No. According to the Telecommunications Law (Art. 173) (the “Telecoms Law”), which implements cookie regulations into Polish law, cookie consent is necessary.
Cookie consent can be expressed by adjusting the settings of the software installed in the telecommunications terminal equipment used by the subscriber or end user, or by adjusting service configuration settings (e.g., browser settings). Since 2019, the Telecoms Law has required cookie consent to conform to GDPR consent requirements (Art. 174 Telecoms Law).
Yes, although the market approach is twofold. There are still entities which rely on implied consent provided by user browser settings (such consent is obtained by further use of the site without changing default browser settings).
The President of Polish Personal Data Protection Office (the “Polish DPA”) decided that such consent is not valid. Market practice is shifting towards active consent collection, i.e., consent obtained by means of consent management tools.
Yes. The Telecoms Law allows for the use of “strictly necessary cookies” without consent, provided that such use is necessary for the purposes of:
No, only strictly necessary cookies can be placed automatically without consent. The Polish DPA stated in its decision that consent is not necessary when cookies are used to ensure the proper functioning of the website, e.g. displaying certain content or ensuring its security.
However, the Polish DPA is the regulator responsible for supervising personal data processing and not the regulator tasked with supervising the use of cookies (which is the responsibility of the President of the Electronic Communication Office).
Neither the Telecoms Law nor regulatory guidance provide for any additional exemptions, which means that use of other types of cookies requires consent.
The Telecoms Law does not make this clear. On the one hand, cookie consent should meet the GDPR standard for consent; so implied consent is unlikely to be deemed sufficient. However, due to a provision allowing for the collection of cookie consent by way of adjusting service configuration settings (e.g., by browser settings), some have argued that implied consent via browser settings is also possible.
According to the Polish DPA caselaw1, consent provided passively via browser settings without action on the part of the user is invalid, as it does not meet the requirements contained in Art. 4 (11) of the GDPR. Subsequently, the Polish DPA ordered the deletion of the IP address and Cookie ID. The caselaw resulted from data subject complaints. No administrative fines were imposed. One of the decision’s was repealed2, but the Polish DPA upheld its reasoning in a subsequent decision.
Nevertheless, it is still quite common for website operators to assume that a user who does not change his or her browser settings and continues to use a website, consents to the use of cookies.
No, the Telecoms Law requires that the user is informed expressly and in advance, in an unambiguous, simple, and comprehensible manner, about:
The Polish DPA confirmed in a recent decision that the user needs to obtain a privacy notice before the user may consent to the use of cookies. Some entities (usually those who implement a consent management tool) add information about retention periods and the specific cookie being used.
No, cookie banners/ management tools are necessary. Cookie banners are commonly used regardless of whether consent is obtained via browser settings or a management tool.
There are no guidelines or enforcement decisions on this. Cookie walls were used by the biggest publishers on the Polish market once the GDPR entered into force, this was not challenged by regulators. However, most large publishers operating in the market have since implemented the IAB Europe Transparency and Consent Framework v 2.0 and thus no longer use cookie walls.
Not proactively. There are two regulators responsible for the enforcement of cookie rules: (i) the Polish DPA in charge of data processing and (ii) the President of the Electronic Communication Office in charge of cookie rules. Neither are active in enforcement against breaches of cookie rules or related data processing.
However, the Polish DPA acts in response to complaints, for example:
It is rumoured that a number of cookie cases are pending before the Polish DP.
No.
Yes, however:
1Decisions issued by the Polish DPA (i) on 7 October 2021, case no ZSPR.440.331.2019.PR.PAM and (ii) on 9 March 2023, case no DS.523.4364.2021.PR.PAM.