A Warsaw-based e-commerce company signs a contract with a Spanish logistics provider. Within days, the operations team asks a straightforward question: can we send our customer database to Madrid? The legal answer is less straightforward than the business question suggests. Both Poland and Spain sit inside the European Union, yet the transfer still requires a documented legal basis, a clear understanding of which supervisory authority takes the lead, and internal records that satisfy any future audit.

Data transfers between Poland and Spain are governed by the General Data Protection Regulation (GDPR), which applies uniformly across all EU member states. Because Spain is an EU country, no adequacy decision or supplementary transfer mechanism is required – the transfer is lawful provided the exporter holds a valid legal basis for the underlying processing and has completed the necessary documentation. The Polish supervisory authority, the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO), and its Spanish counterpart, the Agencia Española de Protección de Datos (Spanish Data Protection Agency, AEPD), both enforce the same GDPR framework, though each may interpret procedural requirements differently.

This guide walks through the step-by-step procedure for structuring an intra-EU data transfer from Poland to Spain, covering the legal mechanisms available, the documentation required, common mistakes, and three practical business scenarios. The timeline from initial assessment to compliant transfer typically runs four to eight weeks, depending on the volume of data and the complexity of the processing relationship.

Why does an intra-EU transfer still require a legal mechanism?

Many businesses assume that because both countries share the same regulation, no formalities apply. That assumption forfeits the protection that documented compliance provides. The GDPR requires every transfer of personal data – including transfers within the EU – to rest on a lawful basis, and that basis must be recorded in the controller's processing register. The Personal Data Protection Office (UODO) can audit that register at any time, and an incomplete record exposes the Polish controller to corrective measures.

The starting point is identifying the relationship between the Polish entity and the Spanish recipient. Three configurations arise most often in practice:

  • Controller-to-processor: the Polish company remains the data controller; the Spanish company processes data on its behalf under a Data Processing Agreement (DPA).
  • Controller-to-controller: both entities independently determine the purposes of processing, requiring each to hold its own lawful basis.
  • Joint controllers: both entities jointly determine purposes and means, requiring a written arrangement under GDPR.

Getting this classification right is not a formality. It determines which party bears primary compliance obligations, which supervisory authority is the lead authority for cross-border complaints, and what contractual clauses are mandatory. A Polish IT company that incorrectly treats its Spanish partner as a processor – when in reality the partner independently decides how to use the data – may find itself without a valid legal basis entirely.

One concrete figure matters here: the UODO must respond to a formal complaint within three months. That deadline creates real pressure on controllers to have documentation ready before a complaint is filed, not after.

What are the available legal mechanisms for sending data to Spain?

Because Spain is an EU member state, the transfer mechanisms reserved for third-country transfers – adequacy decisions, standard contractual clauses (SCCs) for international transfers, binding corporate rules – do not apply. The legal basis for the transfer is the same legal basis that authorises the underlying processing. The practical task is selecting that basis correctly and documenting it.

The most common lawful bases in a Poland-to-Spain commercial context are:

  • Contract performance: the transfer is necessary to perform a contract with the data subject.
  • Legitimate interests: the controller's or a third party's legitimate interest overrides the data subject's interests, requiring a balancing test.
  • Consent: explicit, informed, and freely given – the hardest basis to maintain at scale.
  • Legal obligation: processing is required to comply with a legal requirement binding on the controller.

For business-to-business transfers – for example, a Polish manufacturer sharing employee data with its Spanish subsidiary for payroll processing – the controller-to-processor route with a signed DPA is almost always the right structure. The DPA must contain the mandatory clauses specified under GDPR data processor provisions: subject matter, duration, nature and purpose of processing, type of data, categories of data subjects, and the controller's instructions.

We secured a compliant data-transfer structure for a manufacturing client in the Mazowieckie region (autumn 2025), resolving a six-month impasse with its Spanish parent company over the correct processor classification. The solution reduced the client's audit exposure significantly and was implemented within three weeks of engagement.

For a deeper comparison with transfers to non-EU destinations, the guide "Data transfer from Poland to Ukraine – legal mechanisms" sets out how the third-country framework differs from the intra-EU route.

What documentation must the Polish controller prepare?

Documentation is where most transfers fail in practice. A valid legal basis is necessary but not sufficient. The Polish controller must also maintain a Record of Processing Activities (Rejestr czynności przetwarzania, RCP) that covers the transfer to Spain. That record must specify the categories of data transferred, the identity of the Spanish recipient, the legal basis, and any retention periods. The UODO can request this record within 72 hours of opening an investigation.

Where the transfer involves a processor relationship, the Data Processing Agreement must be signed before any data moves. This is a hard sequencing rule. Sending data first and signing the DPA later is a compliance failure, even if the DPA is eventually put in place.

The checklist below covers the documents a Polish controller should have in place before the first transfer:

  • Updated Record of Processing Activities entry for the Spanish transfer.
  • Signed Data Processing Agreement (for processor relationships) or joint-controller arrangement.
  • Privacy notice update informing data subjects of the Spanish recipient.
  • Legitimate interests assessment (where legitimate interests is the chosen basis).
  • Internal transfer authorisation signed by the Data Protection Officer or equivalent.

One area that generates consistent problems is the privacy notice. Polish controllers often update their processing register but forget to revise the privacy notice visible to data subjects. The Spanish Data Protection Agency (AEPD) has taken enforcement action in cases where data subjects were not informed of transfers to other EU entities. That risk travels back to the Polish controller if the complaint is filed in Poland.

GDPR compliance intersects here with broader digital regulation. Controllers handling financial data should also consider DORA compliance obligations if the Spanish recipient is a financial-sector entity, as the Digital Operational Resilience Act imposes its own contractual requirements on data-sharing arrangements with ICT third-party providers.

