status;
17) the insured's health condition;
18) financial situation;
19) the date and number of the damage registration, the date of the occurrence of the damage and the date of reporting the damage or claim;
20) identifying the insurance contract to which the damage relates;
21) identifying the subject of insurance.
1c. The insurance undertaking may process the personal data referred to in sec. 1b, relating to insurance
persons, policyholders or other persons entitled under the insurance contract, without the consent of the data subject
for the purposes referred to in Art. 33 paragraph 3, not longer than 12 years from the date of termination of the insurance contract. ",
(c) paragraph 3 is deleted. 2;
7) in art. 42 after paragraph 2 the following paragraph shall be added: 2a is added as follows:
"2a. In the cases referred to in para. 1 and 2, insurance company, Insurance Guarantee Fund,
The Polish Bureau of Motor Insurers and the Financial Ombudsman process the personal data of persons responsible
for the occurrence of the fortuitous event referred to in art. 10 of the Regulation 2016/679. ”.

23/04/2019

Page 100
© Chancellery of the Sejm

p. 100/114

Art. 139. In the Act of October 9, 2015 on the implementation of the Agreement between the Government of the Republic of Poland
and the Government of the United States of America on Improving International Tax Compliance
and implementation of the FATCA legislation (Journal of Laws of 2017, item 1858 and of 2019, item 694) in art. 11 the following paragraph is added: 3
as follows:
"3. Personal data processed in order to perform tasks under the Act and the FATCA Agreement
provide safeguards to prevent abuse or unlawful access or transmission
at least at:
1) allowing the data controller to process personal data only of persons authorized to do so
related;
a written commitment of persons authorized to process personal data to keep them confidential

2)

nothing;
3) regular testing and improvement of the applied technical and organizational measures;
4) ensuring safe communication in ICT networks, in particular by guaranteeing
not that the process of obtaining and transferring personal data to external entities uses the technology
cryptographic devices;
ensuring protection against unauthorized access to the IT systems of the authorities referred to

5)

in paragraph 1;
6)

ensuring data integrity in the IT systems of the authorities referred to in para. 1;

7)

defining the security rules for the processed personal data. ”.

Art. 140. In the Revitalization Act of October 9, 2015 (Journal of Laws of 2018, item 1398), the following is introduced
changes:
1) after art. 6, art. 6a is added as follows:
"Art. 6a. The head of the commune, mayor or city president performs the obligation referred to in Art. 13 sec. 1 and 2 of
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of persons
individuals with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1,
with later d. 87) ), hereinafter referred to as "Regulation 2016/679", by publishing relevant information in the Bulletin
Public Information on its personal page, on its website and in a visible place
at its headquarters, and in the case of activities referred to in Art. 6 sec. 2, additionally in the announcement and
no. ";
2) after art. 24, art. 24a and art. 24b is added as follows:
"Art. 24a. 1. In the case of processing personal data by the commune head, mayor or city president,
in order to perform the task of drawing up a municipal revitalization program, the law referred to
in art. 15 sec. 1 lit. g of Regulation 2016/679 shall apply to the extent that it does not affect the protection of rights and freedoms
the person from whom the data was obtained.
2. If the period of storage of personal data referred to in sec. 1, does not result from the
of the Act of July 14, 1983 on the national archival resource and archives (Journal of Laws of 2019, items 553 and 730)
the authorities referred to in para. 1, store the data for the period determined on the basis of art. 6 sec. 2b of this act.
3. The personal data referred to in sec. 1, are subject to safeguards preventing abuse or not
lawful access or transfer consisting at least in:
allowing for the processing of personal data only persons with a written authorization to

1)

data by the data administrator;
a written commitment of persons authorized to process personal data to keep them confidential
natures.

2)

4. The authorities referred to in para. 1, inform about the restriction referred to in para. 1, by sharing
relevant information in the Public Information Bulletin on your website, on your website,
entrance and in a visible place at its seat, and in the case of activities referred to in art. 6 sec. 2, addin the announcement and announcement.
Art. 24b. Submitting the request referred to in Art. 18 sec. 1 of the Regulation 2016/679, does not affect
course and result of the proceedings. ”.

87) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 101
© Chancellery of the Sejm

pp. 101/114

Art. 141. In the Act of February 11, 2016 on state aid in bringing up children (Journal of Laws of 2018, item 2134)
and 2354 and of 2019, item 60, 303 and 577) is hereby amended as follows:
1) in art. 12 in section 3 the words "may process" are replaced by the words "processes";
2) in art. 14:
a) in sec. 3, the first sentence is replaced by the following:
"The information referred to in sec. 2, are processed by the minister responsible for family affairs and the voivode
in order to monitor the implementation of educational benefits and to enable the competent authorities and
jewodom verification of the right to child benefits and by the entities mentioned in sec. 4 in order to
in which the information was made available to them. ",
b) in sec. 4a in the first sentence, the words "may process" are replaced with the word "processes";
3) after art. 14, art. 14a is added as follows:
"Art. 14a. 1. A domestic bank and a cooperative savings and credit union referred to in Art. 13
paragraph 5 point 3, and the Social Insurance Institution, for the purposes of submitting the application and attachments to the application,
in Art. 13 sec. 4, submitted in electronic form using the system referred to respectively
in art. 13 sec. 5 point 2 or 3, on behalf of the competent authority, process the following personal data concerning persons
applying for a child benefit and members of their families:
1)

first name and last name;

2)

date of birth;

3) address of the place of residence;
4) marital status;
5) citizenship;
sex;

6)

7) PESEL number, and if a PESEL number has not been issued - the number and series of the document confirming the identity
identity;
8) e-mail address and telephone number - in the case of a person applying for
chowawczyczy - if he has them;
income;

9)

