WBW Legal

Newsletter

WBW Weremczuk Bobeł & Partners
March 2025

Dear Readers,

 

in the March issue of our newsletter, we draw attention to the parliament’s legislative proceedings concerning a bill aimed at, i.a., tightening the liability regime for employers in relation to offenses against employees. We also elucidate the principal components of the updated guidelines on personal data protection breaches, published by the President of the Personal Data Protection Office. Furthermore, we dissect key amendments to the Commercial Companies Code contained within the recently published government draft. Additionally, we signal the implementation of further provisions of the EU Artificial Intelligence Regulation (AI Act). 

 

Enjoy your read,

WBW Team

 

 

 

Tightening penalties for offenses against employees

Daria Pawlak, paralegal

Sebastian Michalak, associate

 

On February 21, 2025, the new law regulating foreign access to the labor market in Poland was adopted by the Sejm, as previously mentioned in our November newsletter when the bill was still being drafted. During the parliamentary proceedings, amendments were made to the law that toughen the penalties for employers committing offenses against employees. Notably, these changes will be incorporated into the Labor Code and will apply to all employers, even those who do not employ foreigners. The law has been forwarded for further legislative work in the Senate.

 

Tightening penalties for employer offenses

 

Under the previous legal framework, the penalty range for fines imposed on employers for committing most offenses against employee rights started at PLN 1,000 and capped at PLN 30,000. Following the amendment of the regulations, the minimum penalty for such offenses will now be PLN 3,000, while the maximum will increase to PLN 50,000. This applies to actions such as entering into civil law contracts in situations where an employment contract should have been established, failure to provide written confirmation of the employment contract, or terminating the employment relationship with an employee without notice in violation of labor law provisions.

 

Similarly, the amount of fines for offenses related to the failure to pay wages on time, denial of entitled leave, or failure to issue the employment certificate in a timely manner will also increase.

 

New offense in the Labor Code

 

Additionally, the amendment is set to introduce a new type of offense related to the employer’s liability in cases where they fail to pay wages owed to an employee for a period of at least three months. In this instance, the employer will be subject to a fine ranging from PLN 5,000 to PLN 60,000, and may even face a penalty of restriction of liberty.

 

 

 

New guidelines from the President of the Personal Data Protection Office regarding data protection violations

Krzysztof Weremczuk, attorney-at-law, partner

 

The President of the Personal Data Protection Office has published an updated guide addressing the issue of data protection violations. This publication incorporates the latest experiences of supervisory authorities as well as the current guidelines from the European Data Protection Board. The document provides a practical discussion on matters related to identifying and managing incidents that may result in the violation of the rights or freedom of individuals.

 

From the perspective of practical legal transactions, the following elements of the guide appear to be particularly significant:

 

  1. precise guidelines for risk assessment,
  2. clarification of the principles for reporting violations,
  3. documentation and analysis of incidents,
  4. practical examples.

 

What changes in practice are introduced compared to previous guidelines?

 

Compared to the previous version of the guidelines, the latest document introduces a more detailed categorization of incidents and expands the list of recommended corrective actions following a violation. This includes, among other things, international experiences in combating cyberattacks and references from rulings by EU courts, which are intended to facilitate quicker identification of events and better planning of internal processes for organizations. Additionally, greater emphasis is placed on the transparency of actions taken in response to violations, recommending that administrators conduct regular reviews of their procedures and provide more frequent training for employees.

 

An additional novelty is the expanded approach to the so-called risk analysis — the guidelines explicitly indicate that a formal procedure alone is insufficient if it is not accompanied by a systematic assessment of the effectiveness of the implemented safeguards. In practice, this means that administrators must place greater emphasis not only on detecting data protection gaps but also on the immediate implementation of remedial measures and the coherent documentation of each step taken.

 

The updated guide can serve as a valuable source of knowledge for entrepreneurs, public institutions, and all entities that process personal data as part of their operations. We encourage you to review the content of the document and to verify whether the internal procedures and security policies in your organization align with the latest standards.

 

If you have any questions regarding the application of the new guidelines in practice or need to make changes to your personal data protection documentation, please feel free to contact our team.

 

 

 

Abolition of bearer shares and other changes in the Commercial Companies Code

Antonina Godlewska, paralegal

 

In the November issue of our newsletter, we already addressed the topic of planned changes in the Commercial Companies Code concerning private joint-stock companies, limited joint-stock partnerships, and simple joint-stock companies. At that time, only the general assumptions of the bill were known, but the draft law has now been published under project number UD152. Its adoption by the Council of Ministers is scheduled for the first quarter of 2025, and the law is expected to come into force in the second half of 2025. Below, we present the key changes included in the published draft law.

 

Further dematerialization of shares

 

The discussed draft law aims to continue the dematerialization of shares initiated in 2021. At that time, share ledgers were abolished and replaced by a register of shareholders, and each share, regardless of its classification as registered or bearer, was granted the status of a registered share. The proposed amendment plans to eliminate this distinction by introducing a single category of registered shares, which, in line with the project’s objectives, is intended to simplify the legal system and enhance the security of share trading.

 

Protection period for shareholders

 

Previously, the dematerialization of shares provided for a 5-year protection period for physical share certificates. The evidential value of the shares regarding the ability of the shareholder to demonstrate their participation rights to the company was set to last until March 1, 2026. However, due to reported issues related to the loss or destruction of share documents, the amendment to the Commercial Companies Code proposes to extend this period by an additional 2 years. In the event that a shareholder neglects the dematerialization process, they will be able to assert their rights until March 1, 2028.

 

Expansion of the catalog of information disclosed in the National Court Register 

 

The amendment will also impose the obligation to disclose in the National Court Register information regarding the entry in the shareholder register, as well as details about the entity maintaining that shareholder register. This means that the management board (or general partner) will be required to report to the NCR the conclusion of an agreement for maintaining the shareholder register. The law also stipulates the necessity to disclose in the NCR information about shares registered on Distributed Ledger Technology (DLT) accounts.

 

 

 

AI Act – Additional Regulations Have Come into Force

Patryk Halczak, attorney-at-law

 

In June 2024, the EU regulation concerning artificial intelligence, commonly referred to as the AI Act, was adopted. We informed about this legal act and the initial regulations that came into force on August 1, 2024, in our October 2024 newsletter. Recently, on February 2, 2025, another batch of provisions of the AI Act has been enacted, making it certainly worthwhile to revisit this topic.

 

Among the regulations that came into effect at the beginning of February 2025, the most significant appears to be the prohibition on the use and market introduction of particularly dangerous AI systems. “Particularly dangerous” systems are defined as those that, among other things, manipulate user behavior, exploit vulnerabilities to influence their decisions, are used for social scoring that leads to discrimination, or aim to conduct criminal predictions, etc. Violations of these prohibitions may result (from August 2, 2025) in the imposition of an administrative monetary fine of up to €35 million or, if the violator is a company, up to 7% of the total global revenue from the previous year (whichever amount is higher).

 

The next group of provisions of the AI Act will come into force on August 2, 2025, and is certain to attract the attention of a broader range of entities, not only due to the aforementioned penalties but also because it will pertain, among other things, to providers of general-purpose AI models (such as GPT-4 or OpenAI).