photo
08.07.2026

European Commission launches infringement proceedings against Poland over failure to implement Directive (EU) 2016/680 (Law Enforcement Directive)

The absence of provisions ensuring proper oversight of the processing of personal data in the area of public order protection and the administration of justice has prompted the European Commission to initiate infringement proceedings against Poland (INFR(2026)2130). The Personal Data Protection Office has repeatedly drawn attention to this issue, and several months ago its President, Mirosław Wróblewski, addressed a formal communication to the Ministers of Internal Affairs and Justice, informing them of the urgent need to amend the relevant legislation.

Infringement proceedings are an EU legal mechanism conducted by the European Commission against a Member State that fails to fulfil its obligations under EU law. Their purpose is to compel the Member State concerned to comply with Union regulations. The procedure consists of several stages. The first, informal step is a letter of formal notice from the Commission requesting the Member State to remedy the breach. In this letter, the Commission identifies the infringements and demands an explanation within a specified timeframe.

If the Commission considers the response insufficient, it issues a reasoned opinion, formally setting out the allegations and establishing a deadline for the Member State to comply with EU law. The third stage is referral to the Court of Justice of the European Union. If the Court finds that EU law has been breached and Poland still fails to amend its legislation, the Commission may lodge a further complaint, which may ultimately result in financial penalties being imposed on the country.

The Personal Data Protecion Office consistently warns of incorrect implementation of Directive (EU) 2016/680

In early April, the President of the Personal Data Protection Office emphasised in the aforementioned letter to the two ministries that the Act on the Protection of Personal Data Processed in Connection with the Prevention and Combating of Crime (Act of 14 December 2018) does not, in its current form, provide full guarantees for the rights of data subjects. The purpose of the submission was precisely to ensure the proper implementation of Directive (EU) 2016/680 (Law Enforcement Directive) into the Polish legal order. It was not the first communication from the Personal Data Protection Office on this matter.

President Mirosław Wróblewski drew the attention of Minister Marcin Kierwiński and Minister Waldemar Żurek to the problems associated with the Directive’s implementation. He had already raised these concerns during the consultation of the draft implementing legislation and during the evaluations of the Directive itself (in 2021 and 2025). It should be emphasised that numerous exclusions adopted in the national Act mean that it does not cover all areas of personal data processing for the purposes of identifying, preventing, detecting and combating criminal offences as envisaged by Directive (EU) 2016/680.

As a result, data processed during procedural activities and contained in case files are subject neither to the aforementioned Act nor to the general principles of data protection, but solely to criminal procedure. However, criminal procedure lacks guarantees of fundamental rights of data subjects, such as: the right to information, the right to lodge a complaint, access to data, rectification, erasure, restriction of processing, the right to lodge a complaint with an independent supervisory authority, and the right to an effective judicial remedy against decisions of that authority. This view is shared by some judicial supervisory bodies.

This position has also been reflected in academic literature. Problems related to the implementation of Directive (EU) 2016/680 were previously identified, among others, by Professor Agnieszka Grzelak (currently Deputy President of the Personal Data Protection Office) in publications on data protection in the area of police cooperation and the administration of justice.

Oversight of the Directive’s application remains insufficient

Another important issue highlighted by the President of the Personal Data Protection Office concerns oversight of personal data processing by courts in the exercise of judicial functions (to safeguard judicial independence). Such oversight should be entrusted exclusively to specialised, independent bodies. In Poland, however, the relevant provisions still require clarification. Uniform interpretative guidelines are also lacking. Their development could enhance transparency of oversight and ensure consistency in the application of the law, particularly in the context of establishing an independent supervisory authority (other than the President of the Personal Data Protection Office) outside the judicial structure.

The current lack of coherence is reflected, for example, in the fact that courts of appeal more frequently adopt a broad interpretation of the exclusion of the Directive’s application, whereas regional and district courts sometimes apply a narrower interpretation. This leads to inconsistencies in the application of the law, weakens the coherence of the oversight system and reduces legal certainty. Although organisational provisions assign courts certain supervisory tasks and powers under the Act of 14 December 2018, most competent bodies do not identify the areas in which the Act should apply.

No basis for applying Directive (EU) 2016/680’s exclusion to oversight in the prosecution service

The situation differs in the prosecution service, where competent bodies assume that they are authorised to exercise oversight under Directive (EU) 2016/680. This indicates a systemic interpretative problem in which the formal assignment of supervisory powers does not translate into their actual and consistent exercise. In both courts and the prosecution service, oversight is hierarchical, meaning that higher-level bodies supervise lower-level units. However, in the case of courts, the shortcomings of this model are mitigated by constitutional guarantees of judicial independence. In the prosecution service, the strong hierarchical structure raises serious doubts as to whether supervisory bodies meet the requirement of independence. The absence of regulations designating independent bodies with control powers in the field of personal data protection ultimately deprives data subjects of protection and fails to respect their right to privacy.

The President of the Personal Data Protection Office has long emphasised that, under the Constitution, the prosecution service does not administer justice sensu stricto. This leads to the conclusion that the exclusions provided for in Directive (EU) 2016/680 should not apply to it, and therefore data processing by the prosecution service should be subject to full oversight by an independent supervisory authority. In Poland, some tasks have been concentrated in the hands of the President of the Personal Data Protection Office, while bodies operating within the structures of courts and the prosecution service do not possess the full powers envisaged by the Directive. This results in fragmentation of the oversight system and hinders the establishment of a uniform standard of data protection. Similar interpretative difficulties occur only in a limited number of EU Member States, whereas in most countries the oversight system in this area functions without significant problems.

Other remarks by the Personal Data Protection Office regarding current regulations implementing Directive (EU) 2016/680

Incorrect implementation of the Directive adversely affects the functioning of large-scale EU information systems in Poland, including oversight of access by public order authorities to personal data processed in those systems.

Furthermore, Article 57 of Directive (EU) 2016/680 requires Member States to adopt regulations establishing effective, proportionate and dissuasive sanctions for breaches of national provisions implementing the Directive and to ensure their effective enforcement. The Polish Act does not equip the President of the Personal Data Protection Office with instruments enabling the application of such sanctions. Mirosław Wróblewski also referred to the need to regulate the role of the Data Protection Officer (DPO). The current provisions shape the tasks of DPOs in a manner inconsistent with the Directive and imprecisely define the obligations concerning notifications relating to DPOs.

A separate issue is the exclusion of the application of the Act of 14 December 2018 to certain tasks of the services listed in Article 3(2) of that Act.

Moreover, many provisions of the current Act—although technically repeating the Directive—are drafted in such general terms that they cannot be regarded as proper implementation of EU law, as in practice they lead to the exclusion of effective protection of fundamental rights.

Prospects for further action

The European Commission’s decision to initiate infringement proceedings confirms that the concerns repeatedly raised by the President of the Personal Data Protection Office were not merely interpretative but related to genuine inconsistencies between Polish legislation and EU law.

The Commission’s actions form part of a broader process of verifying the correct implementation of EU law by Member States and do not yet determine the outcome of the proceedings.

The supervisory authority expresses hope that the proceedings will contribute to the efficient adoption of legislative solutions ensuring full compliance of Polish regulations with EU law and a uniform standard of personal data protection.

The President of the Personal Data Protection Office remains ready to cooperate with the competent authorities in the process of aligning national legislation with the requirements of EU law and to present the experience and recommendations developed in the course of its previous activities.