10) information resulting from the certificates and declarations referred to in Art. 13 sec. 4 point 3.
2. Persons authorized by a domestic bank, a cooperative savings and credit union or Zakład UbezSocial roast for the processing of personal data referred to in para. 1, are obliged to keep
their confidentiality.
3. The domestic bank, the cooperative savings and credit union and the Social Insurance Institution provide
which allow for the submission of the application and attachments to the application referred to in Art. 13 sec. 4, by means of the system
rhyme, respectively, in Art. 13 sec. 5 paragraph 2 or 3, provide the necessary technical and organizational measures
ensuring the security of the processed personal data referred to in sec. 1, and the measures specified
in art. 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
the protection of natural persons with regard to the processing of personal data and on the free movement of such data
data and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119
of May 4, 2016, p. 1, as amended d. 88) ).
4. The domestic bank, the cooperative savings and credit union and the Social Insurance Institution provide
which allow for the submission of the application and attachments to the application referred to in Art. 13 sec. 4, by means of the system
rhyme, respectively, in Art. 13 sec. 5 points 2 or 3, provide the competent authority with information for confirming
fulfilling the obligations set out in art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council
of 27 April 2016 on the protection of individuals with regard to the processing of personal data
and on the free movement of such data, and repealing Directive 95/46 / EC (General
on data protection) and enable the competent authority to carry out audits and inspections.
5. If a domestic bank, a cooperative savings and credit union or Zakład Ubezpieczeń Spoin order to enable the submission of the application and attachments to the application referred to in Art. 13 sec. 4, using
the system referred to in Art. 13 sec. 5 point 2 or 3, use the services of another entity that will process
personal data referred to in sec. 1, this entity processes personal data on behalf of the competent authority. Bymouths 2-4 and art. 13 sec. 21 shall apply accordingly. ”;

88) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 102
© Chancellery of the Sejm

pp. 102/114

4) in art. 24:
a) in sec. 1 the words "may process" are replaced with the words "process",
b) after sec. 1 the following paragraph shall be added: 1a-1c as follows:
"1a. Personal data referred to in sec. 1, are subject to safeguards to prevent abuse or
unlawful access or transfer consisting at least in:
1)

allowing for the processing of personal data only persons with a written authorization
issued by the data controller or processor;

2)

a written obligation of persons authorized to process personal data to keep them in the
confidence.

1b. Persons processing personal data referred to in sec. 1, are obliged to keep them in the
confidence.
1c. In the case referred to in Art. 14a, the written authorization referred to in para. 1a, point 1, it seems
respectively, a domestic bank, a cooperative savings and credit union or the Social Insurance Institution. ”.
Art. 142. In the Act of February 25, 2016 on the re-use of public sector information (Journal of Laws
of 2018, item 1243 and 1669) is hereby amended as follows:
1) in art. 7:
a) sec. 1 is replaced by the following:
"1. The provisions of the Act do not infringe the right of access to public information or the freedom to disseminate it
ia, or the provisions of other acts specifying the terms, conditions and procedure for access or re-use
information that is public sector information. ",
(b) the following paragraph is added: 3-5 as follows:
"3. For the processing of personal data for the purpose of sharing or transmitting sector information
public to re-use the provision of art. 13 sec. 3 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC
(General Data Protection Regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 89) ), hereinafter referred to as
hereinafter "Regulation 2016/679", shall not apply.
4. For the processing of personal data by the user for the purpose of re-use:
1)

persons performing public functions related to the performance of these functions, including the conditions of
casting and performing these functions,

2)

natural persons representing legal persons, including their contact details,

3)

including the name (company), tax identification number (NIP) or the name and surname of the contractor under
obligated litter

- the provisions of Art. 14 sec. 1-4 of the Regulation 2016/679 shall not apply.
5. The obligation referred to in Art. 19 of the Regulation 2016/679, the obliged entity shall perform by
updating the data, respectively, on the website of the Public Information Bulletin, in the central
repository or otherwise. ';
2) in art. 14 in paragraph. 1 in point 3, the full stop is replaced by a semicolon and the following point 4 is added:
"4) public sector information containing personal data.".
Art. 143. In the Act of 29 April 2016 on special rules for the performance of certain tasks in the field of
computerization of the activities of the National Revenue Administration bodies (Journal of Laws of 2017, item 2192 and of 2019, item 492)
the following changes are introduced:
1) in the title of the act, the general description of the subject of the act shall be replaced by the following:
"On the specific rules for the performance of certain tasks related to computerization in the field of administrative departments
governmental budget and public finances ”;
2) art. 1 is replaced by the following:
"Art. 1. The Act defines the rules for the implementation of certain IT projects of public use
as defined in Art. 3 point 6 of the Act of February 17, 2005 on the computerization of the activities of implementing entities
public tasks (Journal of Laws of 2019, items 700 and 730) in the field of matters covered by government administration departments budget
and public finance, in order to provide the minister competent for budget and public finance, hereinafter referred to as

89) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 103
© Chancellery of the Sejm

pp. 103/114

hereinafter "the minister competent for public finance", and other bodies of the National Treasury Administration
data, ICT systems and solutions supporting the detection of violations of tax law
and higher efficiency of collection of taxes, fees and non-tax budgetary receivables, based on
o data obtained from ICT systems of the minister responsible for public finances and
new units of the National Revenue Administration and ICT systems used to service the state budget. ”;
3) in art. 2 in sec. 2, the introduction to the enumeration is replaced by the following:
"As part of the implementation of IT projects referred to in Art. 1, the special purpose vehicle performs for the benefit of the Treasury
State represented by the minister responsible for public finances public tasks in the scope of: ”;
4) in art. 17:
a) paragraph 1 is deleted. 1,
(b) paragraph 3 is deleted. 3,
(c) the following paragraph is added: 4 is added:
"4. Personal data processed in order to perform tasks under the Act are subject to security
to prevent abuse or unlawful access or transmission consisting of at least
less on:
1) allowing the data controller to process personal data only of persons for this purpose
entitled;
2)

a written commitment of persons authorized to process personal data to keep them
in secret;

3) regular testing and improvement of the applied technical and organizational measures;
4) ensuring safe communication in ICT networks, in particular by guaranteeing
making the process of acquiring and transferring personal data to external entities
developed cryptographic techniques;
5)

ensuring protection against unauthorized access to IT systems of the special purpose vehicle;

6)

ensuring data integrity in the IT systems of the special purpose vehicle;

7)

defining the security rules for the processed personal data. ”;

5) in art. 18:
a) sec. 1 is replaced by the following:

"1. The special purpose vehicle is obliged to appoint a data protection officer. ",
(b) paragraph 3 is deleted. 2 and 3,
c) used in paragraph 4, 5 and 7, the word "proxy" shall be replaced with the words "data protection officer",
d) sec. 6 is replaced by the following:
"6. In the event of a breach of the Act, provisions on the protection of personal data or regulations
on the protection of legally protected secrets, the Data Protection Officer takes steps to clarify
the circumstances of this violation, immediately notifying the management board of the special purpose vehicle and the minister responsible for
for public finance. ”.
Art. 144. In the Act of May 13, 2016 on Counteracting the Threats of Sexual Crimes (Journal of Laws
of 2018, item 405) in art. 5 sec. 2 is replaced by the following:
"2. The Minister of Justice is the administrator of personal data collected in the Register. ”.
Art. 145. In the Act of June 10, 2016 on the Bank Guarantee Fund, the guarantee system
deposits and forced restructuring (Journal of Laws of 2017, item 1937, as amended90 ) ) the following
changes:
1) after art. 5, art. 5a is added as follows:
"Art. 5a. The Fund processes personal data to the extent necessary to perform the tasks specified in art. 5
paragraph 1-6. ";
2) in art. 42 paragraph 1 is deleted. 4;

