The CE marking was introduced as part of the harmonization of product marking processes within the EU. It is intended to replace all existing conformity markings. The marking itself indicates that the product meets the requirements of the applicable regulations. It is affixed to products intended for introduction into the EEA and Turkish markets, regardless of where they were manufactured.

Main regulations

The main acts that regulate the CE marking of products and the conformity testing that must accompany this process are: Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (consolidated text: OJ L 218, 2008, p. 30, as amended) as well as Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008 on a common framework for the marketing of products, and repealing Council Decision 93/465/EEC (consolidated text: OJ L 218, 2008, p. 82).

CE marking

Although the mark is generally believed to be an abbreviation of the French expression “Conformité Européenne”, no EU legal act provides such an expansion of this abbreviation.

The appearance and method of affixing the CE marking are specified in Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 and Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008, stating that it consists of the initials “CE” presented in the form specified in the regulation. Unless other regulations specify a different height, it shall be at least 5 mm. In all cases, the proportions of the mark must be maintained. It must be affixed so that it is visible, legible, and indelible from the product. The CE marking is followed by the identification number of the notified body, if it was involved in the production control phase. If the CE marking cannot be affixed to the product, it should be affixed to the packaging or accompanying documentation.

Declaration of Conformity

Union harmonisation legislation requires the manufacturer to draw up and sign an EU declaration of conformity before placing the product on the market.

The manufacturer or its authorized representative established within the EU is required to draw up and sign an EU declaration of conformity as part of the conformity assessment procedure provided for in Union harmonisation legislation. The EU declaration of conformity is a document stating that the product complies with all relevant requirements of the applicable legislation.

By drawing up and signing the EU declaration of conformity, the manufacturer takes responsibility for the product’s compliance with the regulations.

The EU declaration of conformity must be continuously updated and kept for ten years from the date the product is placed on the market, unless a different period is specified by law.

According to the model declaration in Decision No 768/2008/EC of 9 July 2008, the declaration should include:

1. unique product identifier,

2. name and address of the manufacturer or authorized representative issuing the declaration,

3. a statement that the declaration is issued under the sole responsibility of the manufacturer,

4. Subject of the declaration (product identifier enabling the reconstruction of its history. Where appropriate, it may include a photo),

5. all relevant provisions of Union harmonisation legislation that the product must comply with, referenced standards or other technical specifications (such as national standards and technical specifications) in a precise, complete and clearly defined manner,

6. Where applicable, name and number of the notified body that issued the certificate,

7. Additional information,

8. Date of issue of the declaration, signature and position or equivalent designation of the authorized person,

Modules

The mark itself is intended to indicate that the product meets the requirements specified in the law. The product is marked with it by the manufacturer, either independently or with the participation of a national authority (conformity assessment body, notified body). For this purpose, the manufacturer assesses conformity using modules (described in the Commission Notice Blue Guide – Implementation of EU product regulations 2022 (i.e. OJ EU C. of 2022 No. 247, p. 1) and Decision No 768/2008/EC of the European Parliament and of the Council of 9 July 2008). The modules refer to both the design and production phases. Conformity assessments can be performed using one or two modules. Assessment modules can refer to one of the phases (e.g. only to the production phase), or to both. If a module refers to only one phase, the assessment consists of two modules, while if it refers to both phases, the assessment consists of one.

There are eight modules in total, but with the addition of variants, their number increases to 16 (A, A1, A2, B, C, C1, C2, D, D1, E, E1, F, F1, G, H, H1). Each subsequent module contains further requirements, along with increasing risks posed by the product. In the “least demanding” module, A, the manufacturer only prepares technical documentation and takes all necessary measures to ensure the production process ensures compliance of manufactured products with the technical documentation, and then affixes the marking to the product. In the highest module, H1, the manufacturer must have an approved quality assurance system (approved by a notified body) for design, production, and inspection and testing of finished products. It is also subject to supervision by a notified body. The notified body may also pay unannounced visits to the manufacturer, during which it may conduct or commission product tests.

Entities involved in conformity assessment

At the outset, it is worth noting that regardless of whether a notified body is involved in the conformity assessment procedure or not, the conformity assessment is the manufacturer’s responsibility, and the declaration of conformity is made under his sole responsibility.

There are three possibilities for the involvement of other entities in the conformity assessment procedure:

– No involvement of external entities. In such a case (and this usually applies to products that the legislator has deemed not to pose such a risk that the manufacturer cannot be entrusted with the independent conformity assessment), the manufacturer prepares the declaration itself (along with the appropriate tests and technical documentation), and conducts the tests, inspections, and guarantees compliance during production.

– Conformity assessment is carried out using an accredited in-house body, i.e., a part of the manufacturer. However, this body cannot perform any tasks other than conformity assessment. It must be independent of commercial, design, and manufacturing entities and must possess the same level of technical competence and impartiality as external assessment bodies. They may conduct assessments within the scope of modules A1, A2, C1, or C2.

– Conducting the assessment with the involvement of an external entity. If the legislator deems such intervention necessary, an external conformity assessment body will participate in the conformity assessment. This body must be impartial and fully independent of the organization or the product it assesses. It must not engage in any activities that might compromise its independence, and it must not have user or other interests in the product being assessed.

Member States are responsible for designating conformity assessment bodies. They must designate bodies (within their jurisdiction) that have the appropriate competence to assess product conformity.

Even though in-house bodies cannot be notified (i.e. they cannot be external conformity assessment bodies), they must demonstrate at least the same level of technical competence as external bodies through accreditation.

Notified bodies

Conformity assessment bodies (referred to as notified bodies in EU legislation) are entities designated by Member States. Appointed notified bodies must then be notified to the European Commission.

They play roles in the conformity assessment process, responsible for activities such as calibration, testing, certification, and inspection. To qualify as a notified body, a body must be a legal entity established in a Member State, but it may operate or employ personnel outside a Member State or even outside the EU.

The bodies must be accredited, which means that the relevant national accreditation body must confirm that the conformity assessment body meets the requirements set by the harmonised standards and any additional requirements for carrying out specific conformity assessment tasks.

Member States may designate a maximum of one national accreditation body. However, they may choose not to designate such a body and instead have accreditation performed in their territory by an accreditation body from another Member State. In both cases (designation or non-designation), Member States are required to notify the European Commission.

Notified bodies are subject to oversight by national notifying authorities and must keep them informed about their activities (including, for example, availability of resources, performance of conformity assessments, subcontracting of work, and conflicts of interest). They must provide, directly or through another body (e.g., a national accreditation body), all information concerning the proper implementation of the conditions under which they were notified, upon request, both to their notifying authorities and to the Commission.

The notifying authority is responsible for the activities of notified bodies. It must remain capable of ensuring monitoring. If such monitoring is not possible, the notifying authority must withdraw or limit the scope of the notification to the extent necessary.

It’s also worth mentioning that the independence requirement (which also means that notified bodies “are and must remain” third parties independent of their clients) does not mean that only state bodies can become notified bodies. On the contrary, both state and private entities can apply for this status, provided their independence, impartiality, and reliability are guaranteed, and they constitute independent legal entities with appropriate rights and obligations.

Product labeling requirement

The CE marking is not required for every product, only for those for which legislation requires it. Currently, these include toys, electrical products, machinery, personal protective equipment, and cranes. It is prohibited to affix the CE marking to products that are not covered by the CE marking regulations.

Changes in the law

There have been no significant recent changes to the legislation governing the CE marking. However, sector-specific regulations necessarily influence the use of the mark. Such as Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on horizontal cybersecurity requirements for products with digital elements and amending Regulations (EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act) (OJ EU L 2024, item 2847, as amended) or Regulation (EU) 2025/40 of the European Parliament and of the Council of 19 December 2024 on packaging and packaging waste, amending Regulation (EU) 2019/1020 and Directive (EU) 2019/904 and repealing Directive 94/62/EC (OJ EU L 2025, item item 40) and acts requiring CE marking of products such as Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) Text with EEA relevance (OJ L 1689, 2024).

In its Annex I, Regulation (EU) 2019/1020 of the European Parliament and of the Council of 20 June 2019 lists Union harmonisation legislation.

In summary, the purpose of the CE marking is to signal that a product meets the requirements of the applicable regulations. It is affixed to the product by the manufacturer, either independently or with the involvement of accredited internal bodies or a notified body, following the conformity assessment module(s) appropriate for the level of risk posed by the product, and under their own responsibility.

CE Marking – what really stands behind those two letters?

CE marking is more than just a symbol on a product – it’s a legal declaration that the product complies with all applicable EU requirements and can be placed on the EEA and Turkish markets, regardless of where it was manufactured.

It is the result of a structured conformity assessment process defined in EU harmonisation legislation (including Regulation (EC) No 765/2008 and Decision No 768/2008/EC). Depending on the level of risk, this process may involve the manufacturer alone, internal accredited bodies, or independent notified bodies.

By affixing the CE mark, the manufacturer takes full responsibility for product compliance. In parallel, an EU Declaration of Conformity must be issued, maintained, and kept up to date, confirming that all relevant legal requirements have been met.

The system is built on risk-based modules – from basic self-assessment to highly controlled certification schemes involving external oversight. This ensures proportional control while maintaining product safety and market access across the EU.

In short: CE marking is not a quality label – it is a regulatory passport for products entering the European market.

#CEMarking #EUCompliance #RegulatoryAffairs #ProductCompliance #ConformityAssessment #CECertification #EURegulation #MarketAccess #ProductSafety #NotifiedBody #TechnicalDocumentation #QualityAssurance #ManufacturingCompliance #IndustrialCompliance #LegalMetrology #EUlaw #ProductTesting #DeclarationOfConformity #RiskAssessment #HarmonisedStandards #BlueGuide #RegulatoryCompliance #EngineeringCompliance #SupplyChainCompliance #ProductRegulations #ComplianceManagement

Artykuł CE marking pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

The most significant changes that influence litigations in Poland will come into force on March 1, 2026. The amendments to the Code of Civil Procedure concern, among other things, powers of attorney, mediation, the computerization of civil proceedings (this element predominates in the amending act), and new rules for service of documents. Many changes concern the use of an information portal in the proceedings, which is also the subject of an amendment to the Act on the System of Common Courts.

The amendment aims to be one of the first steps towards computerizing the entire justice system to meet the needs of the information society. Furthermore, the justification also includes intentions to standardize the use of IT systems across courts, eliminating differences, for example, between different divisions of common courts. For the time being, after all the changes contained in the amending act enter into force, documents filed via the Information Portal will still need to be printed for inclusion in the case file due to the lack of digital records in civil proceedings. However, this is only a temporary solution, as work on digital records is already underway. The legislative authority also emphasizes the importance of gradual implementation and development, so that judges and citizens have an appropriate transitional period to become familiar with these systems.

The Act Amending the Code of Civil Procedure, the Civil Code, and Certain Other Acts introduces the most numerous changes to civil procedure, which are immediately apparent upon first glance, even without reading the entire text. Some of these changes take effect almost immediately, while others will remain in the vacatio legis period for up to a year. Article 12 of the Act establishes a presumption that all amendments will enter into force on March 1, 2026, but provides numerous exceptions to this rule. This provision establishes, in essence, five different effective dates for the new provisions in sections 1-4, and provides the main date mentioned earlier. These dates are March 1, 2027 (within the specified scope), September 10, 2025, June 1, 2026, and November 27, 2025.

The justification for the act also mentions another reason for its creation: the development of the Common Courts Information Portal. The text notes that initially, communication was only possible unilaterally, meaning courts served documents if they had an electronic version of the document being served. However, work on this portal has now enabled two-way electronic communication, which should be utilized to expedite and facilitate civil proceedings. As can be seen, the amending act aims to adapt institutions to technological advances and increasingly new solutions.

The legislator considered it justified to introduce certain transitional periods for the entry into force of new provisions and subjective and objective restrictions.

The first draft regulations requiring discussion are intended to address service. It is recommended that provisions be introduced to regulate this issue, ensuring that service is legally effective only in situations specifically provided for by law. In other words, the possibility of service via the Information Portal will only be effective if the type of document, situation, and circumstances correspond to the provisions in the given case that allow for service in this particular manner. It seems reasonable to specify the moment of service in this manner to avoid procedural problems during civil proceedings. According to the proposed Articles 125 § 1 of the Code of Civil Procedure in conjunction with Article 165 § 4 of the Code of Civil Procedure, the conditions for legally effective service are first to post the document in electronic form on the Information Portal of Common Courts, and then the court delivers to the sender a document confirming receipt of the document in this form.

In terms of service, it seems a good idea to first require professionals to serve documents using the discussed system, as these individuals are more familiar with the current functioning of the justice system and procedures, and therefore, it will be easier for them to familiarize themselves with these new regulations and the resulting solutions. Many professionals have undoubtedly already had frequent contact with the Information Portal of Common Courts in connection with serving their clients and other activities related to the practice of law. This scope of service is intended to cover attorneys, legal counselors, patent attorneys, the General Counsel to the Republic of Poland, and prosecutors (proposed Art. 125 ¹ § 2 of the Code of Civil Procedure). Therefore, if the provision stipulates that delivery of a document via an electronic system is not possible, the document should be submitted via the Information Portal for the service to be legally effective.

