A Warsaw-based e-commerce company discovers at 9 p.m. on a Friday that its customer database has been exfiltrated. The security team confirms the breach by midnight. The clock is already running. Under Polish and EU data protection law, the company has 72 hours from the moment it becomes aware of the incident to notify the supervisory authority – and missing that window carries consequences that cannot be undone.
Polish data protection law implements the General Data Protection Regulation (GDPR) directly. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) is the national supervisory authority responsible for receiving breach notifications. Controllers must notify UODO within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Late or incomplete notification exposes the controller to administrative fines of up to EUR 10 million or 2% of global annual turnover.
This alert sets out what the 72-hour obligation covers, who bears it, and the concrete steps your organisation must take before the deadline expires. It also flags the intersection with sector-specific regimes – including DORA compliance for financial entities and AI Act Poland obligations for AI system providers – where parallel notification duties may apply.
What does the 72-hour rule actually require?
The obligation is triggered the moment a controller becomes "aware" of a breach. UODO and the European Data Protection Board align on this: awareness means a reasonable degree of certainty that a security incident has occurred and that personal data has been affected. You do not need to complete a full forensic investigation first. If your IT team flags an anomaly that plausibly involves personal data, the clock starts.
The notification itself must contain four categories of information. First, a description of the nature of the breach – including the categories and approximate number of data subjects and records involved. Second, the name and contact details of the Data Protection Officer (DPO) or other contact point. Third, a description of the likely consequences of the breach. Fourth, a description of measures taken or proposed to address it.
- Nature of the incident and data categories affected
- Approximate number of individuals and records involved
- DPO or designated contact point details
- Likely consequences and mitigation measures
- Basis for any delay beyond 72 hours (if phased notification applies)
The GDPR, as applied in Poland, allows phased notification. If all information is not available within 72 hours, the controller may submit an initial notification and supplement it later – but must explain the reason for the delay. UODO has indicated in its published guidance that unexplained gaps in the initial filing weigh against the controller in any subsequent enforcement review. The National Court Register (KRS) filing history of the entity may also be examined to verify organisational capacity claims.
We secured a withdrawal of a UODO enforcement inquiry for a retail client in the Mazowieckie region (autumn 2025) by demonstrating that a phased notification was submitted within 68 hours, with a full supplement filed within five business days.
Who is affected and what are the thresholds?
Every controller established in Poland – or processing data of Polish residents – falls within UODO's jurisdiction. This includes Polish companies, foreign subsidiaries, and non-EU entities that target Polish consumers. Processors do not notify UODO directly; they notify the controller "without undue delay" after becoming aware of a breach, giving the controller time to assess and file. The processor's contractual obligation typically sets a window of 24 to 36 hours to allow the controller to meet the 72-hour deadline.
Not every breach requires UODO notification. The threshold is risk to individuals' rights and freedoms. A breach involving encrypted data where the key is uncompromised, or a brief accidental internal disclosure with no external access, may fall below the threshold. However, the controller must document its risk assessment regardless. UODO inspectors routinely request that documentation during audits, and the absence of a written assessment – even for low-risk incidents – is treated as a compliance gap.
A separate, higher threshold triggers the duty to notify affected individuals directly. Where the breach is likely to result in a high risk to rights and freedoms – for example, exposure of health data, financial credentials, or data enabling identity theft – the controller must also communicate the breach to each affected data subject. This communication must be clear, plain-language, and delivered without undue delay. There is no fixed statutory deadline for this step, but UODO expects it to follow promptly after the supervisory notification.
Sector-specific rules add further layers. Financial entities subject to DORA compliance must also notify the Polish Financial Supervision Authority (KNF) of ICT-related incidents under a parallel regime with different classification criteria and timelines. Providers of AI systems under AI Act Poland obligations may face additional incident reporting duties where the breach affects a high-risk AI system. IP law practices in Warsaw and trademark registrants holding sensitive IP data are not exempt from the general GDPR framework as applied in Poland.
What must your organisation do right now?
The first 72 hours are operational, not legal. Your internal response plan must be activated before legal counsel drafts the notification. Three actions must happen in parallel: containment of the breach, assessment of the data involved, and preparation of the UODO filing. Waiting for a complete forensic report before starting the notification is the most common – and most costly – mistake controllers make.
- Activate your incident response plan and log the time of awareness
- Identify data categories, approximate record count, and affected individuals
- Assess risk level: low risk (document only), risk (notify UODO), high risk (notify UODO + individuals)
- Prepare and submit the UODO notification via the authority's online portal
- Brief your DPO and, where applicable, notify processors or sub-processors
UODO accepts notifications through its electronic platform. The form requires the controller's identification details, a description of the incident, and the four information categories listed above. Controllers without a DPO must designate a named contact. For cross-border breaches – where data subjects in multiple EU member states are affected – the lead supervisory authority mechanism under the GDPR applies, and UODO may act as lead or cooperating authority depending on the controller's main establishment. For entities transferring data internationally, the legal mechanisms applicable to data transfers from Poland to Cyprus or to data transfers from Poland to the UAE must be reviewed to confirm that transfer safeguards remain intact after the breach.
Our team obtained a favourable UODO assessment for a fintech client in Lower Silesia (spring 2026) by coordinating simultaneous UODO and KNF notifications within 48 hours of breach awareness, avoiding the compounding penalties that a sequential approach would have triggered.
Corporate governance matters here too. Board members of the affected entity bear responsibility for ensuring the organisation has the internal capacity to meet the 72-hour deadline. Where that capacity is absent – no DPO, no incident response plan, no data mapping – personal liability of directors for organisational failures is a live risk. Reviewing your corporate and M&A structure in Poland can clarify where accountability sits within group structures.
What to prepare before a breach occurs:
- A documented data map identifying personal data categories and storage locations
- A written incident response plan with named roles and a 72-hour action timeline
- A DPO appointment or designated contact point registered with UODO
- Template UODO notification form, pre-populated with static controller information
Specific situations require tailored analysis. A breach affecting only internal HR records carries different risk and notification obligations than one exposing payment card data or health records. The risk assessment is not a formality – it is the document that determines whether UODO views your response as compliant or negligent. Controllers that cannot produce a contemporaneous written assessment forfeit the procedural protections that a documented, good-faith response provides.
To discuss how the 72-hour notification obligation applies to your organisation's specific data environment, email info@kordeckipartners.com.
Frequently asked questions
Q: Does the 72-hour clock run from when the breach occurred or when we discovered it?
A: The clock runs from the moment the controller becomes aware – not from when the breach actually happened. Awareness means a reasonable degree of certainty that an incident has occurred and personal data is involved. If your IT team flags a suspected exfiltration, that moment of internal awareness starts the 72-hour period, even if the full scope is not yet known.
Q: What happens if we miss the 72-hour deadline?
A: A late notification does not automatically result in a fine, but it is an aggravating factor in UODO's enforcement assessment. The authority will examine why the deadline was missed and whether the controller had adequate internal procedures. Fines for notification failures can reach EUR 10 million or 2% of global annual turnover. Repeated failures or evidence of deliberate delay significantly increase the penalty risk.
Q: Do we need to notify individuals affected by every breach?
A: No. Individual notification is required only where the breach is likely to result in a high risk to the rights and freedoms of those individuals. Examples include exposure of health data, financial credentials, or information enabling identity theft. For lower-risk breaches, notification to UODO (or internal documentation if below the UODO threshold) is sufficient. The controller must assess and document the risk level in every case.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, technology regulation, and IP matters. We advise on GDPR Poland compliance, UODO notification procedures, DORA compliance for financial entities, and AI Act Poland obligations. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.