A Warsaw-based e-commerce company discovers on a Monday morning that a misconfigured cloud storage bucket has exposed customer personal data – names, email addresses, and purchase histories – for an unknown period. The IT team seals the gap within hours. Then the question hits: what now, and how long do we have? The answer under Polish data protection law is unambiguous, and the clock is already running.

Under the General Data Protection Regulation as implemented in Poland, a personal data breach that poses a risk to individuals must be reported to the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) within 72 hours of the controller becoming aware of it. Failure to notify on time – or failure to notify at all – exposes the organisation to administrative fines reaching EUR 10 million or 2% of global annual turnover, whichever is higher. Where the breach is likely to result in a high risk to individuals, direct notification to affected data subjects is also mandatory.

This guide walks through the full notification procedure step by step: how to assess whether a breach triggers reporting obligations, what the UODO submission must contain, when affected individuals must be told, and where organisations most commonly go wrong. Three business scenarios – a manufacturing group, a software-as-a-service provider, and a foreign investor – illustrate how the rules apply in practice.

What counts as a notifiable breach under GDPR in Poland?

Not every security incident is a notifiable breach. The threshold question is whether the incident constitutes a personal data breach and, if so, whether it is likely to result in a risk to the rights and freedoms of natural persons. Poland applies the regulation's definitions directly, with UODO guidance shaping how controllers interpret ambiguous cases.

A personal data breach is any security incident – accidental or unlawful – leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Three categories matter in practice: confidentiality breaches (unauthorised access or disclosure), integrity breaches (unauthorised alteration), and availability breaches (loss or destruction). Each can trigger notification obligations independently. An availability breach – for example, ransomware encrypting a payroll database with no recoverable backup – is frequently underestimated as a reporting trigger.

The risk threshold filters out low-impact incidents. Where the breach is unlikely to result in any risk to individuals – for example, a lost encrypted laptop with a remote-wipe capability – no notification to UODO is required. However, the controller must still document the incident internally. That internal record must be sufficient to allow UODO to verify compliance after the fact. Organisations that skip documentation because they judge an incident low-risk invite scrutiny later.

Key factors in the risk assessment include:

  • The nature and sensitivity of the personal data involved
  • The volume of records and number of data subjects affected
  • The ease with which individuals can be identified
  • The likely consequences – financial loss, identity theft, reputational damage
  • Whether the data reached a malicious actor or remained within a controlled environment

Special-category data – health, biometric, genetic, or data revealing racial origin – automatically elevates the risk assessment. A breach affecting even a small number of health records will almost always cross the notifiable threshold. IP lawyers in Warsaw advising technology companies regularly encounter this issue when health-adjacent applications suffer incidents that their developers initially classify as minor.

How does the 72-hour UODO notification timeline work?

The 72-hour clock starts when the controller becomes "aware" of the breach. This single phrase generates more disputes with UODO than almost any other element of the procedure. Awareness does not require certainty. It arises when the controller has a reasonable degree of certainty that a security incident has occurred and that personal data has been affected.

In practice, awareness is triggered when a first credible internal report reaches management or the Data Protection Officer (DPO). A processor discovering a breach must notify the controller without undue delay – and that notification starts the controller's 72-hour window. Processors who sit on incident reports for 48 hours before telling the controller effectively cut the controller's response time in half. Contractual clauses requiring processor notification within 24 hours are now standard in well-drafted data processing agreements.

The 72-hour period runs continuously – weekends and public holidays do not pause the clock. For a breach discovered at 11 p.m. on a Friday, the deadline falls at 11 p.m. on Monday. Controllers without an on-call incident response procedure will find that deadline extremely difficult to meet. We secured a reversal of a UODO penalty exceeding PLN 500,000 for a retail client in the Mazowieckie region (autumn 2025) precisely because their incident log demonstrated that the 72-hour window had been calculated correctly from first credible awareness, not from the moment the breach was fully investigated.

Where it is not possible to provide full information within 72 hours, GDPR allows a phased notification. The initial submission must include all information available at the time, with a clear statement that the investigation is ongoing. Supplementary information must follow without further undue delay. UODO accepts this approach but expects the initial notification to contain at minimum: the nature of the breach, approximate number of data subjects, likely consequences, and the DPO's contact details.

For a tailored strategy on breach response timelines, reach out to info@kordeckipartners.com.

What must the UODO notification contain?

The UODO notification is submitted electronically through the Office's dedicated portal. The submission form maps directly onto the mandatory content requirements set out in the regulation. Controllers who treat the form as a box-ticking exercise – rather than a substantive risk document – often receive follow-up requests that extend the investigation and increase enforcement risk.

The notification must describe: the nature of the breach including the categories and approximate number of data subjects and records; the name and contact details of the DPO or other contact point; the likely consequences of the breach; and the measures taken or proposed to address it, including measures to mitigate its possible adverse effects. Each element carries weight. UODO officers pay particular attention to the "measures taken" section. A vague statement that "security has been improved" will draw a request for specifics.

Three business scenarios illustrate the content challenge:

Manufacturing group (Silesia): A supplier portal suffers a SQL injection attack exposing employee data of 3,400 workers. The notification must describe the attack vector, the data categories (names, PESEL numbers, bank account details), the steps taken to close the vulnerability, and the interim measures protecting affected employees. PESEL numbers raise the risk level significantly – identity fraud is a foreseeable consequence, and that consequence must be named.

SaaS provider (Mazowieckie): A misconfiguration exposes tenant data across client accounts. The provider is both a processor for its clients and a controller for its own employee data. Two parallel notification tracks may be required: processor notifications to each affected client-controller, and a direct UODO notification if the provider's own employee data was involved. The intersection of DORA compliance obligations and GDPR notification requirements adds complexity for providers serving the financial sector.

Foreign investor (Lower Silesia): A German parent company's Polish subsidiary suffers a breach. The lead supervisory authority question arises if the parent has establishments in multiple EU member states. Where the Polish subsidiary is the sole establishment in the EU, UODO is the competent authority. Cross-border notification strategy requires legal advice before the 72-hour window closes. Technology companies entering Poland, including United States tech companies, should review their incident response plans as part of their IP protection strategy for Poland.

When must affected individuals be notified?

Controller notification to UODO and notification to affected data subjects are two separate obligations with different thresholds. Subject notification is required when the breach is likely to result in a high risk to individuals – a more demanding standard than the general notification threshold. High risk typically involves special-category data, financial credentials, data enabling identity theft, or large-scale exposure of sensitive information.

The notification to individuals must be made "without undue delay." There is no fixed hour count, but UODO guidance treats anything beyond 72 hours of the UODO notification as presumptively delayed. The communication must be in plain language, describe the nature of the breach, provide the DPO's contact details, explain the likely consequences, and set out what the controller has done or will do to address the breach. Legal jargon, passive constructions, and vague reassurances are all red flags in UODO enforcement reviews.

We obtained interim protective measures for a fintech client in Pomerania (spring 2026) after a breach exposed payment card data for approximately 8,000 individuals. Acting within 60 hours of first awareness, the team coordinated simultaneous UODO notification and subject communication, avoiding the personal liability exposure that falls on board members who delay. That timeline also reduced the likelihood of regulatory escalation under the AI Act provisions applicable in Poland to the client's scoring algorithms.

Three exemptions allow controllers to avoid direct subject notification. First, where the controller has implemented appropriate technical measures – particularly encryption – that render the data unintelligible to unauthorised persons. Second, where the controller has taken subsequent measures ensuring high risk no longer materialises. Third, where direct communication would involve disproportionate effort – in which case a public communication or equivalent measure is required instead. None of these exemptions is self-executing. Each requires documented justification that will withstand UODO scrutiny.
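As an added illustration (not tooling from the firm or from UODO), the following Python snippet encodes the decision points described in the sections above as a breach-register entry: the risk threshold for UODO notification, the 72-hour clock running continuously from first credible awareness, the minimum content of a phased initial submission, and the three exemptions from direct subject notification. All field and function names are assumptions chosen for this example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Risk(Enum):
    NONE = "unlikely to result in a risk"       # document internally only
    RISK = "likely to result in a risk"         # notify UODO within 72 hours
    HIGH = "likely to result in a high risk"    # also notify data subjects


UODO_WINDOW = timedelta(hours=72)
# Minimum content UODO expects in an initial (phased) notification.
INITIAL_MINIMUM = ("nature", "approx_data_subjects", "likely_consequences", "dpo_contact")


@dataclass
class BreachRecord:
    """One entry in the internal breach register (field names are assumptions)."""
    description: str
    aware_at: datetime                   # first credible internal report, not end of forensics
    risk: Risk
    data_unintelligible: bool = False    # exemption 1: e.g. encrypted, keys not compromised
    high_risk_removed: bool = False      # exemption 2: subsequent measures taken
    direct_contact_disproportionate: bool = False  # exemption 3: public communication instead
    provided: dict = field(default_factory=dict)   # form fields already available now


def uodo_deadline(rec: BreachRecord) -> datetime:
    # The clock runs continuously: weekends and public holidays do not pause it.
    return rec.aware_at + UODO_WINDOW


def assess(rec: BreachRecord, now: datetime) -> dict:
    """Return the notification obligations and timing for one register entry."""
    notify_uodo = rec.risk is not Risk.NONE
    notify_subjects = (rec.risk is Risk.HIGH
                       and not rec.data_unintelligible
                       and not rec.high_risk_removed)
    channel = None
    if notify_subjects:
        channel = "public communication" if rec.direct_contact_disproportionate else "direct"
    missing = [f for f in INITIAL_MINIMUM if f not in rec.provided]
    deadline = uodo_deadline(rec)
    return {
        "document_internally": True,      # always, even when no notification is required
        "notify_uodo": notify_uodo,
        "uodo_deadline": deadline,
        "hours_remaining": (deadline - now) / timedelta(hours=1),
        "overdue": notify_uodo and now > deadline,
        "phased": notify_uodo and bool(missing),   # file now, supplement without undue delay
        "missing_minimum_fields": missing,
        "notify_subjects": notify_subjects,
        "subject_channel": channel,
    }
```

Note that an encrypted data set can remove the duty to contact individuals while leaving the UODO notification in place, which the function reflects by evaluating the two obligations separately.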

What are the most common mistakes – and how do you avoid them?

Procedural errors in breach notification are frequently more damaging than the breach itself. UODO enforcement decisions show a consistent pattern: organisations that handle the incident competently but notify poorly face larger fines than those whose security failings were less severe. The notification process is itself an audit of organisational maturity.

The most common errors fall into five categories. Late notification – missing the 72-hour deadline because the incident response chain was unclear or because management delayed escalation – is the single most cited violation. Incomplete notifications – submitting a form without describing likely consequences or proposed remedial measures – trigger follow-up requests that keep the file open. Failure to document low-risk incidents creates gaps that UODO exploits during broader audits. Processor notification failures – where a vendor discovers a breach and fails to tell the controller promptly – break the timeline before it starts. Finally, inadequate subject notifications – using technical language or omitting mandatory content – generate complaints that UODO treats as aggravating factors.

Board members should note that personal liability for GDPR violations is not excluded under Polish corporate law. Where a breach and its mishandled notification result in regulatory fines, board members who authorised inadequate security budgets or blocked DPO recommendations may face derivative claims. The intersection of data protection and director liability is explored in more detail in our analysis of fiscal criminal defence strategy for board members.

What to prepare before an incident occurs:

  • An incident response plan naming responsible persons and escalation paths
  • A data breach register template ready for immediate population
  • DPO contact details and authority to notify UODO without board sign-off
  • Processor contracts with 24-hour notification clauses already in place
  • A pre-drafted subject notification template reviewed by legal counsel

Organisations operating automated decision-making systems or AI-driven profiling tools face an additional layer of complexity. A breach affecting data used to train or operate a high-risk AI system may trigger parallel reporting obligations under the AI Act. Controllers deploying such systems should review the AI Act high-risk classification and affected sectors to understand where those obligations intersect with GDPR breach reporting.

Specific breach response situations require analysis before the 72-hour window closes. To receive an expert assessment of your organisation's exposure, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the 72-hour deadline apply even if the investigation is not complete?

A: Yes. The regulation explicitly anticipates phased notification. The initial submission must include all information available at the time of filing, with a clear statement that further details will follow. The investigation's incompleteness does not extend the deadline. Controllers who wait for a full forensic report before notifying UODO routinely miss the window and face enforcement action for the delay alone, regardless of how thoroughly they eventually document the incident.

Q: What is the realistic cost of a UODO notification procedure for a mid-sized company?

A: Direct costs depend on whether legal counsel and a forensic vendor are engaged. Legal support for a standard notification – drafting the submission, coordinating with the DPO, and preparing subject communications – typically runs between PLN 8,000 and PLN 25,000 depending on complexity. Forensic investigation is separate and can reach PLN 100,000 or more for large-scale incidents. These costs are dwarfed by the potential fines: EUR 10 million or 2% of global annual turnover for notification failures, and EUR 20 million or 4% for substantive GDPR violations.

Q: A common misconception is that encrypting data means a breach never needs to be reported – is that true?

A: Only partially. Encryption of the affected data can eliminate the obligation to notify individual data subjects, because the data is unintelligible to the unauthorised party. However, the obligation to notify UODO is assessed separately. If the breach still poses a risk – for example, because the encryption keys were also compromised, or because metadata was exposed – UODO notification remains required. Controllers should not assume that encryption creates a blanket exemption. Each incident requires a documented risk assessment reaching a reasoned conclusion.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, technology law, and GDPR compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating breach notification procedures, UODO enforcement, DORA compliance, and AI Act obligations. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.