A Warsaw-based software company restructures its internal operations. It splits data processing between a parent entity and a newly incorporated Polish subsidiary. Both entities are registered in Poland. The legal team assumes no data transfer rules apply. That assumption is wrong – and the consequences of getting it wrong can include regulatory fines, voided contractual arrangements, and lost access to data assets.
Data transfers between two entities both established in Poland remain subject to the General Data Protection Regulation (GDPR) and Polish implementing legislation. The legal basis for processing must be identified for each transfer, controller-processor agreements must be in place where required, and the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) retains full supervisory authority. Fines for non-compliance can reach EUR 20 million or 4% of global annual turnover, whichever is higher.
This guide explains the step-by-step legal framework for domestic data transfers in Poland. It covers the applicable legal mechanisms, the most common structural scenarios, practical pitfalls, and what businesses should prepare before transferring data between Polish entities.
What legal framework governs data transfers between Polish entities?
The starting point is the GDPR, which applies to any processing of personal data carried out in the context of the activities of an establishment in the European Union, including transfers between two Polish companies. Polish implementing legislation, primarily the Act on the Protection of Personal Data of 10 May 2018 (ustawa o ochronie danych osobowych), supplements the GDPR with national procedural rules. The UODO supervises compliance and, following an investigation, can impose administrative fines and corrective measures such as orders to bring processing into compliance or to suspend it. Straightforward matters are resolved relatively quickly; complex ones take considerably longer.
The critical first step is determining the relationship between the parties. Are both entities independent controllers? Is one a processor acting on behalf of the other? Or is this a joint-controller arrangement? Each classification triggers different obligations. A controller-to-controller transfer requires a legal basis on both sides: one for the sender's disclosure and one for the recipient's own processing. A controller-to-processor transfer requires a data processing agreement (DPA) meeting the content requirements of Article 28(3) GDPR. Joint controllers must document their respective responsibilities in a written arrangement under Article 26.
Three foundational questions govern every domestic transfer:
- What category of personal data is being transferred?
- What is the legal basis for processing on the receiving side?
- Is a data processing agreement or joint-controller arrangement required?
Special categories of data, including health data, genetic data, biometric data processed to uniquely identify a person, and trade union membership, may be processed only where one of the Article 9(2) exceptions applies, in addition to an ordinary Article 6 legal basis. Businesses transferring HR data between a parent and a Polish subsidiary frequently overlook this second layer. The UODO has issued guidance specifically addressing intra-group transfers, confirming that group membership does not itself constitute a legal basis for processing. Recital 48 GDPR does recognise that a group may have a legitimate interest in transmitting personal data within the group for internal administrative purposes, but that interest must still be identified, documented and balanced against the data subjects' interests for each flow; it is not a blanket exemption.
For financial entities in scope of the Digital Operational Resilience Act (DORA), data flows between Polish financial entities and their Polish IT service providers must also satisfy DORA's contractual requirements for ICT third-party risk management, layering obligations on top of the GDPR baseline.
How should businesses structure the data processing agreement?
When one Polish entity processes personal data on behalf of another, a data processing agreement is not optional: Article 28(3) GDPR makes it mandatory. The agreement must specify the subject matter, duration, nature, and purpose of the processing, the type of personal data involved, the categories of data subjects, and the obligations and rights of the controller. Without a compliant DPA, the controller is in breach of Article 28, and the processor's handling of the data lacks documented authority, exposing both parties to regulatory action.
We secured a reversal of a UODO enforcement notice for a logistics client in the Mazowieckie region (autumn 2025). The original notice had been issued because the company's DPA with its Polish IT subcontractor lacked provisions on sub-processing authorisation. Adding a single clause – requiring prior written consent for engaging sub-processors – resolved the compliance gap.
Article 28(3) GDPR sets the minimum content. A compliant DPA must address:
- Processing only on the controller's documented instructions, and the controller's right to issue them
- Confidentiality obligations for processor personnel
- Technical and organisational security measures meeting Article 32
- Sub-processor rules, including prior specific or general written authorisation and flow-down of the same obligations
- Assistance to the controller with data subject requests and with the controller's security, breach-notification and impact-assessment duties
- Return or deletion of data on contract termination
- Information and audit rights allowing the controller to verify compliance
The timeline for putting a DPA in place is short. Processing should not begin until the agreement is signed. In practice, many businesses start data flows before documentation is complete – a pattern the UODO treats as an aggravating factor when calculating fines. Budget at least two weeks for internal review, negotiation, and execution of a DPA, particularly where the processor handles special-category data.