In terms of the subject matter limitation, i.e. the indication of documents that will initially be served through the Common Courts Information Portal system, these are notifications of termination of a power of attorney, notifications referred to in Article 136 § 1, 4 and 5 of the Code of Civil Procedure and Article 387 ¹ § 1 of the Code of Civil Procedure, declarations regarding consent to mediation, requests to conduct a remote hearing, appeals, complaints, complaints against a court registrar’s ruling, procedural documents in the course of proceedings resulting from the filing of an appeal, appeal, or complaint against a court registrar’s ruling, requests for service of a judgment together with a justification issued as a result of the examination of an appeal, appeal, or complaint against a court registrar’s ruling, as well as documents supplementing formal deficiencies of such requests. Submitting documents outside this subject matter scope will, however, result in the ineffectiveness of service of the documents in question pursuant to Article 125 ³ § 2 of the Code of Civil Procedure, which the chairman will be obliged to notify the person submitting the document in violation of the above-mentioned rules.

The obligation for the above-mentioned professional entities is to take effect after a one-year transitional period, during which future parties required to submit documents via the Information Portal will have the option to choose whether to submit the indicated document in writing or through the Portal. However, after this period, the submission of specifically designated documents will be mandatory (Article 125 ¹ § 2). According to the legislator, this solution is necessary to ensure a compromise between streamlining civil proceedings and the well-being of the parties, as well as the regularity and stability of the proceedings.

The draft act also provides that it will not be possible to send documents via the Information Portal within a given type of proceedings, namely when filing documents before the Supreme Court (which does not use IT solutions) and within land and mortgage register and registration proceedings (Article 125 ¹ § 3 of the Code of Civil Procedure and Article 511 ^1b of the Code of Civil Procedure).

The provisions of the amending act also address the limitations of the Common Courts Information Portal by introducing a specific exemption from the obligation to submit certain categories of documents through this IT system that, due to their technical parameters, are currently unsuitable for submission in this manner. These include, for example, attachments with excessive memory requirements, pursuant to the proposed Article 125 § 2 § 1 of the Code of Civil Procedure. A list of such documents will be specified, among other things, in a regulation issued pursuant to the statutory authorization in Article 125 § 4. Documents in formats not supported by the information portal, when their content cannot be converted to formats permitted by the regulation, attachments that cannot be digitized (e.g., material samples in cases involving product defects), and attachments whose legible digitization would require the contracting authority to acquire specialized office equipment (e.g., large-format documents), will also be listed.

Furthermore, it is necessary to discuss Article 125 § 2 and § 3 of the Code of Civil Procedure, which introduces certain guarantees for parties and their representatives in the event of a failure or maintenance work on the Information Portal, as well as other reasons for the inability to serve a document that are not the fault of the parties. The essence of the guarantees introduced by this provision is that if the court’s inability to file a document occurs on the last day of the deadline for a given procedural act, the deadline will be extended until the end of the next business day after the day on which the restrictions cease. This rule, it’s worth noting, will apply on that last day for the act regardless of when the obstacles arise. This legislative approach is intended to prevent an excessive number of requests for extension of the deadline, which would result in a slowdown in entire civil proceedings, and to alleviate the need for constant monitoring of the system’s proper operation and the rush associated with filing documents. In connection with the discussion of this draft provision, it should also be noted that there will be an obligation to substantiate the circumstances preventing the submission of a document via the Portal and the authority of the presiding judge to return the document, and the court to reject the document, in the event of failure to comply with this obligation by the attorney-in-fact.

Professional representatives (lawyers, legal advisors, and patent attorneys) registered in the ROBUS system (Register of Persons Taking Part in Court Proceedings) will also be required to include their number on the appropriate list in their power of attorney. This will, of course, no longer be necessary in subsequent submissions.

Further regulations also include changes to the designation of ex officio legal aid. The court will now be able to forward applications to regional legal counsel and bar associations through the Information Portal system, thereby communicating with these organizations.

The proposed Article 128, paragraph 2, of the Code of Civil Procedure also provides for the possibility of attaching copies of attachments to a document along with the document itself via the Information Portal. However, the certification of attachments will be optional, not mandatory, due to the fact that the party submitting the document may not always be able to do so.

Regarding attorneys, another change will be the ability for professional attorneys to electronically certify documents in an IT system or information portal (Article 129, Section 2). This is intended to simplify the process of certifying not only documents but also attachments for attorneys, as under current law, document certification currently occurs when a document is entered into the IT system. This may cause attorneys to have difficulty using attachments if they do not have the originals. Regarding issues related to original documents, changes are also introduced by Article 128, Section 3 of the Code of Civil Procedure, which regulates situations in which the original document must be submitted in written form. This change is intended to eliminate doubts about whether such a requirement should be considered obvious, or whether, for example, a scan of the document should be submitted despite the lack of such a regulation. However, the legislator introduces an exception to the requirement to submit documents via the Information Portal and requires that the document be submitted directly to the court in this required form, bypassing the technological process.

The amended Article 131 1a § 1 expands the list of entities to which the court will be obliged to deliver correspondence via the Information Portal to include court bailiffs and permanent mediators.

Significant changes are also to be introduced under the amending act regarding mediation. From the entry into force of the regulations, in certain categories of cases (commercial cases, construction contracts, and contracts closely related to the construction process for the performance of construction works), the court will refer the parties to a dispute to mediation before the first scheduled hearing. This is intended to promote mediation as a peaceful, effective method that ensures the implementation of agreements within its scope, and relieves courts of the burden of resolving disputes between the parties despite the possibility of reaching an agreement. As indicated in the explanatory memorandum, these changes will incorporate the principle of voluntary mediation by allowing a party to file an objection in the first procedural document following the referral to mediation. This objection will have the effect of relieving the court from referring the dispute to mediation for resolution. It should be noted that, in addition to defining specific categories of cases referred ex officio to mediation, the legislator also specifies that proceedings will be conducted in the types specified in the Act (i.e., cases heard in writ-of-payment proceedings, electronic writ-of-payment proceedings, and payment order proceedings, unless an objection or objection to a payment order has been filed). Court registrars will also be able to issue orders to refer a case to mediation pursuant to the added Article 183 ⁸ § 1 of the Code of Civil Procedure, second sentence. Furthermore, another measure will be introduced in the field of mediation, aimed at increasing the number of cases referred to mediation: the absence of a position regarding a decision to refer a case to mediation will not be treated as an objection to such a decision, but as implied consent. The deadline for taking such a position will be one week. Furthermore, the competent court, regardless of subject matter jurisdiction, will be the district court for approving the settlement. A similar solution is provided for agreements to refer a case to mediation. The bill also stipulates that if the settlement concerns claims covered by different court proceedings, the parties are required to list these proceedings in the settlement and designate the court that will conduct the settlement approval proceedings. If courts of different levels have jurisdiction, the case will be heard by a higher court. Furthermore, the above changes will introduce the possibility of court approval of a mediation settlement at a remote hearing without the parties’ signatures.

From March 1, 2026, Poland’s civil procedure enters a new era of digital-first justice — with sweeping reforms to electronic service of documents, electronic powers of attorney, and the expanded use of the Common Courts Information Portal.

This is not just a technical update. It’s a structural transformation of how litigation will function in practice.

Key changes include:

• Mandatory and expanded electronic delivery via the courts’ IT system
• New rules on when electronic service is legally effective
• Gradual obligations for professional representatives (lawyers, legal advisers, patent attorneys, prosecutors)
• Transitional periods with multiple entry-into-force dates
• New limitations, exceptions, and safeguards for system failures
• Strong push toward full digital case files (beyond temporary paper-based solutions)
• Expanded procedural use of mediation and remote communication

While paper files still remain for now, the direction is clear: Poland is moving toward a fully digital civil justice system, with standardised IT infrastructure across courts.

For practitioners, this means one thing — adaptation is no longer optional.

PolandLaw #CivilProcedure #Litigation #LegalTech #LawReform #DigitalJustice #EJustice #CourtProcedure #LegalInnovation #LawyersOfLinkedIn #AttorneyLife #LegalProfession #CourtSystem #ProceduralLaw #ElectronicService #EFililing #DigitalTransformation #LawAndTechnology #Compliance #Regulation #Mediation #DisputeResolution #PowerOfAttorney #LegalUpdates #FutureOfLaw

Artykuł ELECTRONIC DELIVERY, ELECTRONIC POWER OF ATTORNEY – IMPORTANT CHANGES FOR LITIGATIONS IN POLAND CIVIL PROCEDURE pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

The entry into application of the EU Data Act on 12 September 2025 marks one of the most significant developments in European data regulation since the adoption of the General Data Protection Regulation (GDPR). While the GDPR established a comprehensive framework for the protection of personal data, the Data Act introduces a new legal regime designed to improve access to and use of data generated by connected products and related digital services.

For businesses operating in the European Union, the key challenge is not understanding each regulation in isolation, but determining how they interact in practice. Many organizations already have mature GDPR compliance frameworks, but the Data Act creates additional obligations that require them to share data with users and third parties. Where those datasets contain personal data, compliance with the Data Act must be reconciled with the GDPR.

This article explains the relationship between the Data Act and the GDPR in practical terms. It highlights the main legal issues and outlines the steps businesses should take to prepare.

What Is the Data Act?

The Data Act, Regulation (EU) 2023/2854, is part of the European Union’s broader strategy to build a single market for data. Its purpose is to ensure that users of connected products and related services can access the data they generate and, in certain circumstances, require that such data be shared with third parties.

The regulation is intended to rebalance the relationship between manufacturers, service providers and users. In many industries, companies that design connected products control large volumes of data generated through use of those products. The Data Act seeks to ensure that users are able to benefit from this data rather than being locked into a single ecosystem.

The regulation applies to both personal and non-personal data, which is one of the key differences from the GDPR.

Examples of products and services covered by the Data Act include smart watches, connected vehicles, industrial machinery, medical devices, smart home appliances, agricultural equipment and software applications that process the data generated by such products.

What Is the GDPR?

The GDPR governs the processing of personal data relating to identified or identifiable natural persons. Its objective is to protect privacy and ensure that personal data is processed lawfully, fairly and transparently.

The GDPR applies whenever data relates to an individual and a controller or processor carries out an operation such as collecting, storing, sharing or analyzing that data.

Unlike the Data Act, the GDPR does not grant a broad right of access to all data generated by products. It focuses solely on personal data and establishes rights such as access, rectification, erasure and portability.

The Relationship Between the Data Act and the GDPR

The Data Act expressly states that it is without prejudice to EU and national laws on personal data protection, privacy and confidentiality of communications. In practical terms, this means that the Data Act does not override the GDPR. If a company is required to provide data under the Data Act and the dataset contains personal data, the GDPR continues to apply in full.

This principle has several important consequences.

First, the Data Act does not create a new legal basis for processing personal data. A company cannot rely on the Data Act alone to justify collecting, disclosing or otherwise processing personal data.

Second, organizations must continue to comply with all GDPR principles, including purpose limitation, data minimization, storage limitation and security.

Third, where there is a conflict between the two regulations, the GDPR prevails in relation to personal data.

Why This Matters in Practice

Most data generated by connected products is not purely personal or purely non-personal. Instead, businesses often deal with mixed datasets.

A connected vehicle, for example, may generate information on speed, fuel consumption, component performance, geolocation and driver behavior. Some of this information clearly relates to an identifiable person and therefore qualifies as personal data. Other elements may be technical or operational in nature.

Where personal and non-personal data are inextricably linked, organizations should assume that the GDPR applies to the dataset as a whole unless the data can be effectively separated.

This means that compliance with the Data Act often requires a GDPR analysis before any disclosure can take place.

Practical Example: Smart Watch Data

A consumer uses a smart watch that collects heart rate, sleep patterns, exercise metrics and location information. The consumer wishes to transfer the data to a third-party health application.

Under the Data Act, the user may request access to the data generated by the device and ask the manufacturer to transmit the data to another provider.

Because the dataset contains information relating to an identifiable person, the GDPR applies.

In this scenario, the manufacturer must verify that the request is valid, ensure the transmission is secure and process the data in accordance with the GDPR. The Data Act creates the obligation to provide the data, but the GDPR determines how the transfer must be carried out.

Practical Example: Industrial Equipment

A manufacturing company leases connected machinery that generates data concerning temperature, output, wear and maintenance cycles. The company wants to share this data with an independent maintenance provider.

The Data Act allows the user to request access to the data and to require the data holder to share it with a third party.

If the dataset contains no personal data, the GDPR may not apply.

However, if the data includes operator IDs or logs that can identify employees, GDPR considerations arise. The data holder must assess whether a lawful basis exists for sharing those elements.

Key Roles Under the Data Act and the GDPR

The terminology used by the two regulations differs, but the concepts often overlap. Under the Data Act, the principal roles are the data holder, the user and the data recipient. Under the GDPR, the key roles are the controller and processor. In practice, a data holder will often act as a controller because it determines the purposes and means of processing personal data. A business user receiving data may also become a controller if it decides how the data will be used.

This distinction is important because the recipient of data under the Data Act may inherit independent GDPR obligations.

Data Portability: How the Data Act Expands Existing Rights

The GDPR grants individuals a right to data portability, but this right is limited to personal data provided by the data subject and processed on the basis of consent or contract. The Data Act significantly broadens this concept.

It applies to data generated through the use of connected products and related services, regardless of whether the data is personal or non-personal.

For businesses, this means that existing GDPR portability procedures will usually not be sufficient. Organizations may need entirely new technical and contractual frameworks to handle Data Act requests.

Trade Secrets and Confidential Information

One of the most common concerns raised by businesses is the protection of proprietary information. The Data Act recognizes that data may contain trade secrets and allows data holders to implement safeguards such as confidentiality agreements, access controls and contractual restrictions. However, trade secret protection is not an automatic ground for refusing access. A refusal is permitted only in exceptional circumstances where disclosure would likely cause serious economic harm and where protective measures are insufficient.

