A Warsaw-based software company restructures its internal architecture and suddenly faces a question its legal team has never considered: does moving personal data between its own Polish entities require the same compliance steps as a cross-border transfer? The answer is not always obvious. Domestic data flows within Poland sit at the intersection of the Rozporządzenie o Ochronie Danych Osobowych (RODO; General Data Protection Regulation, GDPR), Polish implementing legislation, and sector-specific frameworks such as the Digital Operational Resilience Act (DORA) for financial entities.
Data transfer from Poland to Poland, meaning the movement of personal data between two separate legal entities both established in Poland, is governed primarily by the GDPR as applied in Polish law, with oversight from the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO). No adequacy decision or other Chapter V transfer mechanism is required, because both parties are located within the European Economic Area. The transfer still demands a valid legal basis, a data processing agreement or data sharing arrangement appropriate to the parties' roles, and, where the processing is likely to result in a high risk to individuals (large-scale processing of special category data is the typical trigger), a data protection impact assessment completed before processing begins.
This guide walks through the step-by-step procedure for structuring a lawful domestic data transfer, identifies the most common compliance gaps, and maps three practical business scenarios. It also addresses how AI Act Poland obligations and sector-specific requirements interact with the baseline GDPR framework. Whether you are a Polish entrepreneur consolidating group data, a foreign investor integrating a newly acquired subsidiary, or an in-house team managing a vendor relationship, the framework below applies directly to your situation.
What legal basis governs domestic data transfers within Poland?
The starting point is deceptively simple. Both entities are established in Poland. Both are subject to the GDPR as applied in Poland. No adequacy decision, standard contractual clauses, or binding corporate rules are needed. What remains is the obligation to identify a lawful ground for processing on each side and to formalise the relationship between the data controller and the receiving party. UODO has confirmed in published guidance that domestic transfers do not escape scrutiny simply because they stay within Polish borders, and enforcement actions have followed failures at this basic level.
The receiving entity's legal status determines the instrument. Three configurations arise most often:
- Controller-to-controller transfer: each party independently determines the purpose and means of processing. The GDPR does not prescribe a contract for this configuration, but a data sharing agreement is strongly recommended, each party needs its own lawful basis for its processing, and both parties must ensure their privacy notices cover the transfer.
- Controller-to-processor transfer: the receiving party processes only on the controller's documented instructions. A data processing agreement (umowa powierzenia przetwarzania danych) is mandatory under Article 28 GDPR and must contain all elements prescribed in Article 28(3).
- Joint controllership: both entities jointly determine purposes and means. Article 26 GDPR requires a joint controller arrangement whose essence is made available to data subjects, including a summary of its key terms and the contact point for exercising rights.
Choosing the wrong instrument carries real consequences. A company that treats a processor relationship as a controller-to-controller arrangement may find itself without a compliant data processing agreement, an omission UODO treats as a standalone infringement. Fines for infringements of the controller and processor obligations in Article 28 GDPR reach EUR 10 million or 2% of global annual turnover, whichever is higher. That exposure cannot be cured by signing the missing agreement once a UODO audit is underway. Identifying the correct instrument before the transfer begins is the single most important step in the entire process.
Polish corporate legislation also intersects here. Where the transfer occurs between a parent company and its Polish subsidiary, the Kodeks spółek handlowych (Commercial Companies Code, KSH) governs the underlying corporate relationship, but it does not substitute for GDPR compliance. The National Court Register (KRS) filing confirming the group structure is relevant evidence in a UODO investigation but is not itself a legal basis for data processing.
How does the step-by-step procedure work in practice?
A lawful domestic data transfer follows a sequence of five steps. Each step has a defined output, and missing any one of them creates a gap that UODO can identify during an inspection. The timeline from scoping to go-live typically runs four to eight weeks, depending on data complexity and the internal review capacity of both parties. For transfers involving health data or financial records, allow at least ten weeks.
Step 1 – Data mapping and purpose definition (Weeks 1–2). Document what categories of personal data will transfer, the purpose on the receiving side, the legal basis for that purpose, and the anticipated retention period. This output feeds directly into the records of processing activities maintained under Article 30 GDPR by both parties. Financial entities supervised by the Polish Financial Supervision Authority (KNF) face parallel documentation obligations under DORA's ICT risk management framework, so regulated firms should align the data map with their DORA registers rather than maintain two inconsistent inventories.
Step 2 – Legal instrument selection and drafting (Weeks 2–4). Based on the mapping, select the correct instrument (data processing agreement, data sharing agreement, or joint controller arrangement). Draft the instrument with reference to GDPR requirements. For a data processing agreement, Article 28(3) requires the subject matter, duration, nature and purpose of processing, type of personal data, categories of data subjects, and the controller's obligations and rights, together with the processor's obligations: processing only on documented instructions, confidentiality of authorised personnel, security measures, sub-processor controls, assistance with data subject requests and breach handling, deletion or return of data at the end of the engagement, and audit rights. Allow at least one round of negotiation; counterparties often push back on sub-processor approval mechanisms.
Step 3 – Data protection impact assessment where required (Weeks 3–6). A data protection impact assessment (DPIA) is mandatory when the transfer involves large-scale processing of sensitive data, systematic profiling, or processing that is likely to result in high risk to individuals. UODO has published a list of processing types that always require a DPIA. Budget at least three weeks for a thorough DPIA, including consultation with the data protection officer (DPO) where one is appointed.
Step 4 – Technical and organisational measures (Weeks 4–7). Confirm that the receiving entity applies security measures appropriate to the risk, as Article 32 GDPR requires, and that the controller has verified those measures before engaging a processor (Article 28(1) asks for sufficient guarantees, not a bare assurance). Pseudonymisation, encryption in transit and at rest, role-based access controls, and audit logging are the baseline; where pseudonymisation is used, the key or lookup table that allows re-identification must stay with the controller and never travel with the data. Where the transferred data feeds an AI system, the EU AI Act as applied in Poland may add transparency and human oversight requirements.
Step 5 – Documentation, sign-off, and go-live (Weeks 6–8). Execute the legal instrument, update both parties' records of processing activities, update privacy notices where required, and confirm DPO sign-off. File the DPIA with UODO if the assessment identified high residual risk and prior consultation is needed. Only then should the data flow begin.
What are the most common mistakes and how can they be avoided?
We secured a correction of a UODO enforcement notice for a manufacturing client in the Mazowieckie region (autumn 2025) – the core issue was a data processing agreement signed after the transfer had already begun. The processor had been receiving HR data for six months without any legal instrument in place. UODO treated the entire six-month period as an unlawful processing event, not merely a documentation gap. That distinction matters enormously for calculating potential fines.
The most frequent mistakes cluster around four areas. First, companies conflate the legal basis for their own processing with the instrument governing the transfer. Having a legitimate interest basis for internal analytics does not automatically authorise sharing that data with a group company. The group company needs its own legal basis. Second, data processing agreements are often drafted as one-page addenda with no sub-processor provisions. When the receiving processor later engages a cloud provider, the chain breaks. Third, DPIAs are treated as optional unless a regulator demands one. In practice, any transfer involving employee monitoring data, health records, or profiling for credit decisions requires a DPIA regardless of whether UODO has asked for it.
Fourth, and this affects IT and tech companies most acutely, teams assume that because data never leaves Poland, the transfer is "internal" and therefore unregulated. GDPR draws no such distinction. A transfer between two Polish limited liability companies (spółki z ograniczoną odpowiedzialnością, sp. z o.o.) is a transfer between two separate data controllers or between a controller and a processor, and it demands the same documentation as any other inter-entity flow. Our team obtained a favourable UODO ruling for a fintech client in Lower Silesia (spring 2026) by demonstrating that their data processing agreement predated the transfer by 30 days. The law requires only that the agreement be in force before the first record moves; the 30-day buffer is the minimum we recommend in all engagements so that the timing is beyond dispute.
Intellectual property considerations also intersect here. Where the transferred data contains trade secrets or proprietary datasets, protections under the ustawa o zwalczaniu nieuczciwej konkurencji (Act on Combating Unfair Competition) layer onto the GDPR framework. Failing to address confidentiality in the data sharing agreement can forfeit trade secret protection entirely, an irreversible consequence once the data has been disclosed without restriction.
How do three business scenarios illustrate the framework?
Concrete scenarios make abstract rules actionable. Three patterns arise most frequently in our practice, each with a distinct compliance profile.
Scenario A – Polish manufacturing group consolidating HR data. A group with four Polish subsidiaries centralises payroll processing at the parent company. Each subsidiary is a separate legal entity registered in the KRS. The parent becomes the processor; each subsidiary remains the controller. Four separate data processing agreements are required, one per subsidiary. The agreements must address cross-subsidiary access controls, because payroll staff at the parent will see data from all four entities. Whether a full DPIA is mandatory depends on the scale of the employee data and on whether the centralised system also supports monitoring or profiling; at minimum, document the screening decision and its reasoning. Timeline: six weeks. Cost: primarily legal drafting time, typically 15–25 hours of external counsel.
Scenario B – IT company sharing customer data with a Polish analytics partner. A Warsaw-based SaaS provider transfers pseudonymised user behaviour data to a Polish data analytics firm for product improvement. The analytics firm acts as a processor. The data processing agreement must specify that the analytics firm may not use the data for its own purposes, a common point of dispute. Because the data is pseudonymised but not anonymised, it remains personal data and GDPR applies in full: the SaaS provider can still re-link each record to a user, and the dataset must be treated accordingly. The transfer should be assessed against the EU AI Act if the analytics firm uses the data to train or fine-tune a machine learning model. If the resulting AI system falls into a high-risk category under the AI Act, additional conformity obligations arise before the data can be used. Timeline: four weeks for a standard transfer; eight weeks if AI Act review is needed.
Scenario C – Foreign investor integrating a Polish acquisition. A German investor acquires a Polish sp. z o.o. and wants to integrate the Polish entity's customer database into the group CRM. Even though the acquirer now owns 100% of the Polish company, the two entities remain separate legal persons. The Polish entity is the controller of its customer data. Transferring that data to a group CRM operated by the German parent is a transfer to another EEA jurisdiction, not a domestic transfer. Because Germany is inside the EEA, no Chapter V mechanism such as standard contractual clauses is needed for that leg; what is needed is a lawful basis for the disclosure and the correct instrument, which depends on the structure. If the German parent determines its own purposes for the CRM data, it is a controller and a data sharing agreement governs the arrangement; if the Polish entity retains control and the German parent merely provides technical infrastructure, the parent is a processor and a data processing agreement governs it. Standard contractual clauses become relevant only if the CRM is hosted by, or accessible to, a sub-processor outside the EEA, which is a point to verify in the CRM vendor's sub-processor list before go-live. For an overview of cross-border mechanisms, see our analysis of data transfer from Poland to Cyprus – legal mechanisms.
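Step 4 above lists pseudonymisation as a baseline measure, and Scenario B turns on the fact that a pseudonymised export is still personal data. The following Python example, added here as an illustration and not code from the original article or from any client engagement, shows why: it pseudonymises a constructed user-behaviour export with a keyed HMAC-SHA256 token so that the processor receives no direct identifiers, then demonstrates that the controller, holding the key, can re-link every record, while the processor cannot reverse the tokens by guessing, and that an unkeyed hash would offer no such protection. The field names, sample rows, and the choice of HMAC-SHA256 are assumptions made for the example.

```python
"""Keyed pseudonymisation of a user-behaviour export (added illustration).

Demonstrates that a pseudonymised dataset remains personal data: the party
holding the key can re-link records to users, the party holding only the
export cannot, and an unkeyed hash over a small identifier space is reversible
by anyone.
"""
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample export; the values are illustrative, not real data.
SAMPLE_EVENTS = [
    {"user_id": "u-1001", "email": "anna@example.com", "event": "login", "ts": "2025-03-01T09:14:02Z"},
    {"user_id": "u-1001", "email": "anna@example.com", "event": "export", "ts": "2025-03-01T09:20:41Z"},
    {"user_id": "u-1002", "email": "piotr@example.com", "event": "login", "ts": "2025-03-01T10:02:11Z"},
    {"user_id": "u-1003", "email": "kasia@example.com", "event": "checkout", "ts": "2025-03-02T17:45:09Z"},
]

# Fields that identify a person directly; they must never reach the processor.
DIRECT_IDENTIFIERS = ("user_id", "email")


def new_key() -> bytes:
    """Controller-side secret, stored separately from the export (GDPR Art. 4(5))."""
    return secrets.token_bytes(32)


def pseudonym(user_id: str, key: bytes) -> str:
    """Stable per-user token: HMAC-SHA256 over the identifier, truncated to 128 bits."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def unkeyed_pseudonym(user_id: str) -> str:
    """The weak alternative: a plain hash that anyone can recompute."""
    return hashlib.sha256(user_id.encode("utf-8")).hexdigest()[:32]


def pseudonymise(events: list, key: bytes) -> list:
    """Build the export handed to the processor: direct identifiers dropped, token added."""
    export = []
    for ev in events:
        rec = {k: v for k, v in ev.items() if k not in DIRECT_IDENTIFIERS}
        rec["subject"] = pseudonym(ev["user_id"], key)
        export.append(rec)
    return export


def has_direct_identifiers(export: list) -> bool:
    """Pre-transfer check: True if any direct identifier survived in the export."""
    return any(k in DIRECT_IDENTIFIERS for rec in export for k in rec)


def relink(export: list, user_id: str, key: bytes) -> list:
    """Controller-side re-identification: recompute the token and select matching records."""
    token = pseudonym(user_id, key)
    return [rec for rec in export if rec["subject"] == token]


def reverse_by_enumeration(token: str, candidate_ids: Iterable[str], key: Optional[bytes] = None) -> Optional[str]:
    """Attempt to turn a token back into an identifier by guessing over a candidate set.

    Succeeds for unkeyed hashes (key=None) and for keyed tokens when the correct
    key is supplied; fails when the key is missing or wrong.
    """
    for uid in candidate_ids:
        guess = pseudonym(uid, key) if key is not None else unkeyed_pseudonym(uid)
        if hmac.compare_digest(guess, token):
            return uid
    return None


if __name__ == "__main__":
    key = new_key()
    export = pseudonymise(SAMPLE_EVENTS, key)
    candidates = [f"u-{n}" for n in range(1000, 2000)]
    print("direct identifiers in export:", has_direct_identifiers(export))
    print("controller re-links u-1001 to", len(relink(export, "u-1001", key)), "records")
    print("processor guessing a keyed token:", reverse_by_enumeration(export[0]["subject"], candidates))
    print("anyone guessing an unkeyed token:", reverse_by_enumeration(unkeyed_pseudonym("u-1001"), candidates))
```

The design point is the separation of knowledge: the export alone tells the processor nothing about who `u-1001` is, but the controller's key turns the same export back into identified records, which is exactly why the dataset stays inside the GDPR and why the data processing agreement must forbid the processor from obtaining or reconstructing the mapping. Rotating the key between exports breaks linkability across deliveries when that is desired; keeping it stable preserves the longitudinal analysis Scenario B depends on.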
For foreign investors establishing a Polish presence, the IP and data strategy should be integrated from day one. Our guide on IP protection strategy for Italy tech companies in Poland addresses how to structure data and IP assets in a Polish subsidiary in a way that supports both compliance and commercial objectives.
Each scenario requires a checklist review before go-live. What to prepare:
- Data mapping document identifying categories, purposes, and legal bases
- Executed legal instrument (data processing agreement, data sharing agreement, or joint controller arrangement)
- Completed DPIA where required, with DPO sign-off
- Updated records of processing activities for both parties
- Revised privacy notices reflecting the new data flow
Tech companies considering equity incentive structures for employees who handle sensitive data should also review ESOP structuring for Polish startups and tech companies; GDPR obligations attach to who is authorised to access personal data and in what role, so widening the circle of staff with access, whatever their equity status, should be reflected in access controls and documentation.
The specific facts of your situation determine which instruments apply and how long the process takes. An incomplete or post-hoc documentation approach precludes a clean compliance position and forfeits the ability to demonstrate accountability to UODO, a requirement that cannot be reconstructed after the fact.
To receive an expert assessment of your domestic data transfer structure, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does a data processing agreement need to be signed before or after the data transfer begins?
A: The data processing agreement must be in place before any personal data is transferred to the processor. UODO treats the absence of an agreement at the time of transfer as a standalone infringement, separate from any issues with the underlying processing. A retroactively signed agreement does not cure the period during which data flowed without documentation. Budget at least two weeks for drafting, negotiation, and execution, and aim to have the executed agreement in force well before the planned go-live date (we recommend a 30-day buffer).
Q: Is a DPIA always required for domestic transfers within Poland?
A: No. A data protection impact assessment is required only when the processing is likely to result in a high risk to individuals. UODO has published a list of processing types that always trigger this obligation – including large-scale processing of health data, systematic monitoring of employees, and profiling that produces legal or similarly significant effects. For routine transfers of standard business data between two Polish entities, a DPIA is not mandatory, though a brief risk assessment is good practice.
Q: Can a trademark or trade secret be protected through the data sharing agreement?
A: Yes, and it should be. Where the transferred dataset contains proprietary information – whether a customer list, a pricing algorithm, or a trained AI model – the data sharing agreement should include confidentiality obligations and restrictions on use that go beyond GDPR requirements. The Act on Combating Unfair Competition protects trade secrets, but that protection depends on the holder having taken reasonable steps to maintain secrecy. A data sharing agreement without confidentiality provisions may be treated as evidence that no such steps were taken, which forfeits trade secret status.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, IP, technology law, and GDPR compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.