A Warsaw-based e-commerce company discovers at 9 a.m. on a Monday that customer records were exfiltrated over the weekend. The clock is already running. Under the GDPR, which applies directly in Poland, the company has 72 hours from the moment it became aware of the breach to notify the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO). Missing that window is not a procedural technicality. It triggers enforcement proceedings, administrative fines, and – where affected individuals suffer harm – civil claims that cannot be undone.

The GDPR applies directly in Poland; the Polish Act of 10 May 2018 on the Protection of Personal Data supplements it and designates UODO as the supervisory authority. Article 33 GDPR requires controllers to notify UODO within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. Where the risk is high, Article 34 requires the controller also to notify affected data subjects without undue delay. Failure to meet either obligation exposes the organisation to administrative fines of up to EUR 10 million or, for an undertaking, 2% of total worldwide annual turnover of the preceding financial year, whichever is higher.

This alert covers what the 72-hour rule demands in practice, who bears the notification obligation, and the immediate steps your organisation must take today. It also flags how intersecting regimes – including DORA compliance for financial entities and AI Act Poland obligations for certain automated systems – affect the scope of your response.

What does the 72-hour rule actually require?

The obligation is triggered not by the breach itself but by awareness. A controller "becomes aware" when it has a reasonable degree of certainty that a security incident has occurred and that personal data is involved. That moment starts the 72-hour countdown – regardless of whether the full scope of the breach is known. UODO does not pause the clock while you investigate, and a notification filed after 72 hours must be accompanied by the reasons for the delay (Article 33(1)); the absence of a credible reason is itself held against the controller.

Notification to UODO must include four core elements: a description of the nature of the breach (including categories and approximate number of records affected); the name and contact details of the data protection officer (DPO) or other contact point; a description of the likely consequences; and the measures taken or proposed to address the breach. If all information is not available within 72 hours, the controller may submit an initial notification and supplement it later – but the initial filing must still arrive on time.

UODO operates an online notification portal. Controllers registered with the National Court Register (KRS) should ensure their organisational details are current before a breach occurs. Submitting a notification through the wrong channel or to the wrong supervisory authority does not satisfy the obligation. This matters for cross-border processing handled under the one-stop-shop mechanism, where the notification goes to the lead supervisory authority of the controller's main establishment, which may not be UODO. We assisted a technology client in Mazowieckie region (autumn 2025) in correcting a misdirected notification that had been filed with a lead supervisory authority in another EU member state, securing UODO's acceptance of the supplemented filing before the enforcement window closed.

The threshold matters. Not every security incident requires notification. The controller must assess whether the breach is "unlikely to result in a risk" to individuals. Low-risk incidents – for example, encrypted data lost on a device where the key is not compromised – may be documented internally without notification. That internal record must be maintained and available for UODO inspection. Underestimating risk to avoid notification is one of the most common errors we see, and it is irreversible once UODO opens an ex officio investigation.

Who is affected and what must they do within 72 hours?

The notification obligation falls on the controller – the entity that determines the purposes and means of processing. Processors have a separate obligation with no fixed period: they must notify the controller "without undue delay" after becoming aware of a breach (Article 33(2)), which in practice means fast enough for the controller to meet its own 72-hour deadline. A processor that delays notification and causes the controller to miss the UODO window shares exposure under the contractual data processing agreement and may face independent regulatory scrutiny.

Financial entities subject to DORA compliance (Regulation (EU) 2022/2554) face a layered regime. A cyber incident affecting personal data may simultaneously trigger DORA incident reporting to the Polish Financial Supervision Authority (KNF) and GDPR Poland notification to UODO. The timelines and triggers differ. DORA's initial notification to KNF must be filed within 4 hours of classifying an incident as major and no later than 24 hours after becoming aware of it, with intermediate and final reports following on their own deadlines; the GDPR clock runs from awareness that personal data is involved, and an incident can be major under DORA without involving personal data, or the reverse. Controllers in this sector must run parallel notification tracks from the moment of awareness.

Organisations deploying automated decision-making systems covered by AI Act Poland requirements should also assess whether a breach affecting those systems triggers additional transparency obligations toward data subjects. The intersection of AI Act and GDPR notification duties is an emerging compliance area that UODO has signalled it will scrutinise.