90) Amendments

to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2017, item 2491, of 2018, item 685, 723, 1637, and 2243

and of 2019, item 326.
23/04/2019

Page 104
© Chancellery of the Sejm

pp. 104/114

3) in art. 45 after paragraph 2 the following paragraph shall be added: 2a is added as follows:
"2a. The entity referred to in paragraph 1. 1, processes personal data to the extent necessary to make payments
guaranteed funds. ".
Art. 146. In the Act of 21 October 2016 on the concession for construction works or services (Journal of Laws
item 1920 and 2018, item 1669 and 1693) is hereby amended as follows:
1) in art. 13 after paragraph 2 the following paragraph shall be added: 2a is added as follows:
"2a. The contracting authority provides the personal data referred to in Art. 10 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC
(general regulation on data protection) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 91) ), hereinafter referred to as
"Regulation 2016/679", in order to enable the use of legal remedies referred to in
section 10, until the expiry of the period for their bringing. ”;
2) after art. 13, art. 13a is added as follows:
"Art. 13a. The contracting authority shall keep the documentation of the procedure, including the concession contract, for a period of 5 years from
the day of concluding the procedure for concluding a concession contract in a manner that guarantees its inviolability. If time
the duration of the concession contract exceeds 5 years, the contracting authority shall keep the contract throughout its duration. ”;
3) after art. 16, Art. 16a is added as follows:
"Art. 16a. 1. The contracting authority performs the obligations referred to in Art. 13 sec. 1-3 of Regulation 2016/679,
by including the required information in the concession notice, prior information notice,
when applying for a concession contract, in the concession documents or at the first
to the contractor.
2. If, in the concession award procedure or after its completion, the
referred to in Art. 15 sec. 1-3 of the Regulation 2016/679, would require a disproportionately large effort,
the ordering party may request the data subject to provide additional information in order to clarify
making the request, in particular the name or date of the concession award procedure.
3. The data subject's exercise of the right to rectify or supplement the information about which
referred to in Art. 16 of the Regulation 2016/679, may not result in a change in the result of the procedure for concluding a conassignment or a change to the provisions of the concession contract to the extent inconsistent with the Act and violation of the
kept documentation of the proceedings.
4. Submitting the request referred to in Art. 18 sec. 1 of Regulation 2016/679, does not limit the processing of
the provision of personal data until the concession contract procedure is completed.
5. The awarding entity shall inform about the limitations of the application of the provisions of Regulation 2016/679, in question
in paragraph 2 and 4, on the website of the conducted procedure, in the concession notice, in the preliminary announcement
information, an invitation to apply for a concession contract, in the concession documents or otherwise
available to the data subject. ”;
4) after art. 18 the following Art. 18a is added as follows:
"Art. 18a. 1. In the case of personal data provided by the ordering party in the Procurement Bulletin
The public law referred to in Art. 15 and art. 16 of Regulation 2016/679 shall be executed by way of a request
addressed to the ordering party.
2. The President of the Public Procurement Office ensures the technical maintenance of the ICT system, at
using which the Public Procurement Bulletin is made available, and determines the period of storage of personal data
placed in the Public Procurement Bulletin. ”;
5) in art. 26 the following paragraph is added: 8 is added:
"8. The manner of documenting employment and the rights of the contracting authority referred to in para. 7 points 1 and 2,
take into account the possibility of the contracting authority requesting:
1)

statements of the concessionaire or subcontractor on the employment of an employee under an employment contract,

2)

a certified copy of the employment contract of the employed employee, certified as a true copy of the original,

other documents
3)
- containing information, including personal data, necessary to verify employment under a contract
employment, in particular: name and surname of the employed employee, date of conclusion of the employment contract, type of contract
for a job, scope of employee's duties. ”;

91) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 105
© Chancellery of the Sejm

pp. 105/114

6) in art. 29 the following paragraph is added: 7 is added:
"7. The contracting authority processes personal data collected in the course of and after the conclusion of the procedure
concession contracts in a manner that guarantees their protection against their unlawful dissemination. ”;
7) in art. 30, the following paragraph is added: 6 is added:
"6. For the processing of personal data referred to in art. 10 of the Regulation 2016/679, may be
only persons with written authorization are allowed to go. Persons authorized to process such data
are obliged to keep them confidential. ”.
Art. 147. In the Act of November 16, 2016 on the National Revenue Administration (Journal of Laws of 2018, item 508,
with later d. 92) ) is hereby amended as follows:
1) after art. 34, art. 34a is added:
"Art. 34a. 1. KAS body may authorize employees or functionaries to process personal data
employees serving in KAS organizational units to the extent necessary to perform the tasks entrusted
those people. The authorization is issued in writing by personal authorization or authorization
position or an internal act, unless a specific law provides otherwise. The KAS body keeps a register
persons authorized to process personal data.
2. The provision of para. 1 shall apply mutatis mutandis to the National Tax School. ”;
2) in art. 35:
a) in sec. 3 in point 1 lit. d is replaced by the following:
"D) other documents and information provided to the bodies of KAS in order to perform statutory tasks;",
b) sec. 4 is replaced by the following:
"4. Head of the National Tax Administration, director of the National Tax Information, director of the
tax administration, the head of the tax office and the head of the customs and tax office introduce to
CRDP, the data contained in the documents and information referred to in para. 3 point 1. ";
3) in art. 47:
a) in sec. 1, the common part is replaced by the following:
"- can process the necessary information containing personal data.",
b) sec. 2 is replaced by the following:
"2. The data referred to in Art. 9 sec. 1 and art. 10 of the Regulation of the European Parliament and of the Council (EU)
2016/679 of 27 April 2016 on the protection of individuals with regard to data processing
data and on the free movement of such data, and repealing Directive 95/46 / EC (general
Data Protection Regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 93) ), hereinafter referred to as "Regulation
governance 2016/679 ", may be processed by the bodies of KAS only when it is necessary due to
on the scope or nature of the conducted proceedings or performed activities. ”;
4) after art. 47a, art. 47b – 47e as follows:
"Art. 47b. KAS authorities process personal data, including CRDP, for the purposes of performing tasks or duties
specified in the Act, for the period necessary to achieve these goals.
Art. 47c. Conducting analytical, forecasting and research activities related to remaining phenomena
in the jurisdiction of KAS and the risk analysis referred to in Art. 2 clause 1 paragraphs 10 and 12a, may rely on
automated data processing or automated decision making, including profiling,
calling legal effects against a profiled person or whose data is subject to automated processing.
Art. 47d. 1. In order to perform the obligation referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679,
KAS authorities may provide information on the processing of personal data in a publicly accessible place
at the seat of the KAS body and on its website or in the Public Information Bulletin on the website
subject matter of this authority or office that supports this authority. In this case, the KAS authority during the acquisition
personal data provides the data subject with information about the place where the information is made available.
2. The performance of the obligation referred to in Art. 13 sec. 1 and 2 of Regulation 2016/679, is carried out independently
not from the duties of KAS bodies and does not affect the course and results of the procedures referred to in sections IV and V.

