Provisions of criminal law in personal data protection – some remarks
Katarzyna Pruszkiewicz-Słowńska
Uniwersytet Warmińsko-Mazurski w Olsztynie UWMhttps://orcid.org/0000-0001-8441-0143
Abstract
Numerous academic studies have addressed the criminalisation of personal data protection offences in the Polish legal system. However, few publications offer structured information on the rights of injured parties in criminal proceedings where their personal data has been processed without legal grounds or authorisation. Although criminal law provisions pertaining to the protection of personal data have been in place since the Act on the Protection of Personal Data of 29 August 1997 and are now set out in the applicable Act on the Protection of Personal Data of 10 May 2018, many data controllers still process personal data without realising that they are continually exposing themselves to liability. This raises the question of the extent to which the new provisions on personal data breaches have ensured more effective and precise protection. This study aims to analyse selected criminal law provisions regarding personal data protection, taking into account the rights of parties affected by unauthorised personal data processing. The paper approaches the issue from a legal theoretical standpoint, employing elements of dogmatic analysis. There is also a practical dimension to this, as the study discusses cases that have been heard in national courts. The intention behind introducing criminal provisions for the protection of personal data was to impose criminal liability only in exceptional situations involving the most serious violations. However, an analysis of selected criminal cases heard by national courts shows that these proceedings often result in a conditional fine or imprisonment. While there is no doubt that the provisions shaping criminal liability have a deterrent effect on the average citizen, their effectiveness in achieving the objectives of the GDPR is questionable.
Keywords:
penal law, injured party, personal data, personal data processing, breachReferences
Barta P., Litwiński P., Ustawa o ochronie danych osobowych. Komentarz, C.H. Beck, Warsaw 2015. Google Scholar
Bielak-Jomaa E., Lubasz D. (eds.), RODO. Ogólne rozporządzenie o ochronie danych. Komentarz, 2018, Lex. Google Scholar
Dudka K. (ed.), Kodeks postępowania karnego. Komentarz, 2023, Lex. Google Scholar
Fajgielski P., Komentarz do rozporządzenia nr 2016/679 w sprawie ochrony osób fizycznych w związku z przetwarzaniem danych osobowych i w sprawie swobodnego przepływu takich danych oraz uchylenia dyrektywy 95/46/WE (ogólne rozporządzenie o ochronie danych), [in:] idem, Ogólne rozporządzenie o ochronie danych. Ustawa o ochronie danych osobowych. Komentarz, 2022, Legalis. Google Scholar
Litwiński P. (ed.), Ustawa o ochronie danych osobowych. Komentarz, 2018, Legalis. Google Scholar
Poniatowski P., Niedopuszczalne lub nieuprawnione przetwarzanie danych osobowych – aspekty prawnokarne, „Prokuratura i Prawo” 2021, No. 10. Google Scholar
Schabowski J., Nielegalne przetwarzanie danych osobowych. Sankcje karne, [in:] P. Litwiński (ed.), Odo. Compliance. Praktyczny komentarz z przykładami i orzecznictwem, 2025, Legalis. Google Scholar
Świecki D. (ed.), Kodeks postępowania karnego, Vol. 1: Komentarz aktualizowany, 2025, Lex. Google Scholar
Uniwersytet Warmińsko-Mazurski w Olsztynie UWM
https://orcid.org/0000-0001-8441-0143
License
This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.