In practice, businesses should assume that most requests will need to be fulfilled, subject to appropriate safeguards.

Smart Contracts

The Data Act introduces specific requirements for smart contracts used to automate data sharing.

Where businesses use blockchain-based or automated systems to execute data-sharing arrangements, those systems must meet standards relating to security, integrity and the ability to terminate or interrupt execution where necessary. Although this aspect of the regulation may not affect all organizations, it is highly relevant to businesses deploying decentralized or automated contractual technologies.

Cloud Switching and Digital Assets

The Data Act also addresses switching between providers of data processing services, including cloud providers. Customers must be able to move digital assets such as applications, configuration files, metadata and access credentials to another provider more easily. Organizations that offer cloud or platform services should review their contractual and technical arrangements to ensure that customers can migrate without undue barriers.

Legal Basis for Processing Personal Data

A recurring misconception is that the Data Act itself authorizes disclosure of personal data. This is incorrect. Whenever personal data is involved, a valid legal basis under the GDPR remains necessary. The applicable legal basis will depend on the circumstances. In some cases, processing may be necessary for the performance of a contract. In others, consent or legitimate interests may be relevant. Where the user requesting the data is a business rather than the individual to whom the data relates, the requesting party may need to demonstrate that it has an independent lawful basis for processing the personal data.

What Businesses Should Do

Organizations should begin by identifying whether they fall within the scope of the Data Act. Businesses that manufacture connected products, provide related services, control access to product-generated data or offer cloud services are the most likely to be affected. The next step is to map the data generated by products and services. This exercise should identify what data is collected, whether it includes personal data, who controls it and with whom it may be shared.

Once the data landscape is understood, businesses should review the legal bases for processing any personal data contained in those datasets.

Policies and procedures should then be updated to address Data Act requests. Existing GDPR processes will rarely be sufficient because they are designed primarily for requests from individuals, not business-to-business data sharing.

Contracts with customers, partners and recipients should be revised to address data use restrictions, confidentiality obligations, trade secret protections and security measures.

Technical teams should ensure that systems can provide data in accessible formats, authenticate requesters, record disclosures and protect sensitive information.

Finally, legal, compliance, IT and customer support teams should be trained so that they understand how to manage requests consistently.

Common Pitfalls

Businesses preparing for the Data Act frequently make several mistakes. The first is assuming that the Data Act overrides the GDPR. In reality, the GDPR remains fully applicable whenever personal data is involved. The second is underestimating the complexity of mixed datasets. The third is relying too heavily on trade secret arguments to resist disclosure. The fourth is failing to update contracts and operational procedures.

The fifth is treating compliance as a purely legal issue rather than a multidisciplinary project involving legal, IT, security and commercial teams.

Enforcement and Business Risk

Failure to comply with the Data Act may result in regulatory investigations, disputes with customers and partners, and reputational damage. Where personal data is mishandled, GDPR enforcement risks also arise, including potentially significant administrative fines. For this reason, businesses should approach the Data Act as a strategic compliance project rather than a narrow contractual exercise.

Conclusion

The Data Act and the GDPR are complementary regulations that pursue different objectives. The GDPR protects individuals and their personal data. The Data Act promotes broader access to data generated by connected products and services. When those datasets contain personal data, organizations must apply both regimes simultaneously. The Data Act creates the obligation to make data available, while the GDPR determines the conditions under which personal data may be processed and shared.

Businesses that rely on connected products, IoT ecosystems, industrial data or cloud services should begin preparing well in advance.

Organizations that invest now in data mapping, contractual updates, technical controls and internal governance will be best positioned to comply with the new rules and to leverage data as a strategic asset.

Client Alert

EU Data Act Applies from 12 September 2025: Is Your Business Ready?

The EU Data Act introduces a new framework governing access to data generated by connected products and related services. It applies from 12 September 2025 and will affect manufacturers, software providers, cloud providers and businesses that rely on connected technologies.

The regulation grants users the right to access data generated by products they use and to request that such data be shared with third parties.

Where the data includes personal data, the GDPR remains fully applicable.

For many organizations, the Data Act will require updates to contracts, technical systems and operational procedures.

Businesses should begin by identifying whether they control product-generated data, determining whether datasets include personal data, and assessing whether existing systems can support secure and compliant data sharing.

Organizations should also review trade secret protections and update agreements with customers and business partners.

Companies that prepare early will be better positioned to meet legal obligations and capitalize on new opportunities arising from increased data portability.

Data Act Implementation Checklist

An effective implementation project should begin with a governance assessment to determine which internal teams will be responsible for legal analysis, technical implementation and operational oversight.

The organization should then conduct a comprehensive data mapping exercise covering all connected products, related services and cloud environments. This exercise should distinguish between personal data, non-personal data and mixed datasets.

A legal review should be undertaken to confirm the GDPR legal bases for processing personal data and to identify any restrictions arising from confidentiality obligations or trade secret protections.

Customer terms, data-sharing agreements, cloud contracts and internal policies should be revised to reflect Data Act requirements.

Technical teams should ensure that systems are capable of exporting data in usable formats, authenticating requesters, logging disclosures and protecting confidential information.

Operational procedures should be established for receiving, reviewing and responding to requests.

Training should be delivered to legal, compliance, IT, security and customer-facing teams.

The EU Data Act Meets the GDPR: What Businesses Need to Know

With the EU Data Act becoming applicable from 12 September 2025, we’re entering a new era of data regulation in Europe — one that doesn’t replace the GDPR, but fundamentally reshapes how it operates in practice.

For many organizations, the challenge is no longer GDPR vs. Data Act, but how both frameworks work together when data is shared, accessed, and reused.

The key reality?
Most data generated by connected products is mixed — personal and non-personal at the same time. And that changes everything.

Key takeaway:

The Data Act creates obligations to share data, but the GDPR still governs how personal data can be processed and transferred. The Data Act never overrides GDPR requirements.

What this means in practice:

• No new legal basis for processing personal data under the Data Act
• GDPR principles (minimization, purpose limitation, security) still fully apply
• Trade secrets don’t automatically block access requests
• Data portability rights are significantly expanded beyond GDPR scope
• Cloud and IoT ecosystems will need major technical and contractual updates

The real challenge for businesses

Compliance is no longer just legal — it’s operational and technical.

Organizations will need to:
Map all product-generated data
Identify where personal data is involved
Update contracts and data-sharing frameworks
Build secure, auditable data access systems
Align legal, IT, and compliance teams

Bottom line:

The Data Act doesn’t replace the GDPR — it adds a new layer of complexity on top of it. Companies that prepare early will not only reduce compliance risk but also gain a competitive advantage in the emerging EU data economy.

Artykuł Interplay Between the Data Act and the GDPR: A Practical Guide for Businesses pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

In the practice of commercial law, an event often occurs in which the legal status of one entity directly impacts the stability and functioning of another. A particular example is the bankruptcy of a shareholder in a commercial company. Although from a legal perspective, the bankruptcy of a shareholder affects their personal assets, in practice it undermines the very foundations of the company’s operations. Shares or stocks, previously part of a stable ownership structure, become part of the bankruptcy estate, over which the trustee assumes control. For the company, this means entering into a relationship with a new, compulsory “shareholder”, whose actions may be fundamental to the company’s future development. Some of the most important information regarding bankruptcy proceedings that a company may wish to obtain includes whether and when the trustee intends to liquidate the shares and who will exercise corporate rights at shareholder meetings. Despite such obvious interdependencies, a commercial company rarely has the formal status of a party to its shareholder’s bankruptcy proceedings. This situation creates a significant conflict between the principle of open court proceedings and the debtor’s privacy. Therefore, it is necessary to consider whether the commercial company has the right to access the bankruptcy case files concerning the shareholder.

Entities authorized to inspect bankruptcy proceedings files

A key provision worth noting is Article 228, Section 1 of the Bankruptcy Law, which states that participants in the proceedings and anyone who sufficiently justifies the need to review court files shall be provided with access to these files via the IT system supporting court proceedings. Participants in bankruptcy proceedings, pursuant to Section III of the Bankruptcy Law, include creditors or their trustees, and the bankrupt, or a trustee appointed by the judge-commissioner if the bankrupt lacks capacity to sue and is not represented by a legal representative. The list of these entities is closed, meaning that only the categories of entities specified in the Act have the status of participant in the proceedings. A bankrupt is someone against whom a bankruptcy order has been issued, so in the example described, this would be a shareholder in a commercial company. A creditor is anyone entitled to satisfaction from the bankruptcy estate, even if the claim does not require filing. If a company is not a direct creditor of a shareholder, it is not included in the list of entities authorized to inspect the proceedings files. Consequently, it should be assumed that a commercial company will not have access to the bankruptcy proceedings files as a participant, due to the fact that it cannot be classified as a bankrupt (or a bankrupt’s trustee) or a creditor (or a creditor’s trustee).

Pursuant to § 6 sec. 1 of the Regulation of the Minister of Justice of November 18, 2021, on the method and procedure for maintaining files for filing claims and collections of documents, as well as for making these files and collections of documents available files for filing claims shall be made available to participants in the proceedings via publicly available IT networks. Additionally, § 6 sec. 2 of this Regulation provides for an expanded group of entities authorized to inspect files, according to which the trustee shall make files for filing claims available in the office or via the IT system to the persons referred to in sec. 1, after they have confirmed their identity, and also to other persons after they have sufficiently justified their need to familiarize themselves with these files, unless the provisions of the Act provide otherwise. This provision confirms the regulations provided for in the Bankruptcy Law and serves as an implementing act for these regulations.

Therefore, it would also be necessary to consider a situation in which a company meets the requirements for the second category of entities authorized to access the case files. This category encompasses entities that can sufficiently justify the need to review the files. The term “sufficiently justify” is of fundamental importance in this provision; as a vague concept, it does not indicate the specific requirements that must be met to meet this requirement. Case law and legal doctrine assume that this term means that it is not necessary to demonstrate this need with detailed evidence; instead, it is sufficient to indicate a real and rational reason why the interested party wishes to access the files. Therefore, it should be recognized that to obtain access to the case files, a company must demonstrate a factual interest, not necessarily a legal interest. The final decision on granting such access rests with the court reviewing the request for access to the files, which assesses whether the indicated reason constitutes a sufficient justification for granting access.

The company as a participant in the bankruptcy proceedings of a shareholder

Shareholder’s declaration of bankruptcy implies a number of consequences in bankruptcy proceedings, including that the bankrupt is obligated to designate and deliver all of their assets to the trustee. From the moment the trustee begins managing the bankrupt’s assets, which become the bankruptcy estate, all actions taken depend on their discretion. The bankruptcy estate includes assets belonging to the bankrupt on the date of the declaration of bankruptcy and acquired by the bankrupt during the bankruptcy proceedings, with some statutory exceptions. It should therefore be stated that the bankruptcy estate also includes the shareholder’s share in the commercial company. When the trustee takes over management of the shareholder’s assets, including their share, it is in the company’s best interest to continuously monitor the trustee’s actions, which may directly impact the exercise of corporate rights in the company. This situation has direct consequences for the company’s operations, particularly with regard to the exercise of shareholding rights and potential changes in the ownership structure. By seeking to determine who exercises corporate rights and whether the shares will be sold by the trustee, the company is pursuing a rational and objectively justified factual interest. Consequently, it should be recognized that such circumstances may constitute sufficient grounds for granting access to bankruptcy case files.

In the case of limited liability companies, shareholder’s declaration of bankruptcy does not constitute grounds for dissolving the company. Therefore, the company has an obvious interest in monitoring bankruptcy files, as the outcome of these proceedings may determine the continued legal existence of the company itself.

A company that does not have the status of a participant in the bankruptcy proceedings of a shareholder

The right to access case files generally applies to parties and participants in the proceedings. However, in bankruptcy proceedings, the circle of entities authorized to inspect files is broader, as it also includes entities that sufficiently justify the need to review the files. To determine whether a company has a factual interest justifying access to the files of bankruptcy proceedings conducted against its shareholder, even though it is neither a party nor a participant in those proceedings, the company’s reason for seeking access to the files should be considered and whether the indicated circumstance may be deemed by the court to constitute sufficient justification for granting such access.

Interested persons who are not participants in the proceedings may be considered to include persons interested in acquiring the bankrupt’s assets, persons interested in concluding contracts with the trustee, and persons interested in the assets of the bankrupt’s creditors, which may be subject to potential enforcement. In the case of a company whose shareholder has declared bankruptcy, the interest in inspecting the files may lie in determining who will exercise the share rights of the bankrupt shareholder, as well as in obtaining information on whether the trustee managing the bankruptcy estate intends to sell the shareholder’s shares. The company may have a legitimate interest in becoming familiar with these circumstances, particularly if it is considering acquiring these shares.

According to the literal wording of the judgment of the Voivodeship Administrative Court in Bydgoszcz of August 21, 2019, II SA/ Bd 402/19, in a situation where the complainant requested access to the files of the bankruptcy proceedings of a specific entity: a complete list of receivables with any supplements, the final plan for the distribution of the bankruptcy estate funds, and information regarding the value of the enterprise determined based on the description and valuation of the enterprise, requesting the provision of information under the public information procedure, the court indicated that this was not public information. Despite this, the court informed the complainant that his request was not inadmissible, but was filed on an incorrect legal basis and, therefore, under an incorrect procedure. In this case, the court found that the indicated information should not be considered public information, but access to the files is available in accordance with the procedure under the Bankruptcy Law. In this situation, the authority correctly pointed out that access to bankruptcy proceedings files, including those of interest to the complainant, was regulated by the provisions of the relevant procedure. As a non-party, after sufficiently justifying the need to review the files, it may do so under Article 228, Section 1 of the Act of 28 February 2003 – Bankruptcy Law, including the possibility of obtaining copies, extracts, and making its own photocopies.

