Poland Recording Laws: One-Party Consent, GDPR, and Deepfake Rules (2026)

How Poland Treats Recording Under Criminal Law
Poland's approach to recording conversations rests on a single dividing line: whether you are inside the conversation or outside it. If you are a participant, you can record. If you are not, recording the conversation is a crime.

This framework sits within Article 267 of the Kodeks karny (Criminal Code), originally enacted on June 6, 1997 (Dz.U. 1997 nr 88 poz. 553) and most recently consolidated in 2024 (Dz.U. 2024 poz. 17). The statute falls under Chapter XXXIII of the Criminal Code, which protects the confidentiality of information and communications. The Polish Constitution reinforces this protection through Article 49, which guarantees that "the freedom and privacy of communication shall be ensured" and that restrictions may be imposed "only in cases and in a manner specified by statute."
Polish courts and legal scholars refer to this system as the "participant rule" rather than a formal one-party consent doctrine. The distinction matters: the question is not whether someone consented to the recording. The question is whether the person pressing record was actively taking part in the exchange being captured.
The Constitutional Foundation: Articles 47 and 49
Before reaching the Criminal Code, Poland's recording law rests on two constitutional guarantees that set the framework for all downstream statutory analysis.
Article 47 of the Constitution of the Republic of Poland (1997) establishes the right to legal protection of private and family life, of honour and good reputation, and of the right to make decisions about one's personal life. This provision creates an affirmative state obligation to protect privacy, not merely to refrain from violating it. Courts applying Article 267 and GDPR enforcement decisions from UODO consistently invoke Article 47 as the underlying value being served.
Article 49 is more specific to communications. It provides that "the freedom and privacy of communication shall be ensured" and permits limitations "only in cases and in a manner specified by statute." Polish constitutional case law and commentary have confirmed that Article 49's protection covers the content of every form of communication (telephone calls, in-person conversations, electronic messages, video calls, and fax) as well as the metadata of communication: who spoke to whom, when, for how long, and from where. The Supreme Court's April 2016 ruling in case II CSK 478/15 treated Article 47 as the privacy anchor and Article 45 (right to a fair trial) as the countervailing value when a court must decide whether a secretly made recording is admissible as evidence.
These constitutional provisions do not, by themselves, prohibit participant recording. They protect the interests of the person whose communications are being captured. When the person recording is the same person whose communications are in question (a participant), no violation of Article 47 or Article 49 arises, because the participant was already party to the information exchanged. The criminal offense under Article 267 §3 is precisely calibrated to this constitutional logic: only the non-participant who obtains information they were never meant to receive violates the constitutional interest those articles protect.
Article 51 of the Constitution adds a further layer relevant to recordings that feed into data processing: every person has the right to access information about themselves held by public authorities and to demand its correction. This provision interfaces directly with GDPR's data-subject rights when a recording is held by a public body.
Article 267: Breaking Down Each Paragraph
Article 267 contains four paragraphs. Together they define what constitutes unauthorized acquisition of information, what tools and methods are covered, and what happens when someone shares illegally obtained material.
§1: Unauthorized Access to Information
The first paragraph criminalizes gaining access, without authorization, to information not intended for the perpetrator. It covers three methods: opening a sealed letter, connecting to a telecommunications network, and bypassing or defeating electronic, magnetic, or other protective measures.
Penalties under §1: a fine (grzywna), restriction of liberty (ograniczenie wolności), or imprisonment for up to two years (pozbawienie wolności do lat 2).
§2: Unauthorized Access to IT Systems
The second paragraph extends the prohibition to unauthorized access to the contents of a computer system or telecommunications network. This covers hacking and digital intrusion. While not directly about recording conversations, it overlaps when someone gains access to stored recordings, voicemails, or communication logs without permission.
§3: The Wiretapping Paragraph
This is the provision that governs recording. Article 267 §3 states that a person who, in order to obtain information to which they are not entitled, installs or uses an eavesdropping device (urządzenie podsłuchowe), visual recording device (urządzenie wizualne), or any other device or software, is subject to the same penalties as under §1.
The reference to "any other device or software" in the 2024 consolidated text (Dz.U. 2024 poz. 17) is significant. It reflects the legislature's intent to cover commercial stalkerware and spyware applications marketed for intercepting private communications, a category of tool that multiplied rapidly in the years before the 2024 consolidation. Surveillance apps installed on a target's phone without their knowledge fall within §3's scope regardless of whether the app is marketed as a parental-control tool, a fleet-tracking system, or an employee-monitoring solution.