For IP-intensive businesses, the DPA should also address ownership of derived data and outputs. A project to comply with the EU AI Act in Poland, for instance, may involve a Polish technology vendor processing training data on behalf of a client. If the DPA is silent on intellectual property rights in model outputs, a dispute over ownership becomes almost inevitable. Engaging an IP lawyer in Warsaw during DPA drafting prevents that dispute from arising.
What are the most common mistakes in domestic data transfers?
The most frequent error is treating a domestic transfer as legally invisible. Controllers assume that because both parties are Polish, no formal steps are needed. GDPR makes no such distinction. Every transfer of personal data between separate legal entities – even two Polish limited liability companies (spółki z ograniczoną odpowiedzialnością, sp. z o.o.) within the same corporate group – requires a legal basis and, where applicable, a DPA.
The second common mistake is using a DPA template that does not reflect the actual processing activity. Generic templates downloaded from the internet frequently omit provisions on sub-processor chains, personal data breach notification timelines, and data subject rights assistance. On breach notification, the processor must notify the controller without undue delay after becoming aware of a breach (Article 33(2) GDPR), so that the controller can meet its own 72-hour deadline for notifying the UODO (Article 33(1)); a DPA that simply repeats "72 hours" for the processor leaves the controller with no time to act. A UODO audit will test each of these provisions against operational reality.
The third mistake involves data minimisation. When restructuring data flows, businesses often transfer entire databases rather than the subset actually needed for the new processing purpose. Transferring more data than necessary violates the data minimisation principle and increases the exposure if a breach occurs. The UODO has issued fines exceeding PLN 1 million in cases where data minimisation failures were combined with inadequate security measures.
A practical self-assessment checkpoint: before any domestic transfer, the controller should be able to answer three questions in writing. What is the legal basis? What DPA or arrangement governs the transfer? What data is being transferred and why? If any answer is missing, the transfer should be paused.
For businesses also subject to sanctions screening obligations, data transfers that route personal information through third-party processors must be assessed for sanctions exposure. A Polish company transferring customer data to a Polish processing partner should verify that the partner's systems do not interact with sanctioned entities or jurisdictions – an often-overlooked intersection between data protection and trade compliance.
How do the three main business scenarios differ in practice?
Three scenarios arise most frequently in our practice. Each has a distinct legal structure, timeline, and cost profile.
Manufacturing company with a Polish shared services centre. A manufacturer in Silesia transfers employee data – payroll, health records, disciplinary files – to a Polish shared services entity. The shared services centre acts as a processor. A DPA is required. Because health records are special-category data, an additional legal basis (typically employment law necessity) must be identified. The DPA should be in place before the first payroll run. Implementation typically takes three to four weeks, including a data mapping exercise. External legal costs for a standard DPA in this scenario range from PLN 8,000 to PLN 15,000.
IT company transferring development data to a Polish subsidiary. A Warsaw-based technology firm transfers pseudonymised customer data to a Polish subsidiary for software testing. Pseudonymised data remains personal data, so a DPA is still required, although the legal exposure is lower if the data stays pseudonymised and access is restricted to the subsidiary's developers. The subsidiary is a processor. The DPA must specify that the data may not be re-identified, that the additional information needed for re-identification stays with the parent, and that the data must be deleted after testing. Timeline: one to two weeks for a straightforward arrangement. The EU AI Act may also apply if the testing involves AI system development.
We obtained a clean UODO compliance assessment for a technology client in Lower Silesia (spring 2026) after restructuring its intra-group data flows. The key change was converting an informal data-sharing arrangement into a documented DPA with sub-processor controls. The process took six weeks end to end.
