A Dubai-based trading group acquires a Polish distribution subsidiary. Within six months, the subsidiary is processing cross-border payments, employing local staff, and handling customer data – yet its compliance framework still mirrors the UAE parent's internal policies, which were written for a different legal environment entirely. Polish regulators do not accept that explanation as a defence.

UAE subsidiaries operating in Poland must build a compliance programme that satisfies Polish and EU law simultaneously. The programme must cover anti-money laundering obligations, whistleblower protection, ESG reporting duties, and data privacy – each governed by separate Polish statutes with their own deadlines and penalty regimes. Failure to implement the required structures within the statutory timeframes exposes both the subsidiary and its board members to personal liability and regulatory sanction.

This guide walks through the design process step by step: what legal instruments apply, how to sequence implementation, where UAE-specific structures create friction with Polish requirements, and what mistakes typically derail the process. Three business scenarios – manufacturing, IT services, and a foreign investor holding structure – illustrate how the framework applies in practice.

What legal obligations apply to a UAE subsidiary operating in Poland?

The starting point is identifying which Polish and EU compliance regimes bind the subsidiary. This depends on its activity, headcount, and financial thresholds – not on where the parent is incorporated. A UAE parent does not insulate the Polish entity from local law.

Anti-money laundering rules under Polish AML legislation (implementing the EU's Fourth and Fifth AML Directives) apply to any entity classified as an "obligated institution." Financial intermediaries, real estate agents, accountants, and certain trading companies all fall within scope. Obligated institutions must appoint an AML compliance officer, implement internal procedures, and report suspicious transactions to the General Inspector of Financial Information (Generalny Inspektor Informacji Finansowej, GIIF). The GIIF can impose fines of up to PLN 1m per violation.

Whistleblower protection became mandatory in Poland following the transposition of EU Directive 2019/1937 into the Ustawa o ochronie sygnalistów (Act on the Protection of Whistleblowers). Companies with 50 or more employees must operate an internal reporting channel and a written whistleblower policy. The channel must be accessible, confidential, and capable of generating a written acknowledgment within seven days of receipt. Failure to establish the channel is a criminal offence carrying a fine of up to PLN 60,000 for the responsible manager.

Data protection obligations under the EU General Data Protection Regulation (GDPR) apply from day one of processing personal data in Poland. The subsidiary must appoint a Data Protection Officer (DPO) if it processes data on a large scale or handles special-category data. The National Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) supervises compliance and can impose fines of up to EUR 20m or 4% of global annual turnover.

  • AML: GIIF registration and internal procedures
  • Whistleblower: internal channel for entities with 50+ employees
  • GDPR: DPO appointment and processing records
  • ESG reporting: CSRD Poland scope applies from 2025 onward for large entities
  • Corporate governance: Kodeks spółek handlowych (Commercial Companies Code, KSH) board duties

For a UAE investor entering Poland through a manufacturing subsidiary – say, an aluminium components plant in the Silesia region – all five regimes will apply simultaneously from the date of operational launch.

How should a UAE subsidiary sequence its compliance programme design?

Sequencing matters because some obligations carry statutory deadlines while others can be phased. Getting the order wrong means spending resources on optional enhancements before mandatory structures are in place – which is the most common mistake we see in cross-border set-ups.

Phase one covers the hard-deadline obligations. AML procedures must be in place before the entity begins any activity that triggers obligated-institution status. The whistleblower channel must be operational before the subsidiary crosses the 50-employee threshold – not after. GDPR records of processing activities must exist from the first day personal data is collected. These three obligations are non-negotiable and non-deferrable. A UAE parent that instructs its Polish subsidiary to "align with group policy" before building local structures is creating personal liability for the Polish board members.

Phase two addresses the ESG reporting framework. Under CSRD Poland obligations, large Polish entities (meeting two of three thresholds: 250 employees, EUR 40m turnover, EUR 20m balance sheet) must produce a sustainability report aligned with European Sustainability Reporting Standards (ESRS) from financial year 2025 onward. For UAE subsidiaries that are part of a large group, consolidation reporting may pull the Polish entity into scope even if it does not independently meet the thresholds. A gap analysis should be completed within 90 days of incorporation.

