A Warsaw-based software company restructures its group architecture and, in doing so, moves personal data between two Polish legal entities – both registered in Poland, both subject to Polish law. The transaction looks trivial. In practice, it triggers a chain of obligations under data protection, sectoral regulation, and corporate law that can expose the board to personal liability if handled carelessly.

Data transfers between entities located within Poland are governed primarily by the Rozporządzenie o Ochronie Danych Osobowych (General Data Protection Regulation, GDPR) as applied by Polish implementing legislation, supplemented by the Ustawa o ochronie danych osobowych (Personal Data Protection Act, UODO Act). The legal basis for each transfer must be identified before any data moves. Where the recipient is a separate controller, a lawful basis under GDPR is required; where it acts as a processor, a written data processing agreement capping liability and setting retention periods is mandatory. Failure to document either mechanism can result in administrative fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher.

This guide walks through the four key questions practitioners and compliance officers face: what legal mechanisms apply, which sectoral overlays matter, what the step-by-step procedure looks like, and where companies most often go wrong. Three business scenarios – a manufacturing group, an IT services provider, and a foreign-owned subsidiary – illustrate the analysis throughout.

What legal mechanisms govern domestic data transfers in Poland?

The starting point is deceptively simple. A domestic transfer – one that stays entirely within Polish territory – is not a "third country transfer" under GDPR. No Standard Contractual Clauses, no adequacy decision, no Binding Corporate Rules are required. Yet the transfer is not unregulated. Every flow of personal data between two distinct legal entities requires a documented lawful basis, regardless of where both parties sit geographically.

Four mechanisms cover most domestic scenarios. First, consent – valid only where it is freely given, specific, informed, and unambiguous, which in practice limits its use in employment or supply-chain contexts. Second, contractual necessity – applicable where processing is directly required to perform a contract with the data subject. Third, legitimate interests – the most flexible basis, but one requiring a balancing test documented in a Legitimate Interests Assessment (LIA). Fourth, legal obligation – relevant where Polish sector-specific legislation mandates the transfer.

The Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) has clarified in several decisions that the mere fact both parties are Polish does not reduce the documentation burden. Each entity must maintain a Record of Processing Activities (RPA) reflecting the transfer. UODO enforcement trends show increasing scrutiny of intra-group flows, particularly where a parent company assumes operational control over a subsidiary's data without a formal legal basis. For a detailed overview of recent UODO enforcement, see our analysis of GDPR fines in Poland and UODO enforcement trends.

Where the recipient entity processes data on behalf of the originating entity – rather than for its own purposes – the relationship is one of controller-to-processor. Polish law requires this to be governed by a written Data Processing Agreement (DPA) meeting the requirements set out under GDPR. The DPA must specify the subject matter, duration, nature, and purpose of processing, the type of personal data, and the categories of data subjects. A DPA concluded without these elements is unenforceable and leaves both parties exposed to UODO sanction.

  • Identify whether the recipient is a controller or processor before drafting any agreement
  • Document the lawful basis in the originating entity's RPA before the transfer occurs
  • Conduct an LIA where legitimate interests is the chosen basis
  • Ensure the DPA covers sub-processing restrictions if the recipient uses cloud infrastructure
  • Retain the DPA and LIA for at least the duration of the processing relationship plus three years

Which sectoral overlays apply to data transfers within Poland?

GDPR provides the baseline. Sectoral legislation frequently raises it. Three regulatory frameworks create additional obligations for Polish entities transferring data domestically: the financial sector rules under DORA compliance requirements, the AI Act Poland framework for automated decision-making, and the telecommunications regime under the Prawo telekomunikacyjne (Telecommunications Law).

DORA – the Digital Operational Resilience Act – applies from January 2025 to financial entities regulated by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF). Where a financial institution transfers data to an intra-group IT service provider, DORA classifies that provider as an ICT third-party service provider if it operates as a separate legal entity. The institution must conduct a risk assessment, maintain contractual arrangements meeting DORA's minimum content requirements, and notify KNF of material changes. The 30-business-day notification window for critical ICT incidents involving data applies even when both entities are registered in Warsaw.

