Polish Data Protection Law
On 4 May 2019, new Polish data protection legislation entered into force. The legislation introduces amendments to 162 existing sectoral acts to ensure compliance with the GDPR. These include the Telecommunications Law, the Electronic Services Act, the Public Procurement Law and the Tax Ordinance. The most striking and most discussed changes were introduced into the Labor Code and the Banking and Insurance Law.
A provision allowing for automated decisions and profiling was introduced for insurers. Customer consent is not necessary if automated decisions are taken for insurance risk assessment purposes or in handling claims, provided they are based on the types of personal data listed in the Act. The right to obtain human intervention and explanations applies. This new law also introduced a maximum retention period of 12 years for listed personal data that can be used for profiling and automated decision-making processes.
Moreover, the Act gives banks the right to take automated decisions and profile clients without their consent when determining their creditworthiness and performing credit risk analysis checks. However, automated decisions without a client’s consent can be based only on listed and limited types of personal data and, importantly, such decisions cannot be based on special categories of personal data. The Act also gives clients the right to acquaint themselves with the basis of their creditworthiness assessments, and banks must ensure that the reconsideration of automated decisions involves human-made assessments.