Legislative amendments required to the Act implementing the Law Enforcement Directive
In its current form, the Act on the Protection of Personal Data Processed in Connection with preventing and combating crime does not provide full guarantees for the protection of the rights of individuals whose data are processed.
The President of the Personal Data Protection Office has submitted a request to the Minister of the Interior and Administration and to the Minister of Justice to initiate legislative work to ensure the proper implementation, within the Polish legal order, of the provisions of the Law Enforcement Directive (Directive (EU) 2016/680).
In his letter to Minister Marcin Kierwiński and Minister Waldemar Żurek, the President of the Personal Data Protection Office, Mirosław Wróblewski, pointed to the problems associated with the implementation of the Law Enforcement Directive. He had raised these concerns earlier—both during the consultation stage of the draft Act and during the European Commission’s evaluations of the Directive (in 2021 and 2025).
Exclusions in national law mean that not all areas of personal data processing for the purposes of identifying, preventing, detecting and combating criminal offences—covered by the Law Enforcement Directive—are included. As a result, personal data contained in case files and processed during procedural activities are not subject to any national provisions guaranteeing data protection. Criminal procedure legislation lacks fundamental rights of data subjects, such as the right to information, the right to lodge a complaint, the right of access, rectification, erasure, restriction of processing, as well as the right to lodge a complaint with an independent supervisory authority and to an effective judicial remedy against that authority’s decisions.
The President of the Personal Data Protection Office addressed the issue of supervision over the proper processing of personal data by courts in the exercise of judicial functions, emphasising the need to protect judicial independence. Supervision should be entrusted exclusively to specialised bodies within the justice system of each Member State. Clarifying national provisions and developing uniform interpretative guidelines could enhance transparency and ensure consistent application of data protection provisions, particularly in the context of establishing an independent supervisory authority, other than the President of the Personal Data Protection Office, located outside the judiciary.
Concerns were also raised regarding supervision of data processing by the Public Prosecutor’s Office , which is currently exercised solely by its internal organisational units, all subject to hierarchical subordination. This model contradicts the Directive’s requirement for supervision by a fully independent authority.
The absence of provisions designating independent bodies with inspection powers in the field of data protection deprives data subjects of protection and fails to respect their right to privacy.
The regulations governing access to data in large‑scale EU information systems are also problematic. The processing of personal data by national authorities is not subject to independent national supervision. The broad exclusions from data protection safeguards have serious consequences not only for the national system but also for the EU‑wide data‑protection framework, particularly regarding the functioning of large‑scale EU information systems and the integrity of the EU legal order.
Under Article 57 of the Law Enforcement Directive, Member States must adopt provisions establishing sanctions for infringements of national rules implementing the Directive and ensure their effective enforcement. These sanctions must be effective, proportionate and dissuasive. However, the Act does not equip the President of the Personal Data Protection Office with any sanctioning instruments of this nature.
The President of the Personal Data Protection Office also highlighted the need to regulate the role of the Data Protection Officer (DPO). Current provisions define the tasks of the DPO in a manner inconsistent with the Directive and imprecisely regulate the obligation to notify the supervisory authority of DPO appointments, creating difficulties for entities required to comply.
Attention was also drawn to the lack of implementation of the Directive’s provisions on indirect access.