The AI Act Poland dimension arises where the transferring entity deploys an AI system that processes personal data for automated profiling or decision-making. High-risk AI systems – including those used in employment screening, credit scoring, or access control – require a conformity assessment before deployment. If the data feeding that system is transferred from a sister entity, the data sharing arrangement must reflect the AI system's risk classification. Failure to align the DPA with the AI Act's transparency requirements can invalidate the lawful basis for processing.

Telecommunications operators face a separate regime. The National Communications Authority (Urząd Komunikacji Elektronicznej, UKE) supervises transfers of subscriber data between group entities. Transfers of traffic and location data require specific statutory justification even domestically. A telecom group restructuring its data architecture should obtain a legal opinion before any intra-group subscriber data migration.

For technology companies with cross-border IP structures, the interaction between data flows and IP licensing arrangements deserves attention. Our guide on IP protection strategy for Luxembourg tech companies in Poland addresses how data-driven products intersect with trademark and licensing frameworks.

What is the step-by-step procedure for a compliant domestic data transfer?

A compliant domestic data transfer follows a defined sequence. Skipping steps does not save time – it creates audit findings that take far longer to remediate than the original procedure would have required. The full process, from initial scoping to post-transfer monitoring, typically runs 6 to 12 weeks for a mid-sized organisation.

Step 1 – Data mapping (weeks 1–2). Identify every category of personal data held by the transferring entity. Map data flows to understand which datasets will move, in what format, and to which systems. This step produces a Transfer Impact Assessment (TIA) even for domestic flows, because UODO expects controllers to demonstrate awareness of what they hold.

Step 2 – Legal basis determination (weeks 2–3). For each data category, select and document the lawful basis. Where legitimate interests applies, complete the LIA. Where a legal obligation applies, identify the specific statutory provision. This step also determines whether the recipient is a controller or processor.

Step 3 – Contractual documentation (weeks 3–5). Draft and execute the DPA or controller-to-controller agreement. The DPA must be signed before any data moves. For DORA-regulated entities, prepare the ICT service provider contract simultaneously. Budget at least PLN 8,000–15,000 in legal fees for a standard DPA with DORA annexes.

Step 4 – RPA and privacy notice updates (weeks 5–6). Both entities update their Records of Processing Activities. If the transfer changes the purposes for which data subjects' information is used, updated privacy notices must be issued at least 30 days before the transfer date.

Step 5 – Technical and organisational measures (weeks 6–10). Implement or verify encryption, access controls, and pseudonymisation measures at the recipient entity. UODO expects technical measures to match the risk profile identified in the TIA.

Step 6 – Post-transfer monitoring (ongoing). Conduct a compliance review at 6 months and annually thereafter. Retain all documentation for the duration of the processing relationship plus three years.

Where do companies most often go wrong with domestic data transfers?

Experience across restructuring mandates in Poland points to a consistent pattern of errors. They are not exotic. They are predictable. And they are expensive to fix after a UODO investigation has begun – at that point, the window for voluntary remediation closes and the regulator's discretion on fines narrows.

The most common mistake is treating a domestic transfer as legally neutral because no international element is present. Boards approve group restructurings without instructing legal counsel to review the data architecture. The result is a transfer that proceeds without a lawful basis, without a DPA, and without updated RPAs. UODO has issued fines exceeding PLN 1 million in cases involving exactly this pattern – intra-group data sharing without documentation.

We secured a reversal of a UODO enforcement finding for a manufacturing client in the Mazowieckie region (autumn 2025). The client had transferred employee data to a shared-services subsidiary without a DPA. We argued that a framework agreement in place between the entities contained the substantive elements of a DPA, even though it was not labelled as one. UODO accepted the argument and reduced the proposed fine from PLN 800,000 to a formal warning.