The company’s legal interest in accessing the files of its shareholder’s bankruptcy proceedings

According to Article 75 of the Bankruptcy Law, on the date of declaration of bankruptcy, the bankrupt loses the right of management and the ability to use and dispose of the property included in the bankruptcy estate. These rights are transferred to the trustee, who acts in his or her own name but on the bankrupt’s behalf, administering the entire bankruptcy estate and taking steps to liquidate it or, in the case of arrangement proceedings, to satisfy creditors in accordance with the approved arrangement. Pursuant to Article 61 et seq. of this Act, the bankruptcy estate includes the assets belonging to the bankrupt on the date of declaration of bankruptcy, as well as assets acquired during the proceedings. However, the legislator has provided a list of exclusions (Articles 63–67a), including, in particular, assets exempt from enforcement under the Civil Procedure Code and the portion of the bankrupt’s remuneration for work not subject to seizure. In light of the above regulations, it should be assumed that a shareholder’s share in a commercial company generally forms part of the bankruptcy estate. There is no provision excluding such property rights from bankruptcy proceedings. This is also confirmed by a functional interpretation of the regulations, as the goal of bankruptcy proceedings is to fully satisfy creditors, which supports the inclusion of all assets with economic value in the bankruptcy estate. As a consequence of a shareholder declaring bankruptcy, the trustee acquires the authority to exercise the share rights associated with that share, including, in particular, voting rights, dividend rights, and other corporate and property rights. Importantly, the trustee may also dispose of the share, guided by the interests of the bankruptcy estate and the creditors. The possibility of the trustee disposing of shares has significant consequences for the company itself. In particular, it may lead to a change in the composition of the shareholders through the entry of an entity unacceptable to the existing shareholders, which in practice may impact the stability of the company, the manner in which its affairs are conducted, and even the implementation of its business strategy. For these reasons, it should be recognized that although the company is not formally a participant in the bankruptcy proceedings conducted against its shareholder, it has a specific and real legal interest in obtaining information about the progress of these proceedings. This interest stems from the direct impact of a shareholder’s bankruptcy on the company’s legal and factual situation, including its ownership structure and the manner of exercising corporate rights. The relationship between a shareholder’s bankruptcy and the company’s legal situation is therefore internal, not merely external. The outcome of bankruptcy proceedings, and in particular the trustee’s decisions regarding the exercise or disposal of shareholding rights, directly impacts the company’s operations, justifying the protection afforded to it by the ability to monitor the course of these proceedings.

In summary, a commercial company may be a participant in its shareholder’s bankruptcy proceedings, and thus automatically entitled to access the files if it is found to be a creditor of the shareholder. It may also be granted access to these files as a third party, provided it sufficiently justifies the need to review their contents by demonstrating a real and rational interest in the company’s operations. In practice, this interest may stem, in particular, from the need to determine how shareholder rights are exercised or the trustee’s intention to dispose of shares. It is crucial to emphasize that demonstrating a legal interest is not necessary to obtain access to bankruptcy files – demonstrating a rational justification for the need to review the files is sufficient. Granting access is discretionary and depends on the court’s judgment, which determines whether the circumstances presented by the applicant sufficiently justify such a request. It should also be emphasized that access to such information should be granted only in accordance with the provisions of the Bankruptcy Law, and not pursuant to regulations regarding access to public information.

Can a company gain access to its shareholder’s bankruptcy proceedings files?

In practice, the bankruptcy of a shareholder rarely remains a “private” matter. Once shares become part of the bankruptcy estate, the trustee may influence voting rights, corporate governance, and even the future ownership structure of the company itself.

This raises an important legal question:
Does the company have the right to inspect the bankruptcy files of its shareholder?

Although a company is usually not a formal participant in such proceedings, Polish Bankruptcy Law allows access to entities that can sufficiently justify a real and rational interest in reviewing the files.

For companies, this interest may include:
• determining who exercises shareholder rights during proceedings,
• monitoring the trustee’s actions,
• assessing the potential sale of shares,
• protecting corporate stability and ownership structure.

The article analyzes the balance between transparency of bankruptcy proceedings and the debtor’s privacy, while explaining when a company may successfully request access to bankruptcy files as a third party.

An important issue for corporate governance, restructuring practice, and investor protection.

#BankruptcyLaw #Insolvency #CorporateLaw #CommercialLaw #Restructuring #Shareholders #CorporateGovernance #LegalInsights #BusinessLaw #MergersAndAcquisitions #Trustee #CompanyLaw #Litigation #LegalUpdate #Compliance #CorporateStructure #InvestorRelations #LegalPractice #Governance #BusinessRisk #LawFirm #CorporateDisputes #FinancialRestructuring #PolishLaw #LegalAnalysis

Artykuł Can the company as the third party gain access to its shareholder’s bankruptcy proceedings files pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

Can an AI influencer be held legally accountable? Not directly — but the businesses and creators behind them certainly can.

As AI-generated personas become a powerful tool in marketing, they also raise important legal questions around transparency, advertising disclosures, GDPR compliance, copyright, and the new obligations introduced by the EU AI Act. In my latest article, I explore who bears responsibility for AI influencers, what regulatory requirements apply, and which legal risks companies should address before launching virtual brand ambassadors.

If your business is using AI to engage consumers, this is a topic you cannot afford to ignore.

The topic of AI in the legal community remains fraught with controversy, loopholes, and regulatory needs. The dynamic progress in this area is linked to the emergence of ever- new phenomena—with which the law cannot always keep pace—one of which are so-called AI influencers.

AI influencers are, in other words, figures created within algorithms using artificial intelligence. It may seem that their growing popularity is closely linked to economic and social aspects indicating the tendency to depart from traditional forms of marketing in favor of those generated by artificial intelligence.

This type of solution, however, is not outside the scope of applicable law. AI influencers, like other creators, are subject to requirements regarding liability, transparency, personal data protection, and compliance with EU and national regulations. However, to what extent, who is responsible for them, and what regulatory obligations apply to them are matters of consideration for this study.

AI Influencer – a natural person, a legal person, or maybe something completely different?

Under current regulations, an AI influencer lacks legal personality or the capacity to bear liability. They should be treated as a tool or technological product used by an entrepreneur. Consequently, all responsibility for content generated using them rests with the entity that decides on its publication, i.e., most often the entrepreneur or, alternatively, the entity implementing the system. The prevailing view is that even in situations of a high degree of AI system autonomy, liability is not transferred to the system, as it is not a legal entity.

Can an entrepreneur avoid liability by relying on the autonomy of an AI system?

In the context of civil law, it should be assumed that general principles of tort liability apply. According to Article 415 of the Civil Code, liability rests with the person who caused the damage through their own fault, while Article 355 § 2 of the Civil Code imposes on the entrepreneur an obligation to exercise due diligence, taking into account the professional nature of the activity. In practice, this means that the entrepreneur cannot rely on the autonomy of the AI system as a circumstance excluding liability if they failed to ensure adequate control over the generated content.

AI Influencer and product promotion.

influencer as commercial information is also crucial. Any message intended to promote a product or service is subject to the rigors of, among others, the Consumer Rights Act, particularly regarding disclosure obligations in distance contracts.

Marking advertising content – not only the responsibility of AI influencers

In light of the regulations on combating unfair commercial practices, it should be assumed that the lack of appropriate labeling of advertising content poses a significant legal risk. The Act implementing Directive 2005/29/EC introduces a ban on misleading practices and a so-called “blacklist” of practices prohibited under all circumstances, including surreptitious advertising. Pursuant to Article 7, Section 11 of this Act, it is prohibited to use editorial content to promote a product without clearly disclosing the commercial nature of the message.

In the decision-making practice of the President of the Office of Competition and Consumer Protection, it should be noted that this authority consistently considers the lack of advertising collaboration labeling to be a violation of the collective interests of consumers. Decisions issued emphasize that labeling must be unambiguous, legible, and understandable to the average consumer, and that the use of unclear labeling or concealment may result in the imposition of significant financial penalties. In light of these decisions, it should be assumed that similar standards will apply to content generated by AI influencers.

Human, robot, or artificial creation – that is, misleading action.

AI influencer as a real person is also particularly significant. It should be assumed that failing to disclose the artificial nature of such a persona may be considered misleading, particularly regarding the authenticity of consumer experiences. Such a practice may be classified as a violation of both unfair market practices regulations and transparency principles under EU law.

In this context the application of AI Act is crucial. It should be noted that this act introduces a taxonomy based on the classification of AI systems according to risk level: prohibited systems, high-risk systems, systems subject to transparency obligations, and systems with minimal risk. In the case of AI influencers, it should be assumed that, in principle, they will be classified as systems subject to transparency obligations, unless their functionality includes elements that could significantly influence consumer decisions in a manipulative manner, which could potentially lead to a more restrictive classification.

Supplier and implementing entity – what does this mean for the entrepreneur?

The AI Act clearly distinguishes the roles of the AI system provider and the implementer. The provider is responsible for designing and marketing the system and must meet a number of requirements, including documentation, risk management, and compliance. The implementer, in turn, i.e., the entrepreneur using the AI influencer , is responsible for its use, particularly for compliance with transparency obligations and for the legal consequences of published content.

Article 50 of the AI Act and the information obligation

In light of Article 50 of the AI Act, end users must be informed that they are interacting with content generated by artificial intelligence. Furthermore, manipulative practices, including the use of subliminal techniques or exploitation of particularly vulnerable groups, are prohibited. Violation of the regulation’s provisions may result in the imposition of severe administrative penalties, reaching up to tens of millions of euros or a specified percentage of a company’s annual turnover.

Personal data protection

In the area of personal data protection, the GDPR applies. In particular, attention should be paid to the obligation to conduct a data protection impact assessment (DPIA) pursuant to Article 35 of the GDPR where processing – particularly involving the use of AI – is likely to result in a high risk to the rights and freedoms of natural persons. This applies in particular to behavioral profiling and automated decision-making.

The principle of privacy by design & privacy by default in practice

The principles of privacy by design and privacy by default require the controller to consider data protection at the system design stage and to use default settings that minimize the scope of data processing. In practice, this means that AI influencer mechanisms must be appropriately designed to limit interference with user privacy.

Tailoring content to users and GDPR

Content customization, or profiling, in accordance with Article 4(4) of the GDPR, is a particularly important element of AI influencer marketing activities. It should be assumed that the use of data regarding user preferences, behavior , or location to personalize messages requires meeting certain legal requirements, often including obtaining explicit consent. In the context of Article 22 of the GDPR, consideration should also be given to whether automated decision-making is taking place that produces legal effects or significantly affects a natural person in a similar manner.

CJEU case law and the use of cookies

In this regard, the judgment of the Court of Justice of the European Union in Case C-673/17 (Planet49) is particularly significant. It should be assumed that consent to the use of cookies must be expressed actively and knowingly, and the use of pre-selected consent is inadmissible. This ruling is fundamental to marketing practice, including activities carried out using AI influencers , as it confirms the need to obtain real, prior user consent for tracking and profiling activities.

Law and ethics

From an ethical perspective, however, considered in the context of legal norms, it is necessary to point out the growing importance of the so-called dark web issue. patterns and consumer manipulation. In light of applicable regulations, it should be assumed that designing interfaces or messages in a way that induces users to make decisions they otherwise would not have made may be classified as unfair market practices. In the case of AI influencers , this risk is particularly significant due to the ability to precisely tailor the message to the recipient’s psychological profile.

The problem of AI and copyright

In the field of intellectual property law, it should be assumed that protection is granted only to manifestations of human creative activity. Content generated solely by AI generally does not constitute a work under copyright law, unless the human exercised sufficiently significant control over the creative process to constitute individual creative input. In practice, this leads to the search for alternative forms of protection, such as trade secrets.

At the same time, the risk of violating third-party rights, including copyright and image rights, must be considered. Generating content that resembles existing works or real people may result in liability for damages under the terms of civil law and the Copyright and Related Rights Act.

NIS2 and risk management obligations

Additionally, the obligations arising from the NIS2 Directive should be noted, which focus on risk management, supply chain security, and ensuring system continuity. In the context of AI influencers, this means implementing appropriate security procedures, monitoring vulnerabilities, and developing incident response mechanisms. This directive places the burden of responsibility on the entrepreneur generating content via an AI influencer.

Summary

The use of AI influencers in business requires compliance with various legal regulations, including consumer law, personal data protection, artificial intelligence regulations, and civil law. Current mechanisms are applicable to AI influencer activities , but in an era of constantly evolving technologies and the ever-increasing importance of social marketing, it can be expected that AI influencer activities will also require new solutions.

Bibliography:

Regulation (EU) 2024/1689 of the European Parliament and of the Council (AI Act )

Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)

Directive 2005/29/EC on unfair commercial practices

NIS2 Directive (Directive (EU) 2022/2555)

Act of 23 August 2007 on Counteracting Unfair Market Practices

Act of 16 April 1993 on Combating Unfair Competition

Act of 30 May 2014 on consumer rights

Act of 4 February 1994 on copyright and related rights

Civil Code

Planet49 judgment (C ‑ 673/17) of the Court of Justice of the European Union – regarding consent to cookies and direct marketing

Guidelines for labeling advertising content in social media issued by the Office of Competition and Consumer Protection

Decisions of the President of the Office of Competition and Consumer Protection regarding influencer marketing and surreptitious advertising (the body’s judicial practice, including cases concerning the lack of marking of commercial cooperation)

European Data Protection Board (EDPB) – Guidelines on Profiling and Automated Decision-Making

#AI #ArtificialIntelligence #AIAct #GDPR #InfluencerMarketing #LegalTech #Compliance #ConsumerProtection #Copyright #DataProtection #DigitalMarketing #TechnologyLaw #RiskManagement #NIS2 #EUlaw

Can an AI influencer be held legally accountable? Not directly — but the businesses and creators behind them certainly can.