92) Amendments

to the uniform text of the said Act were announced in Journal Of Laws of 2018, item 650, 723, 1000, 1039, 1499, 1544, 1577,

1654, 2193, 2245 and 2354 and of 2019, item 53 and 125.
93) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 106
© Chancellery of the Sejm

pp. 106/114

Art. 47e. Personal data processed in order to perform tasks under the Act are subject to protection
to prevent abuse or unlawful access or transmission consisting of at least
less on:
allowing the data controller to process personal data only of persons authorized to do so

1)

related;
a written commitment of persons authorized to process personal data to keep them confidential

2)

nothing;
3) regular testing and improvement of the applied technical and organizational measures;
4) ensuring safe communication in ICT networks, in particular by guaranteeing
not that the process of obtaining and transferring personal data to external entities uses the technology
cryptographic devices;
5)

ensuring protection against unauthorized access to KAS IT systems;

6)

ensuring data integrity in KAS IT systems;

7)

defining the security rules for the processed personal data. ”;

5) after art. 145, art. 145a is added:
"Art. 145a. 1. The processing of personal data referred to in:
1) art. 9 sec. 1 of Regulation 2016/679, with the exception of data revealing racial or ethnic origin,
political views, religious or philosophical beliefs and genetic data,
2) art. 10 of Regulation 2016/679
- relating to officers, is allowed only to the extent that it is necessary for the performance of tasks
the minister responsible for public finance, the Head of the National Revenue Administration or the director of the chamber
tax administration imposed by law.
2. The processing of the officer's biometric data is permissible also when providing such data
necessary to control access to rooms requiring special protection or special
important information, the disclosure of which may harm the authorities referred to in para. 1.
3. For the processing of personal data referred to in sec. 1, may only be
certificates with a written authorization to process such data issued by the Head of the National Administration
Tax Office or the director of the tax administration chamber. Officers authorized to process such
data are obliged to keep them secret.
4. In matters not regulated by the Act on matters related to the processing of personal data, provisions
art. 22 2 and art. 22 3 of the Act of June 26, 1974 - Labor Code (Journal of Laws of 2018, item 917, as amended 94) ), hereinafter referred to as
hereinafter referred to as the "Labor Code", shall apply accordingly. ";
6) art. 214 is replaced by the following:
"Art. 214. The provisions of the Labor Code concerning the rights of employees related to
with parenthood, unless the provisions of the Act are more favorable. ”.
Art. 148. In the Act of December 14, 2016 - Education Law (Journal of Laws of 2018, items 996, 1000, 1290, 1669 and 2245)
and of 2019, item 534) is hereby amended as follows:
1) after art. 30, art. 30a is added as follows:
"Art. 30a. 1. Other forms of pre-school education, schools, institutions, school management bodies or
centers, pedagogical supervision authorities and other entities performing the tasks and obligations specified in the
know they process personal data to the extent necessary for the performance of tasks and obligations arising from these
writings.
2. Teachers and other persons performing functions or performing work in the entities referred to in para. 1,
are obliged to maintain the confidentiality of information obtained in connection with their function or performed
work, concerning health, developmental and educational needs, psychophysical possibilities, sexuality, oriental
sexual, racial or ethnic origin, political opinion, religious or philosophical belief
full-fledged students.
3. The provision of para. 2 shall not apply:
in the event of a student's health risk;

1)

94) Amendments

to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2018, item 1000, 1076, 1608, 1629, 2215, 2244, 2245,

2377 and 2432 and of 2019, item 730.
23/04/2019

Page 107
© Chancellery of the Sejm

pp. 107/114

if the student, and in the case of a minor student, his / her parent agrees to disclose certain

2)

information;
where provided for in specific provisions. ";

3)

2) in art. 68 in paragraph. 1 in point 11, the full stop is replaced by a semicolon and the following point 12 is added:
"12) implements appropriate technical and organizational measures ensuring the compliance of personal data processing
by a school or facility with the provisions on the protection of personal data. ”.
Art. 149. In the Act of 15 December 2016 on the General Prosecutor's Office of the Republic of Poland (Journal of Laws, item 2261,
of 2018, item 723, 1544 and 1669 and of 2019, item 60) after art. 6, art. 6a is added as follows:
"Art. 6a. 1. For the processing of personal data, including the data referred to in Art. 9 sec. 1 and art. 10 of
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of persons
individuals with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1,
with later d. 95) ), hereinafter referred to as "Regulation 2016/679", in order to perform the statutory tasks of the Public Prosecutor's Office
ralna and the President of the General Prosecutor's Office specified in the Act and in the Act of 16 December 2016 on
management of state property (Journal of Laws of 2018, item 1182, as amended. 96) ), the provisions of art. 15 sec. 1 and 3 and art. 19 chapter
of the ordinance 2016/679 shall apply to the extent that it does not violate the secret of the General Prosecutor's Office referred to
in Chapter 4.
2. Submitting the request referred to in Art. 18 sec. 1 of Regulation 2016/679, does not affect the performance
tasks of the General Prosecutor's Office or the President of the General Public Prosecutor's Office.
3. The provision of art. 21 sec. 1 of the Regulation 2016/679 does not apply to personal data obtained
by the General Prosecutor's Office in connection with the provision of legal aid to entities referred to in Art. 12
paragraph 1 points 2 and 3.
4. The President of the General Prosecutor's Office reviews personal data in terms of their necessity for
storing:
1) every 2 years - in relation to data processed in connection with the implementation by the President of the General Prosecutor's Office
tasks referred to in the Act of 16 December 2016 on the principles of state property management;
2) every 10 years - in relation to data processed in connection with the implementation by the General Prosecutor's Office or
The President of the General Prosecutor's Office, other statutory tasks.
5. The President of the Public Prosecutor's Office, at the request of the data subject, informs about the restrictions
referred to in paragraph 1-3.
6. The obligation of secrecy of the General Prosecutor's Office, referred to in Chapter 4, does not cease to exist
the case when with a request to disclose information obtained by the General Prosecutor's Office in connection with the execution
the activities referred to in Art. 38 sec. 1, there is the President of the Personal Data Protection Office. ”.
Art. 150. In the Act of December 16, 2016 on the principles of state property management (Journal of Laws of 2018,
item 1182, as amended d. 97) ) after art. 8, art. 8a is added as follows:
"Art. 8a. 1. The Chancellery of the Prime Minister keeps a list of:
members of management and supervisory bodies of companies and proxies of the shareholder referred to

