Poland Data Protection Act 2018
Personal Data Protection Act
Ustawa z dnia 10 maja 2018 r. o ochronie danych osobowych
Poland
RET-PL-NA-PROTECT-2018
Last updated: February 21, 2019
Effective: May 25, 2018
In Force (Amended)
Poland's Personal Data Protection Act (PDPA) of 2018 implements the EU GDPR, establishing the national framework for safeguarding personal data, including employee remuneration information. While it sets general data handling standards, specific pay equity and transparency obligations are introduced through complementary legislation, notably the implementation of the EU Pay Transparency Directive. The Act ensures lawful, fair, and transparent processing of data, crucial for any pay equity initiatives.
Overview
The Personal Data Protection Act (Ustawa z dnia 10 maja 2018 r. o ochronie danych osobowych) serves as Poland's primary national legislation for the protection of personal data, directly implementing the European Union's General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) into the Polish legal system. This Act, which came into force on May 25, 2018, replaced the previous Personal Data Protection Act of August 29, 1997, and significantly updated the legal framework for data processing in line with modern digital challenges and enhanced individual rights. Its overarching purpose is to safeguard the fundamental rights and freedoms of natural persons, particularly their right to the protection of personal data, by establishing clear rules for the collection, storage, use, and disclosure of such data across all sectors, including employment. While the Personal Data Protection Act provides the foundational legal framework for how personal data, including employee remuneration information, must be handled, it does not directly impose specific obligations related to pay equity, pay transparency, or gender pay gap reporting. Instead, its provisions ensure that any data collected for such purposes, or any data revealed through transparency measures, is processed lawfully, fairly, and transparently, with due regard for the data subject's rights. The Act is crucial for establishing the conditions under which employers can collect and process sensitive employee data, including salary information, ensuring that such processing is legitimate, proportionate, and secure. However, the specific mechanisms for promoting pay equity, enhancing pay transparency, and mandating pay gap reporting in Poland are primarily addressed by other, complementary legislation. 
Notably, Poland is in the process of implementing the EU Pay Transparency Directive (Directive (EU) 2023/970), which aims to strengthen the application of the principle of equal pay for equal work or work of equal value between men and women. This implementation involves amendments to the Labour Code and the introduction of new standalone legislation, which directly tackle the topics of pay transparency in hiring, pay gap reporting, and enforcement mechanisms. Therefore, while the Personal Data Protection Act sets the general data handling standards, the substantive obligations concerning pay equity are found in these specialized employment laws.
Definitions
The Personal Data Protection Act (PDPA) establishes a comprehensive set of definitions crucial for understanding its scope and application. 'Personal data' is broadly defined as any information relating to an identified or identifiable natural person ('data subject'). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This definition is fundamental, as it encompasses all forms of employee information, including salary, benefits, and other remuneration components, thereby subjecting them to the Act's protective measures. The 'processing of data' is another pivotal term, covering any operation or set of operations performed on personal data, whether or not by automated means. This includes collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. This expansive definition means that any action an employer takes with employee pay data—from collecting it for internal analysis to disclosing it as part of transparency requirements—falls under the purview of the PDPA, necessitating adherence to its principles of lawfulness, fairness, and transparency. While the PDPA defines terms related to data handling, the concepts of 'equal pay for equal work or work of equal value' and 'remuneration' are primarily defined within Poland's Labour Code and the new legislation implementing the EU Pay Transparency Directive. 
'Equal pay for equal work or work of equal value' signifies that men and women should receive equal remuneration for performing the same work or work to which equal value is attributed, based on objective, gender-neutral criteria such as skills, effort, responsibility, and working conditions. 'Remuneration' is understood broadly to include all components of pay, regardless of their name or nature, as well as other work-related benefits granted to employees in cash or in-kind. These definitions are central to the pay equity framework, ensuring a comprehensive approach to assessing and addressing pay disparities.