The Supreme Court addressed §3 directly in its ruling of December 30, 2020 (case V KK 363/20). The Court confirmed that intentional acquisition of information not intended for the perpetrator, by means of audio or video recording devices operated without the knowledge of the participants, constitutes a criminal act. The ruling made clear that the type of device is irrelevant. A voice recorder, a smartphone, a hidden camera, dedicated surveillance hardware, or a spy application all qualify. What matters is that the person recording had no right to receive the information being captured.
The ruling also reinforced the prosecution requirement: Article 267 offenses are prosecuted on the motion of the injured party (na wniosek pokrzywdzonego). The state does not pursue these cases on its own. The person whose communication was intercepted must file a formal complaint to trigger criminal proceedings.
§4: Sharing Illegally Obtained Recordings
The fourth paragraph criminalizes disclosing to another person information obtained through any of the methods described in paragraphs one through three. If someone illegally records a conversation and then shares that recording with a colleague, posts it online, or plays it for someone else, they face the same maximum sentence of two years' imprisonment.
This means the chain of liability extends beyond the person who pressed record. Anyone who knowingly distributes material obtained through illegal eavesdropping risks prosecution.
The Participant Rule in Practice
The logic behind Poland's recording laws is straightforward. When you are part of a conversation, the information being exchanged is directed at you. You are entitled to receive it. Capturing it on a device does not change that entitlement.
This applies equally to phone calls, face-to-face meetings, video conferences, and voice messages. A person recording their own conversation with a neighbor, a business partner, a landlord, or a government official is not committing a criminal act. There is no requirement to announce that recording is taking place. There is no beep tone requirement. There is no obligation to obtain verbal or written consent before pressing record.
Polish legal scholarship and court decisions consistently support this reading. The Criminal Code criminalizes obtaining information you are not entitled to. If you are a participant, you are entitled to the information being shared with you. Full stop.
That said, the absence of criminal liability does not mean the absence of all consequences. Civil law and data protection law both create separate obligations that can apply even when no crime has been committed. A person who records a private conversation and then publishes it online may face civil claims for violating the other party's personal rights, even though the act of recording itself was lawful.
Phone Calls vs. In-Person Conversations
Polish law draws no distinction between recording a telephone conversation and recording a face-to-face conversation at the level of the Criminal Code. The participant rule applies identically to both.
A participant in a phone call may record it without informing the other party. A participant in a face-to-face meeting may place a voice recorder on the table, or keep a phone recording in a pocket, without telling other attendees. The analysis under Article 267 is the same in both scenarios.
Practically, telephone recordings surface more often as evidence in Polish courts. They appear regularly in labor disputes, contract disagreements, debt collection cases, and harassment proceedings. Courts generally admit participant recordings as evidence, though judges examine the purpose for which the recording was made and whether it was obtained in bad faith.
The Supreme Court established the foundational test for admissibility in its ruling of April 22, 2016 (case II CSK 478/15). In that case, the Court held that a recording may be used as evidence in civil proceedings if the circumstances in which it was made do not indicate a serious violation of the principles of social coexistence (zasady współżycia społecznego), and if admitting it is justified by the need to protect a party's right to a fair trial under Article 45 of the Constitution. The Court balanced the right to privacy under Article 47 of the Constitution against the right to a fair hearing, concluding that privacy is not absolute and must sometimes yield to evidentiary necessity.
A 2024 analysis of Supreme Court decisions confirms that II CSK 478/15 remains the controlling test. Courts applying this standard additionally consider whether the recording person controlled the conversation artificially, tried to provoke the other party, or took advantage of the other person's vulnerability or forced position. Recordings created by manipulating the other speaker carry greater risk of exclusion even if the participant rule is technically satisfied.
Non-participant recording of telephone communications, for example tapping a line without being on the call, installing a call-intercepting app on someone's phone without their knowledge, or using a network-level interception device, falls squarely under Article 267 §3 and is criminal.
Recording Police and Public Officials
Polish law does not contain an explicit statute permitting citizens to film police officers, but the participant rule and the low expectation of privacy that applies to official conduct in public together produce a practical answer: recording police officers and other public officials while they perform their duties in public is generally permissible.
