Recent developments and future prospects

Trends and developments

Have there been any notable recent trends or developments concerning the conduct of online and digital business (both business to business and business to consumer) in your jurisdiction, including any regulatory changes or case law?

Online and digital business in Poland is heavily affected by EU law developments, starting with the General Data Protection Regulation (GDPR). GDPR affects direct marketing, targeted marketing, information obligations and costs related to claims handling (due to individual rights). The Law on the National Cybersecurity System (implementation of the EU Network and Information Security Directive) will affect marketplace platforms, cloud computing providers, search engines and digital infrastructure providers. The upcoming EU e-Privacy Regulation will further affect e-marketing.

Apart from EU law, a landmark judgment was delivered by the Krakow Appellate Court on 18 September 2017 (No I ACa 1494/15). According to the court, a hosting service provider may be held liable if it should have been aware of the illegal nature of the content and has not taken appropriate action, as it may be considered to be intentionally redistributing the infringing content. The judgment concerns chomikuj.pl – a web service (formally a search engine) known for allowing the exchange of content.    

Future prospects

What are the future prospects for digital business in your jurisdiction, including any proposed or potential regulatory reforms and future technological/market developments?

The Ministry of Digitalisation continues to transform Polish administration, making increasingly more matters available online (eg, from October 2018 drivers will no longer be required to carry their car ID or their driving licence). At the same time, increasingly more public duties such as personal data breach notification and data protection officer notification require e-signatures, making it more common in the market.

The Ministry of Finance is working on a reliable system of taxing cryptographic currency exchange.

Legal framework

Legislation

What primary and secondary legislation governs the conduct of digital business in your jurisdiction?

The following primary legislation applies to digital business in Poland:

  • the Entrepreneurs Law of 6 March 2018 – general rules for conducting business in Poland;
  • the Code of Commercial Companies of 15 September 2000 – rules on establishing and running companies and partnerships;
  • the Civil Code of 23 April 1964– rules for contracts and other deeds;
  • the Act on Providing Electronic Services of 18 July 2002;
  • the EU General Data Protection Regulation No. 2016/679 of 27 April 2016;
  • the Copyright and Neighbouring Rights Law of 4 February 1994 (Copyright Law);
  • the Consumer Rights Act of 30 April 2014; and
  • the Tax on Goods and Services Act (the VAT Act) of 11 March 2004
  • the Corporate Income Tax Act of 15 February 1992
  • the Personal Income Tax Act of 26 July 1991

The following secondary legislation applies:

  • the Payment Services Act of 19 August 2011;
  • the Banking Law of 29 August 1997;
  • the Gambling Act of 19 November 2009;
  • the Insurance and Reinsurance Act of 11 September 2015;
  • the Act on Trading in Financial Instruments of 29 July 2005;
  • the Industrial Property Law of 30 June 2000;
  • the Competition and Consumer Protection Act of 16 February 2007; and
  • the Telecommunications Law of 16 July 2004.

Regulatory authorities

Which authorities regulate the conduct of digital business and what is the extent of their powers?

The following supervisory authorities regulate digital business in Poland:

  • the Personal Data Protection Office (UODO);
  • the Electronic Communication Office (UKE); and
  • the Competition and Consumer Protection Office (UOKiK).

Each can impose severe fines – the UODO for lack of compliance with data protection requirements, the UKE for spam and the UOKiK for unfair market practices.

Government policy and regulatory approach

How would you describe the government’s policy and regulatory approach to digital business?

The Polish government tries to facilitate setting up and operating digital businesses. The government’s efforts are not necessarily effective short term, but in the long term their effects are more visible. The Ministry of Digitalisation plays an active role in facilitating digital business in Poland.

Establishing digital businesses

Requirements

What regulatory and procedural requirements govern the establishment of digital businesses in your jurisdiction? To what extent do these requirements and procedures differ from those governing the establishment of brick-and-mortar businesses?