Covered Employers
The Personal Data Protection Act (PDPA) applies to virtually all entities that process personal data in Poland, regardless of their size or sector, acting as data controllers or processors. This means that all employers, irrespective of their employee count, are subject to the PDPA's obligations when collecting, storing, and processing the personal data of their employees, including sensitive information such as remuneration details. The Act's territorial scope extends to processing carried out by a controller or processor established in Poland, or where the processing relates to data subjects in Poland, even if the controller or processor is not established in the EU. However, when considering the specific obligations related to pay transparency and pay gap reporting, the scope of covered employers is defined by the new legislation implementing the EU Pay Transparency Directive. While the precise thresholds are being finalized, initial drafts and discussions indicate that obligations such as gender pay gap reporting will apply to employers based on their employee headcount. For instance, employers with at least 100 employees are expected to have mandatory reporting obligations, with different frequencies depending on their size (e.g., every three years for employers with 100 to 249 employees, and annually for those with 250 or more). Furthermore, the pay transparency requirements in recruitment, such as providing salary ranges in job advertisements and prohibiting questions about pay history, are expected to apply to all employers, regardless of their size, as these are fundamental aspects of ensuring non-discriminatory recruitment processes. The implementation of the Pay Transparency Directive aims to create a level playing field across the employment market, ensuring that the principle of equal pay is upheld from the initial stages of employment. 
Therefore, while the PDPA provides a universal data protection baseline, the specific pay equity obligations are tiered and targeted based on employer characteristics, particularly size, under the new supplementary laws.
Employee Rights
Under the Personal Data Protection Act (PDPA), employees, as data subjects, are granted a comprehensive set of rights concerning their personal data, including information related to their employment and remuneration. These rights are designed to ensure transparency and control over how their data is processed. Key rights include the right to be informed about the collection and use of their personal data, the right of access to their data, the right to rectification of inaccurate data, the right to erasure ('right to be forgotten') under certain conditions, and the right to restriction of processing. Employees also have the right to data portability, allowing them to obtain and reuse their personal data for their own purposes across different services. In the context of pay equity, these data protection rights are crucial. For example, the right of access allows an employee to request and obtain information about their own salary data held by the employer. While the PDPA does not mandate pay transparency in the sense of disclosing other employees' salaries, it ensures that an individual can verify the accuracy of their own pay records and understand how their remuneration data is being processed. Any collection or processing of pay data for pay equity analysis must respect these fundamental data subject rights, ensuring that employees are informed and their data is handled lawfully. Complementing these data protection rights, the new legislation implementing the EU Pay Transparency Directive introduces specific employee rights related to pay equity. Employees will have the right to request information from their employer about their individual pay level and the average pay levels, broken down by gender, for categories of employees performing the same work or work of equal value. This right is a cornerstone of pay transparency, empowering employees to identify potential pay disparities. 
Furthermore, employees will have the right to discuss their wages without fear of retaliation, fostering an environment where pay transparency can genuinely contribute to addressing gender pay gaps. Employers will be obliged to inform employees of these rights annually.
Pay Transparency Requirements
The Personal Data Protection Act (PDPA) itself does not impose specific pay transparency requirements in the context of disclosing salary ranges in job postings or prohibiting pay history inquiries. Its focus is on the lawful, fair, and transparent processing of any personal data, including remuneration data, once it is collected. However, the principles of data minimization and purpose limitation under the PDPA would implicitly guide how employers handle pay-related information, ensuring that only necessary data is collected and used for specified, legitimate purposes. Significant pay transparency requirements are being introduced in Poland through the implementation of the EU Pay Transparency Directive. As of December 24, 2025, employers will be obliged to inform job candidates about the initial amount of salary or its range for the position they are applying for. This information must be provided in the job offer, before the job interview, or before concluding an employment contract, and should be presented in a written or electronic form. This measure aims to ensure informed and transparent negotiations about pay, preventing the perpetuation of historical pay discrimination. Furthermore, the new legislation explicitly prohibits employers from asking candidates about their remuneration at their current or previous employers. This 'pay history ban' is a critical component of pay transparency, designed to break cycles of pay discrimination that might follow individuals from one job to another. Job advertisements and job titles must also be prepared in a gender-neutral manner, and recruitment processes must be conducted in a non-discriminatory way. These requirements collectively aim to foster a more equitable and transparent recruitment landscape, aligning with the broader goals of the EU Pay Transparency Directive.
