A Warsaw-based e-commerce platform discovered, on a Monday morning in late autumn 2025, that a misconfigured cloud storage bucket had exposed personal data belonging to roughly 14,000 customers. Names, email addresses, and partial payment records were accessible without authentication for an estimated 72 hours. The internal IT team flagged the incident at 09:00. By 09:45, the question on the table was not whether to notify – it was how to do so correctly, and how fast.
Under Polish data protection law, which implements the General Data Protection Regulation (GDPR) and is supervised by the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO), a controller must notify the supervisory authority within 72 hours of becoming aware of a personal data breach – unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk, affected data subjects must also be notified without undue delay. Failure to comply forfeits the opportunity to demonstrate good-faith mitigation and exposes the controller to administrative fines that may reach EUR 10 million or 2% of global annual turnover, whichever is higher.
This case study walks through the background, the legal strategy our team deployed, the notification process itself, and the lessons that apply to any organisation operating in Poland. The matter has been anonymised. References to specific individuals and company identifiers have been removed.
What was the background to the breach?
The client operated a mid-size online retail platform registered in Poland and subject to the UODO as its lead supervisory authority under the GDPR as applied in Poland. The misconfiguration had been introduced three weeks earlier during a routine infrastructure migration. No malicious actor was identified, but the absence of confirmed exfiltration did not eliminate legal exposure. Under Polish data protection law, a breach exists once the confidentiality, integrity, or availability of personal data is compromised – regardless of whether harm has materialised.
The exposed dataset included special categories of data for a small subset of users: approximately 340 records contained health-related purchase information. That detail changed the risk calculus entirely. Health data triggers a higher threshold of harm assessment. The client's data protection officer (DPO) had not yet been formally notified internally, which itself raised a procedural concern. The 72-hour clock, under GDPR, starts from the moment the controller – not merely the IT team – becomes aware. Pinning that moment precisely mattered for the notification timeline.
We were instructed at 11:30 on the same day. Our first task was to establish the exact awareness timestamp. Internal email records, ticketing system logs, and the DPO's calendar were reviewed within two hours. The controller's awareness was fixed at 09:00. That left approximately 60 hours to file a valid notification with the UODO.
How did the legal strategy address the 72-hour deadline?
Polish data protection practice requires the notification to the UODO to be submitted via the authority's dedicated online portal. The submission must describe the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. Where full information is not yet available, an initial notification is permitted – followed by supplementary information as the investigation progresses. That phased approach proved essential here.
We secured a reversal of a threatened administrative penalty for a retail client in the Mazowieckie region (autumn 2025) by demonstrating that a phased notification, filed within 48 hours of awareness, satisfied the UODO's procedural expectations even though the full forensic report was not yet available. The authority treated the prompt initial filing as evidence of good-faith compliance.
For the e-commerce client, we prepared a two-stage submission. The first filing – delivered within 44 hours of awareness – covered the confirmed facts: the nature of the misconfiguration, the estimated number of affected individuals, the categories of data exposed, and the immediate containment measures already taken (the bucket had been secured within 90 minutes of discovery). The second filing, submitted on day five, incorporated the forensic vendor's full report and a revised assessment of residual risk.
The presence of health data among the exposed records required a separate analysis. Because that subset created a high risk to the rights and freedoms of natural persons, Polish data protection law required individual notification to those 340 affected users. The notices were drafted in plain language, as GDPR mandates, and sent by email with read-receipt tracking. A dedicated helpline was established for 30 days. That step – often skipped by organisations focused solely on the regulator – substantially reduced the likelihood of individual complaints to the UODO.
- Establish the precise awareness timestamp before filing anything
- File an initial notification within 72 hours, even if the investigation is incomplete
- Identify whether any special category data is involved – it triggers individual notification
- Retain forensic logs and internal communications as evidence of good faith
- Appoint external counsel before the first UODO contact, not after
For organisations with cross-border data flows – a common scenario given Poland's role in European supply chains – the question of which supervisory authority is the lead authority adds further complexity. Foreign investors whose processing involves non-EEA recipients should also review their obligations under the legal mechanisms governing data transfers from Poland to the UAE.
What did the UODO process reveal about compliance gaps?
The UODO acknowledged receipt of the initial notification within 24 hours. Over the following three weeks, the authority issued two rounds of written questions. The first round focused on the technical architecture of the cloud environment and the contractual arrangements with the cloud provider (a data processor). The second round addressed the client's record of processing activities and its breach detection procedures.
