A Warsaw-based software company signs a data-processing agreement with a domestic cloud provider. Both parties are registered in Poland. Both parties' servers are located in Poland. The legal team assumes no special rules apply. That assumption is wrong, and discovering it mid-audit can trigger enforcement by the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO), delay product launches, and expose board members to personal liability.

Data transfers within Poland remain subject to the full framework of the General Data Protection Regulation (GDPR) and the Polish Act of 10 May 2018 on the Protection of Personal Data. Every transfer requires a valid legal basis, a documented controller-processor relationship, and appropriate technical and organisational measures. UODO can impose administrative fines of up to EUR 20 million or 4 % of worldwide annual turnover, whichever is higher, for violations, and those fines apply even when data never crosses a national border.

This guide walks through the legal mechanisms that govern domestic data transfers in Poland: the applicable legal bases, the contractual instruments, sector-specific overlays such as DORA and the EU AI Act as they apply to Polish entities, the most common mistakes companies make, and a practical checklist for each business scenario. Readers who also handle cross-border flows will find a relevant comparison in our analysis of GDPR fines in Poland and UODO enforcement trends.

What legal bases govern data transfers within Poland?

Polish data protection law does not distinguish between "domestic" and "international" transfers; the additional conditions of GDPR Chapter V apply only to transfers to third countries. Instead, every sharing of personal data between two separate legal entities, even two Warsaw companies, must rest on one of the six lawful bases under Article 6 GDPR, supported by a valid legal instrument defining the parties' roles. UODO has confirmed this position in multiple administrative decisions since 2019.

The three most commercially relevant bases are: contractual necessity (where processing is required to perform a contract with the data subject), legitimate interest (where the controller's interests are not overridden by the data subject's rights), and consent. Consent is the weakest option for B2B transfers – it can be withdrawn at any time, which creates operational risk for ongoing data-sharing arrangements lasting longer than a few months.

Identifying the correct relationship between the parties matters as much as choosing the legal basis. The key distinction is between a processor (podmiot przetwarzający) and a joint controller (współadministrator). A processor acts only on the controller's documented instructions; a joint controller determines the purposes and means of processing together with the other controller. Misclassifying the relationship, in particular treating a joint controller as a mere processor, is one of the most frequent findings in UODO audits. The fine in one 2024 enforcement case exceeded PLN 1.5 million for exactly this error.

  • Legitimate interest requires a documented balancing test before data sharing begins.
  • Contractual necessity covers only processing strictly required to perform the contract.
  • Consent must be freely given, specific, and withdrawable without detriment.
  • Joint controllership requires an arrangement between the controllers whose essence is made available to data subjects (Article 26 GDPR).
  • Processor status requires a written Data Processing Agreement (DPA) under Article 28 GDPR.

Foreign investors entering Poland often underestimate this framework. A German investor structuring a Polish subsidiary (a scenario explored further in our tax structuring guide for Poland investors) will need to document intra-group data flows with the same rigour as any third-party transfer – the National Court Register (KRS) registration of the subsidiary as a separate legal entity means it is a distinct controller or processor in law.

How should companies structure Data Processing Agreements for domestic transfers?

A Data Processing Agreement (DPA) is mandatory whenever a controller in Poland engages a processor to handle personal data on its behalf. Under Article 28(3) GDPR the agreement must be in writing (including electronic form), cover the subject matter and duration of processing, specify the nature and purpose of the processing, identify the categories of personal data and data subjects involved, and set out the obligations and rights of the controller. UODO treats a missing or incomplete DPA as a standalone infringement, regardless of whether any actual harm occurred.

Polish corporate practice has developed a relatively standardised DPA structure, but several clauses consistently create disputes. Sub-processor authorisation is one. Under Article 28(2) GDPR the processor must obtain the controller's prior written authorisation, either specific or general, before engaging a sub-processor. General authorisation clauses are permitted, but the processor must inform the controller of any intended addition or replacement of sub-processors and give the controller a reasonable period (typically 14 days in Polish practice) to object. Failing to build that notice mechanism into the DPA forfeits the controller's ability to manage its processing supply chain.

We secured a renegotiation of a defective DPA for a fintech client in the Mazowieckie region (autumn 2025), avoiding a potential UODO investigation that had been flagged by the client's data protection officer. The core problem was a sub-processor clause that gave the processor unlimited discretion to engage any cloud infrastructure provider without prior notice – a structure that would not survive UODO scrutiny.