Reporting & Audit Obligations
The Personal Data Protection Act (PDPA) does not directly impose obligations for employers to conduct pay equity audits or submit gender pay gap reports. Its focus is on the secure and lawful processing of personal data, meaning that if an employer *does* collect data for such reports, it must be done in compliance with PDPA principles. This includes ensuring that the collection is for a legitimate purpose, the data is accurate, and appropriate security measures are in place to protect sensitive remuneration information. However, comprehensive reporting and audit obligations are being introduced in Poland as part of the implementation of the EU Pay Transparency Directive. Employers meeting certain size thresholds will be required to prepare and submit gender pay gap reports. Specifically, employers with at least 100 employees will have mandatory reporting obligations. For employers with 100 to 249 employees, reports will be required every three years, while those with 250 or more employees will need to report annually. These reports must detail the gender pay gap and other relevant pay information, broken down by categories of employees performing the same work or work of equal value. The draft legislation also outlines procedures for addressing identified pay gaps. If a gender pay gap of 5% or more is identified within a category of workers and cannot be justified by objective, gender-neutral criteria, the employer will generally have six months to take effective remedial action. Failure to close such a gap may trigger a mandatory joint pay assessment with trade unions or employee representatives. These reports will be accessible to employees and supervisory authorities, enhancing accountability and facilitating the identification and rectification of pay disparities.
Governance & Enforcement Bodies
The primary governance and enforcement body for the Personal Data Protection Act (PDPA) in Poland is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO). UODO is an independent public authority responsible for supervising the application of data protection legislation, including the GDPR and the national PDPA. Its responsibilities include conducting investigations, imposing administrative fines, issuing warnings, and advising on data protection matters. Data subjects (employees) can file complaints with UODO if they believe their data protection rights have been violated by an employer. For matters concerning employment law and the principle of equal pay, the National Labour Inspectorate (Państwowa Inspekcja Pracy, PIP) traditionally serves as a key enforcement body. PIP is responsible for supervising and controlling compliance with labour law, including provisions related to equal treatment in employment and non-discrimination. With the implementation of the EU Pay Transparency Directive, the powers and responsibilities of PIP, or potentially new specialized bodies, are expected to be enhanced to specifically address pay equity and transparency violations. The new legislation implementing the Pay Transparency Directive is also expected to establish or designate specific monitoring bodies for pay gap reporting and compliance. These bodies will be responsible for receiving and reviewing the mandatory gender pay gap reports submitted by employers, monitoring compliance with pay transparency requirements, and initiating enforcement actions where necessary. The interaction between UODO, PIP, and these new or enhanced bodies will be crucial for a comprehensive enforcement framework, ensuring both data protection and pay equity principles are upheld in the workplace.
Monitoring & Evaluation
The monitoring and evaluation of compliance with the Personal Data Protection Act (PDPA) primarily falls under the purview of the President of the Personal Data Protection Office (UODO). UODO conducts inspections, investigates complaints from data subjects (employees), and has the authority to issue corrective measures, warnings, and administrative fines. The monitoring process involves assessing whether data controllers and processors adhere to the principles of lawful, fair, and transparent processing, purpose limitation, data minimization, accuracy, storage limitation, integrity, and confidentiality when handling personal data, including employee remuneration data. In the context of pay equity, while the PDPA ensures the proper handling of data, the monitoring and evaluation of pay transparency and equal pay principles are governed by the new legislation implementing the EU Pay Transparency Directive. This new framework will introduce specific mechanisms for monitoring employer compliance with pay transparency requirements, such as the provision of salary ranges in job advertisements and the prohibition of pay history inquiries. The National Labour Inspectorate (PIP) is expected to play a significant role in these inspections, ensuring adherence to the amended Labour Code provisions. Furthermore, the mandatory gender pay gap reporting obligations for larger employers will serve as a key tool for monitoring and evaluation. The designated monitoring bodies will analyze these reports to identify significant, unjustified pay gaps. If a gap exceeding a certain threshold (e.g., 5%) is found and cannot be objectively justified, employers will be required to take remedial action. The effectiveness of these measures will be evaluated based on the reduction of gender pay gaps over time and the overall compliance rate with the new transparency and reporting obligations, with regular assessments and potential adjustments to the regulatory framework.