Requirements for establishing a digital business in Poland do not differ from requirements for a brick-and-mortar business.

There are no special rules for establishing a digital/e-commerce business. Some limitations may be imposed – in particular:

  • Online gambling is prohibited;
  • Selling prescription drugs (ie, medicinal products) online is prohibited;
  • Payment services are regulated;
  • Advertising alcohol, tobacco, medicinal products, dietary supplements and newborn nutrients is limited or prohibited; and
  • Telecommunications operators and domestic payment institutions must register in a special register.

E-commerce is regulated by the Act on Providing Electronic Services (http://prawo.sejm.gov.pl/isap.nsf/download.xsp/WDU20021441204/U/D20021204Lj.pdf), which implements the EU E-commerce Directive of 8 June 2000.

Digital business can be conducted in the following forms:

<>······http://prawo.sejm.gov.pl/isap.nsf/download.xsp/WDU20180000646/O/D20180646.pdf), while setting up partnerships and companies is regulated by the Code of Commercial Companies (http://prawo.sejm.gov.pl/isap.nsf/download.xsp/WDU20000941037/U/D20001037Lj.pdf) and the Act on the National Court Register   (http://prawo.sejm.gov.pl/isap.nsf/download.xsp/WDU19971210769/U/D19970769Lj.pdf).

Sole proprietorships, partnerships, limited partnerships and limited liability companies may be set up online, provided that one has a Polish qualified electronic signature or a Public Trusted Profile (ePUAP), which can be obtained free of charge from many places in Poland. A foreign person may obtain an ePUAP after obtaining a Polish identification number (PESEL).

A sole proprietorship can be set up online by logging into https://prod.ceidg.gov.pl/CEIDG.CMS.ENGINE/?D;f124ce8a-3e72-4588-8380-63e8ad33621f (English version). A company can be set up online by logging into the S24 portal (https://ekrs.ms.gov.pl/s24/ no English version), completing the relevant forms and signing the forms with a secure electronic signature or ePUAP.

Goods and services can be offered in Poland from another EU country, or a branch or representative office can be opened in Poland.

Electronic contracts and signatures

Electronic contract availability

Are electronic contracts legally valid in your jurisdiction? If so, what rules and restrictions govern their formation (including any mandatory or prohibited provisions and contract formats)?

Yes, electronic contracts are legally valid under Polish law.

An electronic contract formally corresponds to a “documented legal form” as described by the Polish Civil Code. All movables and content can be bought online, as in Poland most contracts do not require any special legal form. However, land or other real estate cannot be bought online, nor can company shares be transferred, as such transactions require confirmation by a notary. 

An online transaction with a consumer must be documented in a durable medium (eg, a pdf receipt should be emailed to a consumer or attached to a parcel with sold goods).

Are there any limitations or restrictions on transactions that can be concluded through electronic contracts?

Land or other real estate, company shares, receivables or other rights resulting from a written instrument cannot be transferred through an electronic contract. Intellectual property (eg, patents, trademarks, utility designs, copyrights and exclusive licences) also cannot be transferred in this way, although non-exclusive licences can be granted electronically. Property rentals can be transacted online, but insurance against earlier termination in case of sale of a rented object cannot.

As in other EU countries, an online transaction with a consumer must be documented in a durable medium (eg, a pdf receipt should be emailed to a consumer or attached to a parcel with sold goods).

Data retention

Do any data retention requirements apply to electronic contracts?

There is no general requirement for the parties to keep data relating to electronic contracts. However, telecommunications operators must keep traffic data for 12 months and, since 2016, enforcement agencies are allowed to conclude agreements with internet operators whereby they can access user data for the preceding 18 months. 

According to the EU General Data Protection Regulation (GDPR), data controllers should not keep data longer than is necessary. In practice, retention periods are based on civil law or tax prescription periods. In July 2018 the general prescription period for civil law claims was lowered from 10 to six years (ending 31 December each year). Therefore, the general retention period should not exceed seven years (one year extra for ‘safety reasons’).

