Besides the EU AI Act, there is no specific national regulation of AI in Poland.
Yes: ustawa o systemach sztucznej inteligencji (AI Systems Act) - please see here.
No comprehensive guidance documents have been issued yet, but the Polish DPA is stepping up its activity in AI and GDPR and has recently published its position on data protection impact assessments for AI systems (see the answer below for details).
The Polish DPA has just recently established a dedicated AI Working Group within its Social Expert Team. Comprising external experts from various fields, the group aims to support theimplementation of the Polish DPA’s action plan to promote the privacy-compliant design and deployment of AI systems. In the near future, the AI Working Group plans to engage a wide range of stakeholders — including local governments, educational and cultural institutions, and businesses, particularly SMEs — to collaborate on data protection and AI-related initiatives (source: https://uodo.gov.pl/pl/607/3730; available in Polish).
In addition, the Polish DPA has also published its position on DPIAs (Data Protection Impact Assessments), specifically addressing AI systems (source: https://www.uodo.gov.pl/pl/598/3617; available in Polish). The position cites several AI use cases where a DPIA is mandatory (e.g., development and deployment of high-risk AI systems). So far, the official DPIA blacklist has not been updated to include these examples.
The Polish DPA is increasingly active on topics regarding the intersection of AI and data protection. Earlier this year, in January, it announced its plans to develop best practices to support entities in bringing AI tools to market (source: https://www.rp.pl/dane-osobowe/art41729641-miroslaw-wroblewski-prezes-uodo-wyzsze-kary-maja-efekt-prewencyjny; available in Polish). While the specific outcomes of this initiative remain to be seen, the Polish DPA’s growing engagement on AI-related issues signals a strong commitment to fostering responsible innovation in this area.
As an example of this commitment, the Polish DPA has actively cooperated with the Irish Data Protection Commission, participating in dialogue with representatives of social media platforms to develop solutions that comply with personal data protection requirements and address the misuse of deepfake technology. Their goal is to combat fraudulent practices involving the use of deepfake materials to impersonate well-known individuals or other social media users without their consent (source: https://uodo.gov.pl/pl/138/3892, available in Polish).
Additionally, the Polish DPA has advocated for the introduction of legislation directly addressing the dissemination of harmful deepfake content, ensuring victims have effective and rapid means of protecting their rights. It has also taken an active role in cases involving deepfakes and has even reported one such incident to the police (source: https://uodo.gov.pl/pl/138/3886, available in Polish).
In addition to these plans and undertakings, the Polish DPA has been engaged in several key activities:
The Polish Ministry of Digitalization established a Working Group on Artificial Intelligence to identify measures to ensure that Poland has the right conditions for the development of AI applications in both the private and public sectors, as well as for the conduct of scientific research (https://www.gov.pl/web/ai/grupa-robocza-ds-ai).
The Polish Ministry of Digitisation is working on a document entitled 'Policy for the Development of Artificial Intelligence in Poland until 2030'. This policy outlines the actions required to enable a digital transformation, boost the development of AI in Poland and strengthen the country's position on the international stage as a leader in the 'AI Continent'. It is an action plan designed to create optimal conditions for AI development in Poland.
The policy, among others, deals with trustworthy AI, which should meet specific legal requirements. Trustworthy AI should:
The policy outlines several measures to achieve this, including an interactive claims system for AI activity, guidelines on the transparency of personalised shopping algorithms, and copyright law amendments. https://ai.gov.pl/media/2025/06/Polityka-rozwoju-sztucznej-inteligencji-w-Polsce-do-2030-r.pdf
The Text and Data Mining Exception stipulated in the DSM Directive was implemented in the Polish Copyright Act (Art. 26(3))
No, AI is not specifically addressed in data protection laws in Poland.
However, the Polish DPA is actively involved in the AI Act’s implementation into Polish law. It has provided its comments on the draft legislation (source: https://uodo.gov.pl/pl/589/3511; available in Polish) and worked with the parliamentary committee for AI and the transparency of algorithms (source: https://www.uodo.gov.pl/pl/589/3087; available in Polish).
Back in 2024, the Polish DPA also reviewed a draft amendment to the Social Insurance System Act, which proposed automating phone calls to notify individuals of medical appointments using AI-based voicebots that process personal data. The DPA highlighted that biometric data (recordings of the callers’ voices) requires strict safeguards, and such safeguards or guarantees were not included in the legislative proposal.
Planned (not yet established): Komisja Rozwoju i Bezpieczeństwa Sztucznej Inteligencji (AI Development and Security Commission).
Yes, the Polish DPA has launched an official investigation into OpenAI following a complaint concerning ChatGPT. The complainant's requests for rectification and access to their personal data were not fulfilled, and they were not informed about the processing, source, and recipients of their data. The case is ongoing but nearing its conclusion. The Polish DPA has indicated that a decision is expected by the end of this summer and hinted that the outcome may not be favorable for OpenAI. (sources: https://www.wnp.pl/tech/ta-decyzja-moze-wywrocic-model-biznesowy-openai-prezes-uodo-zapadnie-do-konca roku,949376.html#:~:text=UODO%20pracuje%20nad%20decyzj%C4%85%2C%20kt%C3%B3ra,sp%C3%B3%C5%82ka%20praktycznie%20zala%C5%82a%20regulatora%20dokumentami; https://uodo.gov.pl/pl/138/2823; https://www.rp.pl/dane-osobowe/art41729641-miroslaw-wroblewski-prezes-uodo-wyzsze-kary-maja-efekt-prewencyjny; available in Polish).
The Polish DPA was also involved in a consultation process regarding cross-border proceedings on the use of personal data by major social media platforms for AI training, including complaints submitted by NOYB against Twitter/X (GROK tool) and Meta Platforms Ireland Limited (“Meta”) (AI tool).
Back in 2024, the Polish DPA also ordered Meta to stop displaying social media advertisements containing the personal data of two complainants who were the subject of false and deepfake-modified information, including images of them. The ban was ordered for a period of three months. As the case was a cross-border one, it was referred to the Irish Data Protection Commission (source: https://uodo.gov.pl/pl/138/3266 and https://uodo.gov.pl/pl/138/3268, available in Polish). This decision attracted a lot of attention and led to more complaints about the misuse of personal data and images, especially of public figures, in social media advertisements.
N/A
*Information is accurate up to 15 October 2025