The Constitutional Tribunal has recognized that Article 54 of the Constitution (freedom of expression, including receipt and communication of information) supports the right to document the exercise of public power. The European Court of Human Rights has also confirmed, in several cases involving Poland, that documenting police conduct in public spaces falls within the sphere of expression protected under Article 10 of the European Convention on Human Rights.
In practice, two limits apply. First, a citizen who records a police encounter is a participant only in the sense that the officer is speaking to or interacting with them; recording a different officer's interaction with a third party, from a distance, without being part of that exchange, raises a closer question. Courts have generally declined to treat such recordings as criminal, treating them as an extension of the right to observe and report on public conduct. Second, obstructing police operations in order to record them is a separate offense; recording must not interfere with the lawful exercise of police powers.
Police departments in Poland may themselves record interviews with suspects under procedures governed by the Code of Criminal Procedure. Citizens being questioned are not entitled to a copy of the police recording in the same way they would be entitled to copies under GDPR (police processing of personal data for law enforcement purposes falls outside GDPR and is governed by the Law Enforcement Directive, implemented in Polish law by the Act of June 14, 2018 on the protection of personal data processed in connection with preventing and combating crime).
GDPR and UODO Enforcement
Recording a conversation creates personal data whenever the recording captures a voice, a name, a phone number, or other identifying information. Once personal data is involved and the recording is used outside of purely personal or household activity, the General Data Protection Regulation (Regulation (EU) 2016/679) applies.
In Poland, the supervisory authority responsible for enforcing GDPR is the Urząd Ochrony Danych Osobowych (UODO), the Personal Data Protection Office. UODO operates under the framework of both the GDPR and the Polish Act on Personal Data Protection of May 10, 2018.
GDPR requires every controller processing personal data through recordings to identify a valid legal basis under Article 6(1). The bases most commonly relied upon for recording are:
- Consent (Article 6(1)(a)): The data subject gives clear, specific, informed, and unambiguous consent to the recording.
- Legitimate interest (Article 6(1)(f)): The controller has a legitimate interest that outweighs the individual's privacy rights, documented through a formal balancing test.
- Legal obligation (Article 6(1)(c)): A statute requires the recording, as in certain financial services or public safety contexts.
- Contract performance (Article 6(1)(b)): Recording is necessary to perform or document a contractual obligation.
The Warsaw Centre for Intoxicated Persons Case
UODO's enforcement track record on audio recording crystallized in a decision issued on June 23, 2022 (case DKN.5131.51.2021). The authority fined the Warsaw Centre for Intoxicated Persons (Stołeczny Ośrodek dla Osób Nietrzeźwych) PLN 10,000 for operating a surveillance system that captured both video and audio without any valid legal basis.
The facility had recorded sound through its monitoring system from 2016 through December 2021, retaining footage for 30 to 60 days. UODO found that no provision of the applicable legislation, including the Act on Upbringing in Sobriety and Counteracting Alcoholism (Ustawa o wychowaniu w trzeźwości i przeciwdziałaniu alkoholizmowi), authorized audio recording at the facility. The controller attempted to invoke Article 6(1)(c) GDPR, arguing compliance with a legal obligation, but UODO rejected this, finding no statutory basis for capturing sound.
UODO stated explicitly that "audio-visual recording is undoubtedly a greater form of interference with privacy than video alone" and that controllers "should not choose solutions that contain functions that are not necessary." The decision cited EDPB Guidelines 3/19 on video surveillance, which recommend that audio recording in surveillance systems should generally be disabled unless an explicit legal basis exists.
The Voivodeship Administrative Court in Warsaw upheld the fine on October 28, 2022. The decision stands as the leading Polish authority on audio recording without a valid legal basis.
The fine in this case was modest at PLN 10,000 (roughly EUR 2,200), partly because the controller cooperated with UODO and ceased audio recording before the final decision. But GDPR allows maximum fines of EUR 20 million or four percent of global annual turnover for serious violations. Organizations processing recordings at scale face substantially higher exposure.
UODO Enforcement Trajectory 2024 to 2026
UODO's enforcement activity has escalated significantly since the Warsaw Centre decision. UODO issues approximately 2,000 administrative decisions annually, though financial penalties remain relatively rare, appearing in roughly 30 cases per year. The authority focuses disproportionately on intentional violations and failures to notify data breaches.
In September 2024, UODO imposed a fine of PLN 4,053,173 (approximately EUR 969,659) on mBank for failing to notify affected data subjects of a personal data breach, as required under GDPR Article 34.
