Home Resources Articles Poland: New data protection regulations including consent under GDPR

Poland: New data protection regulations including consent under GDPR

by Usercentrics
Aug 31, 2020
Table of contents
Show more Show less
Book a demo
Learn how our consent management solution can improve privacy and user experience for your users.
Get your free data privacy audit now!

Recently, Poland’s Data Protection Authority “UODO” has announced major changes in the legal basis for processing data. Therefore, consent is only the foundation for legitimate processing when there are no other legal grounds. However, if the consent is applicable, it must meet certain conditions in order to effectively constitute the basis for processing.

What is the current situation?

Only if “essential” tags are not the basis for data collection, consent can be the basis for processing personal data whilst meeting certain relevant conditions as provided by articles 4 (11) and 7 of the GDPR. 

Consent given before personal data is being processed should be explicit, specify the person giving his or her consent, show whose personal data is made available for how long and to whom, and inform about the purpose of the processing. The website owner is obliged to ensure that his activities comply with the principles governing the processing of personal data, in particular articles 5 and 7 of the GDPR.

New regulations from now on

It is crucial to remember that it is not allowed to force users to give their consent as such consent is not valid under GDPR. It should be recalled that we are dealing with forced consent when the consent clause is stated between many other points of the agreement. Forced consent also exists when a public or non-public institution performing a public task makes its activities subject to consent.

According to article 7 (3) GDPR, consent may be withdrawn at any time. The provision requires the website owner to inform the user of this right before giving his or her consent. Also, withdrawing consent must be as simple as giving it and possible in the same way.

Approval for marketing contact

Businesses should be particularly vigilant when it comes to their different marketing activities: While consent is not required for direct marketing, the situation changes when this form of communication is done by telephone as this is prohibited without prior consent.

Default settings

It should also be noted that any model which takes advantage of the passivity, silence or carelessness of the person whose personal data is being collected or setting pre-ticked boxes is unacceptable and consent gathered in this way is considered invalid. The person giving consent has to take affirmative action, to consent to the specific processing of his or her personal data. The user has to make the decision himself and consciously make a choice. Pre-ticked boxes can be easily overseen through inattention and rush.

Which actions should be taken by any company?

  1. Get an overview of all the data you are collecting and storing and find out whether you have to care about proper data security management.
  2. Check your system for possible leaks. You cannot only be charged a fine in case data is stolen but already if there is an existing data leak. Those GDPR violations can be detected with very little technical knowledge by competitors or users.
  3. Collect and manage your user’s consent. This can easily be done by implementing a Consent Management Platform (CMP). 

What are the benefits of a CMP?

✔ Collecting and storing consents in accordance with the law ⇨ Minimize your legal risk

✔ Audit proof documentation ⇨ Proof you did obtain your data the compliant way in case of an audit

✔ No loss of data ⇨ Protect your advertising revenue

✔ Boost of your user’s trust ⇨ Get ahead of your competitors by managing your user data transparently


You want to know more about the Usercentrics CMP?



The decision to implement a data protection-compliant CMP is ultimately at the discretion of the data protection officer and/or the legal department. These statements do not constitute legal advice. They merely serve to support and inform you about the current legal situation with respect to the implementation of a CMP solution. Please consult a qualified lawyer should you have any legal questions.

Related Articles


Digital Markets Act (DMA) for startups: benefits and challenges

With the Digital Markets Act (DMA) in effect, what challenges and benefits can start-ups and SMEs that rely on...


Understanding the Washington My Health My Data Act: a comprehensive guide

The Washington My Health My Data Act is a state-level data privacy law that focuses solely on consumer health...