1)

in art. 11 sec. 2 of the Act of August 30, 1996 on Commercialization and Certain Employee Rights;
2)

persons who are shareholders of companies with State Treasury shareholding, representing at least one
share capital;

3)

persons who passed the examination referred to in Art. 19 paragraph 1 point 1 lit. h – j, and persons who have obtained permissions
to sit on supervisory bodies under the previously applicable regulations.

2. The Chancellery of the Prime Minister and entities referred to in Art. 8 sec. 1, are joint controllers
personal data of persons referred to in sec. 1 paragraphs 1 and 2, in the exercise of the powers delegated by
The Prime Minister. The mutual rights and obligations of the joint controllers are specified in the agreement.
3. The Chancellery of the Prime Minister may provide entities referred to in art. 8 sec. 1, personal data
bowe persons referred to in paragraph 1. 1, point 3, to the extent necessary for these entities to exercise their powers
provided by the Prime Minister. ”.

95) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
96) Amendments to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2018, item 1669, 1735, 2024, 2243 and 2270 and
of 2019, item 229, 447, 492, and 730.
97) Amendments to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2018, item 1669, 1735, 2024, 2243 and 2270 and
of 2019, item 229, 447 and 492.
23/04/2019

Page 108
© Chancellery of the Sejm

pp. 108/114

Art. 151. In the Act of 16 December 2016 - Provisions introducing the act on the principles of managing state property
stwowe (Journal of Laws, item 2260 and of 2018, items 1669 and 2159) after Art. 109, art. 109a is added:
"Art. 109a. The minister competent for the economy may entrust, by agreement, the Chancellery of
zesa of the Council of Ministers performing tasks related to the implementation, maintenance and development of the ICT system tactic supporting the performance of the contracts referred to in Art. 109. ".
Art. 152. In the Act of March 9, 2017 on the exchange of tax information with other countries (Journal of Laws of 2019,
item 648 and 694) is hereby amended as follows:
1) in art. 6, the current content is marked as para. 1 and the following paragraph is added: 2 is added:
"2. Personal data processed in order to perform tasks under the Act are subject to safeguards
preventing abuse or unlawful access or transmission consisting, at least, of:
allowing the data controller to process personal data only of persons authorized to do so

1)

related;
a written commitment of persons authorized to process personal data to keep them confidential

2)

nothing;
3) regular testing and improvement of the applied technical and organizational measures;
4) ensuring safe communication in ICT networks, in particular by guaranteeing
not that the process of obtaining and transferring personal data to external entities uses the technology
cryptographic devices;
5)

ensuring protection against unauthorized access to IT systems;

6)

ensuring data integrity in IT systems;

7)

defining the security rules for the processed personal data. ”;

2) in art. 30 sec. 1 is replaced by the following:
"1. The reporting financial institution performs the obligations referred to in Art. 13 of Parliament's regulation
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to
the generation of personal data and on the free movement of such data, and repealing the Directive
95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended 98) ), on
will expire allowing the reporting person to exercise his / her rights specified in Art. 15-20 of this regulation
of the ruling, before the information referred to in Art. 33 paragraph 1 and art. 36 sec. 1. "
Art. 153. In the Act of March 9, 2017 on the monitoring system for road and rail freight transport
(Journal of Laws of 2018, item 2332) in art. 4, paragraph 1 is deleted. 6.
Art. 154. In the Act of April 21, 2017 on combating doping in sport (Journal of Laws, item 1051 and of 2018
item 2245 and 2320) is amended as follows:
1) in art. 5 in sec. 1 after point 3, point 3a shall be added in the following wording:
"3a) conducting explanatory activities aimed at establishing disciplinary liability for doping
in the sport of the rider or, in the cases referred to in Art. 3 sec. 1 points 5-9, a person helping in the preparation
competition in sport; ';
2) after art. 27, art. 27a is added as follows:
"Art. 27a. In connection with planning and conducting doping control during the competition period
and beyond them, the Agency processes the following personal data of controllers:
1) face image;
sex;

2)

3) signature;
4) e-mail address;
5) telephone number;
6) information on anti-doping control carried out so far. ”;

98) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 109
© Chancellery of the Sejm

pp. 109/114

3) in art. 29:
a) sec. 1 is replaced by the following:
"1. The Agency by conducting doping control during an in-competition or out-of-competition period
them, performs a task carried out in the public interest, the purpose of which is to ensure the integrity of
sports competition, disclosure of the offenses referred to in art. 48 sec. 1 and art. 49, and health protection
players. ",
b) after sec. 3 the following paragraph shall be added: 3a is added as follows:
"3a. Players' personal data is subject to safeguards that prevent abuse or are incompatible
with the right to access or transfer, consisting at least in the admission to the processing of personal data
only persons with a written authorization issued by the data controller and in writing
obliging persons authorized to process personal data to keep them secret. ",
c) sec. 4-8 are replaced by the following:
"4. The players' personal data may be processed in the ICT system.
5. The Agency stores the players' personal data for the period necessary to complete the activities related to
with anti-doping control and determination of disciplinary liability for doping in sport,
however, for less than 10 years from the date of obtaining them.
6. Personal data of the players referred to in sec. 2 points 1, 2, 8, 13 and 18, the Agency may store
for a period longer than specified in paragraph 5, if they are necessary to establish disciplinary liability
for doping in sports.
7. The Agency verifies the collected personal data at least every 18 months
players, with the exception of the data referred to in paragraph 6, which the Agency verifies at least every 10 years.
8. Subject to the provisions of subpara. 6, after the expiry of the period referred to in para. 5, or after the verification
the tions referred to in para. 7, the collected personal data of players or such data deemed unnecessary shall be subject to
protocol and commission destruction, ordered by the Agency Director. ",
(d) the following paragraph is added: 9 is added:
"9. Submitting the request referred to in Art. 18 sec. 1 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC
(General Data Protection Regulation) (Journal of Laws UE L 119 of 04/05/2016, p. 1, as amended 99) ), does not affect
for the implementation of the task referred to in paragraph 1. "
Art. 155. In the Act of 11 May 2017 on statutory auditors, audit firms and public supervision
(Journal of Laws, item 1089 and of 2018, items 398, 1669, 2193 and 2243) the following changes are introduced:
1) after art. 2, Art. 2a and art. 2b as follows:
"Art. 2a. The Polish Chamber of Statutory Auditors is the administrator of data processed for the purposes of
tasks or duties by the self-government bodies of statutory auditors related to the activities of the Examination Committee
ts, hereinafter referred to as the "Committee", and the organization of examinations for candidates for statutory auditors.
Art. 2b. 1. Personal data processed in order to perform the tasks or obligations specified in the Act and
Regulation No. 537/2014 are subject to review at least every 5 years from the date of their receipt.
2. Personal data are subject to safeguards preventing abuse or unlawful access
entrusting or transferring at least in the following ways:
1)