For companies operating in the financial sector, DORA compliance adds a second layer of requirements. The Digital Operational Resilience Act, applicable from 17 January 2025, requires Polish financial entities supervised by the Komisja Nadzoru Finansowego (Polish Financial Supervision Authority, KNF) to include specific contractual provisions in agreements with ICT third-party service providers. Those provisions overlap with, but do not replace, the GDPR DPA requirements. A single agreement must satisfy both frameworks simultaneously, which means DPA templates designed before January 2025 almost certainly need revision.

What are the AI Act obligations for data-intensive processing in Poland?

The AI Act dimension is relevant wherever domestic data transfers feed an automated decision-making system or a system classified as high-risk under the EU AI Act. The AI Act entered into force in August 2024 and applies in phases. From August 2026, providers and deployers of high-risk AI systems listed in Annex III must maintain technical documentation, operate a risk management system, and ensure human oversight, all of which require documented data flows as a foundation.

For domestic transfers specifically, the AI Act intersects with GDPR in two ways. First, training data for AI models must have a documented legal basis under GDPR. If a Polish company reuses customer data for model training by an internal AI team, that reuse is a change of purpose and requires either a compatibility assessment under Article 6(4) GDPR backed by a separate legitimate-interest assessment, or an explicit contractual basis. Second, decisions based solely on automated processing that produce legal or similarly significant effects on individuals are restricted by Article 22 GDPR and are permitted only where necessary for a contract, authorised by law, or based on explicit consent; legitimate interest alone is not sufficient.

Manufacturing companies face a particular challenge here. A factory in Silesia using an AI-driven quality-control system that also evaluates worker performance is both a GDPR controller and, from August 2026, a deployer of a high-risk AI system under Annex III of the AI Act (which covers AI used to evaluate employees). The data transfers from production-floor sensors to the AI platform must be documented under both frameworks. Failing to align the two compliance programmes creates a gap that a regulator will find. The Polish supervisory authority for the AI Act has not yet been formally designated; until it is, UODO's GDPR jurisdiction over the underlying personal-data processing continues to apply in full.

Our team obtained interim contractual protections for a technology client in Lower Silesia (spring 2026) whose AI-driven HR platform was processing employee data without a consolidated legal basis. The solution combined a legitimate-interest assessment, a revised DPA with the platform vendor, and an internal data-flow map registered with the client's data protection officer – completed within 30 days of instruction.

What are the most common mistakes in domestic data transfer compliance?

Compliance programmes fail most often at three points: documentation gaps, incorrect role classification, and overlooked sector rules. Each of these mistakes carries a distinct risk profile, and correcting them after a UODO investigation begins is significantly harder than addressing them proactively. UODO's average investigation timeline runs between 12 and 18 months, during which the company bears the burden of demonstrating compliance.

Documentation gaps are the most prevalent. Polish companies frequently rely on data-sharing arrangements that were agreed verbally or via email chains rather than a formal DPA. GDPR requires the agreement to be in writing, including electronic form; under Polish civil law, written form is satisfied by a handwritten signature or a qualified electronic signature, not by an informal email exchange. A company that cannot produce a signed DPA promptly after a UODO request is effectively presumed non-compliant, and that presumption is very difficult to rebut.

Incorrect role classification, treating a joint controller as a processor, is the second most common error. The practical test is whether the other party has a say in determining the purposes of processing. If a marketing partner decides which customer segments to target with your data, it is a joint controller, not a processor. Joint controllership requires an arrangement under Article 26 GDPR setting out each party's responsibilities, the essence of which must be made available to data subjects. Many Polish companies skip this step entirely, assuming a DPA is sufficient.

  • Missing or unsigned DPA – most common UODO finding.
  • Processor treated as joint controller (or vice versa) – triggers separate infringement.
  • Sub-processor list not maintained or not disclosed to the controller.
  • Legitimate-interest assessment not documented before transfer begins.

The third category, overlooked sector rules, is growing in importance. DORA obligations for financial entities, the AI Act's documentation requirements, and the rules for electronic communications providers under the Prawo komunikacji elektronicznej (Electronic Communications Law, which replaced the Prawo telekomunikacyjne in November 2024) all impose data-handling obligations that sit alongside GDPR. A Warsaw-based technology law practice advising a fintech client must check all three frameworks before signing off on any data-sharing arrangement. Our work on IP and technology matters across multiple jurisdictions, including the United States, reflects how these overlapping frameworks play out in practice; see our IP and tech practice page for US-Poland matters.

