A Kraków-based software house completes its first external privacy review and discovers that three of its data processing agreements are missing entirely, its employee monitoring policy has never been communicated to staff, and its cookie banner still relies on pre-ticked boxes. None of these gaps were intentional. They accumulated quietly over years of rapid growth, each one a potential trigger for enforcement by the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) – Poland's national supervisory authority under EU data protection law.
A GDPR audit in Poland is a structured review of how an organisation collects, processes, stores, and shares personal data, measured against the requirements of the General Data Protection Regulation and Polish implementing legislation. The audit typically covers six areas: legal bases for processing, data subject rights procedures, processor contracts, security measures, breach notification readiness, and records of processing activities. A complete internal audit takes four to eight weeks and costs between PLN 15,000 and PLN 60,000 depending on company size and data complexity.
This guide walks through the most common compliance gaps found in Polish companies, explains what regulators look for, and sets out practical steps to close the deficiencies before they become enforcement cases. The guide is structured as follows: audit scope and preparation, the five most frequent gaps, sector-specific scenarios, and a self-assessment checklist.
What does a GDPR audit in Poland actually cover?
The audit scope is broader than most companies expect. Under Polish data protection practice, a compliant audit reviews not only technical safeguards but also organisational measures, contractual arrangements, and the internal culture around data handling. The UODO has the power to impose administrative fines of up to EUR 20 million or 4% of global annual turnover – whichever is higher. That ceiling makes even a mid-size Polish company a meaningful enforcement target.
The audit begins with mapping. Every processing activity must be documented in a rejestr czynności przetwarzania (Record of Processing Activities, RoPA). Polish companies frequently underestimate the number of processing activities they run. A manufacturing firm with 200 employees may operate 30 to 40 distinct processing streams – payroll, access control, CCTV, customer CRM, supplier databases, and more.
After mapping comes legal-basis verification. Each processing stream requires a documented lawful basis: consent, contract, legal obligation, vital interests, public task, or legitimate interests. Relying on legitimate interests requires a balancing test recorded in writing. Many Polish companies apply it without documentation, which the UODO treats as a compliance gap in its own right.
The audit also reviews data subject rights infrastructure. Can the company respond to a subject access request within 30 days? Is there a deletion workflow? These are procedural questions, but the UODO has fined organisations specifically for failing to respond to individual rights requests on time.
- RoPA completeness and currency
- Legal basis documentation per processing activity
- Data processing agreements with all processors
- Privacy notices (employees, customers, website visitors)
- Breach detection and 72-hour notification procedure
What are the five most common GDPR compliance gaps found in Polish companies?
Gap identification is where audit value concentrates. Across enforcement decisions published by the UODO and sector reviews conducted by European supervisory authorities, five gaps appear consistently in Polish organisations of all sizes. Understanding them in advance allows a company to self-assess before commissioning a full external review.
Gap 1 – Missing or defective processor agreements. Polish companies frequently engage cloud providers, payroll processors, and marketing platforms without a written data processing agreement (umowa powierzenia przetwarzania danych). Under EU data protection law, processing by a third party without a compliant contract is an unlawful transfer of responsibility. The UODO has issued fines for this gap alone, with penalties reaching six figures in PLN.
Gap 2 – Unlawful consent mechanisms. Cookie banners that use pre-ticked boxes, bundled consent for multiple purposes, or no genuine opt-out mechanism remain widespread on Polish websites. Consent must be freely given, specific, informed, and unambiguous. A banner that does not meet these criteria means all processing based on that consent is unlawful from the moment of collection.
Gap 3 – Incomplete employee privacy notices. Polish labour law requires employers to inform employees about processing their personal data. Many companies issue a generic notice at onboarding and never update it. When monitoring systems – email scanning, GPS tracking, or access logs – are introduced later, a fresh notice is required at least two weeks before activation. Failure to notify forfeits the employer's right to rely on the monitoring data in disciplinary proceedings.
Gap 4 – No documented retention schedule. Data minimisation and storage limitation are core GDPR principles. Yet retention schedules are absent from the majority of Polish company documentation sets. Without them, personal data accumulates indefinitely – increasing both the risk of a breach and the potential scope of any fine.
Gap 5 – Inadequate breach response procedures. The 72-hour notification window to the UODO is short. Companies that discover a breach on a Friday afternoon and have no documented escalation path routinely miss the deadline. Late notification is itself a separate infringement, compounding the original incident.
We identified all five of these gaps during a compliance review for a fintech client in the Mazowieckie region (autumn 2025). Closing them reduced the client's estimated enforcement exposure by a material margin before a planned Series B fundraising round.
How do compliance gaps differ across manufacturing, IT, and foreign-investor scenarios?
Context shapes risk. Three business scenarios illustrate how the same regulatory framework produces different priority gaps depending on the company's sector and ownership structure.
Scenario 1 – Manufacturing company (200 employees, Silesia). The dominant gap in manufacturing is employee monitoring. CCTV, production-line sensors, and access-control systems generate continuous personal data streams. Polish labour law sets strict conditions for workplace monitoring: a written company policy, works council consultation where applicable, and advance notice to employees. A manufacturer that installed cameras without following this procedure faces dual exposure – under data protection law and under the Kodeks pracy (Labour Code). Retaining CCTV footage for longer than three months (or, where footage is needed for pending proceedings, longer than those proceedings require) is also a frequent finding.