Under the Act on Providing Electronic Services, there are specific rules for allowed retention of personal data after a specific e-service has concluded, which is limited to scenarios involving claims, advertising, illegitimate use and other laws.

Remedies

Are any special remedies available for the breach of electronic contracts?

As in other EU countries, a consumer has the right to withdraw from an electronic contract within 14 days from delivery of goods or conclusion of a contract for services (except for delivery of content).

As usual, if a payment is made by credit card, a purchaser can also rely on chargeback. Chargeback is a return of funds initiated by the issuing bank on the card holder's behalf following the card holder’s complaint regarding a transaction paid by the credit card.

There are no other specific remedies relating to electronic contracts in Poland.

Electronic signatures

Are electronic signatures legally valid in your jurisdiction? If so, what rules and restrictions govern their use?

Yes, electronic signatures are legally valid in Poland.

A qualified electronic signature equal to a handwritten signature is a paid service currently offered by four Polish institutions. Polish qualified e-signature has a known privacy flaw as it discloses a holder’s ID number (PESEL) and PESEL contains ones date of birth and sex.

For official matters, instead of a qualified electronic signature a Public Trusted Profile (ePUAP) may be used to sign documents. A foreign person may obtain a ePUAP after obtaining a Polish identification number (PESEL).

Most Polish businesses must file monthly Unified Control Files (JPK). A JPK file must be signed electronically, but it is usually handled by accounting offices or accountants.

As a matter of precaution, since 25 May 2018 all Polish businesses must have a qualified electronic signature or a ePUAP. GDPR requires businesses to notify the supervisory authority about personal data breaches within 72 hours of discovering it. In Poland such notification can be made only electronically and requires electronic signature. As increasingly more public duties require e-signature, it is becoming more widespread.

Since September 2018 e-signatures from other EU countries will be recognised by the Polish state on account of the EU eIDAS Regulation (910/2014) on electronic identification and trust services for electronic transactions in the internal market.

Electronic payments

Electronic payment systems

Are there any rules, restrictions or other relevant considerations regarding the use of electronic payment systems in your jurisdiction?

Electronic payment systems are regulated by the Polish Payment Services Act, which implemented the EU Second Payment Services Directive. To provide electronic payment services, each provider must be licensed by the Polish Financial Supervision Authority (PFSA) or notified to the PFSA if licensed in another EU country. There are no formal restrictions on the use of electronic payment systems in Poland.

The most popular e-payment method in Poland is pay-by-link, created and managed by the National Clearing House, which allows customers to pay for goods or services using a single link in their own banks. However, after Poland implemented the Second Payment Services Directive in June 2018, the so-called ‘credential sharing authentication method’ – highly questionable from a security point of view – might gain traction in the market.

Virtual currencies

Are there any rules or restrictions on the use of virtual currencies (eg, Bitcoin)?

There are no formal restrictions on the use of virtual currencies in Poland. However, the strictly formal attitude to virtual currencies taken by Polish banks under the former Anti-money Laundering and Combating Financing of Terrorism Act (AML/CFT Act) meant that no trader on crypto exchanges could have a bank account in Poland.

The new AML/CFT Act, which entered into force on 13 July 2018, introduced a definition of ‘virtual currency’. The act contains only formal obligations for the use of virtual currencies (ie, the obligation to verify the identification of transaction beneficiaries). The tax status of virtual currencies remains uncertain. At present, the government is working to develop a final taxation model.

Data protection and cybersecurity

Collection, use and storage

What rules, restrictions and procedures govern the collection, use and storage of personal data in the course of digital business in your jurisdiction?

The collection, use and storage of personal data in Poland are regulated by the EU General Data Protection Regulation (GDPR) and the Act on Providing Electronic Services, the latter of which (implementing the EU E-commerce Directive) provides specific legal grounds for processing data and limits the scope and retention period for data processing in the course of providing electronic services.