Phase three builds the governance architecture: compliance committee terms of reference, a code of conduct, conflict-of-interest procedures, gifts and hospitality registers, and third-party due diligence protocols. None of these is individually mandated by statute, but group-level governance standards require them and they evidence the duties of care that KSH board members owe under Polish corporate law. The timeline for phase three is typically three to six months after phase one is complete.

We secured a reversal of a regulatory notice issued to a UAE-owned IT services subsidiary in the Mazowieckie region (spring 2025). The notice related to an absent whistleblower channel. The subsidiary had implemented the UAE parent's "speak-up" hotline – which did not meet the written-acknowledgment and confidentiality requirements of Polish law. Rebuilding the channel and demonstrating procedural compliance took eight weeks.

Where do UAE-specific structures create friction with Polish compliance requirements?

UAE corporate structures frequently include elements that are lawful and commercially standard in the Gulf but create compliance tension in Poland. Identifying these friction points early prevents costly restructuring later.

Nominee arrangements are common in UAE free zone structures. A UAE parent may use nominee shareholders or nominee directors as part of its local licensing requirements. Polish KSH law does not prohibit nominee arrangements outright, but Polish AML rules require the subsidiary to identify and verify its ultimate beneficial owner (UBO) and register that information in the Central Register of Beneficial Owners (Centralny Rejestr Beneficjentów Rzeczywistych, CRBR). Nominee layers that obscure the true UBO create a CRBR filing problem. Non-disclosure or incorrect disclosure carries fines of up to PLN 1m. The subsidiary must map its ownership chain all the way to the natural person who ultimately controls it – regardless of how many UAE free zone entities sit in between.

Cash-intensive payment flows common in Gulf trading structures attract enhanced scrutiny under Polish AML rules. If the subsidiary processes large cash transactions or transfers funds to counterparties in jurisdictions on the Financial Action Task Force (FATF) grey list, it must apply enhanced due diligence (EDD) measures. The GIIF publishes a list of high-risk third countries. UAE was removed from the FATF grey list in 2024, but subsidiaries with legacy payment patterns involving previously grey-listed counterparties should review their transaction monitoring procedures.

Three business scenarios illustrate the friction points most clearly. First, a UAE manufacturing group with a Silesian plant: the plant processes payments to UAE suppliers, triggering AML transaction monitoring duties. Second, a Dubai-based IT company with a Warsaw software house: employee data flows between the Warsaw entity and UAE servers require GDPR transfer mechanisms (Standard Contractual Clauses or an adequacy decision – UAE does not yet benefit from an EU adequacy decision). Third, a UAE holding company owning a Polish real estate vehicle: the holding structure must be fully mapped for CRBR purposes, and the real estate entity may itself be an AML obligated institution.

For a deeper look at cross-border insolvency risks that can arise when UAE group structures interact with Polish law, see our analysis at cross-border insolvency involving Poland and UAE.

What are the most common compliance mistakes – and how do you avoid them?

Most compliance failures in UAE-owned Polish subsidiaries follow a recognisable pattern. Understanding the pattern is the first step to avoiding it. Personal liability for board members, fines of up to EUR 20m, and criminal exposure for managers are the irreversible consequences of getting this wrong.

The most frequent mistake is treating the UAE parent's group compliance manual as a substitute for Polish-law-specific procedures. Group manuals are written for the parent's home jurisdiction or for a generic multinational audience. They typically do not address the GIIF reporting chain, the specific format required for the CRBR filing, or the seven-day acknowledgment requirement under Polish whistleblower law. A Polish compliance officer who relies on a group manual without localising it is not protected by that reliance.

The second common mistake is delayed DPO appointment. Many UAE subsidiaries assume that a DPO is only required once the business reaches significant scale. In practice, any subsidiary processing employee data, customer data, and supplier data simultaneously may already meet the "large scale" threshold under GDPR. The UODO has issued enforcement decisions against companies that delayed DPO appointment by as little as three months after exceeding the threshold.

The third mistake is incomplete CRBR registration. UAE group structures often involve multiple layers of holding companies across different free zones. Each layer must be traced. If the subsidiary registers an intermediate holding company as the UBO rather than the ultimate natural person, the filing is incorrect – and the PLN 1m fine applies to the incorrect filing, not just to a missing one.

