On paper, GDPR enforcement in Poland looks predictable. In practice, the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) has shifted its posture sharply over the past 18 months, moving from isolated, high-profile cases toward systematic, sector-wide investigations that expose mid-market companies to fines they never anticipated. The question is no longer whether UODO will act, but when and against whom.

UODO enforces the GDPR in Poland as the national supervisory authority designated under the Polish Act on the Protection of Personal Data. Under Article 83(5) GDPR, fines for the most serious infringements may reach EUR 20 million or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher. Enforcement has accelerated since late 2024, with UODO prioritising healthcare, financial services and technology operators, including those deploying AI-driven processing tools.

This alert covers three areas: what has changed in UODO's enforcement approach, who is now in the crosshairs, and what steps your organisation should take before the next inspection cycle begins. The final section sets out concrete action items with recommended completion dates.

What has changed in UODO's enforcement approach?

UODO's enforcement model has evolved from reactive complaint-handling to proactive, thematic sweeps. The office now coordinates with the European Data Protection Board and runs parallel investigations across multiple data controllers in a single sector, so a single complaint can trigger a sweep affecting dozens of companies. Response windows are short: UODO typically sets 7-day deadlines for initial document production.

Three structural shifts define the new approach. First, UODO has expanded its use of on-site inspections, including unannounced visits. Second, it has begun scrutinising data processor contracts with particular attention to sub-processing chains, a gap that catches many organisations off guard. Third, the office is applying GDPR accountability requirements more strictly, demanding documented evidence of data protection impact assessments (DPIAs) rather than accepting verbal assurances. A DPIA is mandatory under Article 35 GDPR wherever processing is likely to result in a high risk to individuals, and UODO has published its own list of processing operations for which a DPIA is required under Article 35(4); the absence of a written assessment for an operation on that list is very difficult to defend in an inspection.

The intersection with obligations under the EU AI Act is already visible in Poland. UODO has flagged automated decision-making systems as a priority for 2026 inspections. Organisations using AI-driven profiling, credit scoring or HR screening tools face simultaneous scrutiny under the GDPR (including the Article 22 restrictions on decisions based solely on automated processing that produce legal or similarly significant effects) and emerging AI Act requirements. This dual-track exposure is new, and it is not theoretical. For banks and payment institutions, DORA compliance obligations add a third layer.

We secured a suspension of a UODO enforcement procedure for a fintech operator in the Mazowieckie region (autumn 2025), allowing the client to remediate its sub-processor documentation before a formal fine decision was issued. The margin was narrow – the client had fewer than 14 days to produce corrected contracts.

For a practical overview of cross-border data flows that frequently trigger UODO scrutiny, see our guide on data transfer from Poland to Cyprus: legal mechanisms.

Who is affected – and at what thresholds?

UODO's current enforcement priorities target three categories of data controller. Healthcare providers processing special-category data under Polish health legislation face the highest inspection frequency. Financial institutions, particularly those subject to DORA compliance timelines, are the second priority. Technology companies deploying automated processing, including software licensors, form the third group. All three categories face fines up to EUR 20 million, or 4% of worldwide annual turnover if higher, for systemic failures.

Size is not a shield. Neither the GDPR nor Polish data protection law creates a formal SME carve-out. UODO has fined organisations with fewer than 50 employees where the processing activity was high-risk. The relevant threshold is not headcount but the nature and scale of the data processed: a small e-commerce operator processing payment data for 500,000 customers carries more exposure than a manufacturer whose only personal data is HR records for 200 staff.

Three specific triggers now appear in nearly every UODO enforcement file:

  • Absence of a valid data processing agreement (Article 28 GDPR) with cloud or SaaS sub-processors
  • No documented DPIA for high-risk processing activities introduced after May 2023
  • Failure to notify UODO of a personal data breach within the 72-hour window of Article 33 GDPR

The 72-hour breach notification deadline is the single most common violation UODO cites. Article 33 GDPR requires notification without undue delay and, where feasible, no later than 72 hours after the controller becomes aware of the breach; a notification filed later must be accompanied by the reasons for the delay. Many organisations discover a breach on a Friday afternoon and assume the weekend does not count. It does. The clock runs from the moment the controller becomes aware, not from the moment an internal investigation concludes. Fines for late notification have ranged from PLN 100,000 to over PLN 1 million in recent decisions.

