On 10 July 2018, the CJEU ruled in Case C-25/17 that a religious community (Jehovah's Witnesses) is, together with its members, the controller of personal data with regard to the processing of personal data carried out by those members as part of door-to-door visiting work that is organized, coordinated and encouraged by that community.

The judgment was issued in response to the questions referred for a preliminary ruling by the Supreme Administrative Court of Finland on the interpretation of the provisions of Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, an EU legal act preceding the GDPR.
In the course of the proceedings, the Finnish court found that members of the religious community of Jehovah's Witnesses in Finland were taking notes about the people they visited as part of their preaching work, which included door-to-door visits. These people were not previously known to them, and the data recorded included, among others, names, addresses, religious beliefs and family situation. The data was collected in order to document the activities of individual members of the community and for possible return visits. The persons visited were not asked to give their consent, nor even informed about the collection.

That is why the Finnish court referred four questions to the CJEU for a preliminary ruling. The first one concerned whether the provisions of the Directive had to be applied to the religious community and its members at all, if they were considered to be processing personal data only in the course of activities of a purely personal or household nature.
The second question concerned the concept of a "filing system": the court asked whether data collected in a non-automated way and consisting of loose notes could nevertheless constitute such a filing system, taking into account that the information needed for further use of such data can in fact be obtained easily and without excessive cost.

Next, the court asked two questions about the scope of the term 'data controller' and whether it encompassed the religious community, given that the personal data was collected by individual members of that community and not by the community itself. What is more, the community did not even have access to the information collected. Furthermore, in the case at hand, the religious community did not apply other specific measures, such as written instructions or orders, by which it would direct the collection of data by its preachers.

As to the first question, the CJEU considered that the activities of the Jehovah's Witnesses community are not covered by the exceptions set out in the Directive and that personal data is processed as a result of those activities. Answering the court's second question, the CJEU stated that the concept of a filing system covers a set of personal data collected in the course of door-to-door preaching, consisting of names, addresses and other information concerning the persons contacted, if those data are structured according to specific criteria which, in practice, enable them to be easily retrieved for subsequent use. In order for such a set of data to fall within that concept, it is not necessary that they include data sheets, specific lists or other search methods.

As to the last two questions, as mentioned above, the CJEU held that the provisions of the Directive allow the religious community to be regarded, together with its members, as the controller in relation to the processing of personal data carried out by those members in the context of door-to-door preaching which is organized, coordinated and encouraged by that community. According to the CJEU, it is not necessary for the community to have access to the data, nor does it have to be established that it provided its members with written guidelines or instructions regarding such processing.

The full text of the CJEU judgment in English is available at the following link:




On 5 June 2018, the Court of Justice of the European Union gave judgment in Case C-210/16, in which it replied to the question referred for a preliminary ruling concerning Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and the free movement of such data.
The case concerned a German company conducting business in the field of education through its fan page on the social networking site Facebook. At the same time, the company used statistical data collected by means of so-called “cookies”, made available to it free of charge by Facebook. These files are installed on the devices of the fan page's users when they visit the page and allow Facebook to collect and process personal data.

Based on the above, the German supervisory authority ordered the company to deactivate the fan page due to the failure to inform its users about the collection of their data via Facebook. Following the company's complaint, the German Federal Administrative Court referred questions to the CJEU relating to the interpretation of the provisions of the above-mentioned Directive.
In its ruling, the Court pointed out that the mere fact of using a social networking site such as Facebook does not make its user (in this case the German company) jointly responsible for the processing of personal data carried out through that site. However, by creating such a page, the administrator of a fan page on Facebook gives Facebook the opportunity to store cookies on the devices (e.g. a PC) of the fan page's visitors, regardless of whether the person has an account on Facebook or not.

Therefore, according to the Court, the administrator of the fan page indirectly participates in defining the purposes and methods of processing personal data by setting parameters dependent, among others, on the target users of its fan page and on the objectives of managing and promoting its activities. In this case, according to the Court, it should be recognized that the administrator of the fan page is responsible at the Union level, together with Facebook, for the processing of data within the meaning of Directive 95/46.

The Court also stressed that the fan page administrator's responsibility is even more justified when it comes to processing the personal data of persons who do not have an account on Facebook, because merely visiting a fan page results in the automatic processing of their personal data.
At the same time, the Court found that the supervisory authority of a Member State has powers of intervention in relation to an entity established in its territory, even if it is a subsidiary or branch (in this case the branch Facebook Germany) and even where the infringements of the rules on personal data protection were committed by a third party established in another Member State (Facebook Ireland in the case at hand).

