On paper, GDPR compliance looks manageable. In practice, Polish companies – from Warsaw-based tech startups to Silesian manufacturers – regularly fail audits on the same recurring issues. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) has intensified its inspection activity, and fines now reach into the millions of zlotys. Identifying gaps before an audit is far cheaper than remedying them after.

GDPR compliance in Poland is supervised by the UODO, which may impose administrative fines of up to EUR 20 million or 4% of worldwide annual turnover, whichever is higher (Article 83(5) GDPR). Polish companies most commonly fail on three fronts: incomplete records of processing activities, defective consent mechanisms, and missing or defective data processing agreements with vendors; unlawful transfers of personal data outside the European Economic Area are a frequent fourth. Each gap is individually sanctionable, and a single inspection can expose all of them at once.

This alert covers the three most common compliance gaps identified in Polish company audits, who is affected, and what immediate steps reduce exposure. It also flags how intersecting obligations – including AI Act Poland requirements and DORA compliance for financial entities – compound the risk for companies that treat GDPR as a standalone exercise.

What are the most common GDPR compliance gaps found in Polish companies?

Three gaps appear in almost every Polish GDPR audit. First, the records of processing activities (RoPA) are either missing or outdated – often reflecting the company's structure from 2018, not today. Second, consent mechanisms on websites are technically non-compliant: pre-ticked boxes, bundled consents, or no withdrawal pathway. Third, data processing agreements with IT vendors, cloud providers, and payroll processors are absent or use template language that does not match actual processing operations.

The UODO has made clear that RoPA deficiencies are not a technicality. The record must reflect every processing purpose, legal basis, retention period, and recipient category. A company with 50 employees processing HR, client, and marketing data will typically have 15 to 25 distinct processing activities. Auditors cross-check the RoPA against actual systems. Discrepancies trigger deeper investigation.

Consent failures are particularly common in e-commerce and marketing. A pre-ticked checkbox does not constitute valid consent: Recital 32 GDPR excludes silence, pre-ticked boxes and inactivity, and the CJEU confirmed this in Planet49 (C-673/17). Consent must be freely given, specific, informed, and unambiguous, and withdrawing it must be as easy as giving it. Many Polish companies also fail to log consent timestamps and withdrawal events, which makes it impossible to demonstrate compliance if challenged: the burden of proof that consent was obtained lies with the controller (Article 7(1)).

  • RoPA not updated after organisational changes or new software deployments
  • Cookie banners that do not block non-essential cookies before consent
  • Data processing agreements missing mandatory clauses on sub-processors
  • No documented procedure for handling data subject access requests within one month (extendable by two further months only for complex or numerous requests, with the data subject informed of the extension)
  • Retention schedules defined but not enforced in practice
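The consent-logging gap described above is the one that a technical control closes most directly. The following is an added example, not code from the original article or from any firm's compliance tooling: an append-only consent ledger that records one purpose per event (no bundled consent), rejects a "grant" that was not an affirmative action (a pre-ticked default), and can answer, for an inspection or an access request, whether valid consent was on record for a given person and purpose at a given moment and when it was withdrawn. The class and field names, purpose strings and sample events are assumptions constructed for illustration; it does not implement the cookie banner itself, only the evidence trail behind it.

```python
"""Append-only consent ledger (added illustration, not the article's own code).

Every grant or withdrawal is one timestamped, single-purpose event. The
ledger never edits or deletes events, so the trail can be produced as
evidence. All names below are assumptions for illustration.
"""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str        # pseudonymous identifier of the data subject
    purpose: str           # exactly one purpose per event: no bundled consent
    granted: bool          # True = consent given, False = consent withdrawn
    at: datetime           # timezone-aware timestamp of the user's action
    source: str            # where it happened, e.g. "signup-form" (assumed label)
    explicit_action: bool  # False for a pre-ticked/default state


class ConsentLedger:
    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []  # append-only

    def record(self, ev: ConsentEvent) -> None:
        if ev.at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        if ev.granted and not ev.explicit_action:
            # Recital 32: silence, pre-ticked boxes or inactivity are not consent.
            raise ValueError("a consent grant requires an affirmative action")
        self._events.append(ev)

    def status_at(self, subject_id: str, purpose: str,
                  when: datetime) -> Optional[ConsentEvent]:
        """Latest event for subject/purpose at or before `when`, or None."""
        best = None
        for idx, ev in enumerate(self._events):
            if ev.subject_id != subject_id or ev.purpose != purpose or ev.at > when:
                continue
            # Later insertion wins on equal timestamps (ledger order is authoritative).
            if best is None or (ev.at, idx) >= (best[1].at, best[0]):
                best = (idx, ev)
        return best[1] if best else None

    def has_consent(self, subject_id: str, purpose: str, when: datetime) -> bool:
        ev = self.status_at(subject_id, purpose, when)
        return ev is not None and ev.granted

    def evidence(self, subject_id: str, purpose: str) -> list[dict]:
        """Chronological trail for one subject/purpose, e.g. for a DSAR reply."""
        trail = [e for e in self._events
                 if e.subject_id == subject_id and e.purpose == purpose]
        return [asdict(e) | {"at": e.at.isoformat()}
                for e in sorted(trail, key=lambda e: e.at)]


def demo() -> dict:
    """Constructed sample: one user, two purposes, one withdrawal, one bad grant."""
    ledger = ConsentLedger()
    utc = timezone.utc
    t_signup = datetime(2025, 3, 1, 10, 0, tzinfo=utc)
    t_unsub = datetime(2025, 6, 15, 9, 30, tzinfo=utc)

    ledger.record(ConsentEvent("u-1001", "newsletter", True, t_signup, "signup-form", True))
    ledger.record(ConsentEvent("u-1001", "profiling", True, t_signup, "signup-form", True))
    ledger.record(ConsentEvent("u-1001", "newsletter", False, t_unsub, "unsubscribe-link", True))

    try:  # pre-ticked box: must be refused, not silently logged as consent
        ledger.record(ConsentEvent("u-1002", "newsletter", True, t_signup, "signup-form", False))
        preticked_rejected = False
    except ValueError:
        preticked_rejected = True

    may = datetime(2025, 5, 1, tzinfo=utc)
    july = datetime(2025, 7, 1, tzinfo=utc)
    return {
        "newsletter_in_may": ledger.has_consent("u-1001", "newsletter", may),
        "newsletter_in_july": ledger.has_consent("u-1001", "newsletter", july),
        "profiling_in_july": ledger.has_consent("u-1001", "profiling", july),
        "never_asked": ledger.has_consent("u-1001", "sms-marketing", july),
        "preticked_rejected": preticked_rejected,
        "newsletter_trail": len(ledger.evidence("u-1001", "newsletter")),
    }


if __name__ == "__main__":
    print(demo())
```

The point-in-time query is what matters in practice: an auditor does not ask "does this person consent today?" but "on the date you sent that campaign, could you prove consent?". Keeping withdrawals as events rather than overwriting the grant is what lets the ledger answer both questions and produce the trail on request.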

For companies handling personal data of EU residents outside Poland – for example, transferring HR records to a parent company in a non-EEA country – the gap is often structural. The legal mechanisms for such transfers are specific and mandatory. Our analysis of data transfer from Poland to Cyprus illustrates how even intra-group transfers require a valid legal basis and documented safeguards.

Who is affected and what are the risk thresholds?

Every controller or processor established in the EU falls under GDPR, as does any entity outside the EU that offers goods or services to, or monitors the behaviour of, people in the EU (Article 3). There is no turnover threshold for applicability. Enforcement priorities and fine levels do vary, however. The UODO has historically targeted healthcare providers, financial institutions, and large-scale online services first. Since 2024, inspections have expanded to mid-size Polish companies with 50 to 250 employees, a segment that often lacks a dedicated Data Protection Officer (DPO) and treats GDPR as an annual checkbox exercise.

Companies whose core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data (health, biometric, genetic) or criminal-conviction data, must appoint a DPO (Article 37). Failure to appoint where required is itself a sanctionable breach, separate from any underlying processing violation. The UODO can impose fines for the DPO gap alone, before examining anything else.

This matters particularly for HR-intensive businesses. A logistics company with 300 drivers processing health certificates and GPS location data almost certainly triggers the DPO appointment obligation, yet many do not have one.

Financial entities face a compounding layer. DORA, which applies from 17 January 2025, requires ICT risk management frameworks that overlap significantly with GDPR's technical and organisational measures (Article 32). A company that has not aligned its GDPR security documentation with DORA requirements may fail both regimes in a single audit. Similarly, companies deploying AI-based profiling or automated decision-making tools face AI Act Poland obligations that interact with GDPR's rules on automated individual decision-making (Article 22). Treating these as separate workstreams is a common and costly mistake.

For companies with IP-intensive operations, such as software houses, tech firms and creative agencies, data protection intersects with intellectual property risk. IP counsel that Warsaw-based clients consult for trademark or software licensing matters will increasingly encounter GDPR questions embedded in licensing and vendor contracts. Our work on IP protection strategy for Luxembourg tech companies in Poland shows how data and IP obligations converge in cross-border technology arrangements.

What immediate actions should Polish companies take now?

The first action is a gap assessment against the five most common failure points listed above. This does not require a full external audit. An internal review against a structured checklist – covering RoPA completeness, consent mechanisms, DPA coverage, DPO status, and breach notification procedures – takes two to four weeks for a company of 50 to 200 employees and costs far less than a UODO fine.

The 72-hour breach notification deadline is the most operationally dangerous gap. Many Polish companies have no documented incident response procedure. When a breach occurs, whether a misdirected email containing client data, a ransomware attack, or a lost laptop, the clock starts when the company becomes aware of it, not when it is first discussed internally. Article 33 requires notification to the UODO without undue delay and, where feasible, within 72 hours of awareness, unless the breach is unlikely to result in a risk to individuals; a late notification must state the reasons for the delay, and every breach, notified or not, must be documented internally. Failure to notify on time is a standalone violation. Documenting a breach response procedure now, before an incident, is the single highest-return compliance action available.

We secured a reversal of a UODO enforcement decision for a retail client in the Mazowieckie region (autumn 2025), where the original finding rested on an undocumented breach response. The client had in fact responded appropriately – but could not demonstrate it. Documentation is not bureaucracy. It is evidence.

For companies whose directors face personal exposure in related regulatory matters, the intersection of data protection and corporate liability is real. Our analysis of fiscal criminal defence strategy for board members illustrates how regulatory failures in one domain can trigger personal liability in another – a pattern increasingly visible in Polish enforcement practice.

A Warsaw-based IT services company we advised in Wielkopolska (spring 2026) identified 11 missing data processing agreements with cloud sub-processors during a pre-audit review. Remediation took six weeks. Had the UODO inspection arrived first, the exposure would have been material. Early identification forecloses that risk entirely.

Immediate action checklist:

  • Review and update RoPA to reflect current processing operations
  • Audit all vendor contracts for data processing agreement clauses
  • Test cookie consent mechanism against UODO technical guidance
  • Confirm DPO appointment status and document the assessment
  • Draft or update the 72-hour breach notification procedure

Specific compliance gaps in your company require tailored analysis. Waiting for an inspection notice before remediating removes the opportunity to self-correct, and forfeits the mitigating effect that documented good-faith compliance efforts carry in UODO penalty assessments.

To receive an expert assessment of your company's GDPR compliance position, contact info@kordeckipartners.com. Our team will identify your specific gaps, map them to enforcement priorities, and deliver a remediation plan with defined deadlines.

Frequently asked questions

Q: Does a small Polish company with fewer than 250 employees need to maintain records of processing activities?

A: Generally yes. The exemption for companies with fewer than 250 employees (Article 30(5)) is narrow: it applies only where processing is not likely to result in a risk to individuals, is occasional, and does not include special categories of data or criminal-conviction data. Most Polish SMEs process HR data and client data regularly, which takes them outside the exemption. Maintaining a RoPA is standard practice regardless of company size.

Q: How long does a GDPR compliance remediation project typically take?

A: For a Polish company with 50 to 200 employees, a gap assessment takes two to four weeks. Full remediation – updating documentation, revising contracts, implementing technical measures – typically takes two to four months depending on the number and severity of gaps identified. Starting before a UODO inspection notice provides the time needed to remediate properly.

Q: Is it a misconception that GDPR fines only apply to large companies?

A: Yes, it is a misconception. The UODO has imposed fines on companies of all sizes, including sole traders and small businesses. The fine amount scales with factors including the nature of the breach, the number of individuals affected, and whether the company cooperated with the investigation. Small companies are not exempt from enforcement – they are simply less likely to be targeted first, which creates a false sense of security.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, GDPR compliance, AI Act Poland readiness, and IP and technology law. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.