Foreign investor establishing a Polish operating subsidiary. A German parent company incorporates a Polish sp. z o.o. and transfers customer data from the parent's CRM to the Polish entity. Because Germany is an EU member state, this is an intra-EU flow and no Chapter V transfer mechanism (such as standard contractual clauses) is needed, but the Polish subsidiary's processing is governed by the GDPR and Polish rules from the moment it begins. The Polish entity must have its own legal basis for processing. The characterisation of the relationship depends on who determines purposes and means: if the Polish entity processes the data solely on the parent's instructions, it is a processor and a DPA is required; if it decides its own purposes, for example managing its own customer relationships, it is an independent controller and the flow is controller-to-controller; if parent and subsidiary jointly determine purposes and means, a joint-controller arrangement under Article 26 is the accurate structure. Mischaracterising the relationship is one of the most common errors in foreign investor structures. Timeline: four to six weeks for a full data governance setup, including privacy notices, DPA or joint-controller agreement, and records of processing activities.
Frequently asked questions
Q: Does GDPR apply to data transfers between two companies in the same Polish corporate group?
A: Yes. Group membership does not create a legal basis for data processing or transfer. Each intra-group transfer requires an independent legal basis – such as legitimate interests, contractual necessity, or legal obligation – and a data processing agreement where one entity acts as a processor for another. The UODO has confirmed this position in published guidance and enforcement decisions.
Q: How long does it take to put a compliant data processing agreement in place, and what does it cost?
A: A standard DPA for a domestic controller-processor relationship typically takes two to four weeks to negotiate and execute, depending on complexity. Legal costs range from PLN 5,000 for a simple arrangement to PLN 20,000 or more where special-category data or sub-processor chains are involved. Businesses should factor in internal review time and the cost of a data mapping exercise if one has not been completed recently.
Q: Is a data processing agreement still required if the processor only handles anonymised data?
A: Truly anonymised data falls outside the scope of the GDPR entirely (Recital 26), because it can no longer be linked to an identifiable individual by any means reasonably likely to be used. However, the threshold for genuine anonymisation is high. Pseudonymised data, where re-identification is possible with additional information held separately, remains personal data and requires a DPA. Businesses frequently believe their data is anonymised when it is in fact pseudonymised. A legal and technical assessment of the anonymisation method is advisable before relying on this exemption.
What should businesses prepare before transferring data domestically?
Preparation reduces both legal risk and implementation time. The following checklist applies to any domestic data transfer between separate Polish legal entities:
- Complete a data mapping exercise identifying what data is transferred, by whom, to whom, and for what purpose
- Determine the legal relationship: controller-to-controller, controller-to-processor, or joint controllers
- Identify the legal basis for processing on the receiving side, including any additional basis for special-category data
- Draft, negotiate, and execute a data processing agreement or joint-controller arrangement before the transfer begins
- Update the records of processing activities (RoPA) to reflect the new data flow
For businesses operating under DORA compliance requirements, add a step: verify that the ICT third-party risk management provisions in your service contracts align with DORA's contractual standards. Where a Polish IT vendor is also a data processor, a single integrated agreement addressing both GDPR and DORA obligations is more efficient than two separate documents.
Trademark and IP considerations arise where the transferred data includes proprietary datasets, training data, or branded content. Ensuring that the DPA addresses intellectual property ownership, and that the processor's use of the data is strictly limited to the specified purpose, protects the controller's IP position. An IP lawyer in Warsaw should review DPAs involving AI training data or commercially sensitive datasets.
Businesses planning cross-border transfers after establishing domestic compliance should review the framework for transfers to other EU member states. Our guide on data transfer from Poland to France sets out how the domestic baseline maps onto cross-border requirements. For businesses with sanctions exposure, the sanctions screening obligations for Polish companies guide addresses how data processor relationships interact with trade compliance. And for businesses developing or deploying AI systems, our analysis of AI Act high-risk classification explains how data processing arrangements must be structured to satisfy the AI Act as it applies in Poland.
Specific circumstances require tailored advice. A domestic data transfer that appears straightforward can involve overlapping obligations under GDPR, DORA, and sector-specific regulation. Acting without a complete picture forfeits the opportunity to structure the arrangement correctly from the outset – an opportunity that is far harder to recover once a UODO investigation begins.
To discuss how the domestic data transfer framework applies to your company's structure, email info@kordeckipartners.com.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, technology law, and AI regulation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.