The full text of the CJEU judgment is available at the following link: 



On 25 May 2018, the Act of 10 May 2018 on Personal Data Protection (Dz. U. poz. 1000) entered into force. The Act brings Polish law into conformity with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), also known as the “GDPR”.
The Act specifies, among others, the following:
  • general conditions for imposing administrative fines;
  • a new competent authority for the protection of personal data (“the President of the Office for the Protection of Personal Data”);
  • public entities obliged to appoint a Data Protection Officer (“DPO”);
  • the administrative procedure pertaining to the personal data breach procedure;
  • rules on inspection of compliance with personal data protection legislation;
  • civil liability for breaches of personal data protection legislation and legal proceedings;
  • criminal liability for breaches of the provisions on the protection of personal data.
The Act also amends a number of sectoral laws, such as the Labour Code.
On the same day, the official website of the new Office for the Protection of Personal Data was launched. It contains, among others, the following information:
  • forms for notifying the President of the Office for the Protection of Personal Data of the appointment of a DPO;
  • forms for notifying the President of the Office for the Protection of Personal Data of personal data breaches;
  • guidelines for data controllers on risk analysis and on the register of processing operations;
  • requirements for the documentation of the processing of personal data.
The Act is available at the following address:
The official website of the Office for the Protection of Personal Data is available at the following address:

On 18 April 2018, the Act of 1 March 2018 amending certain acts in connection with the introduction of e-Prescription (Dz. U. poz. 697) entered into force, and together with it, the Regulation of the Minister of Health of 13 April 2018 on prescriptions (Dz. U. poz. 745).
According to the Ministry of Health, the basic benefits resulting from the above act are to be as follows:
  • limited number of visits to doctors, which results in shorter waiting times
  • tests by means of information and communication systems
In connection with the entry into force of the new regulations, the Ministry of Health published a statement concerning the application of the above-mentioned Regulation of the Minister of Health, in which it emphasized that until 31 December 2018 pharmacies collect and transmit information to the voivodeship branches of the National Health Fund on the basis of the rules previously in force. § 18 point 1 of the Ordinance contains transitional provisions regulating the procedures for handling paper-based prescriptions issued before the date of entry into force of the Regulation. The change will take place as of 17 October 2018, as from that date "prescriptions in paper form delivered by a pharmacy connected to the P1 Platform will be tightened up by issuing a Reception Document, and in the absence of the above connection also on the basis of the existing rules".
The Ministry of Health also states that, on the basis of § 7 point 3, the pricing of the prescription will be based on the generation of a Recipe Receipt Document for each item on the prescription.
Ultimately, e-prescriptions are to replace traditional, paper-based ones from 2020.
The message of the Ministry of Health is available at the following address:

The Ministry of Health published a statement on the acceptance of drug donations by hospitals. The Minister of Health pointed out that the provisions of the Act on reimbursement of medicines, foodstuffs intended for particular nutritional uses and medical devices (the “Reimbursement Act”) concern only reimbursed medicinal products and do not forbid donations to hospitals.

According to the statement, hospitals may autonomously decide whether to accept and use donated medicines. The Reimbursement Act and regulations regarding emergency access to treatment do not forbid accepting drug donations and using such medicines. 

The full text of the statement is available at the following link:


On 14 February 2018, the Government Legislation Centre published a new draft bill amending certain laws with regard to the introduction of e-prescription.
The new bill amends seven acts, including the Pharmaceutical Law and the Act on the reimbursement of medicines, foodstuffs intended for particular nutritional use and medical devices.
The bill provides for, among others, substantial formalization of the process by which health care providers submit requests. These requests shall cover additional information, e.g.:
  • the number of patients provided with medicines on the basis of a previous request;
  • written confirmation of the request issued by a person authorized to write prescriptions (within the scope of providing health care services);
  • a declaration that the products indicated in the request will be used only for the purpose of providing health care services;
  • a statement that the requested number of medicines does not exceed a one-month supply.
The Council of Ministers accepted the draft bill on 20 February 2018.
The draft bill, together with its justification and supplementing documents, is available at the following link: http://legislacja.rcl.gov.pl/projekt/12308251/katalog/12491278#12491278

On 4 January 2018, the draft amendment to the Suppression of Unfair Competition Act was published on the website of the Government Legislation Centre (Rządowe Centrum Legislacji).

The main purpose of the amendment is to implement Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure.

The draft explicitly states that an act of unfair competition shall include, among others, the mere acquisition of other parties’ information constituting business secrets. Moreover, the draft changes the statutory features of an act of unfair competition, e.g. by eliminating the “transfer” of other parties’ business secrets. However, the drafters claim that this is only a minor editorial change: unlawful transfer of other parties’ business secrets will still be unlawful (as “publication”).

The draft law is available at the following link:



The Article 29 Working Party adopted guidelines on consent for personal data processing and guidelines on transparency of personal data processing.

The guidelines were adopted in order to achieve a consistent approach among the supervisory authorities of the EU member states to assessing the validity of consents. In the guidelines on consent, the Article 29 Working Party laid down, inter alia, the requirements for consents obtained before 25 May 2018, the date from which Regulation 2016/679 (General Data Protection Regulation – GDPR) applies, to remain valid after that date (i.e. whether it will be permissible to continue processing personal data on the basis of the “old” consents).

In line with the guidelines of the Article 29 Working Party, consents which have been obtained to date (“old” consents) continue to be valid in so far as they are in line with the conditions laid down in the GDPR. This does not mean, however, that all such consents will continue to be valid. For example, all presumed consents of which no references are kept will “automatically be below the consent standard of the GDPR”, because the controller will not be able to demonstrate their validity in line with Article 7 paragraph 1 of the GDPR. In such a case the consents will need to be “renewed”, i.e. obtained again in compliance with the GDPR.

The adopted guidelines are available at the following address: