28.01.2026

Congress on Data Protection and New Technologies - report

On 28 January 2026, the Polish History Museum in Warsaw hosted the Congress on Data Protection and New Technologies, organized by the Office for Personal Data Protection and the National Chamber of Legal Advisers.

This event was an opportunity to celebrate the twentieth, jubilee edition of the Day of Personal Data Protection. Data Protection Day is celebrated every year on 28 January to mark the anniversary of the opening for signature of Council of Europe Convention 108, the first legally binding international instrument protecting privacy in the digital age.

The Congress on Data Protection and New Technologies brought together representatives of public administration, the legal, scientific and business communities, and experts in the field of personal data protection, new technologies and artificial intelligence.

The aim of the Congress was to exchange experiences and discuss current and future challenges related to the protection of personal data in the era of dynamic development of digital technologies, including artificial intelligence, process automation and growing cyber threats.

Table of contents

  • Opening of Congress
  • Substantive programme – panels and sessions
  • Regulation of personal data protection and artificial intelligence in the world's largest economies: EU, China and US. Current state and directions of development
  • Decade of application of the GDPR and lessons for the future
  • Data governance – can compliance and innovation be ensured?
  • AI – the regulatory future
  • Deepfake as a systemic threat – challenges for the state, the market and society
  • Ethics, personal data and new technologies at the service of the professions of public trust. Opportunities and risks for professional associations and their members
  • How to protect the rights of minors in the digital environment?
  • New technologies in employment
  • The use of AI and GDPR in the activities of Polish organisations – sectoral challenges and needs
  • Quantum Technologies – Cybersecurity, Privacy and Development Opportunities for Poland
  • Digital EHDS
  • Data protection in the era of cybercrime
  • Cyber incidents and personal data breaches
  • Smart cities
  • Deregulation – opportunities and challenges for data protection
  • Competences of the future
  • Protection of Personal Data in Churches and Other Religious Unions in the Age of Cyberthreats and Artificial Intelligence
  • Michał Serzycki Award Ceremony

 

Opening of Congress

The event was opened by representatives of public institutions, including the President of the Office for Personal Data Protection.

During the opening speech, Mirosław Wróblewski, President of the Office for Personal Data Protection, drew attention to the changing role of the President of the Personal Data Protection Office – from a supervisory body focusing on the application of the GDPR to an institution stabilising the new architecture of EU digital law. He stressed that the implementation of European digital acts – including the AI Act, DGA, EHDS and DSA – requires a coherent understanding of competences and coordination of regulators’ activities, and that the priority is to counter fragmentation of implementations, overlapping competences and diverging interpretations that could undermine the protection of individual rights.

"Artificial intelligence poses new challenges to the protection of personal data, as AI systems process ever-increasing sets of data, often including special categories of data, while at the same time it is difficult to ensure the transparency of processing required by the GDPR and a fair assessment of the risks to the rights and freedoms of data subjects," said Mirosław Wróblewski.

The President of the Personal Data Protection Office pointed out that the GDPR remains the foundation of legal protection, and that data protection standards must also be consistently respected in automated processing.

Włodzimierz Chróścik, President of the National Council of Legal Advisers, stressed that the protection of personal data is now firmly embedded in the organisation’s activities, and the challenges – including technological challenges – differ from those of a decade ago. He pointed out, among other things, the growing importance of biometric data and the need to build technology development in a responsible manner, based on standards for the safe use of AI tools.

Małgorzata Kidawa-Błońska, Marshal of the Senate of the Republic of Poland, pointed out that the Congress gathers communities co-responsible for the development of digital Poland, and that the discussion about the future, full of opportunities and threats, requires solutions to be adopted without delay. She also stressed that cybersecurity is one of the cornerstones of the security of the state and every citizen, while encouraging cooperation for high-quality legislation.

Deputy Prime Minister and Minister of Digital Affairs Dr Krzysztof Gawkowski pointed out that in a world of ubiquitous technology and data-collecting devices, privacy is not a luxury, but a condition for trust in digital services and the state. He pointed to the need for practical cooperation between institutions and stressed that the state should act proactively.

Dr Krzysztof Gawkowski also referred to the need for regulations such as the GDPR, which, according to some people, are unnecessary because people themselves disclose information about themselves.

"Privacy is not about not disclosing anything. Privacy is about having a choice. And data protection exists to make this choice a reality," said Dr Krzysztof Gawkowski.

The President of the Supreme Administrative Court, Prof. Jacek Chlebny, drew attention to the impact of technological progress on the functioning of the administrative judiciary, including through greater transparency and availability of information. At the same time, he stressed that the use of new technologies must not weaken the constitutional right to a court, and the citizen should keep a real choice of the form of contact with the court. He also pointed out that openness to the use of AI is inevitable, but entails new challenges, especially where judicial decisions require the highest level of guarantee.

Substantive programme – panels and sessions

Regulation of personal data protection and artificial intelligence in the world's largest economies: EU, China and US. Current state and directions of development

The discussion in this panel started with the issue of data protection of minors online, in particular in the context of access to social media. Participants pointed out that, despite difficulties in enforcing the rules, regulation in this area remains necessary. As noted by dr hab. Agnieszka Piskorz-Ryń, Prof. UKSW, the fact that solutions are not fully watertight does not mean that they should not be used.

Next, the differences in the approach to regulating the deepfake phenomenon were discussed. It was pointed out that in China, the regulations serve far-reaching control of information for reasons of state security, while in the United States, the lack of comprehensive regulations means that interventions occur mainly in cases of threats to political processes or of sexual content. Referring to the European approach, Dr Michał Czerniawski noted that the obligation to label AI-generated content could paradoxically weaken transparency if ‘everything’ is labelled.

The panel concluded by pointing out that Chinese and European regulations are sometimes similar in form, but they are fundamentally different in political and cultural context.

Decade of application of the GDPR and lessons for the future

This panel was devoted to summarizing the ten years of application of the GDPR and the challenges facing organizations today in the context of the dynamically changing regulatory and technological environment.

The discussion pointed out that organisations are increasingly ‘jumping from regulation to regulation’, which makes it difficult to build coherent business models. It was emphasized that the implementation of solutions based on artificial intelligence without prior arrangement of personal data protection issues leads to real risks, especially in the area of profiling.

It was also pointed out that it is not enough to comply with the GDPR only ‘on paper’ – documentary compliance does not automatically translate into effective data protection. Customers, partners and employees increasingly expect real security standards and the awareness that their data is processed responsibly and in accordance with the law.

It was emphasized that the maturity of the organization in the area of data protection means not only identifying threats, but also taking real actions, instead of ignoring or postponing them.

Data governance – can compliance and innovation be ensured?

The panel discussed the role of data governance in linking regulatory compliance with innovation development. It was emphasized that understanding the technology is crucial, as it allows the risks associated with data processing to be properly identified and assessed.

Andrzej Burzyński from the Polish Financial Supervision Authority pointed out that the growing use of AI is largely due to its popularity, noting that ‘bad data displaces good’ because there is more of it. He added that model hallucinations are a consequence of the quality of the data on which AI systems are trained.

The panellists agreed that deregulation in the area of data is currently unlikely due to the dynamic development of technology. It was also emphasized that innovation in itself does not organize processes or data; here the basis remains diligence in their verification.

AI – the regulatory future

The discussion was opened by prof. dr hab. Włodzisław Duch, pointing out that regulations on artificial intelligence are primarily aimed at preventing damage, although the question of the goals we want to achieve through them remains equally important.

Dr. Damian Flisak pointed out that the greatest risks associated with AI are those that we do not yet know. He stressed that this technology is currently at a very early stage of development.

The panel discussed the European regulatory approach to large, cross-border tech corporations. The tension between the anthropocentric approach of the European Union and the interests of global business was pointed out, which makes AI regulations one of the most intensively lobbied areas today. Attention was also drawn to the under-representation of the social side in legislative processes.

Participants in the discussion also stressed the importance of algorithmization and responsible use of AI not only in the context of human protection, but also the impact of technology on the environment and the planet.

 

Deepfake as a systemic threat – challenges for the state, the market and society

In this part of the Congress, participants focused on the deepfakes phenomenon and its growing scale and consequences for state security, the digital market and individual rights, in particular for children and young people. The discussion showed that deepfake has ceased to be a marginal technological problem and has become a real criminal tool, used both for financial gain and for peer and sexual violence.

The Personal Data Protection Office President Mirosław Wróblewski pointed out that as revealed by Reuters, ‘the vast majority of the world’s advertising revenue today is generated by deepfake technology’, showing the scale of the economic dimension of the phenomenon. He also emphasized that deepfake increasingly refers to peer violence, pointing to the recent case of a student whose image was manipulated using AI tools.

verified before it is published. Referring to the responsibility of global platforms, he recalled the words from the comic book and the film Spider-Man: "With great power comes great responsibility".

Katarzyna Staciwa, R&D coordinator at the NCPD, drew attention to the particularly dramatic dimension of deepfakes in the context of child sexual exploitation. As she emphasized, today one photo can be reworked in such a way that an eight-second video is obtained from it, which shows how low the barrier to entry is and how huge the scale of the threat is. At the same time, she expressed her appreciation for the actions of the President of The Personal Data Protection Office, stressing the institutional courage needed to protect minors in the digital environment.

Ethics, personal data and new technologies at the service of the professions of public trust. Opportunities and risks for professional associations and their members

The discussion in this panel focused on ethical and legal challenges related to the use of new technologies in public trust professions.

The panellists emphasised that although new technologies play an increasingly important role in the professions of public trust, the human being must always remain at the center of these activities. Modern tools can support the practice of the profession, but the responsibility for decisions, especially for doctors and lawyers, cannot be entirely transferred to technological systems, which is directly linked to professional ethics.

"Ethics and privacy are difficult to separate. And when we talk about personal data, we obviously protect it much more effectively if we refer to ethics," said Monika Krasińska, director of the Department of Law and New Technologies of The Personal Data Protection Office.

How to protect the rights of minors in the digital environment?

This panel focused on current challenges related to the protection of children and young people online. Participants in the discussion pointed out that topics such as deepfakes, cyberbullying, regulations resulting from the DSA and calls to raise the age limit for social media users appear more and more often in the public debate. At the same time, it was emphasized that law and education often do not keep up with the pace of technological development.

The discussion highlighted a change in the language of the debate, with the term ‘hate’ increasingly being replaced by the term ‘cyberviolence’, which makes it possible to describe threats more precisely and to respond to them more adequately. It was also highlighted that children are given access to technology before they are prepared for the risks involved, and parents often do not have sufficient tools to support them in this regard.

MP Monika Rosa, chair of the Sejm Committee on Children and Youth Affairs, pointed out that as a society we have entered the digital world with the conviction that it will solve many problems, and the intensive use of technology by adults naturally translates into children's behavior.

"The effective protection of minors requires not only legal regulation, but also reflection on our own habits and the responsibilities of adults," said Monika Rosa.

The discussion also highlighted the need to clearly label online child abuse as a criminal offence and to make digital platforms more responsible for designing services accessible to minors.

New technologies in employment

The panel was devoted to the relationship between the Labour Code, the GDPR and the AI Act in the context of the use of new technologies in employment. The discussion focused on what responsibilities are incumbent on employers when they reach for AI-based algorithms and tools, both in recruitment and in job monitoring.

Dr hab. Marlena Sakowska-Barła, Professor of the University of Lodz and a member of the Social Panel of Experts at the President of The Personal Data Protection Office, emphasized that algorithms never create a new reality functioning outside the law, but their use generates new legal problems. She pointed out that the use of algorithms in the work environment should be carried out with great caution, as it entails high risks. She also pointed out that tools based on new technologies are often implemented without due consideration of existing legal regulations.

The panellists agreed that artificial intelligence in employment should play a supporting role, not a decision-making role. Reliable risk analysis, as required by both the GDPR and the AI Act, regardless of whether the technology concerns recruitment, job evaluation or workplace inspections, remains the employer's primary responsibility.

The use of AI and GDPR in the activities of Polish organisations – sectoral challenges and needs

The panel opened with a presentation of the ‘Strategic Report – Examination of the organisation’s needs for the use of artificial intelligence and the protection of personal data’, prepared by the Social Panel of Experts attached to the President of the Personal Data Protection Office. More than 40% of organisations surveyed do not currently use AI-based solutions, and the biggest challenges relate to the application of law, data management, and ethical and reputational concerns.

Dr hab. Ireneusz Wochlik, a member of the Social Panel of Experts at the President of The Personal Data Protection Office, pointed out that only a small proportion of organisations actually control the data used in AI processes, which increases the risk of violations.

Eliza Turkiewicz from the Digital Market Department in the Lewiatan Confederation stressed the need for clear and understandable communication and the preparation of clear guidelines by supervisory authorities.

Quantum Technologies – Cybersecurity, Privacy and Development Opportunities for Poland

The discussion in this part of the Congress was devoted to the impact of quantum technologies on data security and privacy protection.

Prof. dr hab. Michał Tomza emphasized that quantum technologies do not only mean faster calculations, but completely new possibilities, including the potential to decrypt data secured by traditional encryption methods.

During the panel, it was pointed out that the threats associated with the development of quantum technologies are real and may materialize in the coming years, affecting not only classical cryptography, but also blockchain-based solutions. At the same time, it was emphasized that quantum cryptography offers new, very high security standards, based on a unique communication model.

Digital EHDS

The panel focused on the European Health Data Space (EHDS) as a new model for the exchange of medical data. Its importance for the health system, innovation and the protection of patients' privacy was discussed.

Attention was drawn to the ethical dimension of data protection and the need to provide patients with a real sense of security in the health system.

Aneta Sieradzka, member of the Social Panel of Experts attached to the President of the Personal Data Protection Office, stressed that ‘patients are donors of personal data’ and that patient autonomy and clear rules for data processing, especially genetic data, are crucial.

It was also pointed out that EHDS can improve access to data and reduce system costs, provided that there is open discussion and public trust is built.

Data protection in the era of cybercrime

During the panel, Dr Eng. Radosław Nielek, Director of NASK, pointed to the sharp increase in the scale of cyber incidents, stressing that last year NASK received over 650,000 reports regarding, among others, attempts at financial fraud and phishing, often carried out through online platforms.

Participants stressed that effective data protection requires not only the development of technical infrastructure, but above all the improvement of digital competences and user awareness. Threats related to ransomware attacks, including theft, data encryption and blackmailing of administrators, as well as risks arising from the uncontrolled use of AI-based tools in organisations were also highlighted.

It has been pointed out that actions taken to ensure cybersecurity must take into account the different legal bases for the processing of personal data, including specific state security regulations, while respecting the rights of data subjects.

Cyber incidents and personal data breaches

In this panel, Andrzej Zieliński, head of the Department of Control and Infringements at The Personal Data Protection Office, presented examples of phishing attacks that the Office dealt with, drawing attention, among others, to the importance of multi-factor authentication. He also pointed out that every system is as weak as its oldest update.

The obligation to inform those affected by the breach was also discussed, stressing the need to adapt the message to the recipient, including children. Systemic solutions were also discussed that will allow entities covered by the national cybersecurity system to notify the President of the Office of a personal data breach in one place, through the S46 system, where they use that system.

Smart cities

The panel was devoted to the challenges related to the cybersecurity of urban infrastructure, in particular in the context of financial constraints or competence needs in the area of IT. It was stressed that these factors have a direct impact on the level of security of systems used in cities.

It was pointed out that attacks on critical infrastructure – such as communication or water supply facilities – can not only paralyse the functioning of cities, but also pose a real threat to the health and life of residents. As indicated by dr hab. Dariusz Szostek, Professor of the University of Silesia, Director of the Intercollegiate Cyber Science Center, the attack leading to data leakage is less dangerous than the interference of cybercriminals in water supply systems, which may result in water contamination.

The panellists also emphasized that despite organizational and financial difficulties, local governments have been preparing for the implementation of the NIS2 Directive for a long time.

Deregulation – opportunities and challenges for data protection

The discussion focused on proposals to deregulate existing legal solutions and their consequences for the personal data protection system. Participants in this debate considered whether the proposed rules are adequate, respond to current challenges, or introduce facilitations without weakening individual rights.

Anna Korzecka, Deputy Director of the Department of Law and New Technologies of The Personal Data Protection Office, stressed that limiting legal requirements must respect the rules already developed, including the case-law of the Court of Justice of the EU. She also pointed out that Article 23 of the GDPR allows for the possibility of introducing certain restrictions in national law, but does not allow for a complete exclusion.

The panellists also considered whether deregulation of existing provisions on the protection of personal data, as well as the methods of its implementation, might translate into greater complications in the application of the law.

Competences of the future

In this part, the participants of the Congress had the opportunity to listen to a lecture by Dr. Paweł Kowalski, legal advisor and Plenipotentiary of the President of the KRRP for new technologies, who presented practical tips for developing the competences of the future, in particular in the legal profession, in the context of the use of artificial intelligence tools. He stressed that technological transformation is inevitable and the skillful use of AI becomes an element of competitive advantage.

"AI will not replace lawyers, but lawyers using AI will replace those who do not," said Dr. Paweł Kowalski.

Protection of Personal Data in Churches and Other Religious Unions in the Age of Cyberthreats and Artificial Intelligence

This panel was devoted to discussing, among others, the challenges faced by churches, religious associations and faithful in the context of cyber threats and the development of artificial intelligence.

Dr Jakub Kwaśnik, Data Protection Inspector of the Archdiocese of Krakow, discussed specific examples of cyberattacks, e.g. on parishes, and phishing activities targeting the faithful.

The Church's approach to artificial intelligence and new technologies was presented by Prof. Piotr Kroczek, the Church Data Protection Inspector. At the same time, he presented specific solutions based on AI, which are already used by the Church today.

Jakub Groszkowski, Chief Co-ordinator for Research and Development Data Protection in Churches and Religious Unions in the UODO, gave a presentation on the position and empowerment of the President of the Office for Personal Data Protection in the Polish legal order. He discussed the scope of competences of the supervisory authority, the types of proceedings conducted and actions taken on the basis of Article 91 of the GDPR.

He also pointed to the practical dimension of The Personal Data Protection Office’s cooperation with churches and other religious associations, including agreements on the exchange of information, educational and training activities and initiatives strengthening the role of personal data protection inspectors.

Michał Serzycki Award Ceremony

The last point of the Congress on Data Protection and New Technologies was the presentation of the Michał Serzycki Award. The awards were presented by Mirosław Wróblewski, President of UODO and Włodzimierz Chróścik, President of the National Council of Legal Advisers.

This year, those honored for their outstanding commitment to the protection of personal data, the right to privacy, and educational and expert efforts to raise public awareness were:

Magdalena Bigaj, President of the Digital Citizenship Institute Foundation, whose expert and social activities contribute significantly to raising awareness of the threats posed to the youngest users by new technologies, including uncontrolled collection of personal data;

Prof. Paweł Fajgielski from the Catholic University of Lublin, whose scientific activity constitutes a lasting contribution to the development of law and of personal data protection standards in Poland;

Prof. Grażyna Szpor from the Cardinal Stefan Wyszyński University, who belongs to the group of the most outstanding Polish lawyers specializing in broadly understood IT law. Professor Grażyna Szpor’s scientific output includes more than 200 publications on IT law, e-government, cybersecurity and personal data protection.

The following editorial teams also received the Michał Serzycki Prize: Niebezpiecznik.pl, CyberDefence24.pl and Sekurak.pl.

The editorial teams of these websites disseminate knowledge about cybersecurity, personal data protection and state security every day.

The Congress on Data Protection and New Technologies confirmed that the protection of personal data remains the foundation for the development of digital technologies - from artificial intelligence, through cybersecurity, to new models of data management - and the main challenge today is regulatory consistency and responsible implementation of innovations.