Practical checklist and business scenarios

Compliance with domestic data transfer rules in Poland can be broken into a manageable sequence. The timeline from initial data-flow mapping to a fully documented compliance programme typically runs six to twelve weeks for a mid-sized company, depending on the number of processors and the complexity of the data architecture. Budget for external legal review should be factored in from week one: retrofitting documentation after a UODO audit notice arrives costs three to five times more than proactive structuring.

What to prepare before any domestic data transfer:

  • Data-flow map identifying all personal data categories, sources, and recipients.
  • Role assessment for each recipient – controller, joint controller, or processor.
  • Signed DPA or joint-controller arrangement for each data-sharing relationship.
  • Legitimate-interest assessment (where that basis is relied upon), documented before the transfer begins and cross-referenced in the Records of Processing Activities (RoPA).
  • Sub-processor list with notification mechanism and objection window of at least 14 days.

Three business scenarios illustrate how the framework applies in practice. A manufacturing company in Wielkopolska sharing employee data with an HR software provider needs a DPA with sub-processor controls and, from August 2026, an AI Act risk assessment if the software uses automated scoring. An IT company in Pomerania providing white-label analytics to Polish clients is likely a processor for each client – it needs individual DPAs and must resist any temptation to aggregate client data across engagements without explicit authorisation. A foreign investor establishing a Polish holding structure needs to document the intra-group data flows from day one: the KRS-registered Polish entity is a separate controller, and group-internal transfers require the same legal instruments as third-party transfers.

The IP dimension arises where data transfers involve proprietary datasets, trade secrets, or software. Polish law protects databases as a distinct category: the Act of 27 July 2001 on the Protection of Databases grants a sui generis right to the database maker, separate from copyright and from the patent, trademark and design rights administered by the Urząd Patentowy Rzeczypospolitej Polskiej (Patent Office of the Republic of Poland, UPRP). A data-sharing agreement that grants broad access to a proprietary database may inadvertently license or transfer those rights unless the agreement expressly limits the scope of use. This is a frequent oversight in DPAs drafted without IP review.

Frequently asked questions

Q: Does GDPR apply to data transfers between two Polish companies where the data never leaves Poland?

A: Yes. GDPR applies to any processing of personal data by a controller or processor established in Poland, regardless of the nationality of the data subjects or the location of the servers. The regulation does not require a cross-border element to trigger compliance obligations. Even a transfer of employee data between two Warsaw entities requires a valid legal basis and, where a processor is involved, a written Data Processing Agreement.

Q: How long does it take to negotiate and execute a compliant DPA for a domestic data-sharing arrangement?

A: A straightforward DPA between two companies with no sector-specific overlay can be negotiated and signed within two to four weeks. Where DORA requirements apply, for financial entities supervised by KNF, the agreement must include additional contractual provisions, and the timeline typically extends to six to eight weeks. Complex arrangements involving AI systems or multi-party joint controllership may require ten to twelve weeks. Starting the process before the data transfer begins is essential: GDPR does not permit retroactive authorisation, and processing carried out before the DPA is signed is already an infringement.

Q: Is it a common misconception that intra-group data transfers within Poland do not require formal documentation?

A: It is one of the most persistent misconceptions in Polish data protection practice. Corporate group membership does not create a legal basis for data sharing under GDPR. Each KRS-registered entity in a group is a separate legal person and therefore a separate controller or processor. Intra-group transfers require the same legal instruments as third-party transfers: a DPA where one entity processes on behalf of another, or a joint-controller arrangement where both entities determine the purposes of processing. UODO has issued fines in cases involving exactly this misunderstanding.

For a tailored strategy on structuring your domestic data transfer compliance programme, reach out to info@kordeckipartners.com.

Your company's specific data architecture may involve overlapping obligations under GDPR, DORA, and the AI Act, any one of which can trigger enforcement if documentation is incomplete. Acting before a UODO audit notice arrives is the only way to avoid the irreversible consequence of a public administrative decision on the UODO register.

If your organisation is mapping data flows, renegotiating DPAs, or building an AI Act compliance programme in Poland, we will conduct a structured legal review, identify role-classification risks, and draft the necessary instruments: info@kordeckipartners.com.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, IP, technology law, and regulatory compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.