In 2025, UODO imposed its largest fine to date on Poczta Polska, the state postal operator. The fine of PLN 27,124,816 (approximately EUR 6.44 million) arose from Poczta Polska's unlawful disclosure and processing of personal data of approximately 30 million citizens drawn from the PESEL population register during the May 2020 postal elections conducted by government order during the COVID-19 pandemic.
UODO's 2026 enforcement priorities include healthcare entities using video surveillance, with specific attention to whether audio recording capabilities are disabled by default. Organizations in the healthcare sector that have not reviewed their surveillance systems since the 2022 Warsaw Centre decision should treat UODO's 2026 focus as a direct compliance signal.
Workplace Recording and Employer Obligations
Employer surveillance of employees is regulated by Article 22(2) of the Kodeks pracy (Labor Code), introduced by amendments that took effect on May 25, 2018. These provisions work in tandem with GDPR requirements.
What Employers Can Do: Video Monitoring
Under Article 22(2) §1, an employer may introduce video monitoring (monitoring wizyjny) in the workplace when it is necessary for one of four enumerated purposes:
- Ensuring the safety of employees
- Protecting property
- Controlling production processes
- Maintaining the confidentiality of information whose disclosure could harm the employer
This list is exhaustive. Using cameras to monitor working time, track breaks, or observe off-duty behavior does not fit within the authorized purposes.
Video monitoring may not cover restrooms, changing rooms, canteens, smoking rooms, or trade union premises. An exception exists where the employer demonstrates necessity and obtains agreement from employee representatives, but even then, footage must be processed to prevent identification of individuals (for example, by blurring faces).
What Employers Cannot Do: Audio Recording
The Labor Code provision authorizes visual monitoring. It says nothing about audio. UODO's position, reinforced by the 2022 Warsaw Centre decision, is that audio recording in workplace surveillance systems is impermissible unless a specific statute authorizes it for that particular type of facility or function.
Polish law reserves audio surveillance authority primarily to law enforcement and security services operating under judicial oversight. An employer who installs microphones in the office, records phone calls of employees without statutory authorization, or enables audio capture on security cameras faces both GDPR enforcement action and potential criminal liability under Article 267 if employees were not participants in the captured conversations.
Employee Recording of Employers
The flip side of the participant rule benefits workers. An employee who records a conversation with a supervisor, a performance review, a meeting with HR, or a phone call with a manager is not committing a crime under Polish law, because the employee is a participant.
Polish labor courts have admitted employee-made recordings as evidence in wrongful termination cases, mobbing (workplace bullying) claims, and discrimination proceedings. The Supreme Court's April 2016 ruling in case II CSK 478/15 applies in the labor context as well: the recording is admissible if the method of obtaining it does not violate the principles of social coexistence and if the evidence serves the interest of a fair hearing.
Employer Compliance Checklist
Before activating any monitoring system, employers must:
- Document the specific legal basis under Article 22(2) and GDPR Article 6(1).
- Consult with the works council or employee representatives if one exists.
- Notify all employees in writing at least two weeks before monitoring begins.
- Include monitoring details in employment contracts or onboarding documentation.
- Post visible signs or notices at entrances to monitored areas.
- Retain video recordings for no longer than three months from the date of capture, unless footage is needed as evidence in pending legal proceedings.
- Disable audio recording on all surveillance equipment unless an explicit statutory basis exists.
Recording in Public Places
Recording in publicly accessible spaces follows separate rules shaped by the lower expectation of privacy that applies in public settings.
In parks, streets, public transport, shopping centers, and government buildings, individuals generally may record their surroundings. Article 23 of the Kodeks cywilny (Civil Code) protects a person's image (wizerunek) as a personal right, but Polish case law recognizes that people appearing incidentally in public settings have limited grounds to object to being captured on camera.
Key limitations on public recording include:
- Publishing identifiable images of individuals without their consent requires a legal basis. Polish copyright law (Ustawa o prawie autorskim i prawach pokrewnych, Art. 81) requires consent to disseminate a recognizable likeness unless the person is a public figure acting in an official capacity, the person forms part of a larger crowd or public event, or another statutory exception applies.
- Private property open to the public, such as shopping centers, stadiums, and museums, may restrict or prohibit recording under their internal regulations. Violating these rules can result in removal from the premises and potentially trespass liability.
- Government and public officials acting in their official capacity may be recorded in public without their consent. Polish law recognizes a broad right to document the actions of public servants and elected officials.