As AI-generated personas become a powerful tool in marketing, they also raise important legal questions around transparency, advertising disclosures, GDPR compliance, copyright, and the new obligations introduced by the EU AI Act.

In my latest article, I explore:
• who bears responsibility for AI influencers
• what regulatory requirements apply
• the legal risks companies should address before launching virtual brand ambassadors

AI influencers may not have legal personality, but entrepreneurs using them remain fully responsible for the content they generate and publish.

The article also discusses:
AI Act transparency obligations
misleading commercial practices and hidden advertising
GDPR and profiling risks
copyright and image rights issues
consumer protection requirements
NIS2 and cybersecurity obligations
ethical concerns related to manipulation and dark patterns

As AI-driven marketing evolves faster than regulation, businesses must ensure that innovation goes hand in hand with legal compliance and consumer trust.

If your company is already using AI to engage consumers — or plans to — this is a topic you cannot afford to ignore.

#AI #ArtificialIntelligence #AIAct #GDPR #LegalTech #Compliance #InfluencerMarketing #ConsumerProtection #Copyright #DataProtection #DigitalMarketing #TechnologyLaw #RiskManagement #NIS2 #EULaw #AIGovernance #AICompliance #CyberSecurity #Privacy #AdvertisingLaw #ContentCreators #VirtualInfluencers #EmergingTech #BusinessLaw #Innovation

Artykuł AI Influencer in the light of the law – scope of responsibility, regulatory obligations and legal risks pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

Resignation from the management board of a limited liability company is permissible at any time, regardless of the term of office. Therefore, a sole management board member is not obligated to serve until the end of their term and may terminate their position earlier either through their own resignation or through dismissal by the relevant body. Each of these options leads to the expiry of their mandate, but they differ significantly in terms of procedure and practical consequences.

Legal nature of resignation

Resignation from the management board constitutes a unilateral legal act. Its effectiveness does not depend on the consent or any action of the shareholder or the company. This is based on Article 202 § 5 of the Commercial Companies Code, which refers to the provisions of the Civil Code on termination of an assignment. The mandate holder may terminate the assignment at any time, and the declaration becomes effective upon the addressee having had the opportunity to become familiar with its content, as stipulated in Article 61 § 1 of the Civil Code. Therefore, the mandate expires by operation of law at the time specified by law, not only upon entry in the National Court Register. An entry in the register is solely declaratory in nature, confirming the existing legal status, but does not create it. Its absence does not affect the effectiveness of the resignation, although it may cause practical difficulties in relations with contractors and institutions.

Special procedure for the resignation of the sole member of the management board of a limited liability company

Article 201 § 2 of the Commercial Companies Code allows for the management board of a limited liability company to consist of one person. This is a dispositive provision, meaning that the company agreement may provide otherwise and, for example, require a larger number of management board members. Therefore, before taking any action, the content of the specific company agreement in this regard should be verified.

If the sole member of the management board resigns, no management board seat would be filled after their departure. The legislature anticipated this situation by introducing a separate procedure in Article 202 § 6 of the Commercial Companies Code. According to this procedure, the resignation is submitted to the shareholders, convening a shareholders’ meeting. The resignation statement should be included in the invitation to the meeting or delivered to the shareholders together with the notice of its convening. The meeting is convened by registered mail, courier, or email (if the shareholder has previously consented in writing), sent at least two weeks before the shareholders’ meeting. The procedure in such a case should be as follows:

1/ The member of the management board shall submit a declaration of resignation to the shareholders, and not to another body of the company, e.g. the supervisory board (if established in the company’s articles of association) or to a commercial proxy, if one has been appointed in the company.

2/ At the same time, it convenes a shareholders’ meeting two weeks before the planned meeting, attaching the text of the resignation declaration to the invitation.

3/ The resignation becomes effective on the day following the date for which the meeting was convened. This occurs regardless of whether the meeting actually takes place or whether the shareholders adopt any resolutions.

4/ The effectiveness of the resignation does not depend on the shareholder’s participation in the meeting, the adoption of the resolution or the consent to the resignation.

5/ A subsequent entry in the National Court Register is of a declaratory nature and confirms the existing situation, but does not condition the effectiveness of the resignation.

Who is the proper addressee of the declaration of resignation?

A resignation declaration must be submitted to the shareholders, as they are the entities authorized to appoint and dismiss management board members. It cannot be submitted to the company as a whole, to the sole proxy (if appointed), as this is not the entity authorized to receive such declarations on behalf of the shareholder or the shareholders’ meeting. Ineffective submission of the declaration, for example, to the wrong addressee, has no legal consequences. In such a case, the management board member’s mandate does not expire, and the person formally remains on the management board.

The company with one shareholder

In the case of a single-member company, i.e., one in which all shares are held by a single shareholder, convening a shareholders’ meeting is formal. A physical meeting is not required. It is sufficient for the sole shareholder to receive notice of the meeting along with the content of the resignation declaration, as, pursuant to Article 156 of the Commercial Companies Code, in a single-member company, the powers of the shareholders’ meeting are exercised independently by the sole shareholder. Therefore, there is no need to organize a formal meeting, as delivering the declaration in a manner that allows for review of its content is sufficient. However, for evidentiary purposes, it is recommended to document this action in writing. Proper delivery of the declaration to the shareholder is crucial. In practice, it is recommended to deliver it in a manner that allows for proof of this fact, e.g., by registered mail with acknowledgment of receipt, courier, or electronic means with acknowledgment of receipt. Proper delivery is a necessary condition for assessing the effectiveness of the resignation and its effective date.

The procedure is as follows:

1/ The member of the management board sends a declaration of resignation to the shareholder when convening the shareholders’ meeting;

2/ Because the company has a single shareholder, there is no need to formally convene a shareholders’ meeting. The sole shareholder exercises the powers of the shareholders’ meeting independently.

3/ The resignation becomes effective on the day following the day for which the meeting was called, even though it does not have to be formally held.

4/ A subsequent entry in the National Court Register is of a declaratory nature and confirms the existing situation, but does not condition the effectiveness of the resignation.

Can a company function after the resignation of the sole member of the management board?

The resignation of the sole member of the management board leads to a situation in which no mandate on the management board is filled. This situation is referred to in legal doctrine as a “hull body.” A company without a management board, and therefore a representative body, generally cannot effectively enter into contracts, incur obligations, or sign documents requiring management board representation. However, Polish law permits a company to temporarily operate without a management board, provided that an independent commercial proxy is present. Commercial power of attorney does not automatically expire upon the dismissal or resignation of the management board, as Article 109 § 7 of the Civil Code enumerates the instances in which commercial power of attorney expires, and the absence of a management board is not one of them. This view is also reflected in the case law of the Supreme Court and in rulings of the Supreme Administrative Court, for example, in judgment V CZ 26/16.

An independent commercial proxy may, therefore, temporarily represent the company and manage its day-to-day affairs. However, this situation should be purely temporary. A commercial proxy acts within a limited scope; for example, they cannot sign the company’s financial statements, which can result in serious consequences for failing to submit financial statements for the financial year, such as dissolution of the company without liquidation proceedings if the financial statements are not submitted for two consecutive years. They also cannot grant a special power of attorney for actions that require it (sale or encumbrance of real estate, sale of an enterprise), as these actions are reserved by law exclusively for the management board. Such company representation may also pose a risk of suspension of proceedings, as common courts have varying views on this issue, with some courts suspending proceedings ex officio under Article 174 § 1 item 2 of the Code of Civil Procedure, considering the lack of a management board to be a deficiency that prevents the company from operating, as evidenced by opposing rulings by the District Court in Bydgoszcz, case file VIII Gz 218/19, and the Court of Appeal in Poznań, case file III AUz207/22. Moreover, a long-term lack of management may negatively impact the company’s credibility in the eyes of business partners, who may refuse to enter into contracts with a company represented solely by an independent proxy, fearing for the entity’s stability.

Deletion of a management board member by the registry court and vacancy in the management board

The registry court will remove a management board member from the National Court Register (KRS) based on a submitted application, even if the company does not yet have a new management board. As mentioned earlier, an entry in the National Court Register is declaratory in nature, and the removal of a management board member by the registry court is not a necessary condition for the expiry of their mandate due to resignation. In such a situation, the court cannot refuse to remove a management board member unless the company is in arrears with its financial statements. However, pursuant to Article 24, Section 1a, if the court finds that there is nobody authorized to represent the company or that the body’s composition is deficient, the court may set a deadline and summon the shareholders to appoint or elect this body, subject to a fine. This initiates enforcement proceedings, in which the court may impose a fine of up to PLN 10,000 on the company’s shareholders, which may be imposed multiple times up to a total of PLN 1 million. If new management board members are elected, any unpaid fines will be waived. The court may also, as a last resort, waive or discontinue the compulsory decision and initiate proceedings to dissolve the company without liquidation proceedings, provided that the company has no transferable assets or does not conduct actual business.

Cancellation as an alternative to resignation

Besides resignation, another way for a management board member to terminate their position is through dismissal by an authorized body. In a limited liability company, this is generally the shareholders’ meeting, although this authority may be delegated to another body in the company agreement. In a company with a single shareholder, dismissal occurs by a shareholder resolution without convening a formal meeting. This immediately terminates the management board member’s mandate.

Sources:

P. Pinior, Resignation of a member of a corporate body, ABC.

A. Krokowski, K. Wielgus, Resignation from the mandate by a member of the management board of a limited liability company after the amendment of November 9, 2018, Rejent 2020, No. 5, pp. 65-100.

D. Marciniak, Resignation of the sole member of the management board of a capital company, PPH 2019, no. 12, pp. 52-58.

M. Dumkiewicz [in:] Commercial Companies Code . Updated commentary, Gdańsk 2026.

Resignation of the sole member of the management board in a Polish limited liability company (sp. z o.o.) is possible at any time, but the procedure is more formalized than in the case of an ordinary board member.

Under Article 202 § 6 of the Commercial Companies Code, the last remaining board member must submit the resignation to the shareholders while simultaneously convening a shareholders’ meeting. The resignation becomes effective on the day following the date for which the meeting was convened — regardless of whether the meeting actually takes place.

Importantly:
• resignation is a unilateral legal act,
• KRS entry is only declaratory,
• incorrect delivery of the resignation may render it ineffective,
• a company may temporarily function without a management board if a commercial proxy (prokurent) has been appointed, although this creates significant practical and legal risks.

The issue remains highly relevant in practice, especially in single-shareholder companies and entities facing governance disputes.

#CorporateLaw #Poland #CompanyLaw #ManagementBoard #Resignation #SpZoo #CommercialLaw #KRS #Governance #PolishLaw

Artykuł Resignation of the sole member of the management board of a limited liability company in Poland pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

We recently advised a Polish medtech company developing an innovative artificial intelligence-powered Software as a Medical Device (SaMD) designed to support early detection of cardiovascular disease based on standard electrocardiogram (ECG) recordings.

The client is developing software that performs automated analysis of resting ECG data and generates additional diagnostic insights for physicians. While the patient experience remains identical to a standard ECG examination, the software applies advanced signal processing and AI-driven analytics to extract significantly more information from the underlying electrical activity of the heart. The current version is intended for use in clinical settings, while a next-generation solution is being developed for home use, enabling remote screening and telemedicine-based monitoring.

Grant Funding and Project Scope

The company obtained substantial non-dilutive funding under the SMART Pathway programme (Ścieżka SMART), financed through the European Funds for a Modern Economy programme and administered by the Polish Agency for Enterprise Development (PARP). The project is planned over a 36-month period and includes research and development activities, software engineering, regulatory certification, and a clinical investigation designed to validate the product’s use in home settings.

The grant financing enabled the company to expand its multidisciplinary team, including software engineers, clinicians, and regulatory specialists, and to accelerate product development and market preparation. According to the company, the funding has also created an opportunity to scale internationally following commercialization.

Why the Technology Is Innovative

The software represents a significant advancement in digital cardiology. Traditional ECG interpretation is based on a two-dimensional representation of cardiac electrical activity. By contrast, the client’s technology uses a proprietary analytical method that evaluates cardiac signals in a four-dimensional framework—capturing both spatial and temporal characteristics of myocardial activation.

The AI layer integrates this signal analysis with additional clinical data, such as patient history and supplementary diagnostic findings, to identify subtle abnormalities that may indicate elevated risk of future cardiovascular events, including myocardial infarction or heart failure.

This approach has the potential to:

• improve early detection of coronary artery disease and heart failure;
• support population-level cardiovascular screening;
• enable home-based diagnostic assessments;
• reduce pressure on healthcare systems by prioritizing high-risk patients; and
• enhance physicians’ diagnostic capabilities with automated decision support.

The company ultimately envisions a model in which patients can perform ECG tests at home using a dedicated device and smartphone application, with data transmitted to a telemedicine centre for automated analysis and clinical review.

Regulatory and Clinical Investigation Considerations

As an AI-enabled medical device intended to support clinical decision-making, the software is subject to the EU Medical Devices Regulation (EU) 2017/745 (MDR). The product is undergoing conformity assessment and certification under the current MDR framework.

