25.11.2025

A code of conduct has been created for private opinion and market research companies

The President of the Personal Data Protection Office (UODO), Mirosław Wróblewski, has approved the ‘Code of Conduct on the Processing of Personal Data by Private Research Agencies’. It clarifies the rules for protecting the personal data of research participants, including, among other things, obtaining their consent and profiling.

The creator of the code is the Employers’ Association of Opinion and Market Research Firms (OFBOR) — the only employers’ association in Poland that brings together private research agencies.

The reason for developing the code was the numerous inconsistencies in the processing of personal data of research participants. As a result, in the case of identical studies, participants could receive differing information depending on the entity conducting the research — including, among other things, information about the legal basis for processing personal data. The information obligations were also fulfilled differently.

The development of the code was therefore intended both to solve the practical problems faced by research agencies in applying the GDPR and to strengthen public trust in market and opinion research. For this reason, clear and uniform rules for processing the personal data of research participants (respondents) were presented in one place.

Who can join?
Members of the code may include private research agencies, as well as entities carrying out the studies specified in the code on behalf of a research agency, provided that they are based and conduct business operations in Poland. Joining the code is not conditional upon being a member of OFBOR.

What does it regulate?

The code clarifies the rules for protecting the personal data of research participants (with the exception of special categories of personal data within the meaning of Article 9(1) GDPR). It also defines the scope of research to which it applies.

The code includes provisions relating, among other things, to:

  • the legal bases for processing personal data (e.g., legitimate interest as a basis for processing personal data in order to document the accountability principle when exercising individuals’ rights, including maintaining the so-called Robinson List),
  • the rules for fulfilling information obligations,
  • ensuring the security of personal data processing.

The code also includes guidelines to help conduct a risk assessment or, where justified, a data protection impact assessment.

It is worth emphasizing that the code obliges all entities that join it to appoint a Data Protection Officer (DPO). This requirement reflects the view that appointing a DPO gives the research agency additional substantive support in ensuring that personal data processing complies with the law.

Who will monitor its compliance?

The role of the body monitoring compliance with the ‘Code of Conduct on the Processing of Personal Data by Private Research Agencies’ will be performed by Omni Modo sp. z o.o., which was accredited by the President of the UODO on 24 November 2025.

Joining the code of conduct comes with numerous benefits, because:

  • it establishes consistent personal data protection rules across the entire sector,
  • it provides practical guidelines—approved by the President of the UODO—for applying the GDPR in a specific industry, thereby facilitating daily work,
  • it enables demonstrating compliance with the GDPR (within the scope defined in the code of conduct),
  • it eliminates the risk of incorrect interpretation of legal provisions,
  • it is taken into account by the supervisory authority when imposing administrative fines,
  • it helps build a positive image and increases the trust of clients and business partners,
  • it ensures professional oversight of its application (carried out by an accredited monitoring body—for codes dedicated to the private sector).

Approved on 24 November 2025, the ‘Code of Conduct on the Processing of Personal Data by Private Research Agencies’ is the third document of its kind.

More information about codes of conduct can be found in the ‘For data controllers’ section.