Report on the activities of the President of the Personal Data Protection Office in 2024

The President of the Personal Data Protection Office has published a report on his activities in 2024. As every year, the document must be presented to Parliament, the Council of Ministers, the Ombudsman, the Ombudsman for Children’s Rights and the Prosecutor General by 31 August. This is the implementation of Article 59 of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 50 of the Act of 10 May 2018 on the protection of personal data.

The report on the activities of the Polish supervisory authority in 2024 presents the main findings concerning the statutory tasks carried out by the President of the Personal Data Protection Office, which include: handling complaints, conducting inspections, giving opinions on draft legal acts, receiving data breaches notifications and taking actions against controllers and processors in order to enforce their obligation to communicate those breaches to the data subjects. An important task is also education and information activities and participation in the work of international organizations and institutions dealing with the issue of personal data protection.

In 2024, the supervisory authority issued a total of 1719 administrative decisions, consisting of 1670 decisions on complaints, 20 decisions on infringements, 7 decisions on inspections and 22 decisions on the imposition of fines.

Complaints to the President of the Personal Data Protection Office

Compared to 2023, the total number of complaints submitted to the Polish supervisory authority increased to 8056 (the previous year it was 6962). Most were in the private sector and least in the cross-border sector.

Among them, the most common concerned, among others, sharing data on the Bulletin of Public Information (BIP) website, disseminating data contained in e-mail correspondence by not using the ‘BCC’ option, processing data using video monitoring, processing data in connection with debt collection, processing data for marketing purposes,  problems with minimization of children’s data, processing bank secret information in order to assess creditworthiness, making data available by banks to other entities, processing data for the purpose of issuing prescriptions, making available health data by the employer to other employees, processing biometric data by the employer, or sharing false information about an individual in advertisements on social media (cross-border proceedings concerning deepfakes).

Data Protection Breaches

In 2024, the Personal Data Protection Office received 14 842 notifications of personal data breaches (a slight increase compared to the previous year).  Most of them concerned the insurance sector,  whereas the least of them concerned the universities and education sectors.

Among the most frequently reported violations by data controllers were erroneous address correspondence, sharing data with unintended recipient, incorrect anonymization of data, loss of correspondence, unauthorized access to databases, theft of a data storage media/carrier.

In 2024, the SA provided an opinion on 779 legislative acts. An extremely important aspect when issuing opinions was for the President of the Personal Data Protection Office to take into account the context of personal data protection already at the legislative stage, especially when it comes to data protection impact assessment.

As regards the comments submitted by the President of Personal Data Protection Office to the long-term state strategies, it is necessary to mention, first of all, those referring to the Digitization Strategy of Poland until 2035.

The text of the document also raises the issue of the systematic extension of the competences of the President of the Personal Data Protection Office inter alia in connection with the application of the regulations in the field of the Artificial Intelligence Act, the draft Act on data governance, the draft amendment to the Act on the state's cybersecurity system and the EES entry/exit system for third-country nationals crossing the borders of EU Member States, as well as in connection with the establishing of the European Health Data Space (EHDS).

Questions from and cooperation with DPOs

According to the report, in 2024, controllers and individuals sent 1920 letters containing legal questions to the Personal Data Protection Office, while 233 letters were received from data protection officers. In addition, the President of the Personal Data Protection Office received 61 enquiries from supervisory authorities from other countries. In total, 2,214 legal questions were submitted to the Personal Data Protection Office. This is more than in the previous two years.

Many queries focused on issues such as the collection of biometric data, the use of video surveillance, the transfer of health data, the processing of data in connection with running a business, the transfer of data in connection with the protection of minors in schools, user authentication when accessing land and mortgage registers in the ICT system, determining the status of DPOs in the context of whistleblower reports.

Statements by the President of the Personal Data Protection Office

The report indicates that in 2024, the President of the Personal Data Protection Office issued 11 statements containing specific requests to various entities. These included requests to the Minister of Digitial Affairs to undertake legislative work leading to the amendment of the provisions of the Act on trust services and electronic identification, to the Minister of Finance regarding the amendment of the Act on the National Revenue Administration in connection with too unspecific and too broadly defined powers of the National Revenue Administration regarding access to citizens' data, to the Minister of Digital Affairs with a request to initiate the amendment procedure concerning the Act on electronic delivery, to the Minister of Justice with a request to adapt the Act on the protection of minors to the principles of personal data protection.

Another extremely important systemic statement by the President of the Personal Data Protection Office was addressed to the Minister for European Union Affairs. It was prepared due to the fact that, in the opinion of the supervisory authority, not all judgments of the CJEU and the conclusions resulting from them have been adequately taken into account in national law.

The Personal Data Protection Office educates

As far as the educational activities of the Personal Data Protection Office are concerned, the document mentions, among others, the celebration of the 18^th  Personal Data Protection Day, cooperation with the Social Team of Experts to the President of the Personal Data Protection Office (an advisory body established in June 2024), cooperation with the Minister of Education on the introduction of the school subject called “health education” (in the context of knowledge on digitization), the continuation of the "Your Data – Your Concern" programme, the publication of a guide on the protection of children's image in cooperation with the Orange Foundation,  the Michał Serzycki Award, a series of seminars organized together with the Social Insurance Institution, conferences on data protection in the context of new technologies and artificial intelligence, seminars and expert lectures, the "Personal Data Protection Office" campaign (launched in September 2024) and participation in the Pol'and'Rock Festival.

