There is no single, comprehensive legal act in Poland that regulates the entirety of personal data processing in the financial industry. As a rule, the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) applies. Individual acts regulate certain sectors, for example the banking and insurance sectors, as well as issues related to anti-money laundering and combating the financing of terrorism (‘AML/CFT’).
Among the regulations relating to the issue of personal data processing by financial market institutions, the following should be distinguished:
Financial market institutions are institutions supervised by the Financial Supervision Authority (‘PFSA’), and financial institutions are therefore also required to apply in their activities the recommendations and guidelines published by the PFSA. Both the recommendations and the guidelines cover areas such as operational risk management and cybersecurity.
The President of the Polish data protection authority (‘UODO’) and the PFSA.
In the case of the aforementioned industry acts, the processing of personal data takes place for the purpose of entering into and performing a contract, as well as on the basis of the laws.
The Banking Law and the Insurance Law contain provisions allowing the use of a decision based on automated processing. This is possible in situations defined by the laws and under certain conditions. At the same time, the aforementioned laws indicate what data can be used for this process.
As a rule, decisions based solely on automated processing, including profiling, of personal data may be used, provided that the person affected by the automated decision has the right to receive an adequate explanation of the grounds for the decision taken, to obtain human intervention in order to make a new decision, and to express their own position.
The aforementioned laws also indicate the possibility of obtaining personal data from other entities or sharing data with other entities. Depending on the case, this will be possible on the basis of authorisation under a legal provision or on the basis of consent.
There are no specific requirements for how customers should be informed of an institution’s privacy policies and practices.
Specific sector requirements with regard to data security and risk management result from the guidelines and recommendations of supervisory authorities, mainly the PFSA. In particular, these requirements follow from Recommendation D on the Management of Information Technology and ICT Environment Security at Banks (available only in Polish) (‘Recommendation D’) and Recommendation D-SKOK on the Management of Information Technology and ICT Environment Security at Credit Unions (available only in Polish) (‘Recommendation D-SKOK’).
As a rule, there are no special requirements as to the time limits for storing personal data of a financial nature; retention periods are determined by the limitation periods for civil law claims, i.e. three years, or six years in the case of consumers.
Specific regulations for the financial sector pertain, for example, to information covered by banking secrecy; depending on the purpose and type of information, its processing may be performed for a period of no more than five years or for a period of 12 years.
AML issues are defined in the AML/CFT Law. Pursuant to Article 33(3) of the AML/CFT Law, obliged institutions shall document the identified money laundering and terrorist financing risks related to the business relationship or to the occasional transaction and its assessment, taking into account, in particular, factors concerning: the type of customer, the geographical area, the purpose of the account, the type of products, services, and ways of their distribution, the level of property values deposited by the customer or the value of transactions carried out, and the purpose, regularity, or duration of the business relationship. This means that obliged institutions may obtain and process personal data necessary to fulfil the above-mentioned obligation, as well as other obligations under the AML/CFT Law.
In accordance with Article 34 of the AML/CFT Law, an obliged institution must apply financial security measures, which include identifying the customer and verifying their identity, and identifying the beneficial owner and taking reasonable steps to verify their identity as well as to establish the ownership and control structure.
In addition, the obliged institution evaluates the economic relations, including obtaining information on their purpose and intended nature, as well as monitors the customer’s economic relations on an ongoing basis, including, inter alia, analysing transactions, examining the sources of origin of property values, and verifying the validity of documents.
The AML/CFT Law allows obliged institutions, for the purpose of applying financial security measures, to process information contained in the identity documents of the customer and the person authorised to act on their behalf, and make copies thereof.
Pursuant to Article 36 of the AML/CFT Law, an obliged institution conducts customer identification, which consists of establishing the data of a natural person indicated in the AML/CFT Law (at a minimum: name and surname, citizenship, date of birth, address of residence, and the series and number of the identity document). In addition, the AML/CFT Law requires that the data of the beneficial owner and the data of the person authorised to act on behalf of the customer be established.
In connection with the above, obliged institutions may process data to the extent necessary to fulfil their duties.
Pursuant to the AML/CFT Law, prior to establishing economic relations or carrying out an occasional transaction, obliged institutions shall inform the customer about the processing of their personal data, in particular about the obligations of the obliged institution under the AML/CFT Law with respect to the processing of such data.
As a general rule, information is retained for five years from the date the business relationship ends or the date of the occasional transaction. Similarly, the results of analyses are kept for five years from the date on which they are carried out. This period may be extended at the request of the General Inspector under Article 49 of the AML/CFT Law.
Pursuant to Article 104(1) of the Banking Law, a bank, persons employed by it, and persons through whom the bank performs banking activities are obliged to maintain banking secrecy, which covers all information concerning a banking activity obtained during the negotiation, conclusion, and execution of the agreement under which the bank performs this activity.
In addition, pursuant to Article 54(1) of the AML/CFT Law, obliged institutions, their employees, and other persons acting in the name and on behalf of obliged institutions shall keep secret: (i) the fact of providing the General Inspector or other competent authorities with the information specified in the AML/CFT Law; and (ii) information on planning to initiate and on conducting an analysis on money laundering or terrorist financing.
The rules for disclosure of information covered by banking secrecy are set forth in Article 105 of the Banking Law. In this regard, a bank is obliged to provide information constituting banking secrecy to, among others, the Head of the National Tax Administration, banks and credit institutions, cooperative savings and credit unions, the clearing house, providers of payment initiation services, providers of account information services, and payment service providers.