Voyeurism and Non-Consensual Intimate Images
Article 191a of the Kodeks karny provides specific and serious protection against intimate recording without consent, covering both live recording and the distribution of intimate imagery.
Article 191a §1 criminalizes two distinct acts: (1) recording the image of a naked person or a person engaged in sexual activity, where the recording is made through violence, illegal threat, or deceit; and (2) distributing the image of a naked person or a person engaged in sexual activity without their consent. The same penalty applies to both acts: imprisonment from 3 months to 5 years.
Three features of Article 191a are worth noting. First, the recording element requires that it was obtained by violence, illegal threat, or deceit. A recording made surreptitiously, without any coercive element, may still trigger liability under the distribution provision if it is later shared. Second, the provision applies regardless of whether the act occurs in a public or private location. Voyeuristic recording in a changing room and illicitly capturing intimate images in a private home are both within scope. Third, the law covers both real intimate images and AI-generated or deepfake intimate imagery produced without the subject's consent, though deepfake-specific provisions are addressed more directly in the 2024 Criminal Justice Bill discussed below.
Revenge pornography is fully covered under Article 191a. Polish law enforcement prosecutes distribution of intimate images without consent regardless of whether the images were originally obtained with consent inside a relationship. The ending of a consensual relationship does not create a right to distribute intimate recordings made during it.
Aggravated forms: Where distribution is carried out at scale, through organized groups, or with intent to gain financial benefit, courts may treat the conduct as meriting sentences toward the upper end of the five-year range.
Victims of Article 191a violations may simultaneously pursue civil claims under Civil Code Articles 23 and 24 for violation of personal dignity and image, and GDPR enforcement through UODO if the intimate images contain personal data processed without a legal basis.
Civil Liability for Recording
Even where no criminal offense has been committed, recording can generate civil liability for violating personal rights (dobra osobiste) under Articles 23 and 24 of the Civil Code.
Article 23 provides that personal rights, including health, freedom, honor, name, image, and the confidentiality of correspondence, are protected under civil law independently of any protection offered by other statutes. Article 24 allows a person whose personal rights are threatened to demand that the threatening conduct cease, and to seek monetary compensation (zadośćuczynienie) where a violation has occurred.
Polish courts have recognized recording as a potential violation of:
- Privacy (prywatność)
- The confidentiality of correspondence and communication (tajemnica korespondencji)
- Personal dignity and reputation (godność, dobre imię)
A person whose personal rights are violated through recording may seek:
- An injunction ordering the recording to be deleted or its distribution to cease
- A public apology published in a specified medium
- Monetary compensation, which courts have awarded in amounts ranging from several thousand to several hundred thousand PLN depending on the severity and scope of the violation
Civil and criminal liability are independent tracks. A person may face both simultaneously. For example, someone who illegally eavesdrops on a private conversation and then posts it on social media could face criminal prosecution under Article 267 §3, criminal charges for sharing the recording under §4, and a civil lawsuit for violation of personal rights under Articles 23 and 24 of the Civil Code.
Article 212 and defamation: Publishing a recording that contains false imputations against another person can additionally trigger Article 212 of the Criminal Code. Basic defamation carries a fine, restriction of liberty, or up to one year's imprisonment. Defamation committed through mass media, which Polish courts have consistently interpreted to include publication on widely accessible online platforms, carries up to two years' imprisonment. Publishing a recording that exposes private conduct and harms the subject's reputation, even if the underlying conduct actually occurred, can amount to defamation if the publication is made with malicious intent or in a manner designed to humiliate rather than to inform a genuine public interest.
Business Compliance for Call Recording
Polish businesses that record telephone calls with customers or partners must navigate overlapping obligations under criminal law, GDPR, the Labor Code, and the Electronic Communications Law (Prawo komunikacji elektronicznej, which replaced the Prawo telekomunikacyjne effective November 10, 2024).
The 2024 Electronic Communications Law expanded coverage to include interpersonal communication services that do not use publicly assigned numbering resources. This means messaging platforms, email services, and video conferencing tools used in business settings are now subject to the same data retention obligations as traditional telephony. Businesses that record video calls or chat logs must address those recordings under the same compliance framework as telephone recordings.
A compliant call recording program typically includes:
- Pre-call notification: Inform the caller at the start of the conversation that recording is taking place, using a pre-recorded announcement or a verbal statement by the agent.
- Purpose specification: State the reason for recording. Common purposes include quality assurance, training, documentation of orders or instructions, and dispute resolution.