Scenario 2 – IT company (SaaS product, Warsaw). For technology companies, the critical gap is usually the data processing agreement chain. An IT firm acting as a processor for its clients must have compliant agreements upstream (with clients) and downstream (with sub-processors such as cloud infrastructure providers). Many Polish SaaS companies sign client DPAs without auditing their own sub-processor stack. This creates a contractual gap that surfaces during enterprise due diligence – and has caused deals to stall. Foreign investors conducting IP due diligence often review GDPR compliance alongside IP ownership; see our analysis of development agreements in Poland: structure and risks for the overlap between IP assignment and data processing obligations.
Scenario 3 – Foreign investor entering Poland. A German or Swedish technology company establishing a Polish subsidiary faces a specific challenge: it must comply with both the EU-wide GDPR framework and Polish national implementing rules. Poland's national legislation adds requirements around employee data, special category data in healthcare, and sector-specific rules for financial services. The Komisja Nadzoru Finansowego (Polish Financial Supervision Authority, KNF) applies GDPR requirements in parallel with financial sector obligations. For technology companies entering from Nordic markets, our guide on IP protection strategy for Swedish tech companies in Poland covers the intersection of data, IP, and market-entry compliance.
A cross-border investor scenario also raises questions about international data transfers. Transfers outside the European Economic Area require either an adequacy decision, Standard Contractual Clauses, or another approved mechanism. Polish subsidiaries of non-EU groups frequently transfer HR and operational data to parent-company systems without documenting the transfer mechanism – a gap that regulators across the EU have prioritised.
What is the step-by-step procedure for closing compliance gaps?
Closing gaps systematically takes less time than most companies expect. A structured remediation programme for a mid-size Polish company can be completed in six to ten weeks. The key is sequencing: fix the highest-risk items first, document everything, and do not treat the audit as a one-time exercise.
Week 1–2: Mapping and gap identification. Compile the RoPA from scratch or update the existing version. Interview department heads. List every system that processes personal data. Assign a legal basis to each activity. Flag every activity without a documented basis as a priority gap.
Week 3–4: Contractual remediation. Identify every third-party vendor that processes personal data on your behalf. Issue or update data processing agreements. For technology companies, this means reviewing the entire sub-processor chain. Standard Contractual Clauses should be checked for the post-Schrems II transfer impact assessment requirement.
Week 5–6: Policy and notice updates. Redraft privacy notices for employees, customers, and website visitors. Update the cookie banner to remove pre-ticked boxes and ensure genuine opt-out. Introduce or update the retention schedule. Publish an accessible privacy policy on the company website.
Week 7–8: Procedural implementation. Document the breach response escalation path and test it with a tabletop exercise. Establish a subject access request workflow with a 30-day response tracker. Train the team responsible for receiving and handling data subject requests.
We supported a logistics operator in Małopolska in completing this full cycle within eight weeks (spring 2025), enabling the company to respond confidently to a UODO inquiry that arrived shortly after the programme concluded.
For technology companies with complex IP and data structures, compliance work often runs in parallel with IP strategy reviews. Our guide on IP protection strategy for Hungarian tech companies in Poland addresses how data compliance and IP ownership interact in cross-border technology deals.
What to prepare before your GDPR audit:
- Current organisational chart and list of all data systems in use
- Existing RoPA (even if incomplete or outdated)
- All third-party vendor contracts involving personal data
- Employee privacy notices and monitoring policies
- Any prior UODO correspondence or internal incident records
Leaving these gaps unaddressed is not a static risk. The UODO has increased its inspection programme year on year. Personal liability of management board members for systemic non-compliance is a real consequence, and once an investigation opens there is no longer any scope for retrospective correction.
Every company's specific data architecture and operational model shapes which gaps are most urgent. A generic checklist does not replace a targeted review of your actual processing activities.
To receive an expert assessment of your company's GDPR compliance position, contact info@kordeckipartners.com. Our team will review your RoPA, processor contracts, and breach procedures – and identify the three to five items that carry the highest enforcement risk for your specific situation.
Frequently asked questions
Q: How long does a GDPR compliance audit take for a Polish company of 50 to 100 employees?
A: For a company of that size, a structured external audit typically takes three to five weeks. The first week covers data mapping and RoPA review. The second and third weeks address contractual gaps and policy documents. Implementation of corrective measures adds two to three further weeks depending on the number of gaps identified. Total cost for an external review at this scale usually falls between PLN 15,000 and PLN 30,000.
Q: Is it a common misconception that GDPR only applies to companies handling large volumes of data?
A: Yes – this is one of the most frequent misunderstandings among Polish SMEs. The GDPR applies to any organisation that processes personal data of EU residents, regardless of company size or data volume. Small companies are exempt from certain obligations (such as appointing a Data Protection Officer in some cases), but the core requirements – lawful basis, privacy notices, processor agreements, breach notification – apply universally. The UODO has opened investigations against companies with fewer than 20 employees.
Q: What is the difference between a Data Protection Officer and external GDPR counsel?
A: A Data Protection Officer (DPO) is a formally designated individual – internal or external – responsible for ongoing monitoring of compliance, staff training, and acting as the contact point for the UODO. Appointment is mandatory for certain categories of organisations, including those conducting large-scale systematic monitoring or processing special category data. External GDPR counsel, by contrast, provides legal advice on specific compliance questions, conducts audits, and drafts documentation. The two roles complement each other. A company may appoint external counsel as its DPO, provided the arrangement avoids conflicts of interest under Polish data protection practice.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to GDPR compliance, technology regulation, and IP protection. We advise on AI Act Poland readiness, DORA compliance for financial entities, trademark registration, and full-cycle data protection programmes. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.