The second frequent error involves sub-processing. A recipient entity that itself uses cloud infrastructure – a common scenario for IT service providers – engages that cloud provider as a sub-processor of the original data subjects' personal data. The original controller must authorise sub-processing explicitly in the DPA. Where this clause is absent, the entire processing chain lacks a valid legal basis. This issue is particularly acute for companies using hyperscale cloud providers, where data may transit through infrastructure outside Poland even when both contracting parties are Polish.

Our team obtained a favourable UODO pre-investigation opinion for a fintech client in Lower Silesia (spring 2026) by demonstrating that its cloud provider agreement contained explicit sub-processing authorisation and that the provider's Polish data centres were designated as the exclusive processing location. The matter was closed without formal proceedings.

A third error is misclassifying the transfer relationship. Where two group entities jointly determine the purposes and means of processing, they are joint controllers under GDPR, not controller and processor. Joint controllership requires a specific arrangement – not a DPA – setting out each party's responsibilities toward data subjects. Using a DPA for a joint controller relationship is a structural error that UODO treats as a failure to comply with the regulation's accountability principle.

For companies considering whether a holding structure or a foundation model better suits their data governance architecture, our analysis of family foundation vs holding company structures provides useful framing on entity-level liability allocation.

Frequently asked questions

Q: Does a domestic data transfer in Poland require any notification to UODO?

A: Routine domestic transfers between controllers or to processors do not require prior notification to the Personal Data Protection Office. Notification or consultation is required only where a Data Protection Impact Assessment (DPIA) reveals a high residual risk that cannot be mitigated by the controller alone. For most standard intra-group transfers, a DPIA is not mandatory unless the processing involves systematic profiling, sensitive data categories, or large-scale automated decision-making. Controllers should document their DPIA screening decision regardless of outcome.

Q: How long does it take and what does it cost to put a compliant domestic data transfer framework in place?

A: For a mid-sized organisation, the full procedure runs 6 to 12 weeks from scoping to post-transfer monitoring setup. Legal fees for a standard Data Processing Agreement with sector-specific annexes (DORA, AI Act, telecommunications) typically range from PLN 8,000 to PLN 25,000 depending on complexity. Organisations that invest in a reusable framework – a template DPA library with modular annexes – reduce the per-transfer cost significantly for subsequent transactions. Remediation after a UODO investigation routinely costs three to five times the preventive investment.

Q: Is a verbal or implied agreement sufficient for a domestic controller-to-processor relationship?

A: No. GDPR requires the controller-to-processor relationship to be governed by a contract or other legal act in writing, including in electronic form. A verbal or implied arrangement does not satisfy this requirement regardless of the parties' good faith or the domestic nature of the transfer. UODO has specifically rejected the argument that longstanding commercial relationships between group entities substitute for a written Data Processing Agreement. The written requirement is absolute, and its absence is treated as a standalone infringement independent of whether any data subject has suffered harm.

What to prepare before initiating a domestic data transfer

  • A complete inventory of personal data categories held by the transferring entity
  • A written determination of the lawful basis, with a Legitimate Interests Assessment if applicable
  • A signed Data Processing Agreement or controller-to-controller arrangement executed before transfer
  • Updated Records of Processing Activities for both the transferring and receiving entity
  • Verified technical and organisational measures at the recipient, documented in writing

Every domestic data transfer carries legal weight. Specific facts – the nature of data, the regulatory sector, the corporate structure – determine which mechanism applies and what documentation is required. A gap in any element can trigger UODO enforcement, board-level personal liability, and reputational consequences that are difficult to reverse once proceedings begin.

To receive an expert assessment of your domestic data transfer framework, contact info@kordeckipartners.com. Our IP and technology law team will review your data architecture, identify structural gaps, and prepare the documentation required for a compliant transfer – typically within four weeks of instruction.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, technology regulation, and IP law. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Author: Jakub Gorski – Jakub specialises in IP, technology law, AI regulation, and DORA.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.