A Warsaw-based software company signs a contract with a London-based analytics firm. Within days, personal data of Polish employees and customers begins flowing to UK servers. The legal team assumes the UK adequacy decision covers everything. It does not – and the gap between assumption and compliance can cost the company its ability to transfer data at all.
Data transfers from Poland to the United Kingdom are governed by the Ogólne rozporządzenie o ochronie danych (General Data Protection Regulation, GDPR), as implemented in Polish law, and by the UK's post-Brexit adequacy decision issued by the European Commission in June 2021. That decision covers most commercial data flows and remains valid until June 2025, when the European Commission must renew or withdraw it. Controllers relying on the adequacy decision must monitor renewal proceedings actively, because a lapse would immediately require alternative transfer mechanisms.
This guide walks through each available transfer mechanism in order of practical preference, explains the procedural steps and timelines, identifies the three most common mistakes, and presents three business scenarios – manufacturing, IT services, and a foreign investor structure – to illustrate how the choice of mechanism affects day-to-day operations.
What legal mechanisms permit data transfer from Poland to the United Kingdom?
The starting point is the European Commission adequacy decision for the UK, adopted in June 2021. It classified the UK as providing an essentially equivalent level of data protection to the EU. For most controllers, this is the simplest path: no additional safeguards are needed, and data can flow to UK recipients as freely as to any EU member state. The decision covers transfers under both the GDPR and the ustawa o ochronie danych osobowych (Personal Data Protection Act, UODO). Polish supervisory oversight remains with the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO – using the same acronym as the act, which causes frequent confusion in practice).
The adequacy decision has a built-in sunset clause. Unless renewed by the European Commission before June 2025, it expires automatically. Controllers who have not prepared fallback mechanisms face an immediate compliance gap – transfers would become unlawful overnight. That is the lost-opportunity risk: companies that plan ahead retain business continuity; those that do not must scramble for alternatives under time pressure.
Where the adequacy decision does not apply – or as a contingency – three further mechanisms are available. First, standardowe klauzule umowne (Standard Contractual Clauses, SCCs) approved by the European Commission. Second, wiążące reguły korporacyjne (Binding Corporate Rules, BCRs) for intra-group transfers. Third, specific derogations under GDPR for consent, contract performance, or vital interests. Each mechanism has different procedural requirements, timelines, and risk profiles.
The National Court Register (KRS) filing obligations are not directly triggered by a transfer mechanism choice, but corporate structure decisions – discussed in the foreign investor scenario below – interact with transfer planning in ways that matter operationally.
How do Standard Contractual Clauses work for Poland–UK transfers?
SCCs are the most widely used fallback mechanism. The European Commission adopted a modernised SCC set in 2021, covering four transfer scenarios: controller-to-controller, controller-to-processor, processor-to-controller, and processor-to-processor. Polish controllers must use the 2021 version; the older 2004 and 2010 SCCs were invalidated. The clauses must be incorporated verbatim into the data processing agreement – no substantive modifications are permitted, though commercial terms may be added in a separate annex.
Implementation takes between two and six weeks for a straightforward bilateral arrangement. The controller must complete a Transfer Impact Assessment (TIA) – a documented analysis of UK law's effect on the protection offered by the SCCs. Given UK intelligence legislation, particularly the Investigatory Powers Act 2016, TIAs for UK transfers require careful drafting. The Polish Financial Supervision Authority (KNF) has issued sector-specific guidance for financial institutions that adds a further layer of documentation.
We secured a compliant SCC framework for a financial technology client in the Mazowieckie region (autumn 2025), including a TIA that addressed UK surveillance legislation and satisfied both internal audit and a subsequent KNF inquiry. The process took four weeks from instruction to signed agreement.
Key steps for SCC implementation:
- Map all data flows to UK recipients and classify by transfer scenario type
- Conduct a Transfer Impact Assessment for each recipient country (UK-specific)
- Incorporate the correct SCC module verbatim into the processing agreement
- Document supplementary measures where the TIA identifies residual risk
- Review annually or upon any material change to UK law
SCCs do not require prior approval from the UODO. However, if the TIA concludes that UK law materially undermines the protections, the transfer must be suspended until supplementary measures are in place. Ignoring that conclusion forfeits the legal basis for the transfer entirely – an irreversible compliance failure that regulators treat as a deliberate violation.