International data transfers

What rules and restrictions apply to the cross-border transfer of personal data collected in the course of digital business?

Cross-border transfer of personal data collected in the course of digital business is subject to the GDPR. Transfer of personal data within the European Union and the European Economic Area is open. However, transfer of data out of the EEA is restricted – in particular, it requires:

  • a decision of the European Union on adequate personal data protection in the relevant third country;
  • a safeguard tool, such as standard data protection clauses executed between an exporter and importer of data or binding corporate rules; or
  • a single instrument or situation, such as explicit and informed consent, agreement or other scenarios unrelated to digital business.

In any case, a data controller must inform data subjects (eg, a consumer or a website visitor) about the intention to transfer their data out of the EEA.

Consumer rights

What rights are afforded to consumers in relation to their personal data?

The rights granted to consumers with regard to the protection of their personal data have been directly regulated by GDPR. The rights of individuals (including consumers) are provided by Articles 15 to 22 of GDPR. The regulation gives consumers the following rights with respect to the protection of their personal data:

  • the right to information about the collection of data;
  • the right of access to data and a copy of the data;
  • the right of rectification and supplementation of data;
  • the right to erasure (ie, to be forgotten);
  • the right to restriction of processing;
  • the right to data portability;
  • the right to object;
  • the right to withdraw consent;
  • the right to appeal to a human against an automated decision;
  • the right to be served (ie, no ignoring);
  • the right to "readability";
  • the right to facilitate (ie, to guide);
  • the right to a timely response;
  • the right to information about rights;
  • the right to easy withdrawal of consent;
  • the right to information about recipients of data;
  • the option of convenient electronic service of rights; and
  • the right to information about data protection breaches.

Cookies

How is the use of cookies regulated?

Cookies are regulated in Article 173 of the Telecommunications Law of 16 July 2004 (which implemented EU Directive 2009/136/EC). The use of cookies is allowed when the website user is informed before the installation of cookies about:

  • the files that the site places on the user's device;
  • for what purpose it is done;
  • how the organisation uses cookie collection software;
  • how to remove the software; and
  • the website’s need to obtain a user’s consent to use cookies.

GDPR also applies to cookies.  Using cookies triggers information duty and requires either a legitimate interest or consent as a basis for processing. At present (Summer 2018) in practice a mixed model prevails in Poland (ie, relying on legitimate interest including for third-party cookies, supplemented with opt out). 

Data breach

What rules and standards govern digital operators’ response to data breaches? Are they subject to any notification requirements in the event of a data breach? What precautionary measures should be taken to avoid data breaches?

Article 33 of GDPR requires data controllers to notify personal data breaches to the relevant supervisory authority (the Personal Data Protection Office in Poland) within 72 hours of becoming aware of the breach, unless there is no risk of violating the rights and freedoms of data subjects. Article 34 of GDPR requires data controllers to inform affected data subjects about the personal data breach if the risk of violating their rights or freedoms is high.

At the moment Article 174a of the Telecommunications Law still requires telecoms operators to notify the relevant supervisory authority (the Personal Data Protection Office in Poland) about data breaches within 24 hours. This is going to change, Article 174a of the Telecommunications Law is going to be repealed and Article 33 of GDPR will apply..

The newly adopted National Cybersecurity System Act requires key service operators to notify an appropriate national computer security incident response team (CSIRT) about a material data breach within 24 hours of detection.

There is no regulation which directly indicates what measures should be taken to avoid data breaches. GDPR and other regulations take a risk-based approach, which requires organisations to adopt security measures adequate to the risk associated with their activity (which should not be confused with adopting measures corresponding to their appetite for risk). Article 32 of GDPR refers to pseudonymisation and encryption as examples of security measures.

Cybersecurity

What cybersecurity regulations and/or standards apply to the conduct of digital business?