Media activity

In 2024, 228 press releases were published on the Personal Data Protection Office’s website; 164 responses to questions from journalists were received. The President of the Personal Data Protection Office and his representatives gave 19 interviews for the press, radio and television.

The report details that in 2024, the media coverage amounts to 22 797 times, when the information about the President of the Personal Data Protection Office was released. The most the President of the Personal Data Protection Office received in online media, accounting for 90.4% of all publications.

As regards the Personal Data Protection Office it is reported that it was mentioned 15 542 times.

550 posts of the Personal Data Protection Office were published on the X-portal profile , and this is the best result compared to the last two years. The first Personal Data Protection Office’s post appeared on LinkedIn in March 2024. In total, 41 posts were published on LinkedIn in 2024.

International cooperation

The tasks of the President of the Personal Data Protection Office include cooperation with supervisory authorities of other EU Member States, in particular within the activities of the European Data Protection Board  frameworks, established by the provisions of the GDPR, to which the President of the Personal Data Protection Office belongs.

As part of international activities, the President of the Personal Data Protection Office or his representatives participated, among others, in the meeting of the Central and Eastern Europe Data Protection Authorities (CEEDPA), the Spring Conference of European Data Protection Authorities, the international conference High Level Policy Dialogue on Data Governance; The President of the Personal Data Protection Office took part in meetings of the EDPB’s Network of Communications, informing about the activities of the European Data Protection Board.

In 2024, Polish supervisory authority participated also in drafting of one of the EDPB’s guidelines and of three opinions issued by the EDPB.

The Personal Data Protection Office also considers participation in the coordinated supervision of large-scale IT systems to be one of its most important activities in the international field.

Intensive activities of the President of the Personal Data Protection Office in 2024, which were undertaken in many areas and in various forms, were intended to achieve, among others, such objectives as: adopting legal provisions in the national legal order that take the utmost account of personal data protection standards, respect fundamental rights, including the right to privacy and the right to informational autonomy of citizens, raising the level of awareness of data subjects, controllers and processors and the DPOs supporting them, ensuring the proper functioning of the Data Protection Officers when performing their tasks. Activities were also dedicated to encouraging development of the codes of conduct and supporting initiatives to develop such documents.

Identification of current problems

The report draws attention to the tendency observed for many years - despite many positive changes in the legislative process in this area - for some public authorities to omit the President of the Data Protection Office in the process of discussing certain solutions and seeking opinions on draft normative acts concerning the processing of personal data or containing regulations in this area. This is not only an omission in breach of the applicable rules, but also a missed opportunity for the supervisory authority to provide expert support to the drafter at the earliest possible stage of the legislative process. The involvement of the authority at the earliest during the work of the Government Legislation Centre and the legal commission should, unfortunately, be assessed negatively, because it is too late to make substantive findings. This has a negative impact on the legislative process.

A similar problem according to the President of the Office remains the lack of correct identification of the matter of personal data in the legislative process. The report points out that the drafter should consider, at the very beginning of the analyses and conceptual work carried out, the impact that their implementation will have in the area of privacy and the processing of personal information on individuals. That is why it was indeed pivotal for the President of the Personal Data Protection Office to take action in the area of legislation and to start building strategic partnerships in this area. At the beginning of 2025, two cooperation agreements were signed with the Government Legislation Centre and the Polish Association of Legislation, which provided training and meetings on privacy protection issues in legislation.

The President of the Personal Data Protection Office, in a summary of 2024, also states that the fundamental issue to be solved remains the failure of the legislator to carry out a thorough review of the currently applicable provisions in terms of the need to adapt them to the standards not only of Regulation 2016/679 (GDPR), but also Directive 2016/680 (the Law Enforcement Directive). In fact, regulations that have not been adapted to the requirements of the aforementioned EU acts still remain in legal circulation.

According to Mirosław Wróblewski, President of the Personal Data Protection Office, the report on the activities of the data protection authority accompanied by the assessment of the state of compliance with data protection regulations constitutes the most comprehensive information on the functioning of the personal data protection system in our country and the supervisory authority competent in this area. The President of the Personal Data Protection Office notes that, in particular, reading those parts of the report that relate to new technologies and the related challenges to data protection will be particularly interesting. At the same time, the President of the Personal Data Protection Office stresses that the report is an excellent summary on the implementation by the supervisory authority’s personal data protection priorities, as well as activities in all other areas where this protection is necessary, providing a valuable source of information for state authorities, controllers, data protection officers and all other entities of the data ecosystem, as well as – it should be emphasized – data subjects. The growing number of complaints that reach the President of the Personal Data Protection Office requires special emphasis, as it seems to indicate not only numerous problems related to data protection, but also the growing awareness of citizens and public trust in the Polish data protection authority.

The full report is available at: https://uodo.gov.pl/pl/487/2279