A Warsaw-based software company acquired a smaller Polish technology firm in early 2025. The transaction looked clean on paper. Then the due diligence team flagged a problem: the target's entire customer dataset – personal data of over 40,000 individuals – was hosted on servers controlled by the acquiring entity's Polish subsidiary, not the target itself. Two separate Polish legal persons held data that, commercially, needed to move in one direction. The question was how to do it lawfully.

Data transfers between two Polish entities are governed primarily by the General Data Protection Regulation (GDPR) as applied in Poland, supplemented by the Polish Personal Data Protection Act (ustawa o ochronie danych osobowych, PDPA). Even when both sender and recipient are domiciled in Poland, the transfer requires a valid legal basis, a documented data-processing or data-sharing agreement, and – where applicable – notification to the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO). No geographic shortcut removes these obligations. Failure to comply exposes both entities to administrative fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher.

This case study traces how our team structured the transfer, resolved the conflicting controller relationships, and built a compliance architecture that survived a subsequent UODO inquiry. Three transferable lessons emerge for any Polish company managing intra-jurisdiction data flows during an M&A transaction or corporate restructuring.

What was the background to the data-transfer dispute?

The acquiring entity – a Warsaw-registered software house – had already absorbed the target's commercial operations before legal formalities caught up. Data that the target had collected under its own privacy notice was sitting on infrastructure owned by a different legal person. Under GDPR applied in Poland, each legal person that determines the purposes and means of processing is a separate controller. Two controllers cannot simply share a dataset without a defined legal mechanism.

The target's privacy notice named it as sole controller. The acquiring entity had no contractual right to process that data. Every day the arrangement continued, both entities were exposed. The UODO has issued fines exceeding PLN 1 million for precisely this type of informal data migration – where operational convenience outpaced legal structure.

Three complicating factors made this matter harder than a standard data-sharing exercise. First, the dataset included special-category health indicators collected through a wellness feature. Second, the target's original consent language was narrow and did not anticipate a change of controller. Third, the IT team had already begun integrating the databases, meaning some records had been duplicated across systems. Our team was brought in six weeks after closing (a timing that, frankly, should have been before signing).

  • Two separate Polish controllers with overlapping datasets
  • Special-category data without a broad consent base
  • Partially integrated databases at the point of engagement
  • No data-processing agreement in place between the entities
  • Pending UODO inquiry triggered by a data subject complaint

How did the legal strategy address the controller relationship?

The core strategic decision was whether to structure the arrangement as a controller-to-controller transfer under a data-sharing agreement, or to consolidate legal personhood through a merger so that only one controller remained. The merger route would have taken a minimum of three months under Polish commercial law. The client needed a compliant structure within 30 days to respond to the UODO inquiry. We chose the contractual route.

We drafted a joint-controller agreement under GDPR, allocating responsibilities between the two Polish entities for the transitional period. This instrument – rarely used in domestic transactions – allowed both parties to continue processing the shared dataset while the formal controller consolidation was being prepared. The National Court Register (KRS) filing for the eventual merger ran in parallel. The joint-controller agreement specified which entity handled data subject requests, breach notification timelines of 72 hours to UODO, and the retention schedule for duplicated records.

For the special-category health data, a separate legal basis was required. Consent re-collection was impractical for 40,000 individuals. We identified a legitimate-interest pathway available under Polish law for employment-related health processing, applicable because a subset of the dataset related to the target's own employees. The remaining consumer health records required explicit consent refresh. We designed a layered communication campaign – email, in-app notification, and a 14-day response window – that achieved a 68% opt-in rate within the first cycle.

We also advised the client on intersecting obligations under the ustawa o krajowym systemie cyberbezpieczeństwa (Act on the National Cybersecurity System, KSC Act), which implements the NIS2 Directive in Poland. The acquiring entity qualified as an important entity under KSC Act thresholds. Any data migration affecting its core service infrastructure required an internal security assessment and documentation of residual risk – a step the IT team had skipped entirely.

What did the UODO process reveal?

The UODO inquiry arrived as a formal request for information, triggered by a data subject who had noticed their records appearing in communications from the acquiring entity – an entity they had never contracted with. The Office gave the acquiring entity 30 days to respond. This is a standard UODO timeline, but 30 days is tight when the underlying documentation does not yet exist.

Our team prepared the response in three parts. The first part documented the legal basis for the transitional processing under the joint-controller agreement. The second addressed the special-category data, explaining the consent refresh programme and providing response-rate evidence. The third described the technical and organisational measures – encryption standards, access controls, audit logs – that met GDPR requirements as interpreted by Polish supervisory practice.