A key component of the funded project is a clinical investigation involving patients who will use the software in home settings. ECG recordings will be transmitted to a collaborating medical centre, where they will be analysed using the client’s software to assess the reliability, safety, and usability of the home-use model.

Our Legal Support

We advised the client on the preparation and negotiation of the clinical investigation agreement with the healthcare institution participating in the study.

This work included legal support on:

• allocation of responsibilities between the sponsor and the investigation site;
• compliance with MDR requirements governing clinical investigations;
• patient data processing and GDPR compliance;
• ownership and use rights relating to clinical data and study results;
• confidentiality and protection of proprietary algorithms;
• insurance and liability arrangements;
• publication rights; and
• termination and post-study obligations.

Particular attention was given to the contractual treatment of software-generated data and outputs, including rights to use clinical datasets for algorithm refinement and future regulatory submissions.

Key Legal Challenges for AI-Based SaMD Companies

The project illustrates several legal issues that are increasingly relevant for AI-enabled medtech businesses:

1. Clinical Evidence Generation

AI-based software must be supported by robust clinical evidence demonstrating safety and performance. Well-structured agreements with clinical partners are essential to secure access to data and ensure regulatory compliance.

2. Data Governance

Training and validating machine-learning models requires clear legal rights to process and reuse patient data while maintaining compliance with GDPR and ethical standards.

3. Intellectual Property Protection

Clinical collaborations should safeguard ownership of proprietary algorithms, software, and derivative models, while addressing rights to jointly generated study data.

4. Grant Compliance

Projects funded through public programmes involve specific contractual obligations relating to eligible costs, milestones, reporting, and dissemination.

5. Transition to Home Use

Moving from physician-supervised use to direct-to-consumer or home-based deployment raises additional regulatory and liability considerations, including usability, cybersecurity, and telemedicine integration.

Conclusion

This engagement highlights the legal and regulatory complexity involved in bringing AI-driven Software as a Medical Device solutions to market. The combination of innovative signal analysis, artificial intelligence, telemedicine, and grant-funded R&D creates significant opportunities, but also requires careful legal structuring at every stage of development.

Our support helped the client establish a compliant contractual framework for its clinical investigation, enabling it to generate the evidence necessary to advance certification and prepare for commercialization in Poland and international markets.

Artykuł Legal Alert: Advising an AI-Powered Software as a Medical Device Developer on Clinical Investigation Agreements and Grant-Funded Innovation pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

Labor law is a key area of the legal system, directly impacting the professional and social situation of millions of employees and employers. Dynamic changes in the labor market, technological progress, and economic conditions necessitate adapting legal regulations to new realities. Recently, we have observed increased legislative activity in this area, not only in Poland but also in the EU. The Labor Code is amended almost annually. This year, 2026 will be no different. This time, however, the amendments will affect a very large portion of society and will address issues such as seniority, salary transparency, recruitment neutrality, and even the gender pay gap. Therefore, for context, it is worth reviewing the new regulations that entered into force at the end of 2025, and then moving on to those that await us this year. At the end of this article, we will also highlight possible legal changes that have been announced for a long time. Their implementation is highly probable and could bring significant changes. Therefore, it is worth being aware of them.

Collective labor agreements

The Act on Collective Bargaining Agreements and Collective Agreements entered into force on December 13, 2025. The new regulations eliminate the current registration of agreements by District Labor Inspectorates and the Ministry and introduce the National Register of Collective Bargaining Agreements (KEUZP), which will record all collective agreements and agreements. All regulations are transferred from the Labor Code to the new Act of November 5, 2025, on Collective Bargaining Agreements and Collective Agreements. The changes are intended to facilitate the conclusion and registration of collective agreements, streamline procedures, and support social dialogue between employers and trade unions through, among other things, an open catalog of matters regulated by collective agreements, the possibility of concluding them for a fixed or indefinite period, and simplifying the procedure for extending a multi-employer agreement. It is worth noting that agreements, additional protocols, and collective agreements will be registered in an electronic system, not in paper form. The agreement will come into effect on the date specified therein, but not earlier than the date of proper notification to KEUZP. During the transition period (since there is a two-year deadline for establishing the KEUZP) before the KEUZP is fully operational, new agreements and protocols are submitted electronically to the Ministry of Family, Labor, and Social Policy. The act promotes mediation, allowing for the use of a mediator or expert during negotiations. The new regulations allow for broader regulation of issues such as work -life balance, gender equality, anti-mobbing procedures , and the use of artificial intelligence (AI) in the workplace. The principle of benefit (the provisions of the agreement cannot be less favorable than the Labor Code) and the principle that the agreement automatically becomes part of the employment relationship have been maintained.

Pay transparency and neutrality in recruitment

As of December 24, 2025, changes to job advertisements and the recruitment process itself came into effect. This means that job advertisements must use gender-neutral job titles. This means that both the job advertisement and the job title should not suggest the candidate’s gender. For example, when hiring an administrative assistant, the job advertisement should indicate that the position is being sought for administrative work or an administrative assistant. Additionally, candidates must know the salary for the position they are applying for (either in the form of a salary range or a specific amount). This information should be included in the advertisement or at the latest before the interview. This remuneration includes all its components, including annual bonuses (wage-related) and a company laptop (non-wage-related). Art. 221 of the Labor Code, which prevents employers from asking about job candidates’ salary histories (current and past earnings), while employees gain the right to information about the average salary levels of employees performing the same work or work of equal value, broken down by gender. The regulations are intended to impact the recruitment process, making it more transparent and clear, and also to prevent the pay gap from shifting between companies. From the employer’s perspective, this will mean changes to job ad templates, recruitment processes, mandatory salary disclosure (including all elements), and the risk of claims or compensation for non-compliance with the new requirements.

Seniority and minimum wage

From January 1, 2026, the rules for calculating length of service are changing. In accordance with Article 302¹ § 1-7 of the Labor Code, length of service will include not only periods of employment under an employment relationship, but also numerous forms of professional activity and the status of individuals performing work outside of an employment contract. If these periods overlap, the most favorable period for the employee will be included. This provision comes into effect on January 1, 2026, for entities operating in the public finance sector, and on May 1, 2026, for other employers. Length of service will include: mandate contracts, service contracts, performance of an agency contract, being a collaborator with a person performing the previously mentioned activity, membership in an agricultural production cooperative, and membership in a cooperative of agricultural circles, if covered by pension and disability insurance during these periods. Gainful employment abroad on a basis other than an employment relationship will also be included. The changes will result in, among other things, longer leave (from 20 to 26 days after reaching 10 years of service), higher severance pay, seniority or anniversary bonuses, and a longer notice period. The seniority allowance will only be valid upon confirmation through appropriate documentation. The employee has 24 months to do so, and after that time, the employer will not be obligated to include it. Pursuant to Article 302¹, Sections 11–13 of the Labor Code, the method for confirming periods of professional activity that are to be included in the length of service depends on the type of activity performed. Legislators have introduced three separate types of certificates issued by the Social Insurance Institution (ZUS). Effective January 1, the minimum wage will also increase to PLN 4,806 gross, while the minimum hourly rate for individuals accepting contracts or providing services will be PLN 31.30. The increase in the minimum wage also affects other rates when calculating salaries and benefits, so it is worth paying attention to this, for example, the maximum statutory severance pay is PLN 72,090 gross.

Change in sick leave

From January 1, 2026, the issue of sick leave will also change, most importantly, expanding the scope of the Social Insurance Institution (ZUS). Due to the abuse of sick leave, more inspections will be introduced. The amendment introduces new provisions, allowing employees to combine sick leave with work for another employer in justified cases. Furthermore, during sick leave, employees will be able to perform minor tasks, such as answering the phone, replying to emails, or signing documents. The payment of sick leave benefits will also change and will apply from the first day of sick leave. As a result, the obligation to pay the employee’s salary and settle the claim with the Social Insurance Institution (ZUS) will be transferred to ZUS itself, while the employer will be released from this obligation. The issuance of ZUS medical certificates will be accelerated through reorganization and standardization. The procedure for issuing certificates will be supported by medical assistants, and the deadlines will be significantly shortened, and in justified cases, a nurse or physiotherapist will be able to issue a certificate. ZUS will also be able to request medical documentation from doctors and facilities and verify the validity of care allowances. Under the new regulations, if a person taking sick leave is employed, they may lose their entitlement to sickness benefits for the entire sick leave period. However, the legislature has provided an important exception. If an employee has two employment contracts and the sick leave is valid only with one employer, they can continue working for the other employer without fear of losing their entitlement to benefits. The condition is that the duties of the second job do not interfere with treatment or delay recovery.

The increasing digitalization of labor law and changes in holiday pay

As of January 27, 2026, the written form requirement for certain labor law documents will be abolished. In practice, this means that written form will no longer be required for information about workplace monitoring, notification of the transfer of a workplace or part thereof, notification to a trade union of the intention to terminate an employee’s employment contract and reasoned objections from a trade union, employee requests regarding the introduction of certain working time systems, requests for an individual work schedule, requests for time off for overtime, requests for remote work, and occupational health and safety procedures related to risk assessment and the provision of instructions. As a reminder, written form requires the document to be signed with a handwritten signature or a qualified electronic signature compliant with the EU eIDAS regulation. Once the changes come into effect, the documents indicated above can be prepared in paper or electronic form. The electronic form will include both documents with a qualified electronic signature (electronic form as defined in Article 78¹ of the Civil Code) and emails, provided they enable the identification of the person submitting the declaration. Until now, the deadline for paying compensation for unused vacation leave was not explicitly stipulated in applicable regulations. However, following the changes, employers will be obligated to pay this compensation on the last salary payment date or within 10 days of the date of termination of employment (if the salary payment date falls before the date of termination). Changing the compensation payment deadline will allow employers to avoid potential errors in calculating the compensation amount, which they will be able to calculate after the termination of employment and will reduce the burden on employers by reducing the number of payments for salary or vacation compensation. The project also ensures greater employee representation in matters related to the company social benefits fund at employers without trade unions.

Pay Transparency Directive

Poland has until June 7, 2026, to implement the provisions of Directive 2023/970; the amendment to the Labor Code represents the first step in this direction. The directive includes, among other things, the obligation to report the gender pay gap, initially in large companies with over 250 employees. If the gap exceeds 5% and is not justified by objective criteria, the employer will be required to conduct a pay assessment in conjunction with trade unions or employee representatives. The amendment to the Labor Code represents the first step towards implementing Directive 2023/970 in Poland. Furthermore, a pay structure must be introduced within companies, which means tables classifying positions within specific pay groups. Ultimately, employees will be entitled to information on the average remuneration of employees performing the same work or work of equal value. Furthermore, job evaluation will be mandatory, meaning the establishment of a hierarchy of positions within the company and objective criteria, such as qualifications, effort, responsibility, and working conditions (not personal characteristics) for a given position. This is intended to establish a foundation for proving that people in different positions are performing “work of equal value.” It’s also worth mentioning that the new regulations will result in new sanctions for non-compliance, including full compensation (back pay, bonuses) for employees who have been victims of pay discrimination. Importantly, the burden of proof has shifted to the employer.

Possible Changes in Counteracting Mobbing and Discrimination

The planned entry into force is 21 days after publication in the Journal of Laws. The draft amendment to the Labor Code concerning mobbing has been adopted by the Standing Committee of the Council of Ministers and is continuing its legislative work. The amendment will include a change in the definition of mobbing, specifying that it is persistent harassment of an employee that is repetitive, recurrent, or permanent. Incidental inappropriate behavior is excluded from mobbing, which is intended to reduce the number of false accusations. The new regulations clearly state that mobbing can take verbal, nonverbal, and physical forms, which are not covered by the current Labor Code. The intention of the perpetrator’s behavior and the occurrence of a harmful effect are excluded from the assessment of whether mobbing has occurred. Furthermore, possible perpetrators of mobbing are listed as supervisors, co-workers, and subordinates (the perpetrator can be a single person or a group). Ordering or inciting this type of violence is equated to mobbing in terms of punishment. Every employer is obligated to implement procedures to prevent mobbing and to quickly and effectively respond to reports of this type. Due to growing employee awareness of their rights, the importance of redress is also growing. Every employee experiencing abuse is entitled to compensation of at least six times the minimum wage. If both mobbing and a violation of the principle of equal treatment occur, the victim is entitled to compensation of at least three times the minimum wage. As far as civil liability for mobbing in the workplace is concerned , the employer is generally liable, but he or she may be exempted from liability if he or she implements appropriate anti-mobbing regulations and the victim’s co-worker commits mobbing (according to the draft act of 30 May 2025 amending the Labor Code and the Civil Procedure Code, art. 9433). Furthermore, the draft assumes the unification of defined forms of harassment (simple) and its qualified form (sexual harassment), following the example of the currently applicable provisions regarding sexual harassment, as actions occurring physically, verbally and non-verbally, the introduction of the principle of the distribution of the burden of proof in cases concerning the violation of the principle of equal treatment by placing the burden of proof on the employee by placing the burden of proof on the employer to prove that the violation of the principle of equal treatment did not occur, specifying that the obligation to counteract violations of the principle of equal treatment and mobbing is fulfilled by applying preventive measures, detecting and reacting quickly and appropriately, as well as by taking appropriate measures. corrective measures and support for people affected by unequal treatment, supplementing the code catalogue of employer obligations to counteract violations of dignity and other personal rights of employees.

Major Changes to Polish Labour Law in 2026 – What Employers Need to Prepare For

2026 brings one of the most significant waves of labour law reforms in recent years in Poland. The upcoming amendments will reshape recruitment processes, pay transparency obligations, seniority calculations, sick leave procedures, workplace digitisation, collective bargaining, and anti-mobbing responsibilities.