allowing the data controller to process personal data only of persons authorized to do so
related;

2)

a written commitment of persons authorized to process personal data to keep them confidential
nothing;

3) regular testing and improvement of the applied technical and organizational measures;
4) ensuring safe communication in ICT networks;
5)

ensuring protection against unauthorized access to IT systems;

6) ensuring data integrity in IT systems;
7)

defining the security rules for the processed personal data.

99) The amendment

to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 110
© Chancellery of the Sejm

pp. 110/114

3. The obligation of secrecy referred to in Art. 78 and art. 95, does not cease in the event that with the request
disclosure of information obtained in connection with the performance of the profession of a statutory auditor or the performance
tasks by the entities referred to in these provisions are performed by the President of the Personal Data Protection Office. ”;
2) in art. 4 in sec. 2 in point 5, in the common part, the words "Examination, hereinafter referred to as" the Committee ", shall be deleted.
Art. 156. In the Act of 27 October 2017 on primary health care (Journal of Laws of 2019, item 357)
art. 20 is replaced by the following:
"Art. 20. The service provider providing primary health care services is obliged
to process, store and share personal data contained in the declaration of choice and in the information
the tions referred to in art. 16-18, in accordance with the provisions of the Act of November 6, 2008 on patient's rights
and the Patient's Rights Ombudsman (Journal of Laws of 2017, item 1318, as amended100 ) ) and the provisions on the protection of personal data
out. ".
Art. 157. In the Act of March 1, 2018 on counteracting money laundering and financing of terrorism (Journal of Laws
item 723, 1075, 1499 and 2215 and of 2019, item 125) is hereby amended as follows:
1) in art. 34, paragraph 1 is deleted. 6;
2) art. 66 is replaced by the following:
"Art. 66. The provisions shall not apply to the processing of personal data collected in the Register
art. 15 sec. 1 lit. c of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on
knows the protection of individuals with regard to the processing of personal data and on free movement
such data and repealing Directive 95/46 / EC (General Data Protection Regulation) (Journal of Laws UE L 119
of May 4, 2016, p. 1, as amended d. 101) ). "
Art. 158. In the Act of March 6, 2018 on the Central Register and Information on Economic Activity and the
Information for the Entrepreneur (Journal of Laws, item 647, 1544, 1629 and 2244 and of 2019, item 60), Art. 50.
Art. 159. In the Act of 22 March 2018 on bailiffs (Journal of Laws, items 771, 1443, 1669 and 2244 and
of 2019, item 55) is hereby amended as follows:
1) in art. 158 sec. 3 is replaced by the following:
"3. The Minister of Justice is the administrator of the ICT system used to process data
personal data contained in the documentation referred to in Art. 155 sec. 1 and art. 156. ";
2) after art. 159, art. 159a is added:
"Art. 159a. 1. Personal data contained in the ICT system created by 1 January 2021,
referred to in art. 158 sec. 1, are subject to safeguards preventing the abuse of
or unlawful access or transfer, in particular by applying proportionate
technical and organizational measures to ensure protection against unauthorized access
to the ICT system.
2. The administrators of the data in the system are bailiffs to the extent that these data relate to
their cases. ”;
3) after art. 164, art. 164a is added:
"Art. 164a. 1. When performing the obligation referred to in Art. 13 sec. 1 and 2 of the Regulation of the European Parliament
and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to processing
personal data and on the free movement of such data, and repealing Directive 95/46 / EC
(General Data Protection Regulation) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended 102) ), hereinafter referred to as
"Regulation 2016/679", bailiff:
1)

provides the data subject with the information referred to in art. 13 sec. 1 lit. aic regulation
2016/679, when obtaining this data from it;

2)

makes available in a publicly accessible place at the office or on the law firm's website, other
Permanent disclosure of information about what the data subject informs about during the collection
personal data from her.

100) Amendments

to the uniform text of the aforementioned Act were announced in Journal Of Laws of 2017, item 1524, 2018, item 1115, 1515, 2219

and 2429 and of 2019, item 150, 447 and 730.
to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
102) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
101) The amendment

23/04/2019

Page 111
© Chancellery of the Sejm

pp. 111/114

2. Obligations under Art. 15 of the Regulation 2016/679 are implemented on the terms specified in art. 9
of the Act of November 17, 1964 - Code of Civil Procedure, and only to the extent that it does not violate it
the bailiff's obligation to maintain professional secrecy referred to in art. 27.
3. In the scope of conducted proceedings or activities undertaken by the bailiff on the basis of
art. 3 sec. 3 and paragraph 4 points 1 and 2 of the Act, the provision of Art. 16 of Regulation 2016/679 shall apply only to the extent and on the basis of
courts provided for in the Act of 17 November 1964 - Code of Civil Procedure.
4. As part of the bailiff's performance of the tasks referred to in Art. 3 sec. 3 and paragraph 4 points 1 and 2, the use of
by a given person with the right to limit the processing of personal data referred to in art. 18 sec. 1 of the regulation
2016/679, takes place only in the manner provided for in Art. 767 of the Act of November 17, 1964 Code of Civil Procedure.".
Art. 160. In the Act of May 9, 2018 amending the Act - Road Traffic Law and certain other acts
(Journal of Laws, item 957) after Art. 16, Art. 16a is added as follows:
"Art. 16a. Until the date indicated in the communication referred to in Art. 16 sec. 2, the policeman will stop the driving license
against receipt if the vehicle driver exceeds the number of 24 points obtained for violations,
referred to in Art. 130 of the Act amended in Art. 1. The provisions of Art. 135 sec. 2, art. 136 sec. 1 and 1a and art. 139 of the Act
changed in art. 1 shall apply accordingly. ”.
Art. 161. In the Act of May 10, 2018 on the Protection of Personal Data (Journal of Laws, item 1000 and
the following changes:
1) after art. 5, art. 5a is added as follows:
"Art. 5a. 1. The administrator who has received personal data from an entity performing a public task, does not
he fulfills the obligations referred to in Art. 15 sec. 1-3 of the Regulation 2016/679, where the entity provides
the person who provided personal data made a request in this regard due to the need for proper performance
a public task aimed at:
1)

crime prevention, detection or prosecution of offenses or execution of penalties, incl
protection against and prevention of threats to public security;