In July 2018 Poland adopted the National Cybersecurity System Act (implementing the EU Network and Information Systems Directive (2016/1148 of 6 July 2016)). Among other things, the act:

  • sets rules for responding to cybersecurity-related incidents;
  • clarifies the categories of incidents, which vary depending on the type of entity that reports them and the degree of impact (ie, thresholds);
  • distinguishes between serious incidents reported by public entities and critical incidents;
  • enables the establishment of sectoral cybersecurity teams to support the handling of major incidents in cooperation with the appropriate national-level CSIRT; and
  • assumes the appointment of the Government Plenipotentiary for Cybersecurity and the College for Cybersecurity in order to strengthen the coordination of activities and the exchange of information between institutions responsible for cybersecurity.

Article 32 of GDPR also refers to cybersecurity. However, in practice there is no legal act setting a technical cybersecurity standard. In 2004 the minister of internal affairs and administration issued a regulation setting specific data protection security levels and data protection security measures based on the previous Data Protection Act 1997, but it has been derogated due to GDPR.

Is cybersecurity insurance available and commonly purchased?

Yes, cybersecurity insurance is available in Poland but it is not yet commonly purchased. The interest in cyber risk policies is increasing because of GDPR. Insurance against cyberattacks is available on the Polish market. Most local insurers offer this type of insurance, but their products are far from advanced. Foreign insurers tend to offer a better approach and conditions.

The Polish cybersecurity risk insurance market is underdeveloped. There is a general conviction that insurance coverage cannot protect against administrative fines. While this is technically true, insurers have devised legally acceptable ways to mitigate the financial consequences of fines.

Encryption

Are there regulations or restrictions on the use of encryption?

There are no general legal acts in Poland on encryption. A recently derogated regulation of the minister of internal affairs and administration from 2004 required encryption of mobile computers and online authentication (https at the time). Articles 32 and 34 of GDPR encourage the use of encryption.

The general rule is that the organisation itself will decide whether it implements a security measure such as data encryption and which type of encryption it will use.

However, the use of strong encryption is regulated. Over-the-counter products are generally allowed, but use of more advanced encryption technology requires the prior consent of the Polish Internal Security Agency, according to EU Regulation 428/2009 of 5 May 2009 and corresponding Polish legal acts.

Government interception/retention

What rules and procedures govern the authorities’ interception of communications and access to consumer data?

Telecommunications operators must keep traffic data for 12 months to allow access for law enforcement agencies. There can be over a million effective requests per year (1,222,314 for 2017 according to Panoptykon.org). Since 2016, law enforcement agencies are allowed to conclude agreements with internet operators whereby they can access user data for the preceding 18 months.

The rules of access to private information – in particular to electronic data (eg, data logs and the length of logs) and information transmitted electronically (eg, private messages and telephone conversations) – are set out in the Act of Police of 6 April 1990, as amended by the Act of Police of 15 January 2016 and other acts.

Law enforcement authorities may undertake the following activities, among other things:

  • obtain and record the content of telephone conversations;
  • obtain and record images and conversations on public transport and non-public places;
  • obtain and record the content of email correspondence or other electronic communications (eg, social media);
  • obtain and record data contained on IT data carriers, end devices and information and tele-information systems (eg, call lists, telephone location data and Internet Protocol addresses); and
  • access and control the content of parcels (eg, traditional correspondence).

These activities may be carried out for up to three months, or up to 18 months with the permission of a provincial court.

Advertising and marketing

Regulation

What rules govern digital advertising and marketing in your jurisdiction?

In Poland there are no specific legal rules on digital advertising.

EU law has had the biggest impact on digital advertising and marketing in Poland, in particular the General Data Protection Regulation (GDPR) and the implementation of EU directives through the Act on Providing Electronic Services and the Telecommunications Law.

GDPR limits targeted advertising, the sale of personal data and direct marketing of third parties. The Act on Providing Electronic Services and the Telecommunications Law prohibit unsolicited email marketing and other direct electronic messages, as well as unsolicited marketing calls and text messages.

