ATTENTION – THIS IS AN AUTOMATIC TRANSLATION from Polish
The securing of IT data in Polish criminal proceedings is primarily regulated by Article 218a of the Code of Criminal Procedure. This provision stipulates that entities conducting telecommunications activities, providing electronic services, and digital service providers are obligated to immediately secure, upon request of a court or prosecutor, IT data stored on devices containing such data for a specified period, but no longer than 90 days.
With respect to selected crimes (including sexual offenses against minors, terrorism, and drug offenses), it is possible to combine security with the obligation to prevent access to data, as well as with an order to remove illegal content.
In turn, Article 218b of the Code of Criminal Procedure is a competence-based provision, based on which the Regulation of the Minister of Justice of June 18, 2021, was issued – specifying the method of technical preparation of systems and networks used to transmit information (Journal of Laws 2021, item 1101). This act clarifies detailed requirements for the technical preparation of these systems and networks, as well as data security procedures.
Obligated entities must ensure data security against loss, distortion, unauthorized disclosure, and damage to media, and designate authorized individuals to perform these activities. The regulation requires, among other things, securing data in a manner that allows for subsequent reading (e.g., by saving it on a computer storage medium), preparing a memo of the activities performed, and storing data with access limited to authorized persons.
The institution of computer data security serves as a temporary measure to protect digital material against destruction or modification, which is particularly important due to the ease of tampering with electronic data. At the same time, the regulation serves as a guarantee – it limits the duration of security, requires the release of non-essential data from security, and directs obligations solely to professional entities, thus protecting users’ privacy rights. However, literature indicates that in practice, law enforcement agencies still often use simpler, „classic” methods of documenting digital content, which may weaken the standard of integrity and credibility of IT evidence secured without complying with the rules of Articles 218a-218b of the Code of Criminal Procedure and the above implementing provisions.
At the same time, it is important to remember the regulation of Article 47, paragraph 1, point 1 of the Act of July 12, 2024 – Electronic Communications Law, according to which a telecommunications undertaking is generally obliged, at its own expense, to retain and store certain identification data generated in the public telecommunications network or processed by it, within the territory of the Republic of Poland, for a period of 12 months from the date of the connection or unsuccessful connection attempt, and to destroy such data upon the expiry of this period, except for those secured in accordance with separate provisions. Therefore, a request by law enforcement authorities or the Court after the expiry of the so-called „restriction period” may be considered ineffective. data retention period (i.e. the above-mentioned 12 months) may prove ineffective, as the data may have been deleted by the telecommunications undertaking after the expiry of the above-mentioned statutory retention period.