We secured a favourable outcome: the UODO closed the inquiry without a fine, issuing only a corrective recommendation regarding the retention schedule for duplicated records. We had identified this gap ourselves and included a remediation timeline in our submission – a gesture that demonstrably influenced the Office's assessment. (UODO decisions are not published with full reasoning in all cases, but the pattern across published decisions shows that proactive disclosure of identified gaps consistently reduces sanction severity.)

We had previously structured a similar data-migration framework for a manufacturing client in the Mazowieckie region (autumn 2024), where the dataset involved supplier contracts rather than consumer personal data. That engagement confirmed a repeatable methodology: document first, migrate second, notify third. The Warsaw matter followed the same sequence.

What lessons apply to future intra-Poland data transfers?

The most transferable lesson is structural: legal basis must be confirmed before data moves, not after. In M&A contexts, data mapping should be a closing condition, not a post-closing remediation task. Every dataset the target controls needs a corresponding answer to three questions – who is the controller, what is the legal basis, and does the acquirer's intended use fall within the original processing purpose?

For companies managing ongoing intra-group data flows within Poland – between a parent and its Polish subsidiary, for example – a data-processing agreement under GDPR is the standard instrument where the subsidiary processes data solely on the parent's instructions. Where both entities exercise independent judgment over processing purposes, a joint-controller agreement is required instead. Conflating the two is one of the most common compliance errors we encounter. It also creates personal liability exposure for board members of both entities under Polish corporate legislation.

The intersection with obligations under the AI Act as applied in Poland is increasingly relevant. Where the transferred dataset will feed a machine-learning system, the transfer documentation must address the AI Act's data governance requirements for high-risk AI systems. DORA compliance adds a further layer for financial sector entities: any data migration affecting ICT infrastructure must be logged as a change event under internal ICT risk management frameworks, with a 72-hour notification window for significant incidents. For IP-intensive businesses, the transfer agreement should also confirm ownership of any derivative datasets – a point explored in our analysis of IP protection strategy for Romania tech companies in Poland.

Foreign investors structuring Polish operations should note that GDPR enforcement by the UODO in Poland has become more assertive since 2023. Trademark and brand data held in CRM systems carries the same GDPR exposure as any other personal data. An IP lawyer, Warsaw-based or otherwise, advising on data-driven acquisitions must integrate GDPR analysis from the outset. For employment data specifically – a category that appeared in our matter – the obligations intersect with Polish labour law, as detailed in our guide on employment law compliance for companies in Poland. Swiss and other non-EU technology investors face additional considerations addressed in our note on IP protection strategy for Switzerland tech companies in Poland.

What to prepare before any intra-Poland data transfer:

  • Data map identifying all datasets, controllers, and processing purposes
  • Confirmed legal basis for each dataset under GDPR
  • Executed data-processing or joint-controller agreement
  • Updated privacy notices reflecting the new controller or joint-controller arrangement
  • Internal security assessment and, where required, KSC Act documentation

Your company's specific situation may not mirror the facts above. The consequences of an undocumented transfer – an active UODO inquiry, fines reaching EUR 20 million, and reputational damage that forfeits customer trust built over years – are not reversible once the supervisory process begins.

If your organisation is managing a data migration, acquisition, or restructuring involving Polish-domiciled entities and datasets, contact info@kordeckipartners.com. We will map the controller relationships, identify the applicable legal bases, and draft the agreements needed to close the compliance gap before regulators act.

Frequently asked questions

Q: Does GDPR apply to data transfers between two companies both located in Poland?

A: Yes. The GDPR applies to any processing of personal data by a controller or processor established in the European Union, regardless of whether the sender and recipient are in the same member state. A transfer between two Polish legal persons requires a valid legal basis, a documented agreement, and – where the transfer changes the controller – updated privacy notices. The UODO supervises compliance and may open an inquiry on the basis of a single data subject complaint.

Q: How long does it take to put a compliant data-transfer structure in place?

A: A standard controller-to-controller data-sharing agreement or data-processing agreement can be drafted and executed within five to ten business days where the data map already exists. Where the data map must be built from scratch – the common situation in post-closing M&A remediation – the full process typically takes four to six weeks. Special-category data requiring consent refresh adds a further two to four weeks for the communication cycle. Beginning before the transaction closes reduces total elapsed time significantly.

Q: Is it a misconception that intra-group transfers within Poland are automatically lawful?

A: Yes, and it is a widespread one. Corporate group membership does not create a legal basis for data sharing under GDPR. Each legal entity in a group is a separate controller unless a valid instrument – a data-processing agreement, joint-controller agreement, or binding corporate rules – governs the flow. The UODO has confirmed this position in published decisions. Relying on group ownership as an implicit authorisation is a compliance failure that exposes both the sending and receiving entity to administrative liability.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, technology transactions, and AI regulation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams managing GDPR compliance, data transfers, and IP-intensive acquisitions. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.