Other acts prohibit or limit advertising certain products or services, such as gambling, alcohol, tobacco, medicinal products, dietary supplements and new-born nutrients. Lawyers, notaries, doctors and pharmacies are prohibited from advertising their services.

Advertising must not give rise to unfair competition or market practices. 

Are there any specific regulations governing the use of targeted advertising?

Targeted advertising is regulated by GDPR, the Telecommunications Law and the Act on the Prevention of Unfair Market Practices.

The Telecommunications Law regulates the use of cookies, in particular requiring notification of and consent to their use. Cookies and similar technologies (eg, Facebook pixel or other beacons) serve to identify user preferences. GDPR regulates monitoring and profiling and the resulting targeted advertising. There is ongoing debate over the extent to which GDPR limits the programmatic advertising model (ie, ‘ad tech’). Thus far the supervisory authorities have not taken a stance on the issue.

Restrictions

Are there any restrictions or limitations on goods and services that can be advertised, marketed and sold online?

There are several restrictions on goods and services that can be advertised, marketed and sold online, including the following:

  • Tobacco products – prohibition on advertising and selling tobacco products (understood as distance selling).
  • Medicinal products – prohibition on advertising medicinal products (ie, prescribed medication) to the general public, and prohibition on selling both prescribed and over-the-counter (OTC) medication if the sale of the OTC medication is restricted by age.
  • Gambling activities – limitations on advertising and marketing online gambling activities, as follows:
    • advertising and marketing is allowed only on the websites indicated in the gambling company’s licence;
    • prohibition on online gambling activities organised by entities which do not belong to the state monopoly and other unlicensed online gambling activities; and
    • limitation on advertising betting transactions.
  • Food products – limitations on advertising, marketing and selling certain food products, including the following:
    • infant formula advertisements can be published only in scientific publications specialising in the dissemination of knowledge in the field of childcare or academic publications, and should be limited to information confirmed by the research. Infant formulae should not be advertised at the place of sale;
    • prohibition on marketing infant formulae and infant feeding items through distribution of discount coupons, special sales and offering or providing free or reduced-price samples or other promotional items to consumers;
    • food items can be sold online only with a licence from the competent body; and
    • dietary supplement advertisements cannot contain clams or suggestions that a varied and balanced diet cannot supply sufficient amounts of nutritional elements.
  • Alcohol – prohibition on advertising alcohol online, with the exception of beers. However, beer advertisements cannot be directed to children (ie, in practice they can be displayed only after 10:00pm). Liquors over 4.5% alcohol by volume (except beers) cannot be sold online.
  • Products containing psychotropic or narcotic drugs – prohibition on advertising and promoting products containing psychotropic or narcotic drugs.

Spam messages

What rules and restrictions govern the sending of spam messages?

Spam (ie, unsolicited direct marketing messages) is regulated by Article 10 of the Act on Providing Electronic Services and Article 172 of the Telecommunications Law.

Electronic or telephone direct marketing requires the user’s prior consent, irrespective of whether the user is an individual or an organisation.

Sending spam may give rise to legal liability, including civil liability, criminal liability and administrative fines imposed by the president of the Office of Electronic Communications, the president of the Office of Competition and Consumer Protection or the president of the Personal Data Protection Office (where illegal personal data processing is involved).

Digital content and IP issues

Required notices

Are websites and any other digital content required to display certain legal notices or other information in your jurisdiction?

The scope of information that must be displayed to users of digital content is governed by:

  • the Act on Providing Electronic Services;
  • the EU General Data Protection Regulation (GDPR); and
  • the Telecommunications Law.

In practice, websites use terms and conditions and a privacy policy to comply with these requirements. 

Terms and conditions should describe the types and scope of services provided, technical conditions, a prohibition on posting illegal content, conditions for concluding and terminating contracts and claims handling terms. Usually choice of law and choice of court clauses are included. Information that must be provided in a privacy policy revolves around the identity of the ‘service provider’, use of data provided by the website user and information regarding cookies. The scope of the required information may change soon due to the forthcoming EU e-Privacy Regulation.