Key legal developments include:

Pay Transparency & Recruitment
Employers will be required to:
disclose salary ranges already at recruitment stage,
use gender-neutral job advertisements,
avoid asking candidates about salary history,
provide access to information on average remuneration levels.

These changes are part of the implementation of the EU Pay Transparency Directive and are intended to reduce the gender pay gap and strengthen equal treatment standards.

New Rules on Seniority
From 2026, periods worked under civil law contracts, agency agreements, and even certain forms of work performed abroad may count toward employment seniority. This will directly affect:

• annual leave entitlement,
• notice periods,
• severance payments,
• seniority bonuses.

Changes to Sick Leave
The Social Insurance Institution (ZUS) will take over payment of sickness benefits from day one of absence, while inspections related to sick leave abuse will intensify. Employees may also perform limited professional activities during sick leave under specific conditions.

Digitalisation of Employment Documentation
Many employment-related documents will no longer require written form and may be processed electronically, significantly reducing administrative burdens for employers.

Collective Bargaining Reform
The new National Register of Collective Bargaining Agreements (KEUZP) introduces electronic registration and broader possibilities for regulating workplace matters, including AI usage, work-life balance, and anti-mobbing measures.

Anti-Mobbing & Anti-Discrimination
Planned amendments will broaden the definition of mobbing, strengthen employer obligations regarding preventive procedures, and shift the burden of proof in discrimination cases increasingly toward employers.

LabourLaw #EmploymentLaw #Poland #HRCompliance #PayTransparency #EqualPay #Recruitment #HumanResources #CorporateLaw #EmploymentRights #WorkplaceCompliance #GenderEquality #EUlaw #Mobbing #DiscriminationLaw #SalaryTransparency #DigitalHR #CollectiveBargaining #LegalUpdate #FutureOfWork

Artykuł Overview of the most important changes in Polish labor law in 2026 pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

The supervisory board is one of the key bodies of a company, performing the function of constant oversight of the company’s activities in all areas of its operation. Its constitutional position is established as a separate body from the management board, deprived of the authority to manage the company’s affairs, but equipped with control instruments aimed at protecting the interests of the company and its shareholders. This structure is based on a clear separation of decision-making and supervisory functions, which, at least at the normative level, is intended to ensure the proper functioning of corporate governance mechanisms. However, business practice and extensive case law demonstrate that the boundaries between the powers of the supervisory board and the management board are not always clear. In particular, disputes focus on the scope of the supervisory board’s interference in the company’s day-to-day operations, the nature and effects of its resolutions, its communication relations with the management board, and the legal consequences of exceeding its authority. These issues most often arise in the context of the civil liability of supervisory board members and the assessment of the legality of their actions under the provisions of the Commercial Companies Code. The purpose of this article is to present selected issues related to the functioning of the supervisory board in companies against the background of court case law. This analysis focuses in particular on the liability of supervisory board members for damages, conflicts of authority with the management board, the risk of violating the law while performing supervisory functions, and formal issues related to the composition and operation of company bodies. This approach allows us to present the supervisory board not only as a formal control body, but also as an entity that actually contributes to shaping the company’s legal situation and bears the consequences of its actions or omissions.

Liability for damages of members of the supervisory board in a limited liability company

One of the constitutive features of a limited liability company is the lack of liability of shareholders for the company’s obligations, which, however, applies exclusively to the ownership sphere. The liability of individuals actually participating in the management and supervision of the company’s operations, particularly members of its governing bodies, is shaped differently. While the legal status and liability of management board members are the subject of extensive doctrinal and case law analysis, the liability of supervisory board members remains relatively less frequently discussed, even though they also bear a real risk of legal liability for improper performance of their duties. The basic regulation of the civil liability of supervisory board members in a limited liability company is contained in Article 293 of the Commercial Companies Code, which establishes an autonomous basis for the liability for damages of members of the company’s governing bodies, while excluding the application of the general principles of tortious liability of the Civil Code. Under this provision,

a supervisory board member is liable to the company for damage caused by an act or omission contrary to the law or the provisions of the company’s articles of association, unless they are not at fault.

This structure is based on contractual liability (ex contractu), based on a special contractual bond between the company and a member of its governing body. Case law has established that liability under Article 293 of the Commercial Companies Code requires the cumulative fulfillment of four conditions: damage to the company, an adequate causal link between the conduct of the governing body member and the resulting damage, unlawfulness of the act or omission, and fault, which, importantly, is subject to a statutory presumption. This liability covers both actual losses and lost profits that the company could have expected had the supervisory board member not culpably breached their duties. Of particular importance with respect to the supervisory board is the heightened degree of due diligence resulting from the professional nature of the role performed. As indicated in the case law, supervisory board members are required not only to formally perform control functions but also to actively and professionally oversee the company’s operations, including ongoing assessment of its financial condition and responding to signals indicating a threat to the company’s financial interests. Ignorance of the company’s economic situation, especially in the event of a risk of insolvency, cannot constitute a circumstance excluding liability. The scope of liability of supervisory board members is determined not only by statutory provisions, in particular Articles 214, 219, and 222 of the Commercial Companies Code, but also by the provisions of the company agreement, which may provide for an extended list of supervisory or consultative duties.

It should be emphasized that this liability is assessed according to the concept of individual fault, not the collective fault of the body, although, in principle, it is joint and several towards the company. This means that the company may seek redress of damages both from all board members jointly and from each of them individually, while maintaining recourse claims between members of the body. A significant limitation of the liability of supervisory board members is the introduction of the so-called “severance clause” into Article 293 § 3 of the Commercial Companies Code. The business judgment rule states that a member of a supervisory board is not liable for damage resulting from an unsuccessful business decision if they acted loyally to the company and within the limits of reasonable business risk, based on available information, analyses, and opinions. However, the burden of proof in this regard rests with the supervisory board member, who must demonstrate that they have met the conditions excluding their guilt. Case law also emphasizes that the liability of supervisory board members is not excluded by the fact that management board members are also liable. In certain circumstances, joint and several liability for damages of both bodies to the company is possible if the damage resulted from their unlawful and culpable conduct. This leads to the conclusion that the supervisory board is not merely a formal body, but an entity actually burdened with the risk of financial liability for improper supervision of the company’s operations.

Competence and communication conflicts between the supervisory board and the management board

The case law of common and administrative courts clearly emphasizes the need for a strict delineation of the powers of the supervisory board and the management board, treating this division as a fundamental element of proper corporate governance in companies. Disputes in this regard arise primarily in situations in which the supervisory board, although formally exercising its supervisory powers, encroaches on the management of the company’s affairs, which are statutorily reserved for the management board. The Supreme Administrative Court’s judgment of June 26, 2019, case no. I FSK 1228/17, clearly emphasized that the actions of supervisory board members cannot involve the actual assumption of management powers, even if this is done pursuant to resolutions of the shareholders’ meeting. In this case, the practice of concluding agreements with supervisory board members under which they performed activities typical of management boards, such as deciding on pricing policy, employment, or production plans, was questioned. The Supreme Administrative Court found that such actions lead to a blurring of the normative division of powers between company bodies, which is inconsistent with the structure of a capital company and the principle of the exclusive right of the management board to manage the company’s affairs. A similar position is presented in civil court case law, which consistently indicates that the supervisory board is not a management body, and its role is limited to ongoing oversight of the company’s operations. The Supreme Court’s judgment of May 17, 2018, V CSK 322/17, emphasized that the exercise of control powers, regardless of their normative basis, must be consistent with the purpose of supervision and must not lead to the de facto paralysis of the management board’s activities. Although the case concerned the right to individual control of a shareholder, the arguments presented therein remain fully relevant also in the context of the supervisory board-management relationship, indicating that control instruments cannot be used in a manner inconsistent with the functional division of roles within the company. The Court of Appeal in Katowice highlighted the issue of communication conflicts in its judgment of January 31, 2017, V ACa 350/16, emphasizing that the manner in which control rights are exercised cannot lead to harassment of the company’s governing bodies or create artificial barriers to its operation. The court clearly stated that the right of control, even if broadly applicable, cannot be exercised in a manner that disrupts the ongoing management of the company, which is also crucial for assessing the relationship between the supervisory board and the management board. The judgment of the Court of Appeal in Szczecin of December 12, 2013, I ACa 774/13, also has significant implications for assessing the limits of supervisory board interference. It stated that the establishment of a supervisory board cannot lead to excessive concentration of organizational power in a single body if this would weaken the checks and balances within the company. This judgment indirectly confirms that the supervisory board should be viewed as an element of the control system, not as a substitute for company management. Based on the aforementioned case law, it can be concluded that conflicts of authority and communication between the supervisory board and the management board constitute one of the most frequently encountered problems in the operation of capital companies. Courts have consistently held that the boundary between supervision and management of the company’s affairs is strictly normative in nature and cannot be shifted by resolutions of company bodies or established corporate practice.

Non-compliance of the supervisory board’s actions with the law and the consequences of defective resolutions

Court case law clearly highlights the problem of supervisory board actions being inconsistent with the law, most often manifesting itself through defective resolutions adopted by company bodies or the execution of resolutions that are inconsistent with the law. Courts consistently emphasize that, despite lacking the authority to manage the company’s affairs, the supervisory board remains a body obligated to operate within the bounds of the law, and violating these boundaries has significant legal consequences, both organizationally and in terms of accountability. In the judgment of the Supreme Administrative Court of June 26, 2019, Case I FSK 1228/17, it was noted that resolutions of company bodies that circumvent the statutory separation of powers between the management board and the supervisory board cannot constitute an effective legal basis for the actions of supervisory board members. In the case at hand, supervisory board members, by relying on a resolution of the shareholders’ meeting, performed activities that were actually part of the company’s management. The court clearly stated that a resolution inconsistent with the Act does not legalize actions contrary to the provisions of the Commercial Companies Code, even if it has not been formally eliminated from legal circulation. Case law also emphasizes that a resolution’s inconsistency with the Act does not always lead to its absolute invalidity, but may result in its repeal or a declaration of invalidity by a constitutive court ruling. This circumstance has important practical significance, as until a final and binding decision is issued, the resolution may formally function in legal circulation. However, this does not mean that it protects supervisory board members from the negative consequences of actions taken pursuant to it if such actions violate mandatory provisions.

The issue of the unlawfulness of supervisory board actions is also closely linked to case law concerning violations of the structure of company bodies. Courts have indicated that a supervisory board that actually takes over management functions or interferes in the day-to-day management of the company’s affairs is acting ultra vires, which leads to questioning the effectiveness of the actions taken. In such cases, not only is Article 107 of the Commercial Companies Code violated but also 219 § 1 of the Commercial Companies Code, which defines the supervisory nature of the supervisory board, and also violates the fundamental principle of legality of the actions of a company’s governing bodies. Case law also emphasizes that the obligation to ensure the company’s compliance with the law also extends to the supervisory board itself. This means that this body cannot justify its own violations by arguing that it is acting in the company’s interest, nor can it rely on instructions from the shareholders’ meeting. Action contrary to the law, even if motivated by the company’s economic interest, remains unlawful and may result in civil liability, and in certain cases, tax or organizational liability.

Appointment and dismissal of management board members – formal errors and their consequences

One of the significant issues emerging in case law concerning the functioning of the supervisory board is the formal irregularities related to the appointment and dismissal of management board members, particularly in the context of the prohibition on combining functions and the consequences of violating it. These disputes focus not only on assessing the validity of personnel resolutions, but also on the legal consequences that defective personnel decisions have for the supervisory board itself as a body participating in the management board appointment process. In the judgment of the Supreme Administrative Court of June 26, 2019, I FSK 1228/17, the court explicitly addressed the consequences of violating Article 214 of the Commercial Companies Code, which prohibits combining the functions of a supervisory board member with certain positions within the company, including the position of a management board member. The Supreme Administrative Court indicated that the appointment of a supervisory board member to the management board raises significant doubts as to the legal consequences of such an action, although neither case law nor legal doctrine has developed a uniform position in this regard. On the one hand, the view is presented that the appointment of a supervisory board member to the management board results in the expiration of their mandate on the supervisory board by operation of law. On the other hand, it is pointed out that a violation of the prohibition on combining functions results in the invalidity of the legal act that led to a violation of Article 214 of the Commercial Companies Code.

However, the Supreme Administrative Court emphasized that, in light of established case law, a resolution of the shareholders’ meeting inconsistent with the Act is not automatically invalid, but may be subject to revocation by a constitutive court ruling. Consequently, there are no grounds for the automatic application of the sanctions under Article 58 of the Civil Code if the legislature has provided for a specific procedure for reviewing resolutions of company bodies. This ruling is significant from the perspective of the supervisory board as a body, as it highlights the high legal risk associated with adopting or implementing defective personnel resolutions, even if they are formally legally binding. When participating in the procedure of appointing or dismissing management board members, the supervisory board cannot limit itself solely to the formal implementation of resolutions of the shareholders’ meeting, but should always review their compliance with mandatory provisions, particularly those governing the structure of company bodies. Case law also emphasizes that formal errors in the appointment of company bodies can have consequences that extend beyond the sphere of commercial law, affecting the assessment of the validity of actions undertaken by the management board, the company’s tax relations, and the scope of civil liability of the members of the bodies. A defective appointment of a management board member can lead to undermining the effectiveness of their actions and, in the longer term, to attributing responsibility to the bodies that allowed such a state of affairs to arise.