2)

protection of the economic and financial interests of the state, including in particular:
a) realization and recovery of income from taxes, fees, non-tax budget receivables and others
receivables,
b) carrying out administrative enforcement of pecuniary and non-pecuniary receivables and execution
securing cash and non-cash receivables,
c) preventing the use of the activities of banks and financial institutions for purposes related to
zek with tax fraud,
d) disclosure and recovery of property threatened with forfeiture in connection with criminal offenses,
e) conducting inspections, including customs and fiscal inspections.

2. In the case referred to in par. 1, the administrator responds to the request made on the basis of
art. 15 of Regulation 2016/679 in a way that makes it impossible to determine that the administrator processes personal data
received from an entity performing a public task. ”;
2) after art. 6, art. 6a is added as follows:
"Art. 6a. 1. For the processing of personal data as part of the exercise of constitutional and statutory obligations
petitions of the President of the Republic of Poland, in matters not covered by national security, shall be applied accordingly
accordingly, the provisions of Art. 4-7, art. 11, art. 12, art. 16, art. 17, art. 24 sec. 1 and 2, art. 25 sec. 1 and 2, art. 28-30, art. 32, art. 34,
art. 35, art. 37-39 and art. 86 of the Regulation 2016/679 and the provisions of art. 6 and art. 11 of the Act.
2. The processing of data referred to in Art. 9 and art. 10 of Regulation 2016/679, takes place in the scope of
unnecessary for the implementation of the constitutional and statutory powers of the President of the Republic of Poland, if the law
or freedoms of the data subject do not override the performance of the tasks resulting from these
petition. ";
3) after art. 11 the following Art. 11a is added as follows:
"Art. 11a. 1. The entity that appointed the inspector may appoint a person replacing the inspector during his time
absences, taking into account the criteria referred to in art. 37 sec. 5 and 6 of Regulation 2016/679.
2. In connection with the performance of the inspector's duties during his absence to the person replacing him
the provisions relating to the inspector shall apply accordingly.
3. The entity that appointed the person replacing the inspector shall notify the President of the Office of the appointment under the procedure
specified in Art. 10 and provides her data in accordance with art. 11. ";
23/04/2019

Page 112
© Chancellery of the Sejm

pp. 112/114

4) in art. 57 sec. 1 is replaced by the following:
"1. The administrator may apply to the President of the Office for prior consultations,
referred to in Art. 36 of Regulation 2016/679. ”;
5) after art. 101, the following Art. 101a is added as follows:
"Art. 101a. 1. In connection with the pending proceedings on the imposition of an administrative fine,
the entity referred to in art. 101, is obliged to provide the President of the Office, at his request, on the
30 days will elapse from the date of receipt of the request and the data necessary to determine the basis of the administrative penalty
monetary.
2. If the data is not provided by the entity referred to in Art. 101, or when provided by
this entity makes it impossible to determine the basis of the administrative fine, the President of the Office determines
the basis for the assessment of the administrative fine in an estimated manner, taking into account the size of the entity, specific
fic of his business or publicly available financial data about the entity. ";
6) in art. 108 the current content is marked as para. 1 and the following paragraph is added: 2 is added:
"2. The same penalty shall be imposed on anyone who, in connection with the pending proceedings on the imposition of an administrative
penalty, does not provide the data necessary to determine the basis for the assessment of the administrative fine
or provides data that make it impossible to determine the basis of the administrative fine. ”.
Art. 162. In the Act of July 20, 2018 - Law on Higher Education and Science (Journal of Laws, item 1668, as amended)
d. 103) ) is hereby amended as follows:
1) in art. 176, point 1 is replaced by the following:
"1) Art. 24 sec. 9, art. 177–180, art. 182–226, art. 259–262, art. 264, art. 266, art. 267 paragraph. 1, art. 268-270, art. 322,
art. 343, art. 345, art. 346, art. 348-350, art. 351 paragraph. 4, art. 354, art. 355, art. 360–362, art. 408, art. 409 paragraph. 2-5,
art. 410, art. 411, art. 420, art. 423, art. 425–428, art. 432, art. 469a and article. 469b; ";
2) in art. 258 paragraph 1 is deleted. 3;
3) after section XIV, section XIVa is added as follows:
"Division XIVa
Processing of personal data
Art. 469a. The obligation resulting from the fulfillment of the request made pursuant to art. 16 of Parliament's regulation
of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons in relation to
with the processing of personal data and on the free movement of such data, and repealing the directive
95/46 / EC (general regulation on data protection) (Journal of Laws UE L 119 of 04.05.2016, p. 1, as amended 104) ), as
hereinafter referred to as "Regulation 2016/679", is performed by the entity that obtained the data from the data subject.
Art. 469b. 1. For the processing of personal data by entities referred to in Art. 7 sec. 1 points 1 and 4-7,
for the purposes of research and development, the application of the provisions of Art. 15, art. 16, art. 18 and art. 21
of Regulation 2016/679, if it is probable that the rights specified in these provisions will prevent
or seriously hamper the achievement of the objectives of research and development, and if these exclusions are necessary for
achieving these goals.
2. Processing is allowed to the extent necessary to conduct research and development work
personal data revealing racial or ethnic origin, political opinions, religious beliefs or
worldview, trade union membership and the processing of genetic data, bio-data
for the purpose of uniquely identifying a natural person or data concerning health, sexuality or
sexual orientation of this person, provided that the publication of the results of these studies and papers is done in a manner
enabling the identification of a natural person whose data has been processed.
3. When processing personal data referred to in sec. 1 and 2, the data controller implements the appropriate
technical and organizational security of the rights and freedoms of natural persons whose personal data is processed
pursuant to Regulation 2016/679, in particular by pseudonymisation or data encryption,
authorizing the processing of such data to a minimum number of people necessary to conduct research and work
development, access control to rooms where documents containing personal data are stored,
and the development of a procedure specifying the method of data protection.
4. The personal data referred to in sec. 1 and 2, shall be anonymized immediately after achieving the research objective
research or development work. Until then, data that can be used to identify the person concerned

