Compensation for Illegal Processing of Personal Data from the Perspective of Polish Law

The provisions of the Polish Data Protection Act supplement Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) to the extent that this act does not regulate the issue of compensation claims for unlawful processing of personal data. After a vigorous discussion that took place in the doctrine of civil law, it was concluded that the liability for damages referred to in Article 82 of the Regulation is in tort. This determination provoked far-reaching legal consequences, since the regime of liability for damages was based in Polish law on the principle of fault. For unlawful processing of personal data, the injured party may seek compensation for material damage or compensation for non-pecuniary damage. In addition to the liability for damages specified in Article 82 of the Regulation, the EU legislator has introduced administrative-legal liability for unlawful processing of personal data. On the basis of this liability regime, Polish public entities, including public-administration bodies, can act in a dual role. On the one hand, a public-administration body may be the entity responsible for the unlawful processing of personal data and will be subject to administrative-law sanctions, while on the other hand, it may be the entity that supervises public and private entities regarding the correctness of personal-data processing.