A Warsaw-based software company discovered, mid-project, that its internal data-sharing arrangement between two Polish subsidiaries had no documented legal basis. The subsidiaries operated separate legal personalities, separate IT systems, and separate data controller registrations with the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO). What looked like a routine intra-group transfer turned out to require a formal compliance structure – one the client had never built.
Data transfers between two Polish entities are still governed by the General Data Protection Regulation (GDPR), which applies regardless of whether the transfer crosses a national border. Each Polish legal entity that acts as a separate data controller must have a documented legal basis for sharing personal data with another controller – even one within the same corporate group. Without that basis, the transfer is unlawful, and UODO may impose administrative fines of up to EUR 20 million or 4 percent of global annual turnover.
This case study walks through the background of that matter, the legal strategy we applied, the compliance process we ran, and the lessons that apply to any Polish business operating across a multi-entity structure. The issues touched on GDPR requirements as applied in Poland, elements of the AI Act framework as applied in Poland (the client processed personal data through an automated decision system), and DORA compliance considerations for the group's fintech affiliate.
What was the background and why did the gap exist?
The client group comprised three Polish limited liability companies. The parent held a technology platform; two subsidiaries delivered services to end customers. Data flowed from the subsidiaries to the parent for analytics and product development. No one had questioned the arrangement for four years. The gap surfaced only when the group's external auditors flagged the absence of a data-sharing agreement during a pre-investment due diligence review in Mazowieckie region (winter 2025).
The root cause was a common misconception: that GDPR does not apply to transfers within Poland. It does. The regulation governs any processing of personal data by controllers established in the European Union, regardless of where the recipient is located. A transfer from a Warsaw subsidiary to its Kraków-based parent is subject to the same controller-to-controller rules as a transfer to a counterparty in another EU member state.
Three structural issues compounded the problem. First, the subsidiaries had registered as independent controllers with UODO – not as processors acting on behalf of the parent. Second, the data included special-category information (health-related inferences generated by the platform's recommendation engine). Third, the group had not conducted a data protection impact assessment (DPIA) for the automated processing, which Polish data protection law and GDPR both require when processing is likely to result in high risk to individuals.
- No documented legal basis for controller-to-controller transfers
- No data-sharing agreement between the entities
- No DPIA for high-risk automated processing
- No records of processing activities updated to reflect inter-entity flows
How did we structure the legal strategy?
The strategy rested on three pillars: selecting the correct legal basis, documenting the transfer architecture, and closing the DPIA gap before the investor completed due diligence. The timeline was tight – 30 days to deliver a clean compliance package. We prioritised the legal basis question first, because it determined the form of every downstream document.
For controller-to-controller transfers within the EU, GDPR offers several possible legal bases. Legitimate interests under the regulation was the most commercially practical option here, provided the client could demonstrate that the processing was necessary, proportionate, and did not override the data subjects' rights. We ran a three-part balancing test: purpose assessment, necessity check, and rights-override analysis. The analytics use case passed all three. For the special-category data, legitimate interests alone was insufficient – explicit consent or a specific statutory exemption was required. The client had neither. We recommended restructuring that processing stream to rely on explicit consent collected at onboarding, with a 90-day transition window.
The second pillar was a data-sharing agreement between the two subsidiaries and the parent. This document set out the categories of data transferred, the purposes, the retention periods, the security measures, and the respective obligations of each controller. It also addressed the AI Act Poland dimension: the recommendation engine qualified as a limited-risk AI system, triggering transparency obligations toward users. Embedding those obligations in the data-sharing agreement created a single contractual anchor for both GDPR and AI Act compliance.
For the fintech affiliate, DORA compliance required an additional layer. DORA – the EU Digital Operational Resilience Act, applicable to financial entities from January 2025 – mandates contractual provisions governing ICT-related data access and incident reporting. We added a DORA annex to the intra-group agreement covering the affiliate's data flows. This avoided the need for a separate contract and reduced the administrative burden on the group's in-house team.
What did the compliance process look like in practice?
We delivered the compliance package in four sequential stages, each with a defined output and a hard deadline. The entire process ran over 28 days – two days inside the investor's window. The result was a clean data-protection sign-off for the due-diligence process of a technology group in the Mazowieckie region (winter 2025).