We assisted a Wielkopolska-based manufacturing subsidiary of a UAE conglomerate (winter 2025) in correcting a CRBR filing that had listed a Dubai free zone company as the UBO. The correction required re-mapping a four-tier ownership chain and submitting amended documentation to the CRBR within the 14-day correction window to avoid the full penalty.

To compare how the same compliance design process works for a Central European subsidiary structure, the guide on compliance programme design for Czech Republic subsidiaries in Poland sets out a useful parallel framework.

What should a UAE subsidiary prepare before launching its compliance programme?

A compliance programme launch without preparation wastes time and creates gaps. The following checklist identifies the documents and decisions that must be in place before implementation begins. Missing any item typically adds four to eight weeks to the overall timeline.

  • Full ownership chain map identifying the ultimate beneficial owner down to natural-person level
  • Employee headcount confirmation and projected 12-month hiring plan (determines whistleblower channel deadline)
  • List of all jurisdictions to which the subsidiary transfers personal data (determines GDPR transfer mechanism needed)
  • Activity classification confirming whether the subsidiary is an AML obligated institution under Polish law
  • Financial threshold analysis for CSRD Poland applicability (turnover, balance sheet, headcount)

Once this preparatory information is assembled, the compliance design process typically takes 60 to 90 days for a subsidiary of 50 to 200 employees. Larger entities or those with complex UAE ownership chains should budget 120 days. The cost of external legal support for the full programme design – gap analysis, procedure drafting, CRBR filing, DPO appointment support, and whistleblower channel implementation – typically ranges from PLN 30,000 to PLN 90,000 depending on scope and complexity.

The decision matrix is straightforward. A subsidiary that is an AML obligated institution, has 50+ employees, and processes personal data at scale must run all three phases in parallel, not sequentially. A subsidiary below the 50-employee threshold that is not an obligated institution can defer phases two and three but must still complete GDPR compliance and CRBR registration from day one.

For a full overview of our ESG and compliance services for foreign-owned Polish entities, visit our ESG compliance practice page.

Specific compliance gaps in your UAE subsidiary's Polish operations carry irreversible consequences – a missing whistleblower channel is a criminal offence, an incorrect CRBR filing attracts a PLN 1m fine, and delayed GDPR compliance can trigger an UODO audit that precludes a clean regulatory record for years. These are not risks that resolve themselves over time.

If your UAE subsidiary is operating in Poland without a localised compliance programme – or if you are planning a Polish market entry and need the programme built before launch – our team will conduct a gap analysis, draft the required procedures, and manage the regulatory filings: contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the UAE parent's existing AML programme satisfy Polish requirements?

A: No. Polish AML law requires procedures specifically adapted to Polish regulatory requirements, including a defined reporting line to the GIIF and transaction monitoring calibrated to Polish risk categories. A UAE-law AML programme will not satisfy these requirements. The Polish subsidiary must adopt its own standalone AML procedures, even if they are informed by the group framework. The subsidiary's compliance officer bears personal responsibility for the adequacy of those procedures.

Q: How long does it take to implement a whistleblower channel, and what does it cost?

A: Implementation typically takes four to six weeks from the decision to proceed. The process involves drafting the internal policy, selecting a reporting channel (dedicated email, dedicated phone line, or third-party platform), and consulting with employee representatives if a works council exists. External legal support for the full implementation – policy drafting, employee notification, and testing – typically costs between PLN 8,000 and PLN 20,000 depending on entity size. The channel must be operational before the subsidiary reaches 50 employees, not after.

Q: Is a Data Protection Officer mandatory for every UAE subsidiary in Poland?

A: Not automatically. A DPO is mandatory if the subsidiary's core activities involve large-scale processing of personal data, systematic monitoring of individuals, or processing of special-category data (health, biometrics, criminal records). Many UAE subsidiaries in Poland – particularly those in trading, manufacturing, or IT services – will meet at least one of these criteria once they are operational at normal commercial scale. A formal assessment should be completed within 30 days of the subsidiary beginning data processing activities. Delaying this assessment is itself a compliance risk under GDPR.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to ESG compliance, AML programme design, whistleblower implementation, and cross-border regulatory matters. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.