Our team obtained a reduction of a proposed UODO fine from PLN 800,000 to PLN 120,000 for a healthcare operator in Małopolska (spring 2026) by demonstrating that the breach notification, though delayed by 18 hours, was accompanied by immediate remediation measures and a documented root-cause analysis. Mitigating factors matter – but only if they are evidenced in writing before UODO issues its preliminary decision.

What should your organisation do now?

The window for proactive remediation is open, but it closes the moment UODO sends its first letter. The actions below reduce exposure materially, and the contract audit in particular carries a recommended completion deadline. Organisations that complete all of them before an inspection is announced are in a substantially stronger position to avoid or reduce fines.

What to prepare before the next UODO inspection cycle:

  • Audit all data processing agreements and sub-processor annexes, including the onward sub-processing chain, and target completion within 30 days
  • Complete or update DPIAs (Article 35 GDPR) for any AI-driven or automated processing introduced since January 2024
  • Test your 72-hour breach notification procedure with a tabletop exercise that includes a Friday-afternoon or public-holiday discovery scenario, and document the outcome
  • Map cross-border data transfers and confirm a valid Chapter V transfer mechanism for each (an adequacy decision, standard contractual clauses with a documented transfer impact assessment, or binding corporate rules)
  • Designate a named internal contact for UODO correspondence with authority to respond within 7 days

The AI Act timeline adds urgency for Polish operators. The AI Act applies without prejudice to the GDPR, so a high-risk AI system that processes personal data must satisfy GDPR accountability requirements alongside its AI Act conformity obligations. Organisations that have not completed their DPIA inventory by mid-2026 risk simultaneous enforcement under two regulatory frameworks. The consequences are not merely additive but compounding, because each violation can be treated as evidence of systemic non-compliance in the other proceeding.

For organisations considering structural changes to reduce data processing exposure – including corporate restructuring options – our analysis of preventive restructuring in Poland: four available types sets out the available instruments. Separately, organisations deploying AI tools should review our detailed breakdown of AI Act high-risk classification: affected sectors and systems before their next DPIA cycle.

Trademark and IP considerations also arise where data processing relates to customer profiling tied to brand assets or licensed datasets, a growing area of intersection between IP and data protection that UODO has begun to flag in technology-sector inspections.

Your organisation's specific data processing profile determines which enforcement risk is most immediate. Waiting for UODO's letter before acting forfeits the most effective remediation options and precludes the mitigation arguments that reduce fines most significantly.

To receive an expert assessment of your GDPR compliance posture and UODO enforcement exposure, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does UODO give advance notice before an inspection?

A: UODO may conduct both announced and unannounced inspections under Polish data protection legislation. Announced inspections typically provide 7 days' notice, but the office has conducted same-day visits in cases involving suspected ongoing violations. Organisations should maintain their compliance documentation in a state ready for immediate production at all times, not only when an inspection is anticipated.

Q: What is the most common misconception about the 72-hour breach notification rule?

A: Many controllers believe the 72-hour window begins when an internal investigation is complete. It does not. The clock starts when the controller first becomes aware that a breach has likely occurred, even if the full scope is not yet known. UODO accepts a partial notification followed by a supplement, as Article 33(4) GDPR expressly permits the required information to be provided in phases, but the initial notification must be filed within 72 hours of first awareness. Missing this window is the single most frequently cited violation in recent Polish enforcement decisions.

Q: How long does a UODO enforcement proceeding typically take, and what does it cost?

A: A standard UODO proceeding from initial correspondence to final decision runs between 6 and 18 months, depending on complexity and whether the controller exercises its right to be heard. Legal costs for representation through a full proceeding typically range from PLN 30,000 to PLN 120,000, depending on the volume of documentation and whether the matter proceeds to administrative court review. Early engagement – before the preliminary decision is issued – consistently produces better outcomes at lower cost.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to GDPR compliance, UODO enforcement defence, AI Act readiness, and data protection strategy. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.