Three business scenarios: manufacturing, IT services, and foreign investors

Abstract rules become clearer through concrete situations. Three scenarios illustrate how the legal framework applies in practice and where each type of business is most likely to make mistakes.

Manufacturing company with a Spanish distribution partner. A Polish manufacturer shares customer order data with a Spanish distributor that fulfils orders locally. The Spanish distributor independently decides how to handle customer communications. This is a controller-to-controller transfer. Each entity needs its own lawful basis. The Polish manufacturer must update its privacy notice to name the Spanish distributor as a separate controller. A DPA alone is insufficient – and many manufacturers sign one anyway, creating a false sense of compliance.

IT services company with a Spanish client. A Warsaw-based software house processes personal data on behalf of a Spanish SaaS company. Here the Polish entity is the processor, not the controller. The Spanish client (controller) must initiate the DPA, and the Polish processor must ensure its own sub-processors are also contractually bound. Under GDPR, the processor cannot engage a sub-processor without prior written authorisation from the controller. Missing that authorisation – even for a cloud-storage provider used internally – is a breach.

Our team obtained interim measures protecting a data-processing arrangement worth over EUR 3m for an IT client in Lower Silesia (spring 2025), after the Spanish controller threatened to terminate the contract over an undocumented sub-processor. The matter was resolved within four weeks through a retroactive authorisation process and a revised DPA.

Foreign investor establishing a Polish subsidiary. A Spanish parent company transfers HR data of Polish employees to its Madrid headquarters for consolidated reporting. The parent acts as controller; the Polish subsidiary is a separate controller for local employment purposes. This joint-processing scenario requires both a DPA and a documented legitimate-interests assessment covering the intra-group transfer. The UODO has signalled that intra-group transfers are not automatically exempt from documentation requirements, regardless of the corporate relationship. For investors considering cross-border IP and employment structures, the guide "Posted workers from Spain to Poland and A1 certificates" addresses the employment law dimension of the same relationship.

For technology companies managing IP assets alongside personal data, the article "IP protection strategy for tech companies in Poland" provides a useful parallel framework for structuring cross-border arrangements.

What are the most common mistakes and how can they be avoided?

Step-by-step compliance is straightforward on paper. In practice, four mistakes account for the majority of enforcement exposure in Poland-to-Spain transfers.

Treating intra-EU as no-formality. The absence of a third-country mechanism does not mean the absence of documentation. GDPR obligations – lawful basis, transparency, record-keeping – apply to every processing activity, including transfers within the EU. The UODO has issued corrective decisions against Polish controllers who relied on EU membership as a substitute for compliance documentation.

Misclassifying the processing relationship. As the three scenarios above illustrate, the controller/processor distinction determines the entire compliance structure. A misclassification discovered during a UODO audit can require retroactive restructuring of contracts, updated privacy notices, and fresh data-subject notifications – all within a deadline imposed by the regulator. That timeline can be as short as 30 days.

Failing to update privacy notices. Data subjects must be informed of recipients or categories of recipients of their data. Naming "our business partners" is insufficient. The AEPD and the UODO both expect specific identification of entities receiving personal data, at least by category and country.

Ignoring the AI Act dimension in Poland. Controllers using AI-based tools to process personal data transferred to Spain – for example, automated profiling or decision-making systems – must now layer AI Act obligations on top of GDPR requirements. The AI Act introduces risk classification, transparency duties, and prohibited practices that interact directly with GDPR's automated decision-making provisions. Ignoring this interaction is an increasingly common mistake as AI tools become standard in commercial operations.

Personal liability is not theoretical here. Under Polish administrative law, the UODO can impose fines of up to EUR 20 million or four percent of global annual turnover – whichever is higher – for serious infringements. That exposure is irreversible once a decision is issued; appeals through the administrative courts take 18 to 24 months on average.

Specific advice for businesses transferring data in the context of trademark or IP licensing arrangements is available from an IP law practice in Warsaw. GDPR and IP law interact when licensing databases, customer lists, or proprietary datasets cross borders.

Frequently asked questions

Q: Do we need a Data Processing Agreement for every transfer to Spain, or only for some?

A: A Data Processing Agreement is mandatory only where the Spanish recipient processes personal data on behalf of the Polish controller – that is, in a controller-to-processor relationship. Where the Spanish entity acts as an independent controller, a DPA is not the correct instrument; instead, each party needs its own lawful basis and the privacy notice must identify the Spanish entity as a separate controller. Using a DPA in a controller-to-controller situation creates a false compliance structure and may actually obscure the absence of a valid lawful basis.

Q: How long does it take to put a compliant transfer structure in place?

A: For a straightforward controller-to-processor transfer with a single Spanish recipient, the process typically takes two to four weeks. That covers legal-basis assessment, DPA drafting and negotiation, privacy-notice update, and processing-register amendment. More complex structures – joint controllers, multiple recipients, AI-based processing – can take six to ten weeks. Starting the process after the transfer has already begun increases both the timeline and the remediation cost.

Q: Is consent a reliable legal basis for transfers to Spanish business partners?

A: Consent is rarely the right basis for business-to-business data transfers. GDPR requires consent to be freely given, specific, informed, and unambiguous. In employment or commercial relationships, consent is often not freely given because of the power imbalance between the parties. If the data subject later withdraws consent, the entire transfer becomes unlawful retroactively – which is an irreversible compliance failure. Contract performance or legitimate interests are generally more durable bases for commercial transfer relationships. The UODO has issued guidance confirming that consent should not be used as a default basis where another basis is available.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, technology regulation, and cross-border compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams on GDPR implementation, AI Act readiness, DORA compliance, and IP protection strategy. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.