On paper, GDPR compliance looks manageable. In practice, the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) – Poland's data protection supervisory authority – has sharpened its enforcement posture considerably over the past eighteen months. Fines that once seemed theoretical are now landing on mid-sized companies, not just multinationals. For any organisation processing personal data in Poland, the risk is immediate and the margin for delay is narrow.
UODO enforcement has intensified across three areas: inadequate technical safeguards, failure to respond to data subject requests within 30 days, and unlawful data transfers to third countries. Fines under the General Data Protection Regulation (GDPR) can reach EUR 20 million or 4% of global annual turnover, whichever is higher. Polish companies and foreign operators with Polish establishments are equally exposed.
This alert covers what has changed in UODO's enforcement approach, which organisations face the highest exposure, and the concrete steps that reduce liability within a defined timeframe. It also flags intersections with the EU AI Act and DORA compliance requirements that are reshaping data governance obligations in 2026.
What has shifted in UODO's enforcement approach?
UODO's recent decisions signal a clear move away from warnings toward financial penalties. The Office has issued fines in the PLN 100,000 to PLN 2 million range against entities that previously received corrective guidance but failed to act. Three enforcement patterns now dominate the caseload.
First, UODO is targeting organisations that lack documented data processing agreements with vendors. Under the GDPR obligations that apply in Poland, every controller must have a written contract with each processor – no exceptions for small suppliers or short-term engagements. Second, the Office is scrutinising responses to data subject access requests. The 30-day deadline is treated as absolute; partial responses do not stop the clock. Third, cross-border data transfers are under active review. Transfers to countries outside the European Economic Area without an adequacy decision or Standard Contractual Clauses (SCCs) in place have drawn the largest penalties. Our article on data transfer from Poland to the UAE sets out the legal mechanisms that apply in that specific corridor.
The enforcement shift is not coincidental. UODO received additional investigative resources and has coordinated with the European Data Protection Board (EDPB) on cross-border cases. Complaints from data subjects – up sharply since 2024 – now trigger formal investigations within 60 days rather than the informal inquiries that once absorbed months. Any organisation that has not reviewed its GDPR posture in the past twelve months should treat that gap as a live compliance deficit.
- Documented processor agreements – mandatory for every vendor relationship
- Data subject request log – tracked with timestamps against the 30-day limit
- Transfer impact assessments – required before any data leaves the EEA
- Breach notification readiness – UODO must be notified within 72 hours of discovery
- Records of processing activities – audited by UODO in the majority of recent investigations
We helped a technology client in the Mazowieckie region avoid a potential fine exceeding PLN 800,000 by restructuring its vendor agreements and implementing a request-tracking protocol (autumn 2025). The intervention took four weeks – well within the window UODO typically allows before escalating to a penalty decision.
Who is most exposed – and what should you do now?
Exposure is not limited to large data controllers. UODO has made clear that company size does not reduce the standard of compliance. Organisations in healthcare, fintech, HR technology, and e-commerce face the highest scrutiny because they process sensitive or high-volume personal data. Foreign investors operating through Polish subsidiaries are equally at risk – registration in the National Court Register (KRS) creates an establishment that triggers full GDPR jurisdiction regardless of where the parent company is incorporated.
The intersection with newer regulatory frameworks adds urgency. The EU AI Act imposes data governance requirements on AI systems deployed in Poland, many of which rely on personal data processed under GDPR. DORA compliance – mandatory for financial entities from January 2025 – requires ICT risk management frameworks that overlap directly with GDPR's security obligations. An organisation that addresses GDPR in isolation may still face enforcement exposure under these parallel regimes. IP protection strategy, including trademark portfolios managed by an IP lawyer in Warsaw, increasingly intersects with data processing obligations where proprietary datasets are involved.
Non-compete and employment arrangements also carry a data dimension. Employee monitoring, background checks, and HR data retention policies are all areas where UODO has issued corrective decisions in 2025. Our analysis of non-compete clauses in Poland addresses the employment law side; the data layer requires separate attention.
The immediate action list is short but non-negotiable. Any gap here forfeits the ability to argue good-faith compliance – a factor UODO weighs when setting fine amounts.
- Audit all processor agreements within 30 days
- Verify transfer mechanisms for any data sent outside the EEA
- Test your 72-hour breach notification procedure against a realistic scenario
We assisted a financial services client in Lower Silesia in mapping its AI-driven customer profiling tool against both GDPR and AI Act Poland requirements, resolving a dual-regime exposure before a scheduled UODO inspection (spring 2026). Acting before the inspection – rather than responding to it – reduced the remediation cost by an estimated 60%.
Specific situations require specific analysis. If your organisation processes personal data at scale, operates across borders, or has not updated its GDPR documentation since 2023, the risk of a UODO investigation is no longer remote. To receive an expert assessment of your data protection posture, contact info@kordeckipartners.com.
Frequently asked questions
Q: How quickly does UODO act after receiving a complaint?
A: Since 2024, UODO has been opening formal investigations within 60 days of a data subject complaint. The Office sends an initial information request to the controller, typically allowing 14 days to respond. Failure to respond within that window is itself treated as an aggravating factor in any subsequent penalty decision.
Q: Does GDPR apply to a foreign company with only a Polish branch?
A: Yes. Registration in the National Court Register (KRS) as a branch or subsidiary establishes an "establishment" under GDPR, bringing the entity within UODO's direct jurisdiction. The parent company's location is irrelevant. Controllers should designate a local data protection contact and ensure their records of processing activities cover Polish operations specifically.
Q: Is a data protection officer (DPO) mandatory for all Polish companies?
A: Not universally. A DPO is required where core activities involve large-scale processing of sensitive data, systematic monitoring of individuals, or public authority functions. Many mid-sized companies fall outside this threshold but still benefit from appointing a DPO voluntarily – UODO treats the presence of a DPO as a mitigating factor when assessing fines. The appointment must be registered with UODO within 14 days.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, IP, technology law, and GDPR compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating UODO enforcement, AI Act Poland requirements, and DORA compliance obligations. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.