Enforcement & Penalties
The Personal Data Protection Act (PDPA) provides for significant enforcement powers and penalties for non-compliance, aligning with the GDPR framework. The President of the Personal Data Protection Office (UODO) can impose administrative fines that are substantial, designed to be effective, proportionate, and dissuasive. For serious infringements, fines can reach up to EUR 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Lesser infringements may incur fines up to EUR 10 million or 2% of worldwide annual turnover. These penalties apply to violations such as unlawful processing of personal data, failure to comply with data subject rights, or inadequate security measures for employee data. In addition to administrative fines, individuals whose data protection rights have been infringed may have the right to receive compensation for damages suffered. The PDPA also outlines criminal liability for certain intentional data protection offenses, such as unlawful processing of personal data for personal gain. The appeals process for UODO decisions typically involves appealing to administrative courts. For violations of the new pay transparency and equal pay provisions introduced through the implementation of the EU Pay Transparency Directive, specific enforcement mechanisms and penalties are being established. These may include financial penalties for employers who fail to comply with obligations such as providing salary ranges, prohibiting pay history questions, or submitting gender pay gap reports. Draft legislation suggests fines ranging from PLN 1,000 to PLN 30,000 for certain violations, with potential for higher penalties, such as up to PLN 50,000, for non-compliance with the broader law. 
In pay discrimination claims, the burden of proof will shift to the employer, and employees will be entitled to claim compensation for unpaid wages, benefits, lost profits, and damages for harm suffered, including interest for delay.
Relationship to Other Laws
The Personal Data Protection Act (PDPA) operates in close conjunction with the European Union's General Data Protection Regulation (GDPR), as it serves as the national implementing legislation for the GDPR in Poland. The PDPA complements the directly applicable GDPR by addressing areas where Member States are permitted to legislate differently, such as specific provisions concerning employee data in the workplace. Therefore, the PDPA must always be interpreted and applied in harmony with the GDPR, with the latter taking precedence in cases of direct conflict. In the context of employment, the PDPA interacts significantly with the Polish Labour Code (Kodeks pracy). While the Labour Code governs the general rights and obligations of employers and employees, including principles of non-discrimination and equal treatment, the PDPA dictates how personal data collected and processed within the employment relationship must be handled. For example, the PDPA sets the rules for employee monitoring (e.g., CCTV, email monitoring) and the collection of specific categories of personal data from candidates and employees, often amending or supplementing Labour Code provisions. The new legislation implementing the EU Pay Transparency Directive will further integrate with the Labour Code, introducing specific provisions on pay transparency, equal pay for equal work, pay gap reporting, and enforcement mechanisms. These new laws will build upon the existing anti-discrimination framework in the Labour Code and the constitutional right to equal pay, providing more detailed and actionable requirements. The PDPA will continue to govern the data protection aspects of any data collected or processed under these new pay equity laws, ensuring that while transparency is promoted, individual privacy rights are simultaneously protected.
International Context
The Personal Data Protection Act (PDPA) in Poland is fundamentally shaped by its adherence to international data protection standards, most notably the European Union's General Data Protection Regulation (GDPR). As a Member State of the EU, Poland was obliged to implement the GDPR, which became directly applicable on May 25, 2018. The PDPA serves to nationalize and specify certain aspects of the GDPR, ensuring a consistent and high level of data protection across the Union. This places Poland's data protection regime within a robust international framework, emphasizing principles such as lawfulness, fairness, transparency, purpose limitation, and data minimization, which are globally recognized best practices. In the realm of pay equity and employment law, Poland's legislative developments are heavily influenced by international and European norms. The ongoing implementation of the EU Pay Transparency Directive (Directive (EU) 2023/970) is a direct response to a European mandate aimed at strengthening the application of the principle of equal pay for equal work or work of equal value. This directive itself draws inspiration from broader international labour standards, including those set by the International Labour Organization (ILO). Specifically, ILO Convention No. 100 on Equal Remuneration (1951) and Convention No. 111 on Discrimination (Employment and Occupation) (1958) advocate for equal pay and non-discrimination in employment, principles that are deeply embedded in the EU Directive and, consequently, in Poland's evolving pay equity laws. These international instruments provide a foundational ethical and legal imperative for national legislation to address pay disparities and promote workplace equality.