- Legal basis documentation: Identify and document the GDPR legal basis. For customer calls, legitimate interest (Article 6(1)(f)) is the most common basis. The balancing test must be completed in writing and available for UODO inspection.
- Access controls: Limit access to recordings to staff who require them for the documented purpose.
- Retention limits: Define and enforce a retention period. Three to six months is standard for quality monitoring. Calls documented for legal or contractual purposes may be retained longer, but indefinite storage violates GDPR's data minimization principle.
- Data processing agreements: Execute Article 28 GDPR data processing agreements with any external vendor that stores, processes, or transmits the recordings.
- Privacy notices: Address recording in both employee-facing privacy policies and customer-facing privacy notices.
- Opt-out mechanism: Where consent is the legal basis, provide a meaningful way for the caller to decline recording.
Failure to comply exposes the business to UODO enforcement, which has grown more active year over year. In 2022 alone, UODO issued 2,030 administrative decisions, including 20 decisions imposing fines totaling PLN 7,850,861 (approximately EUR 1.87 million).
Deepfakes and AI-Generated Content
Poland has moved on multiple fronts to address deepfake recording and AI-synthesized media. Three legal frameworks now apply simultaneously: domestic criminal legislation, EU platform regulation under the Digital Services Act, and EU AI Act transparency obligations.
The 2024 Criminal Justice Bill
Poland enacted legislation in 2024 targeting deepfake content directly. The law makes it illegal to create, share, or possess deepfakes for fraud, injuring another person, misleading others, political manipulation, or producing non-consensual intimate content. Penalties reach up to five years' imprisonment depending on the severity and purpose of the offense. Platforms hosting harmful deepfake content must remove it upon notification and must cooperate with law enforcement to identify the material and its origin.
The legislation fills a gap that existed before 2024: while existing Criminal Code provisions (Article 267 on unauthorized information acquisition, Article 191a on intimate recordings, Article 212 on defamation, and Article 286 on fraud) all captured elements of deepfake misuse, no single provision addressed the full spectrum of harms deepfakes create. As of early 2026, the 2024 law has not yet been the subject of a reported court decision, meaning that the precise contours of terms like "misleading others" and the platform notification standard have not been judicially defined.
UODO's Enforcement Against Deepfake Advertising
In 2024 and early 2025, UODO took direct action against Meta for displaying deepfake advertisements using the likenesses of two public figures without authorization. In both cases, UODO imposed interim protective measures under Article 66(1) of the GDPR and Article 70(1)(2) of the Polish Data Protection Act, ordering Meta to stop processing the personal data of those individuals in connection with the deepfake ads for a period of three months.
UODO found that Meta had failed to verify the authenticity of data used in the advertisements, creating a substantial risk of irreparable harm to the reputation and privacy of the individuals depicted. One case involved a businessperson whose image appeared in fake financial platform ads with fabricated endorsements. The second involved a journalist whose likeness was used in deepfake content falsely claiming her death, imprisonment, or domestic violence.
The primary jurisdiction for these cases was deferred to the Irish Data Protection Commission as Meta's lead supervisory authority under GDPR's one-stop-shop mechanism. However, UODO's interim orders demonstrated that Polish authorities will act under GDPR's emergency provisions when there is a risk of immediate harm, even when final authority lies with another EU supervisory body.
EU AI Act Article 50: Deepfake Labeling from August 2026
The EU Artificial Intelligence Act (Regulation (EU) 2024/1689), which entered into force on August 1, 2024, imposes transparency obligations on providers and deployers of generative AI systems under Article 50. These obligations become enforceable on August 2, 2026.
Under Article 50, providers of AI systems that generate or manipulate audio, image, or video content must mark that content in a machine-readable format indicating it is artificially generated or manipulated. Deployers of generative AI systems for professional purposes must clearly disclose when content constitutes a deepfake. Content published for purposes of informing the public on matters of public interest requires disclosure of AI involvement. The European Commission published the first draft of its Code of Practice on AI-generated content transparency in December 2025, with a final version expected by June 2026.
For Polish businesses using AI tools that generate or modify voice recordings, video recordings, or synthetic audio, August 2026 is the compliance deadline. UODO will supervise high-risk AI systems in coordination with the AI Act's governance framework.