When are Binding Corporate Rules the right instrument?
BCRs are appropriate for multinational groups that transfer personal data between affiliated entities across multiple jurisdictions, including the UK. A BCR package approved by a lead EU supervisory authority covers all intra-group transfers to the listed third countries. The process is long – typically 18 to 36 months from initial submission – and expensive, with external legal fees often exceeding EUR 50,000 for a full BCR programme. For a group with an established UK subsidiary and ongoing high-volume data flows, however, BCRs offer the most durable and operationally flexible solution.
The UODO can act as lead supervisory authority for BCR applications where the group's EU headquarters or main establishment is in Poland. Approval requires a detailed privacy policy, data subject rights procedures, internal audit mechanisms, and cooperation clauses binding all group members. Post-Brexit, the UK's Information Commissioner's Office (ICO) operates a parallel BCR regime under UK GDPR. Groups seeking coverage in both directions – EU to UK and UK to EU – may need to maintain two separate BCR instruments, which doubles the administrative burden.
For most Polish SMEs, BCRs are disproportionate. The instrument suits groups with at least three affiliated entities, regular high-volume transfers, and internal data protection resources. A manufacturing group with production in Poland, a holding company in the UK, and a distribution subsidiary in Germany would be a typical BCR candidate.
What are the three most common mistakes in Poland–UK data transfers?
The first mistake is assuming the adequacy decision is permanent. It is not. Controllers who build their entire transfer programme on the adequacy decision without a BCR or SCC fallback face an existential compliance gap if the decision lapses or is challenged. The correct approach is to maintain SCCs as a parallel instrument, even while the adequacy decision is in force.
The second mistake is using outdated SCC templates. Several Polish companies continue to rely on the 2004 controller-to-processor clauses. Those clauses have no legal effect for transfers initiated after December 2022. Any transfer resting on them is legally unprotected – personal liability of the data protection officer and administrative fines of up to EUR 20 million or 4% of global annual turnover are the consequence.
The third mistake is neglecting the Transfer Impact Assessment. Many controllers treat the TIA as a box-ticking exercise, copying a generic template without analysing UK surveillance law. The UODO has signalled, in guidance published in 2023, that it will scrutinise TIA quality in the event of a complaint or audit. A TIA that does not engage with the Investigatory Powers Act 2016 will not satisfy the regulator.
For context on how similar transfer issues arise in other third-country relationships, our analysis of data transfer from Poland to Cyprus sets out the adequacy and SCC framework in a different jurisdiction, with useful comparative observations on TIA methodology.
How do the three business scenarios affect mechanism choice?
Manufacturing companies typically transfer HR data – payroll records, health and safety files, employee monitoring data – to a UK parent or shared services centre. The volume is regular but not enormous. SCCs are the appropriate mechanism. The controller-to-processor module applies where the UK entity processes data on behalf of the Polish entity; the controller-to-controller module applies where the UK entity determines its own processing purposes. Many manufacturing clients incorrectly use the processor module for a UK parent that is actually a joint controller, which invalidates the legal basis entirely.
IT services companies face a more complex picture. They often act as processors for EU clients and sub-processors for UK clients simultaneously. GDPR compliance in Poland requires them to maintain a Record of Processing Activities (RPA) that maps every transfer, every recipient, and every mechanism. For IT companies subject to ustawa o krajowym systemie cyberbezpieczeństwa (Act on the National Cybersecurity System), DORA compliance obligations add a further layer of contractual requirements for ICT service providers – relevant for any fintech or financial infrastructure operator. The Warsaw IP legal market has seen a surge in requests for combined data transfer and IP licensing agreements where software is hosted on UK servers; those arrangements require both SCC coverage and a separate IP licence addressing jurisdiction and governing law.