103) Amendments

to the mentioned Act were announced in the Journal Of Laws of 2018, item 2024 and 2245 and of 2019, item 276, 447, 534, and 577.
104) The amendment to the above-mentioned regulation was announced in the Journal Of UE L 127 of 23/05/2018, p. 2.
23/04/2019

Page 113
© Chancellery of the Sejm

pp. 113/114

physical, must be entered separately. They can be combined with details of an individual
only if required for the purpose of research or development.
5. For the processing of personal data in order to prepare a diploma thesis or doctoral dissertation,
required to obtain a diploma of completion of studies or an academic degree, the provisions of para. 1-4 applies
out. ”.
Art. 163. 1. An employer who, on the date of entry into force of this Act, uses monitoring of premises
of the workplace trade union organization referred to in Art. 22 2 § 2 of the Act amended in Art. 4 as it is
owls, within 14 days from the date of entry into force of this Act, ceases to monitor such rooms
it shall immediately inform the workplace trade union organization.
2. An employer who, on the date of entry into force of this Act, uses the monitoring of sanitary rooms referred to
referred to in Art. 22 2 § 2 of the Act amended in Art. 4 in the current wording, is required to obtain consent to
the continued use of monitoring of the workplace trade union organization, and if the employer does not have a workplace organization
union - consent of employee representatives elected in accordance with the procedure adopted by a given employer, no later than
within 30 days from the date of entry into force of this Act. Within 3 days from the date of refusal to grant consent or from
on the expiry of the 30-day period for granting it, the employer ceases to monitor such rooms,
of which he immediately informs the company trade union or employee representatives.
Art. 164. The existing executive regulations issued on the basis of:
1) art. 14 g of paragraph 1. 5 of the Act amended in Art. 20 remain in force until the date of entry into force of the implementing provisions issued
on the basis of art. 14 g of paragraph 1. 3 of the Act amended in Art. 20, as amended by this Act, but not
for less than 24 months from the date of entry into force of this Act;
2) art. 21 sec. 3 of the Act amended in Art. 33 remain in force until the entry into force of the implementing regulations issued
based on Article. 21 sec. 3 of the Act amended in Art. 33, as amended by this Act, but no longer than
for a period of 12 months from the date of entry into force of this Act;
3) art. 6 sec. 3 of the Act amended in Art. 55 remain in force until the entry into force of the implementing regulations issued
based on Article. 6 sec. 11 of the Act amended in Art. 55, as amended by this Act, but no longer than
for a period of 12 months from the date of entry into force of this Act;
4) art. 33 paragraph 5 of the Act amended in Art. 75 remain in force until the entry into force of the implementing regulations issued
based on Article. 33 paragraph 5 of the Act amended in Art. 75, but no longer than for a period of 12 months from the date of entry
the entry into force of this Act;
5) art. 38 sec. 9 of the Act amended in Art. 138 remain in force until the entry into force of the implementing provisions issued
on the basis of art. 38 sec. 9 of the Act amended in Art. 138, but not longer than for a period of 12 months from the date
entry into force of this Act.
Art. 165. Resolutions issued prior to the entry into force of this Act pursuant to Art. 6n of the amended act
in art. 37 remain in force until the resolutions pursuant to Art. 6n of the Act amended in Art. 37, as amended
by this Act, but not longer than for a period of 12 months from the date of entry into force of this Act.
Art. 166. The provision of Art. 143e of the Act amended in Art. 72 apply to public procurement procedures
instituted after the entry into force of this Act.
Art. 167. Matters initiated and not completed before the date of entry into force of Art. 13a of the Act amended in Art. 87 thisthe Act is carried out on the basis of the existing provisions.
Art. 168. The provisions of Art. 130a and art. 131 of the Act amended in Art. 129, as amended by this Act, shall apply
according to birth certificates and marriage certificates issued in the register of civil status concerning persons, for
for whom no death certificate has been drawn up or information on death has not been registered, if the books of births and marriage books,
in which these files were drawn up, were transferred to the appropriate state archives pursuant to Art. 128 of the act
changed in art. 129, in the current wording.
Art. 169. In cases initiated pursuant to Art. 57 of the Act amended in Art. 161, in the current wording,
and not completed before the date of entry into force of this Act, prior consultations are not granted, and the initiated proceedings
seriously it is redeemed.
Art. 170. The central register established pursuant to Art. 4 sec. 4 of the Act amended in Art. 75, containing personal data,
referred to in Art. 4 sec. 5a of the Act amended in Art. 75, becomes the central register referred to in article 2. 4 sec. 4a
the act amended in Art. 75.
23/04/2019

Page 114
© Chancellery of the Sejm

pp. 114/114

Art. 171. The entities referred to in Art. 4 sec. 5k of the Act amended in Art. 75, meet the security specified
in art. 4 sec. 5d of the act amended in art. 75 within 6 months from the date of entry into force of this Act.
Art. 172. 1. A business information bureau operating on the date of entry into force of this Act, which
the applicable data management regulations were approved by the minister responsible for economy before
on May 25, 2018, will adjust the data management regulations to the provisions of the act amended in art. 105 as amended
given by this Act, within 3 months from the date of entry into force of this Act and will submit no later than on
14 days will elapse from the date of its adoption for approval by the minister competent for economy.
2. In the event of failure to provide the economic information bureau, referred to in paragraph. 1, to the minister competent for
economic affairs to approve the regulations of data management within the time limit referred to in para. 1, the competent minister
for the economy issues a decision prohibiting the office from pursuing economic activity.
3. Final decision on the prohibition of economic activity by the economic information bureau
causes the dissolution of the joint-stock company in the form of which the office is run.
4. The data management regulations submitted and not approved until the effective date of this Act shall be returned
in order to adapt to the provisions of the Act amended in Art. 105, unless before the date of entry into force of this Act
The President of the Personal Data Protection Office issued a positive opinion in relation to these regulations
in art. 11 sec. 2 of the Act amended in Art. 105.
Art. 173. The Act shall enter into force after 14 days from the date of its publication, except for:
1) art. 87, paragraph 1, which shall enter into force 90 days from the date of its announcement;
2) art. 107 points 7 and 8, which shall enter into force on May 1, 2019;
3) art. 157 point 2, which shall enter into force on October 13, 2019.

President of the Republic of Poland: A. Duda

23/04/2019