Where the breach is likely to result in a high risk to individuals – identity theft, financial loss, discrimination, or reputational damage are the standard markers – the controller must also communicate the breach to affected data subjects directly (Article 34). That communication must be in clear and plain language, describe the nature of the breach and its likely consequences, give the DPO or other contact point, and state the measures taken or proposed. It is not required where the affected data were protected by measures such as encryption that render them unintelligible to whoever obtained them, where subsequent measures mean the high risk is no longer likely to materialise, or where contacting individuals would involve disproportionate effort and an equally effective public communication is made instead; UODO may nonetheless order the controller to notify. There is no fixed deadline beyond "without undue delay," but UODO guidance treats delays beyond five to seven days as presumptively unjustified. For guidance on protecting IP and data assets in cross-border technology operations, see our analysis of IP protection strategy for Italy tech companies in Poland.

What immediate actions should your organisation take now?

Speed and documentation are the two variables that determine whether a breach response succeeds or fails before UODO. Acting fast without recording your reasoning is as damaging as acting slowly. Every step taken in the first 72 hours should be timestamped and attributed to a named decision-maker.

We secured a favourable outcome for a manufacturing client in Lower Silesia (spring 2026) precisely because their incident response log showed a structured, good-faith assessment process – even though the initial risk classification had to be revised upward. UODO treated the revision as evidence of diligence, not evasion.

Immediate action checklist:

  • Contain the breach within the first two hours of awareness, preserving forensic evidence (volatile memory, logs, disk images of affected systems) before remediation overwrites it.
  • Convene the DPO, IT security lead, and legal counsel to conduct the risk assessment – document the meeting and conclusions.
  • File the initial UODO notification via the online portal before the 72-hour deadline, even if the investigation is incomplete.
  • If you are a processor, notify the controller without undue delay; if you are a controller, alert the processors involved so they can assist with containment and evidence preservation.
  • Assess whether high-risk thresholds are met and, if so, prepare direct subject notification in plain language.

For organisations with cross-border data flows, the notification obligation may extend beyond UODO. Controllers transferring personal data from Poland to other jurisdictions must also consider whether the breach triggers obligations under the law of the receiving country. Our detailed analysis of data transfer from Poland to France – legal mechanisms addresses the interaction between Polish and French supervisory requirements. Where enforcement follows a breach, understanding how Polish judgments operate procedurally is also relevant; see our step-by-step guide on enforcing a judgment in Poland for context on downstream civil proceedings.

The personal liability dimension should not be overlooked. Board members and senior managers who knowingly delay notification – or who fail to implement adequate breach-detection mechanisms – face personal exposure under Polish administrative and civil law. That exposure is not capped at the level of the corporate fine. It is a separate, concurrent risk that the corporate structure does not shield.

Your organisation's specific facts will determine which obligations apply and in what sequence. A generic breach response plan is rarely sufficient when UODO is reviewing your file.

To receive an expert assessment of your data breach notification obligations or to review your incident response procedures, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the 72-hour deadline apply if we are still investigating and do not know the full scope of the breach?

A: Yes. The deadline runs from awareness of the breach, not from completion of the investigation. Controllers should file an initial notification with the information available and supplement it as the investigation progresses. UODO accepts phased notifications provided the initial filing is timely and the supplementary information is submitted without unnecessary delay.

Q: Is there a minimum number of affected individuals that triggers the notification obligation?

A: No fixed numerical threshold exists under GDPR Poland. The trigger is risk to individuals' rights and freedoms, assessed qualitatively. A breach affecting one individual's health data or financial credentials may require notification, while a breach affecting thousands of records that were properly encrypted or pseudonymised, with the key or the linking data uncompromised, may not. (Truly anonymised data is not personal data at all, so its loss is not a personal data breach.) The risk assessment must be documented regardless of the conclusion.

Q: What is the difference between notifying UODO and notifying affected individuals?

A: Notification to UODO is required whenever the breach poses a risk – any level of risk – to individuals. Notification to affected individuals is required only when the risk is high. The two obligations have different thresholds, different content requirements, and different audiences. Many controllers incorrectly treat them as interchangeable, which leads to either over-notification to individuals or under-notification to UODO. An IP lawyer, whether Warsaw-based or internationally focused, should ensure both tracks are managed separately within the incident response plan.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, technology regulation, and IP matters. We work with Polish entrepreneurs, foreign investors, and in-house legal teams on GDPR compliance, breach response, trademark protection, and emerging regulatory frameworks including AI Act Poland and DORA compliance. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.