We obtained interim measures protecting a data processing arrangement worth over EUR 3m for an IT services client in Lower Silesia (spring 2026), after a UK counterparty attempted to terminate a processing agreement by invoking a post-Brexit force majeure clause. The SCC framework – properly implemented – gave the Polish client enforceable rights before both the Polish court and the ICO.
Foreign investors structuring a Polish entry often ask whether to route data through a UK holding company or directly from a Polish operating entity. The answer depends on the volume and sensitivity of the data, the group's BCR status, and the tax structure – which interacts with data governance in ways that are easy to overlook. For the tax dimension of UK-Poland structures, our guide on the double tax treaty between Poland and the United Kingdom addresses the treaty provisions that affect holding company choices, which in turn affect where data controllers are legally established.
Tech companies – whether Polish or foreign – should also consider how EU AI Act obligations in Poland interact with data transfer. AI systems processing personal data that is transferred to UK-based training or inference infrastructure require both a transfer mechanism and an AI Act compliance assessment. Trademark and IP protection for AI outputs adds a further layer; our article on IP protection strategy for Switzerland tech companies in Poland addresses the Warsaw IP lawyer's perspective on cross-border IP and data governance, with observations applicable to UK-bound structures.
What to prepare before initiating a Poland–UK data transfer programme:
- Full data flow map identifying every UK recipient, data category, and transfer frequency
- Confirmation of whether the adequacy decision covers the specific processing activity
- Completed Transfer Impact Assessment addressing UK surveillance legislation
- Signed SCC addendum (correct module) or BCR approval documentation
- Updated Record of Processing Activities reflecting the new transfer
Controllers who complete these steps before initiating transfers are in a materially stronger position in the event of a UODO audit. Those who skip the TIA or use outdated SCCs preclude themselves from relying on any safe harbour – a consequence that cannot be remedied retroactively once a complaint has been filed.
Every data transfer programme involves specific facts that generic guidance cannot fully address. The adequacy decision renewal timeline, the UK ICO's evolving guidance, and individual group structures all affect which mechanism is optimal for your organisation.
To receive an expert assessment of your Poland–UK data transfer framework, contact info@kordeckipartners.com. Our team will review your data flow map, identify gaps in your current SCC or adequacy reliance, and deliver a remediation plan within ten business days.
Frequently asked questions
Q: Does the UK adequacy decision cover all types of personal data, including special category data?
A: The adequacy decision covers personal data generally, including special category data such as health records and biometric data. However, controllers transferring special category data must satisfy both the transfer mechanism requirement and the separate legal basis for processing that category under GDPR. The adequacy decision does not remove the obligation to identify a specific condition for processing sensitive data – it only addresses the transfer channel. Controllers in regulated sectors should also check whether sector-specific rules impose additional requirements beyond the GDPR baseline.
Q: How long does it take to implement Standard Contractual Clauses for a Poland–UK transfer?
A: Implementation typically takes two to six weeks for a straightforward bilateral arrangement between a Polish controller and a UK processor or controller. The timeline extends where multiple recipients are involved, where the Transfer Impact Assessment identifies residual risk requiring supplementary measures, or where the UK counterparty's legal team requires negotiation of the commercial annex. BCRs, by contrast, require 18 to 36 months. Controllers facing an imminent adequacy decision expiry should treat six weeks as the minimum planning horizon for SCC implementation.
Q: Is it a common misconception that Brexit ended GDPR obligations for UK companies receiving Polish data?
A: Yes. UK companies that receive personal data from Polish controllers remain subject to UK GDPR, which mirrors the EU GDPR in most material respects. The Polish controller's obligations are governed by EU GDPR; the UK recipient's obligations are governed by UK GDPR. The two regimes are currently aligned but divergence is possible over time. Polish controllers should include a clause in their SCCs or data processing agreements requiring the UK recipient to notify them promptly of any material change to UK data protection law – particularly any divergence from the EU standard that would affect the adequacy decision's validity.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, IP, and technology law. We advise on GDPR Poland compliance, AI Act Poland readiness, DORA compliance for financial institutions, and cross-border data transfer programmes involving the UK, Switzerland, and other third countries. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.