Stage one (days 1–7) was a data mapping exercise. We interviewed the data protection officers (DPOs) of each entity, reviewed the existing records of processing activities, and mapped every data flow between the three companies. The mapping identified 14 distinct transfer streams, of which 9 lacked any documented legal basis.
Stage two (days 8–14) was legal basis analysis and DPIA drafting. We completed the balancing test for legitimate interests across all 9 streams and drafted the DPIA for the automated decision system. The DPIA flagged two residual risks requiring mitigation: the absence of a meaningful opt-out mechanism and the lack of human review for decisions affecting individual creditworthiness. The client committed to implementing both mitigations within 60 days.
Stage three (days 15–21) was document drafting: the data-sharing agreement, the DORA annex, and updated records of processing activities for all three entities. We also drafted a revised privacy notice for end users, incorporating the AI Act transparency language. For further context on cross-border data transfer mechanisms, see our analysis of data transfer from Poland to the UAE, which addresses the additional layers that apply when the recipient is in a third country.
Stage four (days 22–28) was review, execution, and delivery to the investor's legal advisers. All documents were signed by authorised representatives of each entity and lodged in the group's compliance repository. The Warsaw IP law team coordinating the due diligence confirmed acceptance without further queries.
What lessons apply to other Polish multi-entity structures?
The central lesson is that legal entity boundaries matter under GDPR, even within a single corporate group. A Polish holding structure is not a single controller by default. Each entity with its own registration, its own IT infrastructure, and its own contractual relationships with data subjects is likely a separate controller – and separate controllers need a legal basis to share data with each other.
The second lesson concerns timing. Data protection compliance is most expensive when it is reactive. The client in this matter faced a 30-day deadline and a compressed budget. Businesses that map their data flows annually – and update those maps when corporate structures change – rarely face this kind of pressure. An annual review costs a fraction of an emergency compliance sprint. For businesses managing employment data across entities, the principles overlap with labour law obligations; our note on severance pay calculation under the Polish Labour Code illustrates how data and employment compliance intersect in practice.
The third lesson is about IP and technology strategy. Companies that develop proprietary platforms should consider data governance as part of their IP protection framework from the outset. A platform whose data flows are undocumented is a platform with a compliance liability attached to its core asset. Our guide on IP protection strategy for Swiss tech companies in Poland addresses how to structure that integration for cross-border technology businesses.
- Map all intra-group data flows before any M&A or investment process begins
- Confirm the controller or processor status of each entity independently
- Conduct a DPIA for any automated processing that affects individuals
- Align GDPR, AI Act, and DORA obligations in a single contractual framework where possible
- Review and update records of processing activities at least once per year
Trademark and IP considerations also arise where the platform's brand identity or proprietary datasets are transferred between entities. A transfer that bundles personal data with trade secrets or licensed software needs layered agreements – one for data protection, one for IP. Treating them as a single document creates ambiguity that can be exploited in a dispute. The UODO has no jurisdiction over IP rights, but a court dealing with an IP claim will scrutinise the data governance documents as evidence of the parties' intentions.
To discuss how intra-group data transfer compliance applies to your structure, email info@kordeckipartners.com.
Frequently asked questions
Q: Does GDPR apply to data transfers between two Polish companies in the same group?
A: Yes. GDPR applies to any processing of personal data by controllers established in the EU, regardless of the nationality or location of the recipient. Two Polish companies with separate legal personalities are separate controllers unless they have formally designated one as a processor acting on behalf of the other. Each transfer between them requires a documented legal basis under the regulation.
Q: How long does it take to put an intra-group data-sharing agreement in place?
A: A straightforward agreement between two entities with a single transfer stream can be drafted and executed within 10 to 14 days. Where multiple entities are involved, where special-category data is processed, or where DORA or AI Act obligations must be incorporated, the process typically takes 25 to 35 days. The longest phase is usually data mapping, not drafting.
Q: Is a DPIA always required for automated decision-making within a Polish corporate group?
A: Not always, but frequently. A DPIA is required when processing is likely to result in high risk to individuals. Automated decision-making that produces legal or similarly significant effects on individuals – including creditworthiness assessments, employment decisions, or health-related inferences – almost always meets that threshold. UODO publishes a list of processing types that presumptively require a DPIA; businesses should consult that list before deploying any automated system that uses personal data.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, AI Act compliance, DORA compliance, and technology transactions. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.