Poland
AI behavior law: bot and agent disclosure, crawler and training-data rules, automated-agent transactions, and algorithmic decision-making.
Summary
Poland implemented the DSM Directive with a significant delay — the amended Act on Copyright and Related Rights (ustawa o prawie autorskim) entered into force on 20 September 2024, the last EU member state (after Bulgaria) to transpose. The amendment added art. 26² (research TDM) and art. 26³ (general/commercial TDM), the latter permitting TDM unless a rights-holder has made a machine-readable opt-out reservation; robots.txt is recognised as an effective opt-out mechanism. Poland has the full EU sui generis database right (ustawa o ochronie baz danych). Computer access crimes are governed by Kodeks karny art. 267, which requires bypassing a security measure — public pages without technical protection are outside its scope. GDPR applies with the UODO (Urząd Ochrony Danych Osobowych) as DPA; the UODO imposed one of the first major GDPR enforcement actions in the EU for scraping public registries without informing data subjects (Bisnode, 2019). The EU AI Act is binding from August 2025.
Automated-access legality
Carried forward from the crawler-law index. Governs whether automated clients may access public websites in this jurisdiction.
| Dimension | Value |
|---|---|
| Authorization test | security mechanism bypass |
| Public-page carve-out | yes |
| Terms-of-service browsewrap enforceable | notice dependent |
| Terms-of-service clickwrap enforceable | yes |
| Copyright exception model | tdm dual track |
| Text and data mining — commercial status | with optout |
| Text and data mining — opt-out mechanism | robots txt |
| robots.txt legal weight | evidentiary |
| AI training-specific law | binding |
| Privacy regime | GDPR |
| Trespass to chattels | not recognized |
Last reviewed: 2026-05-23. Confidence: medium. Fast-moving area — verify before relying. Not legal advice.