Questions to Ombudsman and Tax Authority regarding data security, personal GDPR data privacy and commercial sensitivity
The Polish mandatory National e-Invoice System (KSeF) set to be implemented from 1 February 2026, has raised significant concerns among entrepreneurs regarding trade data security and GDPR compliance. They have raised concerns with the Ombudsman (Rzecznika Praw Obywatelskich) who responsibility to protect civil and human rights implied by the Constitution of Poland and other legislative acts
KSeF, established by the amended Act on Tax on Goods and Services of June 16, 2023, aims to streamline the issuance and collection of structured invoices. However, an audit earlier this year revealed issues with the IT architecture, affecting its performance, security, and maintainability. This led to a delay of implementation from mid-2024 to early 2026.
On 1 February 2026, the obligation will apply to taxpayers whose sales value exceeds PLN 200 million, and from April 1, 2026 – to all entrepreneurs.
Businesses fear that the extensive data collected by KSeF, including sensitive trade data, will be vulnerable as it centralizes critical business information. This data encompasses details about transactions such as what is sold, to whom, and for how much, which are integral to maintaining competitive advantage. They worry about potential access to this data by both system users and state authorities, compromising confidentiality and potentially violating GDPR and privacy rights.
National Tax Administration challenged by Ombudsman
The Ombudsman has received numerous complaints and forwarded them to the head of the National Tax Administration. The complaints stress that consolidating sensitive business data in one place poses a significant risk. Trade secrets, as defined by Polish law, include a wide array of business-critical information that should remain confidential to prevent unfair competition. Past legal precedents affirm the importance of protecting such information to maintain equal competition among businesses.
Moreover, there are concerns about compliance with GDPR and constitutional rights to privacy and data protection. The Constitution mandates that data collected by public authorities should be limited to what is necessary, emphasizing the need for adequate safeguards for personal data.
In response, the Deputy Ombudsman has requested clarifications from the National Tax Administration regarding data collection, the sharing of information, and security measures within KSeF to address these apprehensions. The goal is to ensure that the new system does not infringe upon the rights to privacy, trade secret protection, and fair competition, as enshrined in both national and European laws.