A Warsaw-based technology company signs a contract with a Dubai-based partner. Customer data, employee records, and proprietary analytics must flow between the two offices. The IT team asks a simple question: is this legal? The answer is not simple at all.

Transferring personal data from Poland to the United Arab Emirates requires a valid legal mechanism under the Ogólne rozporządzenie o ochronie danych (General Data Protection Regulation, GDPR), which applies in Poland as an EU member state. The UAE does not hold an adequacy decision from the European Commission, meaning free transfer is not permitted by default. Businesses must rely on one of several alternative mechanisms – standard contractual clauses, binding corporate rules, or derogations – before any data leaves Poland for Dubai or Abu Dhabi.

This guide walks through each mechanism step by step, identifies the most common compliance mistakes, and maps three practical business scenarios for Polish and UAE-based companies. Timelines and costs are included for each route.

Why does the UAE lack adequacy status, and what does that mean in practice?

The UAE sits on the list of third countries without an adequacy decision from the European Commission. That status reflects a formal Commission assessment: UAE data protection law does not yet provide a level of protection essentially equivalent to the EU standard. The result is a transfer prohibition by default. Any Polish company sending personal data to the UAE without a valid legal basis faces fines of up to EUR 20 million or 4% of global annual turnover – whichever is higher.

The UAE has made significant legislative strides. The federal Qanun Ittihadi raqm 45 (Federal Decree-Law No. 45 of 2021 on Personal Data Protection, PDPL) came into force in 2022, and the Dubai International Financial Centre (DIFC) operates its own separate data protection framework. Neither framework has yet triggered an EU adequacy finding. Polish companies cannot rely on UAE law alone to justify the transfer.

The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) is the Polish supervisory authority responsible for enforcing GDPR. The UODO has issued guidance confirming that transfers to the UAE must use one of the recognised safeguard mechanisms. Ignoring that guidance is not a theoretical risk – the UODO has issued fines exceeding PLN 1 million in comparable cases. The window to establish a compliant transfer mechanism before a contract goes live is typically 30 to 60 days.

One common misconception is that a bilateral commercial contract between a Polish exporter and a UAE importer is sufficient. It is not. A commercial contract addresses obligations between the parties; it does not substitute for the GDPR safeguards owed to data subjects. Overlooking that distinction forfeits the right to transfer data and can invalidate the underlying commercial arrangement entirely.

What legal mechanisms are available for transferring data from Poland to the UAE?

Three primary mechanisms allow data transfers from Poland to the UAE under GDPR. Each has a different risk profile, timeline, and cost. Choosing the wrong one – or implementing it incorrectly – precludes lawful processing and triggers supervisory scrutiny.

The first and most widely used mechanism is Standard Contractual Clauses (SCCs). The European Commission adopted updated SCCs in June 2021. These are pre-approved contractual modules that controllers and processors sign before any transfer occurs. For a Polish company sending employee data to a UAE HR platform, SCCs are usually the fastest route. Implementation takes 2 to 4 weeks. Legal drafting costs in Poland typically range from PLN 3,000 to PLN 8,000 depending on complexity.

The second mechanism is Binding Corporate Rules (BCRs). BCRs are internal codes of conduct approved by UODO (or another lead EU supervisory authority) for intra-group transfers within a multinational group. Approval takes 12 to 18 months on average and requires a detailed application. BCRs suit large corporate groups with ongoing, high-volume transfers. They are not practical for a single commercial relationship.

The third route covers derogations under GDPR. These include explicit consent of the data subject, performance of a contract with the data subject, and important reasons of public interest. Derogations are narrow. Consent as a transfer basis is fragile – it can be withdrawn at any time. The Naczelny Sąd Administracyjny (Supreme Administrative Court) has confirmed that reliance on consent for systematic transfers is not appropriate. Derogations work for occasional, one-off transfers only.