Based on the Telecommunications Law, as of July 2018 Polish websites should display cookie use notices and gather consent for use of cookies. Moreover, depending on the way a website uses cookies, a further personal data protection notice may be required based on GDPR and use of cookies may be dependent on separate data protection consent or the legitimate interest of the owner of the site and its partners, depending on interpretation.

Liability for content

What rules govern liability for online or other digital content that is defamatory or infringes another party’s IP rights?

The author of the content is liable for infringements caused by it. The Act on Providing Electronic Services excludes internet providers from liability under mere conduit and caching exceptions. A data hosting provider is by default free from liability until it obtains a credible notice of the unlawful character of particular content. On notification the hosting service provider must block the allegedly infringing content in order to remain free from liability (so-called ‘notice and takedown’). According to a Polish Supreme Court ruling of 30 September 2016 (I CSK 598/15), proactive monitoring of the website content prevents the website owner from relying on the hosting exception, as doing so would potentially make it aware of the infringing content.

The Act on Providing Electronic Services implements the EU E-Commerce Directive (corresponding to the US Digital Millennium Copyright Act).

How can liability be excluded or limited?

The Act on Providing Electronic Services limits the liability of telecommunications service providers, cache service providers and hosting services providers.

Telecommunications service providers

Telecommunications service providers are not liable for the content where they do not:

  • initiate the transmission;
  • choose the recipient of the transmission; or
  • choose or modify information subject to the transmission.

This exclusion also applies to automatic and short-term intermediate storage of transmitted data, if the storage is intended solely for the purpose of carrying out the transmission and the data is not stored for longer than is normally necessary for carrying out the transmission.

Cache service providers

Cache service providers are not liable for the content where they:

  • do not modify the data;
  • use recognised and common IT techniques defining technical parameters of access to the data and its actualisation; and
  • do not interfere with using such IT techniques in the scope of collecting information about the usage of the collected data, provided that the cache service provider immediately deletes or takes down the data after receiving information that the data was deleted from the original source of transmission or was taken down, or that a court or another competent office had ordered the deletion or takedown of the data. 

Hosting services providers

Hosting services providers are not liable for the content where they are not aware of the unlawful character of the content and, after receiving an official or credible notice of such unlawful content or related activities, take the content down immediately.

Which parties can be held liable for defamatory or infringing content? Can contingent liability be extended to internet service providers (ISPs)?

Apart from the parties that originally put the illegal content on the Internet, hosting services providers may be held liable if they should have been aware of the illegal nature of the content and have not taken appropriate action, as they may be considered as intentionally redistributing the infringing content (Krakow Appellate Court judgment of 18 September 2017, I ACa 1494/15; the judgement relates to chomikuj.pl, a web service known for allowing the exchange of illegal content).

In Poland liability for illegal content cannot be extended to an internet service provider.

Content takedowns

What rules and procedures govern content takedowns? Can ISPs remove defamatory or infringing content without permission?

Content takedowns are regulated by the Act on Providing Electronic Services. An ISP does not need to take any action (there is no three-strikes rule in Poland), while a hosting service provider may decide to take down questionable content to avoid liability. According to the act, the hosting provider should take down the defamatory or infringing content upon receiving an official or credible notice of the unlawful character of the content or related activities in order to avoid liability for the content.

No permission is needed for a takedown based on credible information. However, the hosting provider should give the author of the content prior notice of the forthcoming takedown in order to avoid liability for damages incurred by the author as a result of the takedown.

There are no detailed rules regarding the notice-and-takedown mechanism. Legislative work on developing a detailed procedure has been underway for six years, with little results.

Domain names

What rules, restrictions and procedures govern the licensing of domain names?

The licensing of domain names is based on a civil law agreement between the registrant and NASK, the registrar for top-level ‘.pl’ domains.

