A Milan-based software company had been processing customer data jointly with its Warsaw subsidiary for two years. The arrangement worked well operationally. Then a routine internal audit flagged that no formal transfer mechanism had ever been documented. Both entities were handling personal data of Polish and Italian data subjects, moving records across borders without a legal basis that would satisfy either the Polish supervisory authority or its Italian counterpart. The exposure was real, and the window to remediate it quietly was closing fast.

Transferring personal data from Poland to Italy is legally permissible under the General Data Protection Regulation (GDPR), because Italy is an EU member state and no additional adequacy decision or standard contractual clause is required for intra-EU flows. The transfer must still rest on a valid processing ground, a documented controller or processor relationship, and records of processing activities maintained under Polish data protection law. Failure to establish this documentation before a supervisory inquiry precludes the informal remediation route and forces a formal response to the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO).

This case study traces how we structured the compliance remediation for an anonymised Italian technology group with a Polish subsidiary. It covers the background facts, the legal strategy we chose, the process we followed, and the lessons that apply to any cross-border data arrangement between Poland and Italy.

What was the background to this matter?

The client operated a software-as-a-service platform serving mid-market manufacturers across Central Europe. The Warsaw entity handled onboarding, customer support, and first-level data processing. The Milan parent ran analytics, product development, and stored master data on servers hosted in Italy. Both entities were nominally controllers of overlapping data sets. Neither had executed a data processing agreement (DPA) with the other, and the internal privacy policy had not been updated since the original GDPR implementation in 2018.

The audit identified three distinct risk layers. First, the absence of a DPA between the Polish and Italian entities meant there was no documented legal basis for the data flows. Second, the records of processing activities (ROPAs) held by the Warsaw entity listed only domestic processing activities. Third, the platform used a third-party analytics tool hosted outside the EU, which introduced a potential onward transfer issue entirely separate from the Poland-Italy flow.

The client's in-house team had assumed that intra-EU data transfers required no documentation beyond the GDPR's general processing grounds. That assumption is understandable but incorrect. (GDPR compliance for intra-EU flows still demands a clear controller-processor or joint-controller framework, documented roles, and instructions in writing.) The UODO has issued enforcement decisions where this precise gap – undocumented intra-EU flows – formed the basis of a finding.

  • No executed DPA between Polish and Italian entities
  • ROPAs incomplete for cross-border processing activities
  • Third-party analytics tool creating an unaddressed onward transfer
  • No data retention schedule aligned across both jurisdictions

What legal strategy did we recommend?

Our first recommendation was to classify the relationship correctly before drafting any document. Under GDPR, the Polish and Italian entities could be structured as joint controllers, as a controller and processor, or as two independent controllers. The classification determines which obligations attach to each party and which contractual instrument is required. Getting this wrong – drafting a processor agreement when the relationship is actually joint-controller – creates a compliance gap that survives the documentation exercise.

After reviewing the data flows in detail, we concluded that the two entities were joint controllers of the customer onboarding data set. Each determined the purposes and means of processing independently but in relation to the same individuals. Polish corporate law and EU data protection law both require that joint controllers establish their respective responsibilities in a transparent arrangement, with a single point of contact for data subjects. We drafted a joint-controller agreement (JCA) governed by Polish law, with a dispute resolution clause pointing to the courts of Warsaw.

For the analytics tool, the strategy was different. The vendor was a US-based provider relying on the EU-US Data Privacy Framework (DPF) for its transfer mechanism. We verified the vendor's DPF certification through the official list maintained by the US Department of Commerce. Certification was current, which meant the onward transfer from Italy to the US was covered. We documented that verification in the ROPA and added a contractual obligation on the vendor to notify the client within 72 hours of any change in certification status.

We also advised the client on the interaction between GDPR and the AI Act (Regulation 2024/1689). The analytics tool incorporated a recommendation engine that fell within the AI Act's definition of a general-purpose AI model. That classification imposed additional transparency and documentation obligations that sat alongside – not instead of – the GDPR requirements. Addressing both frameworks in a single remediation exercise was more efficient than treating them sequentially. This intersection between GDPR compliance and AI Act obligations in Poland is increasingly common in technology-sector mandates.

How did the remediation process unfold?

We ran the remediation in three phases over a period of approximately 90 days. Phase one, lasting 30 days, was a structured data mapping exercise. We interviewed the Warsaw operations team, reviewed system architecture documentation, and traced every category of personal data from collection point to final storage. The output was a revised ROPA for the Polish entity, covering 14 distinct processing activities, with transfer destinations, retention periods, and legal bases recorded for each.

We secured a reversal of a potential UODO enforcement referral for a technology client in the Mazowieckie region (spring 2025) by completing the ROPA and submitting it voluntarily before any formal inquiry was opened. That timing matters. UODO's published guidance indicates that voluntary remediation before an inquiry opens is treated as a mitigating factor in any subsequent assessment of proportionality.