  • SCCs – fastest route, 2 to 4 weeks, moderate cost, suitable for most commercial relationships
  • BCRs – strongest protection, 12 to 18 months, high cost, suitable for corporate groups
  • Consent derogation – narrow use, unsuitable for systematic transfers
  • Contract performance derogation – limited to direct transfers necessary for the contract
  • Transfer Impact Assessment (TIA) – required alongside SCCs to verify UAE safeguards in practice

A Transfer Impact Assessment deserves separate attention. The Trybunał Sprawiedliwości Unii Europejskiej (Court of Justice of the European Union, CJEU) confirmed in the Schrems II ruling that SCCs alone are not always sufficient. The exporter must assess whether UAE law and practice undermine the SCC protections in the specific transfer context. A TIA is not a formality. It requires a documented legal analysis of UAE surveillance law, data subject rights, and available remedies.

We secured a compliant SCC and TIA package for a fintech client exporting payment analytics to a DIFC-licensed partner in Dubai (autumn 2025). The transfer went live within 28 days of instruction.

To discuss which mechanism fits your specific transfer scenario, contact info@kordeckipartners.com

How does the step-by-step compliance procedure work for SCCs?

SCCs are the default mechanism for most Polish-to-UAE transfers. The procedure has five defined steps, and skipping any one of them creates an unlawful transfer. The total timeline from instruction to live transfer is typically 3 to 6 weeks.

Step 1 – Data mapping. The Polish data controller must identify every category of personal data leaving Poland, the purpose of the transfer, the recipient in the UAE, and the legal basis for processing. This mapping typically takes 3 to 5 business days for a mid-sized company. GDPR requires this documentation to be maintained in the Records of Processing Activities (RoPA).

Step 2 – Transfer Impact Assessment. The TIA analyses UAE law to confirm that SCCs can work in practice. Key areas: government access to data, enforcement mechanisms for data subjects, and the DIFC or mainland framework applicable to the UAE recipient. A TIA for a standard B2B transfer takes 5 to 10 business days.

Step 3 – SCC module selection and drafting. The 2021 SCCs contain four modules: controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor. Selecting the wrong module is a common mistake. An IP lawyer in Warsaw familiar with both Polish GDPR requirements and UAE contract law can draft and negotiate the clauses in 5 to 7 business days.

Step 4 – Supplementary measures. Where the TIA reveals risks, supplementary technical or contractual measures are required. Encryption in transit and at rest, pseudonymisation, and contractual notification obligations are the most common additions. These measures must be documented and proportionate to the identified risk.

Step 5 – UODO notification. Most SCC-based transfers do not require prior UODO authorisation. However, if the transfer involves special categories of data (health, biometric, criminal records), the controller must notify UODO before the transfer begins. Notification processing takes up to 30 days.

What are the three most common scenarios – and which mechanism fits each?

Three business scenarios dominate Polish-to-UAE data transfers. Each requires a different compliance approach, timeline, and budget.

Scenario 1 – Manufacturing company with a UAE distribution partner. A Silesian manufacturer shares employee contact data and logistics records with a Dubai-based distributor. The data categories are low-risk. SCCs (controller-to-controller module) combined with a standard TIA are appropriate. Total compliance cost: PLN 5,000 to PLN 10,000. Timeline: 3 to 4 weeks. The manufacturer should update its privacy notice to inform employees of the UAE transfer.

Scenario 2 – IT company using a UAE cloud processor. A Warsaw-based software house stores client data on a UAE-based cloud platform. This is a controller-to-processor relationship. SCCs (module two) are mandatory. The TIA must address the cloud provider's data centre location and the applicable UAE surveillance law. The SCC must include a sub-processing clause. Timeline: 4 to 6 weeks. An IP protection strategy should also address the intellectual property embedded in the transferred datasets, particularly where EU AI Act obligations apply to the processing in Poland.

Scenario 3 – Foreign investor structuring a UAE-Poland operation. A UAE investor acquires a Polish subsidiary and wants to centralise HR data in Abu Dhabi. This is an intra-group transfer. BCRs are the long-term solution, but with an 18-month approval timeline, interim SCCs are necessary. DORA compliance obligations may also arise if the group operates in financial services. For structuring questions, the Sp. z o.o. vs SA decision matrix for UAE investors addresses the corporate vehicle choice that affects which entity acts as data controller.