Digital Services Act Platform Obligations
The Digital Services Act (Regulation (EU) 2022/2065) became fully applicable on February 17, 2024, for all online platforms operating in the EU, including Poland. Very large online platforms (VLOPs) and very large online search engines (VLOSEs) must assess and mitigate systemic risks, which explicitly include the dissemination of harmful deepfake content. The DSA requires fast removal of illegal content, including NCII and manipulated media constituting harassment or defamation. Poland's Digital Services Coordinator coordinates DSA enforcement domestically.
UODO's September 2025 Deepfake Proposal
On September 18, 2025, the President of UODO formally requested the Prime Minister introduce dedicated legislation protecting individuals from harmful deepfakes. The proposal identified gaps in current law: limited liability for deepfake creators, insufficient platform obligations for proactive detection, and the absence of fast formal mechanisms for victims to obtain removal of harmful content. UODO proposed mandatory platform detection and labeling systems, rapid content removal processes, legal accountability for both creators and distributors, and a public education program on deepfake risks. As of early 2026, this proposal remains under deliberation.
Cross-Border Recording
Recording laws become more complex when a call or recording spans two countries. The applicable law depends on which jurisdiction's connection to the recording is strongest, and different legal systems reach different answers.
The Polish Rule in Cross-Border Calls
Under Polish criminal law, Article 267 applies to conduct occurring on Polish territory. A person physically in Poland who records a call with someone in another country is subject to Polish law for their side of the recording. Because Poland follows the participant rule, a Polish participant recording their own side of a cross-border call commits no offense under Polish law.
The position of the other party matters when that person is in a two-party consent jurisdiction. Germany, for example, requires all-party consent for recording private telephone conversations under §201 of the Strafgesetzbuch. A Polish resident recording a call with a German contact commits no offense under Polish law, but the German contact's rights under German law must be separately analyzed if any legal use of the recording is contemplated in Germany.
GDPR as the Cross-Border Framework
GDPR applies whenever a controller established in the EU processes personal data, regardless of where the data subjects are located. It also applies to non-EU controllers who offer goods or services to EU residents or who monitor the behavior of EU residents. This means that a company based outside Poland that records calls with Polish customers must comply with GDPR's legal basis requirements, even if the company has no physical presence in Poland.
For cross-border calls between EU member states, GDPR provides a unified framework: the same legal basis rules, the same data subject rights, the same retention limits, and the same UODO (or equivalent DPA) enforcement track apply whether the call crosses from Poland to Germany, France, or Italy. The lead supervisory authority for a multinational company's cross-border processing is determined by the company's main establishment under the one-stop-shop mechanism. Poland-based UODO will be the lead authority for companies whose EU headquarters or main decision-making center sits in Poland.
Cross-Border GDPR Enforcement Regulation
Regulation (EU) 2025/2518, adopted by the Council in November 2025 and entering into force in December 2025 (application date: April 2, 2027), introduces additional procedural rules to accelerate cross-border GDPR enforcement. It streamlines cooperation between the lead supervisory authority and concerned supervisory authorities and introduces binding resolution procedures for cross-border complaints. For Polish residents whose personal data is processed through recordings by multinational companies, this regulation strengthens the ability to obtain redress without being routed through a foreign DPA indefinitely.
Practical Rule for Businesses
When recording calls that cross into jurisdictions with stricter consent requirements than Poland's, the safest practice is to apply the strictest rule that applies to any party on the call. A call center in Poland serving German customers should treat the call as subject to all-party consent requirements, because German law applies to the German party's side of the conversation and disputes arising in Germany would be analyzed under German law.
Penalties at a Glance
| Offense | Legal Provision | Maximum Penalty |
|---|---|---|
| Non-participant eavesdropping | Art. 267 §3 Kodeks karny | 2 years imprisonment |
| Sharing an illegally obtained recording | Art. 267 §4 Kodeks karny | 2 years imprisonment |
| Voyeuristic intimate recording (with coercion) | Art. 191a §1 Kodeks karny | 5 years imprisonment |
| Distributing intimate images without consent | Art. 191a §1 Kodeks karny | 5 years imprisonment |
| Deepfake fraud, deception, or NCII | 2024 Criminal Justice Bill | 5 years imprisonment |
| Defamation via online publication of recording | Art. 212 §2 Kodeks karny | 2 years imprisonment |
| Audio surveillance without GDPR legal basis | Art. 6(1) GDPR via UODO | EUR 20 million or 4% of global turnover |
| Employer audio monitoring without basis | Labor Code Art. 22(2) + GDPR | UODO administrative fine |
| Failure to label AI-generated audio or video | EU AI Act Art. 50 (from Aug 2026) | EU AI Act penalty regime |
| Violation of personal rights via recording | Art. 23-24 Kodeks cywilny | Civil damages (court-determined) |
| Publishing identifiable image without consent | Copyright Law Art. 81 | Civil damages |
Recent Legal Developments
Several significant changes have reshaped Poland's recording law landscape since 2024.