The Banking Law regulates to what extent bank secrecy may be disclosed, but does not indicate what specific information may be disclosed.
The insurance industry is subject to specific regulations regarding the processing of personal data.
Pursuant to Article 35(7) of the Insurance Law, both the insurance company and persons employed by it, as well as persons and entities through which the insurance company performs its insurance activities, are obliged to maintain secrecy concerning individual insurance contracts.
The Insurance Law also provides that an insurance company may process personal data, including personal data covered by the obligation of secrecy (referred to in Article 35) in the event of a justified suspicion that an offence has been committed to the detriment of the insurance company for the purpose and to the extent necessary to prevent that offence (Article 35a of the Insurance Law).
Article 15 of the GDPR shall not apply to the processing of personal data by an insurance company to the extent that it is necessary for the proper performance of tasks relating to the prevention of money laundering and terrorist financing and the prevention of crimes (Article 35b of the Insurance Law).
Moreover, pursuant to Article 38(1) of the Insurance Law, an insurance company may obtain, against payment, from entities carrying out medical activities information on circumstances related to the assessment of insurance risk and verification of data provided by the person about their state of health, determination of the person’s right to benefit under the insurance agreement concluded, and the amount of such benefit. However, the insurance company’s request for information requires the consent of the insured or the person for whose account the insurance contract is to be concluded, or their legal representative.
In addition, the Insurance Law provides that an insurance company may obtain data from the National Health Fund of Poland, such as the names and addresses of healthcare providers who have provided healthcare services in connection with the accident or random event that is the basis for determining its liability and the amount of compensation or benefits. The insurance company’s request for such information requires the consent of the insured or their statutory representative.
Upon the request of another insurance company, an insurance company may, with the consent of the data subject or their legal representative, make the personal data processed by it available to that insurance company, in the scope necessary to assess the insurance risk and verify the data provided by the policyholder, the insured, or the person for whose account the insurance contract is to be concluded.
Additionally, the Insurance Law allows taking decisions by the insurance company in individual cases based exclusively on automated processing, including profiling, of personal data in order to: (i) perform insurance risk assessment in the case of personal data concerning the insured; and (ii) perform insurance operations provided for in the Insurance Law.
Basing a decision on automated processing is allowed on the condition, in accordance with Article 41(1)(a) of the Insurance Law, that the person concerned by the automated decision is provided with the right to receive adequate explanations regarding the grounds for the decision taken, to contest the decision, to express their own position, and to obtain human intervention.
In this regard, decisions based on automated processing can only be made on the basis of the categories of data concerning an individual that are listed in the Insurance Law.
It should also be noted that the UODO has issued guidelines on, inter alia, the treatment of insurance brokers as controllers of personal data.
In addition, there have been interpretations and guidelines concerning the processing of data in connection with social and health insurance.
The rules governing the operation of payment service providers, as well as the specific rights and obligations related to the processing of personal data, are set forth in the Act of 19 August 2011 on Payment Services (available only in Polish) (‘the Payment Services Act’).
The Payment Services Act specifies, among other things, in Article 10, that providers are entitled to process personal data to the extent necessary to prevent, investigate, and detect fraud related to the payment services provided, the operation of a payment scheme, or the operation of a payment system by the competent authorities.
Providers are not required to perform the obligations referred to in Article 15 of the GDPR to the extent that this is necessary for the proper performance of AML/CFT and crime prevention tasks.
Recommendation D sets out the principles of cooperation between a bank and external IT service providers. Similar guidelines were issued for pension, insurance and reinsurance companies, and for cooperative savings and credit unions.
A notice has also been published regarding the processing of information by supervised entities in public or hybrid cloud computing.
In the event of a data protection breach, the general principles set out in the GDPR apply. Among other things, financial institutions are required to perform a robust risk analysis.
There are no sector-specific requirements for financial institutions adopting the use of FinTech, such as InsurTech, RegTech, blockchain, and artificial intelligence (‘AI’). The PFSA has launched a virtual sandbox to test innovations, including those based on blockchain technology. Based on the results of the tests, the entrepreneur can decide whether to apply for the appropriate permission or licence.
The PFSA has published a position paper on the application of robo-advice. The position statement aims to ensure the uniform application of robo-advice by the financial institutions concerned, while taking into account adequate protection of clients, especially non-professional investors.
Financial institutions may be subject to various penalties depending on the type, severity, and extent of the breach. In connection with a breach of the GDPR, an institution may be subject to the sanctions provided for under the GDPR, including financial penalties.
The AML/CFT Law provides for administrative and criminal penalties for violations of its provisions.
Administrative sanctions include: publication of information about the obliged institution and the scope of violation of the AML/CFT Law by the institution in the Public Information Bulletin on the website of the office serving the minister competent for public finance; an order to cease certain activities by the obliged institution; withdrawal of a license or permit or removal from the register of regulated activities; a ban on performing duties in a managerial position by a person responsible for a violation of the AML/CFT Law by the obliged institution, for a period not exceeding one year; and/or a financial penalty.
In the case of certain breaches, the financial penalty may amount to PLN 20,868,500 (approx. €4,430) for a natural person, and for a legal person or an organisational unit without legal personality, up to PLN 23,557,724 (approx. €5 million) or up to 10% of the turnover shown in the last approved financial statement for the financial year.
In turn, the disclosure or use of information constituting banking secrecy is punishable by a fine of up to PLN 1 million (approx. €212,250) and imprisonment of up to three years.
Regardless of the sanctions provided for in the various laws, violations may have a significant impact on the decision of the PFSA to revoke licenses and permits required to conduct regulated activities.