KG LEGAL \ INFO
BLOG

Hosting services and related legal requirements

Publication date: March 05, 2025

The hosting service consists of sharing space on a server, which allows for storing website files and ensures their availability on the network. Hosting service providers offer different types of servers and technologies, which differ in terms of performance, security and price. Choosing the right hosting depends on the individual needs of the user deciding on such a service.

There are several types of hosting:

  • Shared hosting – this involves many different websites using one server. Each user has a space allocated on the server to store files. This is the cheapest type of hosting, but it also means that users share other server resources, such as processor performance or RAM. This type of hosting is most often used by small and medium-sized websites.
  • Cloud hosting – the hosting service client receives space not on the server, but in the cloud, which has no limitations such as disk capacity or data transfer. This type of hosting provides a high standard of security and bandwidth. Cloud hosting works well for sites that generate a lot of traffic and have dynamically changing needs.
  • VPS hosting – a virtual private server, which is an equivalent of a physical server. Each user has a specific amount of resources on it, such as a processor, RAM or disk, and does not share them with others. This is an optimal solution for medium and large websites.
  • Dedicated hosting – a physical server rented entirely by one user. The user has full control over the server and does not share server resources with anyone. This is the most expensive type of hosting, which guarantees the highest level of security, privacy and performance. This type of hosting is optimal for specialized and demanding websites that need high computing power.

Legal regulations related to the hosting service in the Polish legal system

The hosting service is regulated in Poland by a number of legal acts that define the obligations of both providers and users of such a service. This issue is regulated not only by national acts, but also by EU legislation such as Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and Regulation (EU) 2022/2065 on the single market for digital services and amending Directive 2000/31/EC (Digital Services Act).

  • Civil Code

The hosting agreement is not directly regulated in this legal act, but it is based on the provisions of the Code regarding service contracts. This means that the relationship between the service provider and the service recipient is shaped by general clauses regarding the law of obligations.

  • Act on the provision of services by electronic means of 18 July 2002.

This Act imposes obligations on hosting service providers in the form of:

  • Information obligation – the service provider must clearly and precisely define the terms of service provision, including the principles of their use and possible restrictions, the terms of concluding and terminating the contract for the provision of services by electronic means and the complaint procedure (Article 8 of the Act). In addition, Article 6 obliges the service provider to provide the service recipient with access to information on specific risks related to the use of the service provided by electronic means, as well as the functions and purpose of the software or data that are not part of the content of the service, entered by the service provider into the IT system used by the service recipient;
  • Ensuring security – the service provider is obliged to ensure appropriate technical and organizational measures to protect data against unauthorized access, modification and loss, damage or destruction (Article 11);
  • Personal data protection – the service provider must comply with the provisions on the protection of personal data. Personal data that the service provider may process in order to perform the contract are: the surname and names of the service recipient, PESEL registration number or passport number, identity card number or other document confirming identity, permanent residence address, correspondence address, data used to verify the electronic signature of the service recipient, electronic addresses of the service recipient.

In accordance with Article 14 of the above Act, the hosting service provider shall not be liable for the stored data if it had no knowledge of the unlawful nature of the data or the activities related to it or, after obtaining knowledge of the unlawful nature of the data, took action to remove or prevent access to such data.

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR)

This regulation imposes a number of obligations on hosting service providers acting as processors related to the protection of personal data:

  • The hosting service provider is obliged to process data only on the documented instructions of the controller, to ensure that persons authorized to process data have committed to ensuring confidentiality, to implement appropriate technical and organizational measures to protect data, not to engage another processor without the prior consent of the controller, to assist the controller in fulfilling obligations related to data security, to delete or return data after the service has been terminated (Article 28);
  • Service providers must implement appropriate security measures such as pseudonymisation and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to quickly restore the availability of data in the event of an incident and regular testing and evaluation of the effectiveness of the measures implemented (Article 32);
  • In the event of a data protection breach, the hosting service provider is obliged to immediately report this fact to the controller so that the controller can inform the supervisory authority within 72 hours (Article 33).

  • Regulation (EU) 2022/2065 on the single market for digital services and amending Directive 2000/31/EC (Digital Services Act)

The Digital Services Act is a regulation that introduces new obligations for Internet service providers, including hosting services. This regulation imposes a number of obligations on hosting service providers to increase security and transparency on the Internet. Under this act, Internet service providers must:

  • Designate contact points for direct electronic communication with Member State authorities, the Council and the European Commission (Article 11);
  • Implement mechanisms that allow users to report illegal content. These mechanisms must be easily accessible and user-friendly and must allow reporting to be done electronically only (Article 16);
  • Regularly publish reports on content moderation, including information on the number of removed or blocked content items and the reasons for such action (Articles 14 and 17);
  • Cooperate with the relevant authorities in the event of a suspected violation of the law, including providing them with the necessary content upon request (Article 18).

Hosting Agreements

Hosting agreements are a key document regulating the relationship between the hosting service provider and the client. To ensure transparency of cooperation and protection of the interests of both parties, the hosting agreement should include elements such as:

  • Designation of the parties to the contract, such as precise data identifying the service provider and the service recipient, i.e. name and surname or company name, address of residence or registered office and appropriate identification numbers such as PESEL (Identification Number) or KRS (National Court Register);
  • Definition of the subject of the contract: a detailed description of the service provided, including the type of hosting, technical parameters of the server and any additional services;
  • Contract duration: the term of the contract and the terms of its extension or termination;
  • Fees and payment terms: Information on service costs, payment terms, possible additional fees and consequences for late payments;
  • Service Level Agreement (SLA): Definition of service parameters such as server availability, failure response time, backup policy and ensuring the security of server resources, server monitoring and continuity of operation of servers and related services;
  • Obligations of the parties: Detailed definition of the obligations of the service provider (e.g. providing technical support) and the service recipient (e.g. compliance with the regulations, not posting illegal content);
  • Personal data protection: Provisions regarding the processing and protection of personal data in accordance with applicable regulations, including GDPR. In the event of entrusting data processing, it is necessary to conclude an appropriate contract;
  • Liability and limitations: Rules regarding the liability of the parties for possible damages, including exclusions and limitations of the service provider’s liability and complaint procedures;
  • Final provisions: Clauses regarding the possibility of introducing changes to the contract, resolving disputes, and jurisdiction of the courts.

Fulfilling the obligations of a hosting provider in practice

Hosting companies operating on the Polish market must ensure compliance with the requirements imposed by law. An example is the set of comprehensive solutions implemented by the cyberfolks.pl operator to protect data and ensure high availability and security of processing systems: disk arrays and regular copies of data, which allow for data recovery in the event of a failure; fire protection to prevent the destruction of the data processing site by fire; power supply protection ensuring continuity of services in the event of power failures; access protection measures preventing unauthorized persons from entering the server room; and organizational solutions in the form of internal regulations emphasizing data protection. Thanks to the implementation of these security measures, the user has a guarantee of high quality of service provision, service stability and data protection.