The limits of the supervisory board’s independence as a company body – the supervisory board as a control body, not a decision-making body

Court case law consistently emphasizes the functional separation of the supervisory board and the management board, resulting from the structure of a company’s governing bodies. Courts emphasize that the supervisory board, even when acting with the belief that it protects the company’s interests, is not authorized to undertake decision-making or management actions unless the law or the articles of association expressly grants it such authority. The case law indicates that the supervisory board’s independence is purely functional, not competency-based. This means that the supervisory board acts independently only within the framework of its control powers, not in the management of the company’s affairs. Crossing this line leads to a situation in which the supervisory board effectively replaces the management board, which is inconsistent with the systemic division of roles in a limited liability company. Courts emphasize that supervisory board resolutions adopted outside the scope of its authority have no legal effect, regardless of their formal existence. This applies in particular to resolutions that interfere with the status of management board members, the manner of conducting the company’s affairs, or the performance of activities that the legislature has reserved exclusively for the management board or the shareholders’ meeting. In such cases, the supervisory board does not act as a corporate body in the substantive sense, but merely expresses a position devoid of legal significance. Case law also emphasizes that the supervisory board’s lack of competence cannot be cured by either corporate practice or long-standing shareholder tolerance. Even a well-established supervisory board’s mode of operation does not extend its powers beyond those stipulated by law or the company’s articles of association. Consequently, courts assume that the limits of the supervisory board’s independence are absolute, and exceeding them not only results in defective actions but can also constitute the basis for further legal consequences, including liability of supervisory board members or the elimination of resolutions from legal circulation.

The liability of the supervisory board towards the company’s creditors – exceptional nature and limits of admissibility

In the context of the functioning of the supervisory board in companies, the issue of its potential liability towards the company’s creditors deserves particular attention. Generally, the civil liability of supervisory board members is internal in nature and directed towards the company itself, finding its basis in the provisions of the Commercial Companies Code, specifically Article 293 of the Commercial Companies Code in relation to limited liability companies and Article 483 of the Commercial Companies Code in relation to joint-stock companies. However, these provisions do not establish a direct basis for the supervisory board’s liability towards third parties, including the company’s creditors, which in practice leads to significant interpretational doubts regarding the scope of protection of creditors’ interests in situations of improper performance of supervisory functions. Unlike Article 299 of the Commercial Companies Code, which specifically and autonomously governs the liability of management board members towards creditors in the event of ineffective enforcement against the company, the legislator did not provide a similar liability mechanism for supervisory board members. The lack of such a regulation, however, does not completely exclude creditors from pursuing claims against supervisory board members, but rather necessitates recourse to the general principles of civil liability provided for in the Civil Code. Legal doctrine and case law indicate that, in exceptional cases, such liability may be based on Article 415 of the Civil Code if the culpable act or omission of a supervisory board member constituted an independent source of damage to the creditor.

The condition for assigning such liability is, in particular, demonstrating that the supervisory board member had a specific supervisory obligation, the failure to perform of which was unlawful and culpable, and that there was an adequate causal relationship between this omission and the damage suffered by the creditor. A general reference to the exercise of a supervisory function or the company’s insolvency alone is not sufficient in this regard. A supervisory board member’s tortious liability may only arise when their inaction or tolerance of obvious violations of the law by the management board directly led to a deterioration of the company’s financial situation and, consequently, to a loss of creditor’s property rights. Case law emphasizes that the obligation to file a bankruptcy petition rests with the management board members, not the supervisory board, which precludes the possibility of attributing liability to board members solely for failing to file such a petition. Potential liability of the supervisory board to creditors cannot therefore consist in a simple transfer of the provisions of Article 299 of the Commercial Companies Code to another company body, but must be based on an individual assessment of the conduct of a specific supervisory board member as someone who, through their own culpable omission, contributed to the damage. From a systemic perspective, it should therefore be recognized that the liability of supervisory board members to creditors is extremely exceptional and cannot circumvent the statutory principles of liability of management board members. At the same time, however, it cannot be ruled out a priori in situations where the lack of proper supervision takes the form of a gross and unlawful omission, exceeding the limits of the organizational risk associated with performing supervisory functions. This approach allows for maintaining a balance between protecting creditors’ interests and the principle of separation of powers and responsibilities among the corporate bodies.

As a side note, it should be noted that the Supreme Court’s decision of January 15, 2025 (case file number I CSK 1220/24), concerns the civil liability of persons performing management functions and does not directly address the liability of supervisory board members. However, this ruling has systemic significance, as it confirms the autonomous nature of tort liability regulated in Article 415 of the Civil Code relative to the specific liability regimes provided for in the Commercial Companies Code. The Supreme Court indicated that the lack of grounds for attributing liability under Article 299 of the Commercial Companies Code does not exclude the possibility of pursuing claims for damages under general civil law principles. In this respect, this ruling does not constitute a basis for the supervisory board’s liability to creditors, but rather confirms the availability of civil law remedies in situations where the specific regimes do not apply.

In the context of civil liability of members of company governing bodies, the Supreme Court’s judgment of April 14, 2016 (II CSK 430/15) is significant. It stated that Article 293 of the Commercial Companies Code also covers conduct constituting a tort within the meaning of Article 415 of the Commercial Companies Code, provided it is within the organizational relationship between the member of the governing body and the company. It should be emphasized, however, that this ruling applies solely to liability towards the company itself and does not address third-party claims. It thus indirectly confirms that in relations with creditors, the liability of members of governing bodies—including, potentially, supervisory board members—may be considered solely on the basis of general principles of civil law, and not on the basis of Article 293 of the Commercial Companies Code.

In the context of tort liability, the judgment of the Court of Appeal in Warsaw of 25 June 2021 (VII AGa 699/20) is of significant importance, emphasizing that the mere failure to perform or improper performance of an obligation, even culpable, does not constitute unlawfulness within the meaning of Article 415 of the Civil Code. For tort liability to arise, a violation of a generally applicable legal norm is necessary, not merely an obligation arising from a specific contractual relationship. This ruling is also significant in the context of the liability of members of company governing bodies, indicating that the possibility of third parties invoking the tort regime requires demonstrating qualified unlawfulness that goes beyond the sphere of organizational liability towards the company.

The above leads to the conclusion that the liability of supervisory board members towards the company’s creditors may only be of an incidental and subsidiary nature, based on the general principles of civil law and limited to situations of qualified, unlawful conduct going beyond the sphere of corporate supervision.

Supervisory board responsibilities and how they may impact creditors’ rights (based on the company’s articles of association)

The company’s articles of association indicate that the supervisory board was designed as a body with real influence on the company’s operations, not merely a formal body. Its responsibilities encompass not only traditional oversight of the company’s operations but also important organizational and financial decisions, including the appointment and dismissal of management board members, review of financial plans, and approval of key asset-related transactions. This structure of the supervisory board significantly strengthens its role in the company’s internal control system.

Of particular significance is the fact that, according to the agreement, the supervisory board is responsible for the proper composition of the management board, while also specifying the minimum composition of this body. Therefore, the operation of a company with a management board staffed in violation of the agreement should trigger the supervisory board’s obligation to respond. Long-term tolerance of such a situation can hardly be considered organizationally neutral, especially when it affects the basic structure of the company’s governing bodies.

While actions taken by a management board operating with defective composition are generally effective against third parties, this does not mean that the lack of proper board composition is irrelevant. It can increase the risk of decisions that burden the company financially or organizationally, which in the long run also impacts the position of creditors. In this sense, oversight failures do not have to remain solely a company’s internal problem.

The supervisory board’s importance in protecting creditors’ interests is further reinforced by its broad range of financial powers, including approving budgets, recovery plans, and consenting to significant company liabilities. With this supervision model in place, failure to address obvious irregularities in the management board’s operations may be viewed as inadequate performance of supervisory duties, especially if the company’s financial situation deteriorated during that time.

Consequently, although the liability of supervisory board members towards creditors is exceptional, an analysis of the company’s articles of association demonstrates that the manner in which supervision is exercised can have real significance beyond the sphere of internal corporate relations. This applies particularly to situations in which the supervisory board’s failure to respond to organizational irregularities results in damage to creditors.

Artykuł Can supervisory board bear liability vis-à-vis creditors of the company or shareholders? pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.

An unauthorized transaction is a financial transaction made without the consent of the account or cardholder, for example, as a result of data theft. In such a situation, the bank is obligated to return the funds unless it can prove the customer’s intentional act or gross negligence.

Currently, there is a noticeable increase in unauthorized transactions. This causes payers and banks to lose nearly a billion złoty annually. The Polish Financial Ombudsman is noticing a growing number of requests for intervention regarding unauthorized payment transactions. In the first half of 2020 alone, it received 416 requests. This is more than in all of 2018, when there were 367. In 2019, there were 612 requests, an increase of almost 60%. It is worth noting that in the first half of 2020, requests regarding unauthorized transactions accounted for 80% of all requests related to violations of the Payment Services Act.

Legal definition

The Payment Services Act [1] (which has been harmonized with EU law[2]) lacks a definition of an unauthorized transaction, but it can be derived from Article 40(1) of the Act. A payment transaction is considered authorized if the payer has consented to executing the payment transaction in the manner provided for in the contract between the payer and their payment service provider. Consent may also apply to subsequent payment transactions. In simple terms, an unauthorized payment transaction is one to which the payer has not consented, i.e., has not authorized it. Authorization should be distinguished from authentication, i.e., a technical act involving the provision of payer data, use of an appropriate financial token, etc. An authenticated transaction may remain unauthorized due to the use of various manipulation and social engineering techniques, such as phishing.

Bank account agreement

Pursuant to Article 725 of the Civil Code, through a bank account agreement, the bank undertakes to the account holder, for a specified or unspecified period, to hold their funds and, if the agreement so provides, to conduct monetary settlements on their behalf. The bank is therefore the owner of the funds and should ensure their security.

• the funds become the property of the bank
• the account holder’s entitlement constitutes a claim against the bank, and its size is indicated by the account balance.

Possibility of receiving a refund

It is possible to obtain a refund from a bank in the event of an unauthorized transaction. The Payment Services Act, in this case, assumes a shift in the burden of proof from the customer to the bank (reversed burden of proof). Article 45, paragraph 1 of the Act states that the user’s provider bears the burden of proving that the payment transaction was authorized and correctly recorded in the provider’s payment transaction processing system and that it was not affected by a technical failure or other defect related to the payment service provided by that provider, including the provider providing the payment transaction initiation service.

Under the Act, the bank is obligated to respond to a complaint within 15 days (and exceptionally within 35 days in particularly complex cases). If the response deadline is extended, the bank must inform the client within 15 days of the extension and the basis for it. Communication is in writing, but with the client’s consent, electronic contact is also possible. If the complaint is upheld, the refund must be made immediately, within one business day of notification to the bank. If the bank disagrees with the client, it must notify law enforcement authorities and may then waive the refund. The payer will be required to return the funds once the bank proves that the client:

• himself made the transaction in order to defraud the bank or
• has intentionally or through gross negligence violated the user’s obligations.

The user’s obligations are as follows:

• immediately report theft of funds or unauthorized third-party access to the account,
• using the account in accordance with the contractual terms,
• storing individual authentication data with due diligence (in particular not making them available to unauthorized persons).

Accidental transfer and unauthorized transaction

Unauthorized transactions should be distinguished from erroneous transfers. In the case of a transfer, the payer intends to complete the transaction (authorizes) and confirms login details (authenticates), but due to an error, the funds are transferred to the wrong recipient’s bank account. The customer should immediately notify the bank of the error. The bank will contact the recipient of the erroneous transfer within three days, informing them of the consequences of failing to refund within 30 business days. The bank will provide the recipient with a technical account to eliminate the risk of data leaks. The payer receives the refund from the technical account. The recipient remains anonymous and cannot be charged any fees. The bank may, however, pass on the costs of the refund to the payer. If the recipient of the transfer does not transfer the funds to the technical account within 30 days, the bank will share the recipient’s data with the payer, who will then be able to pursue civil claims.

Exceptions to the return obligation

Pursuant to Article 46 of the Payment Services Act: “the payer is liable for unauthorized payment transactions up to (…) the equivalent of EUR 50 (…) if the unauthorized transaction is a result of: using a payment instrument lost by the payer or stolen from the payer, or misappropriation of a payment instrument. The above provision cannot be applied in the event that:

• the payer had no possibility of detecting the theft of the payment instrument before executing the payment transaction, except in the case of intentional action by the payer, or
• the loss of the payment instrument before the execution of the payment transaction was caused by an act or omission on the part of an employee of the bank’s supplier.

[1]Act of 19 August 2011 on payment services (consolidated text: Journal of Laws of 2025, item 611, as amended).

[2]Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC, 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC (OJ EU L 337, 2015, No. 337, p. 35, as amended)

Unauthorized transactions are becoming an increasingly serious challenge for both customers and financial institutions. Banks are generally required to refund stolen funds unless they can prove intentional misconduct or gross negligence by the customer. It is also important to distinguish unauthorized transactions from accidental transfers, where the payer willingly authorizes the payment but sends it to the wrong account. Growing cyber threats and phishing attacks highlight the importance of financial awareness, data protection, and rapid response to suspicious activity.

UnauthorizedTransactions #CyberSecurity #BankingSecurity #FinancialSafety #FraudPrevention #DigitalBanking #PaymentSecurity #PhishingAwareness #FinancialEducation #RiskManagement #ConsumerProtection #CyberFraud #FinTech #DataProtection #OnlineSecurity

Artykuł Unauthorized Transactions and Consumer Protection in Modern Banking pochodzi z serwisu KIELTYKA GLADKOWSKI LEGAL | CROSS BORDER POLISH LAW FIRM RANKED IN THE LEGAL 500 EMEA SINCE 2019.