Both rounds exposed gaps that are common across Polish-registered controllers. The processor agreement lacked an explicit clause requiring the processor to notify the controller of a suspected breach within a defined timeframe – Polish data protection practice generally treats 24 hours as the expected standard, even though GDPR sets no fixed processor-to-controller deadline. That omission weakened the client's position when explaining the three-week detection lag.
We obtained interim protective measures for a technology client in Lower Silesia (spring 2026) by demonstrating that a processor's failure to report a suspected incident within 24 hours constituted a material breach of the data processing agreement – allowing the controller to terminate the contract and recover remediation costs exceeding EUR 300,000. That matter illustrates why processor agreement drafting is not a formality. For guidance on protecting technology assets more broadly, see our analysis of IP protection strategy for German tech companies in Poland.
The record of processing activities was incomplete. Several processing operations added during the platform's expansion had not been documented. That gap did not directly cause the breach, but it signalled to the UODO that the organisation's data governance framework needed structural improvement. The authority ultimately issued a reprimand rather than a fine – a result attributable to the prompt notification, the immediate containment, and the remediation plan we submitted alongside the second filing. No penalty was imposed. The UODO closed the matter within 11 weeks of the initial notification.
What lessons transfer to other organisations?
Three lessons from this matter apply broadly. First, the 72-hour clock is unforgiving. Organisations that wait for a complete forensic picture before notifying routinely miss the deadline. Polish data protection law – and GDPR as applied by the UODO – permits and encourages phased notifications. The initial filing stops the clock; supplementary detail follows. Any organisation that has not rehearsed this sequence through a tabletop exercise is operating with unnecessary exposure.
Second, processor agreements deserve the same attention as the primary data protection documentation. The UODO's questioning in this matter focused heavily on contractual arrangements. Controllers who cannot demonstrate that their processors are contractually bound to report suspected incidents promptly will struggle to explain detection delays. Organisations operating under the Digital Operational Resilience Act (DORA) or subject to AI Act requirements in Poland face parallel notification obligations that intersect with GDPR – the documentation burden compounds quickly.
Third, individual notification to data subjects is frequently underweighted. Controllers tend to focus on the regulator. But a well-handled subject notification – clear, timely, offering concrete support – reduces the volume of individual complaints that reach the UODO. Complaints from data subjects are a separate trigger for UODO investigations and carry their own procedural timeline. Suppressing that trigger through good subject communication is both legally sound and commercially sensible. For matters where documentary evidence becomes contested, the standards applicable to expert witnesses in Polish court proceedings may become relevant in subsequent enforcement or litigation.
Organisations in the IP and technology sector – including those managing trademark portfolios or engaging a Warsaw-based IP law practice – should treat data breach response as a standing operational procedure, not a crisis-management improvisation.
The specific facts of your organisation's situation will determine which elements of this framework apply and with what urgency. A breach involving financial data in a regulated sector carries different obligations than one affecting an internal HR system. The risk assessment is not a formality – it is the document the UODO will scrutinise first.
To receive an expert assessment of your organisation's breach notification readiness or to discuss an active incident, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does the 72-hour deadline apply even if the breach turns out to be low-risk?
A: The 72-hour obligation applies as soon as the controller becomes aware of a breach, unless the breach is clearly unlikely to result in any risk to individuals. If, after assessment, the risk is determined to be negligible, the controller is not required to notify the UODO – but that conclusion must be documented in the internal breach register, together with the reasoning. Reaching that conclusion takes time, and the clock does not pause during the assessment. Controllers who delay notification while investigating, and then conclude that notification was required, routinely find themselves in breach of the deadline.
Q: What is the cost of a UODO investigation, and how long does it typically take?
A: There is no filing fee for a breach notification. The indirect costs – external counsel, forensic vendors, subject notifications, and remediation – typically range from PLN 50,000 to PLN 500,000 depending on the scale of the breach and the complexity of the processing environment. A straightforward matter where the controller notifies promptly and cooperates fully may close in eight to twelve weeks. Contested investigations, or those involving large-scale breaches, can extend beyond twelve months.
Q: Is it a misconception that only large companies face UODO fines?
A: Yes. The UODO has issued fines against organisations of all sizes, including small businesses and sole traders. The size of the organisation is one factor in the proportionality assessment, but it does not create immunity. Controllers that fail to notify, fail to document their breach register, or fail to implement basic technical measures – regardless of their revenue – remain exposed to administrative penalties. The UODO has also issued reprimands and corrective orders that, while not financial, appear in the public register and carry reputational consequences.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, technology law, and regulatory compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams on GDPR compliance programmes, breach response, DORA readiness, and preparation for the AI Act in Poland. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.