Electronic Communications Law (November 2024): Poland's new Electronic Communications Law (Prawo komunikacji elektronicznej) replaced the 2004 Telecommunications Law effective November 10, 2024. The new law expanded coverage to messaging platforms, email, and video conferencing tools. Businesses that record video calls or maintain chat logs now face the same data retention compliance requirements that previously applied only to traditional telephone systems.
2024 Criminal Justice Bill on Deepfakes: The 2024 legislation targeting deepfake creation, distribution, and possession represents Poland's most significant criminal law update in the recording space in several years. Penalties of up to five years imprisonment signal that deepfake misuse is treated as a serious offense equivalent in severity to voyeuristic recording. The law also imposes platform obligations for content removal on notification.
UODO v. Meta (2024-2025): UODO's interim orders against Meta established that GDPR Article 66(1) emergency powers can be invoked against platforms that fail to verify the authenticity of personal data used in AI-generated advertising, even where final jurisdiction lies with another EU DPA. This signals that Polish residents depicted in deepfake content have a domestic enforcement path available without waiting for the Irish DPA.
EU AI Act Article 50 (August 2026): The obligation to label AI-generated audio, video, and images in machine-readable format becomes enforceable across all EU member states, including Poland, on August 2, 2026. UODO will supervise compliance for controllers operating in Poland.
UODO Deepfake Proposal (September 2025): UODO's request to the Prime Minister for standalone deepfake legislation signaled that Poland's existing criminal and data protection framework is viewed, even by the regulator itself, as incomplete. Dedicated national legislation may follow in 2026.
Cross-Border GDPR Enforcement Regulation (December 2025): Regulation (EU) 2025/2518 streamlines how DPAs across the EU cooperate on cross-border cases, with application from April 2027. Polish residents recording cross-border calls with businesses headquartered in other EU member states gain a clearer enforcement path.
Sources and References
- Ustawa z dnia 6 czerwca 1997 r. Kodeks karny (Criminal Code, consolidated text Dz.U. 2024 poz. 17) (isap.sejm.gov.pl)
- Constitution of the Republic of Poland (1997), Articles 47, 49, and 51 (sejm.gov.pl)
- UODO Decision DKN.5131.51.2021 Audio recording without legal basis, Warsaw Centre for Intoxicated Persons (June 23, 2022) (uodo.gov.pl)
- EDPB Notice: Audio recording requires legal basis, Administrative fine imposed on Warsaw Centre (2022) (edpb.europa.eu)
- Regulation (EU) 2016/679 General Data Protection Regulation (GDPR) (eur-lex.europa.eu)
- Ustawa z dnia 26 czerwca 1974 r. Kodeks pracy, Art. 22(2) (workplace monitoring provisions) (isap.sejm.gov.pl)
- EDPB Guidelines 3/19 on processing of personal data through video devices (edpb.europa.eu)
- UNODC Crime Legislation Database Poland, Penal Code, Article 267 (unodc.org)
- Regulation (EU) 2024/1689 EU Artificial Intelligence Act (entered into force August 1, 2024) (eur-lex.europa.eu)
- Regulation (EU) 2022/2065 Digital Services Act (eur-lex.europa.eu)
- Regulation (EU) 2025/2518 Cross-border GDPR enforcement procedures (in force December 2025, applies April 2027) (consilium.europa.eu)
- European Commission EU AI Office, Code of Practice on AI-generated content transparency (first draft, December 2025) (digital-strategy.ec.europa.eu)
- Article 267 §3 Illegal Eavesdropping and Violation of Communication Secrecy (Cyberlaw analysis) (cyberlaw-by-judyta.com)
- Recording call-centre employees phone calls and data protection legislation HR Law Poland (hrlaw.pl)
- Polish DPA bans Meta from processing personal data of two public figures for displaying deepfake ads (traple.pl)
- UODO Audio recording should be conducted only with legal basis (uodo.gov.pl)
- Data Protection Laws and Regulations Report 2025-2026 Poland ICLG (iclg.com)