Phase two, running from day 31 to day 60, covered contract execution. We finalised the JCA between the Polish and Italian entities. The agreement allocated data subject request handling to the Warsaw entity for Polish data subjects and to the Milan entity for Italian data subjects. Response time was set at 30 days, consistent with GDPR's standard deadline. We also updated the client-facing privacy notice to disclose the joint-controller arrangement and identify both entities by name and address.

Phase three addressed the third-party vendor ecosystem. We reviewed 11 processors used by the Warsaw entity. Three required updated DPAs. One required replacement because the vendor could not demonstrate an adequate transfer mechanism for data routed through a Singapore data centre. The remediation closed within the 90-day window. The client filed a voluntary disclosure with UODO summarising the steps taken, which was acknowledged without further action within 45 days.

What lessons apply to similar Poland-Italy data arrangements?

The most transferable lesson is that intra-EU does not mean unregulated. Many businesses operating between Poland and Italy treat the absence of a third-country transfer requirement as permission to skip documentation entirely. It is not. GDPR's accountability principle requires that every processing activity – including flows between Warsaw and Milan – be documented, assigned a legal basis, and governed by a written agreement where a controller-processor or joint-controller relationship exists.

Our team obtained a clean compliance sign-off for a fintech subsidiary operating across Lower Silesia and northern Italy (autumn 2025), after restructuring its data governance framework from scratch. The exercise took 60 days and cost a fraction of what a UODO enforcement proceeding would have required in legal fees and management time alone.

The second lesson concerns the DORA compliance dimension for financial sector clients. The Digital Operational Resilience Act (DORA) applies to financial entities operating in Poland and Italy from January 2025. DORA imposes contractual requirements on ICT service providers that overlap substantially with GDPR processor obligations. A financial entity transferring data between its Polish and Italian operations must ensure its ICT contracts satisfy both frameworks simultaneously. Treating them as separate workstreams doubles the effort and creates inconsistencies that regulators notice.

The third lesson is strategic. Clients who engage a Warsaw IP law team with Italy-specific experience early in a cross-border arrangement avoid the remediation cost entirely. The JCA and ROPA we eventually produced could have been drafted at the outset for a fraction of the remediation budget. For companies expanding from Poland into Italy – or the reverse – the right moment to structure data governance is before the first data flow, not after the first audit finding.

For businesses considering similar cross-border structures, the following preparation is essential:

  • Map every data flow between the Polish and Italian entities before drafting any agreement
  • Classify the relationship (joint controller, controller-processor, or independent controllers) with legal advice
  • Execute a JCA or DPA before the first live data transfer occurs
  • Verify any onward transfers to non-EU vendors against the current DPF list or applicable SCCs
  • Update ROPAs to reflect cross-border flows, with retention periods and transfer destinations recorded

Businesses planning cross-border data operations between Poland and Italy should also consider the interaction with IP protection strategy frameworks, particularly where the data being transferred includes trade secrets, source code, or proprietary datasets that carry independent IP value. Similarly, companies expanding into adjacent Central European markets will find the analysis in our IP protection strategy for Hungary tech companies in Poland directly relevant to structuring multi-jurisdictional data governance.

The specific facts of your company's cross-border data arrangement will determine which mechanism applies and how quickly remediation must move. Waiting for a supervisory inquiry to arrive forfeits the mitigating effect of voluntary disclosure – an irreversible consequence that no amount of subsequent cooperation fully reverses.

If your company transfers personal data between Poland and Italy without a documented legal framework, we will conduct a structured data flow audit, classify the controller relationships, and draft the required agreements within an agreed timeline: info@kordeckipartners.com.

Frequently asked questions

Q: Does transferring data from Poland to Italy require standard contractual clauses?

A: No. Italy is an EU member state, so no standard contractual clauses or adequacy decision is needed for the transfer itself. However, the underlying processing must rest on a valid GDPR legal basis, and any controller-processor or joint-controller relationship must be documented in a written agreement. Absence of that documentation is itself a GDPR violation, even though the transfer is technically intra-EU.

Q: How long does a GDPR remediation exercise typically take for a Poland-Italy arrangement?

A: A structured remediation covering data mapping, ROPA updates, and contract execution typically takes 60 to 90 days for a company of mid-market size. The timeline depends on the number of processing activities, the complexity of the vendor ecosystem, and the availability of internal stakeholders for interviews. Voluntary disclosure to the Personal Data Protection Office (UODO) filed after remediation is usually acknowledged within 30 to 45 days.

Q: Is it a common misconception that GDPR only matters for transfers outside the EU?

A: Yes, and it is one of the most frequently encountered compliance gaps in cross-border European operations. GDPR's accountability and documentation obligations apply to every processing activity regardless of whether data crosses an EU external border. The regulation requires records of processing activities, documented legal bases, and written agreements between controllers and processors for all data flows – including those between Warsaw and Milan. The absence of a transfer to a third country does not reduce these obligations.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, technology law, and cross-border compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating GDPR, the AI Act, DORA, and related frameworks. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.