The usual rules governing trademarks apply, limiting room for cybersquatting.

How are domain name disputes resolved in your jurisdiction?

Domain name disputes are resolved by arbitration courts if a registrant is a business or by civil courts if a domain is not related to a business activity.

Business domain disputes are usually decided by the Arbitration Court at the Polish Information and Telecommunications Chamber or by the Arbitration Court at the Polish Chamber of Commerce. Disputes in which one of the parties is a consumer are usually decided by a civil court.

Decisions of arbitration courts and civil courts should rely on general rules of intellectual property, including unfair competition and trademarks. The listed arbitrators are lawyers specialising in IP and IT law in Poland.

What special measures and safeguards should rights holders consider in protecting their online/digital content?

A rights holder publishing its digital content should state applicable conditions of use and redistribution (eg, a licence). However, digital rights management is not widespread. Electronic copies may be watermarked or otherwise marked with a purchaser’s name. Where infringing content is identified, a cease and desist letter may be addressed to the infringer. A rights holder may also apply to a court for an interim measure (eg, a prohibitory injunction) prior to filing a statement of claim. Such interim measure proceedings are usually held ex parte (ie, without the knowledge and participation of the alleged infringer). A rights holder may also seek help from the police or prosecutors, as IP rights violations usually constitute a crime.

Where infringement has been discovered, it is sensible to visit a notary public to obtain a notarial protocol confirming the existence and details of the infringement at that specific time (based on print-outs or screenshots from infringing websites). The courts in Poland may not accept private screenshots as valid evidence (as they tend to be formalistic).

Tax issues

Online sales

How are online sales taxed?

The main taxes are as follows:

  • tax on goods and services (value added tax) under the Tax on Goods and Services Act of 11 March 2004;
  • corporate income tax under the Corporate Income Tax Act of 15 February 1992 (if the digital business is conducted by a corporation);
  • personal income tax under the Personal Income Tax Act of 26 July 1991 (if the digital business is conducted by individuals or a partnership of individuals); and
  • civil law transactions tax under the Act of 9 September 2000 on civil law transactions tax for occasional non-business sales.

Other taxes

What other tax liabilities arise in respect of the conduct of digital business in your jurisdiction?

No other taxes are specific to online sales. Business-to-consumer operations must have a cash register (for registering and calculating transactions). Social security obligations apply, but depend on the number of employees and the nature of the relationship (eg, employment, civil law contract, business-to-business or sole proprietorship), rather than the nature of the activity.

Jurisdiction, governing law and dispute resolution

Jurisdiction and governing law

How do the courts determine jurisdiction and governing law in relation to online/digital transactions and disputes?

The EU Rome I Regulation (593/2008) of 17 June 2008 on the law applicable to contractual obligations applies to online transactions and disputes. Choice of law and court may be made in the terms and conditions of the online service in business-to-business relations. In business-to-consumer transactions, in practice the law of the consumer’s place of residence is applied if the offer is addressed to consumers in a particular country. Consumers may sue before a court of their place of residence.

Courts

Are there any specialist courts in your jurisdiction which deal with online/digital issues and disputes?

There are no specialist courts dealing with online or digital issues. Issues related to EU trademarks or industrial design rights are handled by the Court of EU Trademarks and Industrial Designs – XXII Section of the District Court of Warsaw – which consists of two judges.

Alternative dispute resolution

What alternative dispute resolution (ADR) methods are available for online/digital disputes? How common is ADR for online/digital disputes in your jurisdiction?

Business domain disputes are usually decided by the Arbitration Court at the Polish Information and Telecommunications Chamber or by the Arbitration Court at the Polish Chamber of Commerce. Disputes in which one of the parties is a consumer are usually decided by a civil court.

Decisions of arbitration courts and civil courts should rely on general rules of intellectual property, including unfair competition and trademarks. The listed arbitrators are lawyers specialising in IP and IT law in Poland.