Implementation Timeline
| Date | Milestone | Status |
|---|---|---|
| August 29, 1997 | Previous Personal Data Protection Act enacted | Repealed |
| May 25, 2018 | Personal Data Protection Act (2018) entered into force, implementing GDPR | In Force |
| September 12, 2017 | Two bills on personal data protection published in Poland (leading to 2018 PDPA and 2019 Implementing Act) | Completed |
| February 21, 2019 | Act on amendments to sectorial acts accompanying the GDPR (Implementing Act) entered into force | In Force |
| June 2025 | Amendment to the Labour Code signed, implementing pre-employment pay transparency measures of EU Pay Transparency Directive | In Force (from Dec 24, 2025) |
| December 24, 2025 | Pre-employment pay transparency measures (salary ranges in job ads, pay history ban) enter into force | In Force |
| December 2025 | First draft of the Act on strengthening the application of the right to equal pay (comprehensive Pay Transparency Directive implementation) published | Proposed |
| November 25, 2025 | Polish government published key principles for new gender pay transparency legislation | Completed |
| June 7, 2026 | Deadline for full implementation of EU Pay Transparency Directive in Poland | Awaiting Entry |
Compliance Checklist
| Requirement | Action Required | Deadline |
|---|---|---|
| **Personal Data Protection Act (PDPA) Compliance** | | |
| Lawful Processing of Employee Data | Ensure all collection, storage, and processing of employee personal data (including remuneration) has a legal basis (e.g., consent, contract, legal obligation). | Ongoing |
| Data Minimization | Collect only personal data that is adequate, relevant, and limited to what is necessary for the specified purposes. | Ongoing |
| Purpose Limitation | Process employee data only for specified, explicit, and legitimate purposes, and not further process it in a manner incompatible with those purposes. | Ongoing |
| Data Subject Rights | Establish procedures to facilitate employees' rights (access, rectification, erasure, restriction, portability, objection). | Ongoing |
| Data Security | Implement appropriate technical and organizational measures to ensure the security of employee personal data. | Ongoing |
| Data Breach Notification | Have procedures in place to detect, report, and investigate personal data breaches to UODO and affected employees (if applicable). | Immediately upon discovery (within 72 hours for UODO) |
| Employee Monitoring Compliance | If conducting CCTV or email monitoring, ensure compliance with specific Labour Code amendments introduced by the PDPA (e.g., informing employees, purpose limitation, retention periods). | Ongoing |
| **Pay Transparency Directive Implementation Compliance** | | |
| Salary Range Disclosure in Job Ads | Provide initial salary amount or range in job advertisements or before employment contract conclusion. | From December 24, 2025 |
| Prohibition of Pay History Inquiries | Refrain from asking candidates about their current or previous remuneration. | From December 24, 2025 |
| Gender-Neutral Job Postings | Ensure all job titles and advertisements are gender-neutral and recruitment processes are non-discriminatory. | From December 24, 2025 |
| Employee Right to Pay Information | Inform employees annually of their right to request information on their individual pay and average pay levels (gender-disaggregated) for comparable roles. | Annually (by March 31, as per draft) |
| Job Evaluation (for larger employers) | Conduct job evaluations based on objective, gender-neutral criteria (skills, effort, responsibility, working conditions) to determine categories of employees. | By June 7, 2026 (expected) |
| Gender Pay Gap Reporting (for 100+ employees) | Prepare and submit gender pay gap reports to the designated monitoring body. | Annually (250+ employees) / Every 3 years (100-249 employees) - By June 7, 2026 (expected) |
| Remedial Action for Pay Gaps | Take effective remedial action to close unjustified gender pay gaps of 5% or more within six months of identification. | Ongoing (upon identification of gap) |
| Joint Pay Assessment (if gap persists) | Conduct a joint pay assessment with employee representatives if an unjustified 5%+ gap persists for 6 months. | Ongoing (if gap persists) |
© RewardsET.com / Smitteck GmbH — created on 22-Jan-2026 using Gemini 2.5 Flash