We advised a Małopolska-based e-commerce group on restructuring its data flows to a UAE parent following an acquisition (spring 2026). The interim SCC package was operational within 35 days.

Comparing the UAE transfer route with other cross-border transfers is instructive. A data transfer from Poland to Cyprus is simpler – Cyprus is an EU member state, so no transfer mechanism is needed. The UAE route is materially more complex and requires active legal management.

Your specific transfer scenario may involve trademark data, customer databases, or proprietary analytics. Each category carries different risk. Failing to categorise correctly forfeits the ability to rely on lighter-touch mechanisms and may require UODO notification.

To receive a tailored assessment of your Poland-to-UAE data transfer structure, contact info@kordeckipartners.com

What are the most common compliance mistakes – and how can they be avoided?

Data transfer compliance failures follow predictable patterns. Identifying them in advance avoids the irreversible consequence of a UODO investigation, which can freeze the transfer and trigger fines exceeding EUR 10 million.

The first mistake is treating SCCs as a one-time exercise. SCCs must be reviewed whenever the transfer changes materially – new data categories, new UAE sub-processors, or a change in UAE law. A Polish company that executed the 2021 SCCs in 2022 and has not reviewed them since is likely non-compliant today. GDPR requires ongoing accountability, not a single sign-and-forget approach.

The second mistake is omitting the TIA. Many companies execute SCCs without conducting any Transfer Impact Assessment. This is a direct violation of GDPR requirements post-Schrems II. UODO can request the TIA documentation at any time. Absence of a TIA is treated as evidence of a systemic compliance failure.

The third mistake is incorrect module selection. Controller-to-processor SCCs impose data processing instructions and audit rights on the UAE processor. Using controller-to-controller SCCs for a processor relationship removes those protections. The mismatch creates personal liability for the Polish data controller's management board.

  • Review SCCs after any material change to the transfer
  • Document the TIA before the transfer goes live
  • Select the correct SCC module for the actual relationship
  • Update the RoPA to reflect the UAE transfer
  • Notify UODO before transferring special category data

One further risk applies specifically to DIFC-based recipients. The DIFC Data Protection Law operates separately from mainland UAE law. A TIA conducted for a mainland UAE recipient is not automatically valid for a DIFC entity. The two regimes require separate analysis. Missing this distinction is a frequent error in cross-border deals involving Dubai's financial centre.

Frequently asked questions

Q: How long does it take to establish a compliant data transfer mechanism to the UAE?

A: For Standard Contractual Clauses, the typical timeline is 3 to 6 weeks from instruction to live transfer. This includes data mapping, Transfer Impact Assessment, SCC drafting, and any supplementary measures. Binding Corporate Rules take 12 to 18 months and require UODO approval. Companies with an urgent commercial deadline should begin the SCC process at least 30 days before the intended transfer date.

Q: Is it a misconception that a commercial contract with a UAE partner is sufficient for GDPR compliance?

A: Yes, this is one of the most common misconceptions. A commercial agreement governs obligations between the contracting parties, but GDPR safeguards are owed to the data subjects – the individuals whose data is being transferred. Standard Contractual Clauses are a separate legal instrument and must be executed in addition to the commercial contract. Relying on the commercial contract alone precludes lawful transfer and exposes the Polish company to supervisory action.

Q: What costs should a Polish company budget for a UAE data transfer compliance project?

A: For a standard B2B transfer using SCCs, legal costs in Poland range from PLN 5,000 to PLN 15,000 depending on the complexity of data categories and the number of UAE recipients. A Transfer Impact Assessment for a DIFC-based recipient typically costs more than one for a mainland UAE entity, given the dual-framework analysis required. Internal costs – staff time for data mapping and RoPA updates – add to the total. BCR applications involve significantly higher investment, often exceeding PLN 50,000 in legal fees alone.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, IP, and technology law. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating cross-border data transfer requirements. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.