A mid-sized Polish e-commerce operator received a formal notice from the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) after a customer complaint flagged inadequate consent mechanisms on the company's marketing platform. The initial exposure – a potential administrative fine under the General Data Protection Regulation (GDPR) – reached seven figures in Polish zloty. The matter looked straightforward on paper. In practice, the distance between a correctable procedural lapse and a permanently recorded enforcement decision was narrower than the client expected.

UODO enforces GDPR in Poland and has issued fines exceeding PLN 4m in individual cases. The regulator applies a structured methodology: it assesses the nature of the infringement, the number of data subjects affected, and the controller's prior compliance history. A timely, documented response – submitted within the 30-day deadline set in UODO's procedural notice – can materially reduce the final penalty and, in some cases, lead to an administrative commitment rather than a formal fine.

This case study traces the background of the matter, the legal strategy applied, the procedural steps taken before UODO, and the lessons that apply to any Polish or foreign-owned entity operating in Poland. The National Court Register (KRS) record of the client confirmed Polish establishment, which placed full GDPR enforcement jurisdiction with UODO as the lead supervisory authority. Three issues – consent architecture, data retention policy, and breach notification timing – drove the entire proceeding.

What triggered the UODO investigation?

The complaint originated from a single data subject. That is not unusual. UODO statistics show that individual complaints remain the primary trigger for formal enforcement proceedings, ahead of ex officio investigations. In this matter, the complainant alleged that the platform's cookie consent banner did not meet the opt-in standard required under GDPR: pre-ticked boxes had been used for third-party marketing cookies, and the withdrawal mechanism required three steps rather than one.

UODO opened a formal proceeding and requested documentation within 30 days. The client's internal team had no prior experience with UODO correspondence. The first draft response acknowledged the deficiency without contextualising it – a common mistake that effectively concedes the infringement before the regulator has completed its own assessment. We were instructed at that point, before the response was filed.

The audit also surfaced two secondary issues. First, the company retained customer transaction data for seven years without a documented legal basis extending beyond the standard contractual limitation period. Second, a minor data breach involving approximately 340 email addresses had occurred eight months earlier and had not been reported to UODO within the 72-hour window required under GDPR. That omission became the most serious element of the case – late breach notification carries its own penalty track, independent of the original consent complaint.

For context on how IP and technology obligations intersect in cross-border operations, see our analysis of IP protection strategy for German tech companies in Poland.

What strategy reduced the penalty exposure?

The defence strategy rested on three pillars: voluntary remediation before the deadline, a structured cooperation posture, and a proportionality argument grounded in UODO's own published enforcement guidelines. GDPR enforcement in Poland – unlike in some western European jurisdictions – rewards documented self-correction. UODO's guidelines explicitly list voluntary compliance measures as a mitigating factor in penalty calculation.

We submitted a remediation plan alongside the formal response. The plan addressed all three issues: the consent banner was rebuilt to a single-click opt-in model within 14 days; the data retention schedule was updated with a documented legal basis matrix covering each category of personal data; and a retrospective breach notification was filed, accompanied by a root-cause analysis and a technical report from a certified auditor. Filing a late breach notification proactively – rather than waiting for UODO to discover the omission – is a recognised mitigation strategy under the regulator's published practice.

We also presented a proportionality argument. The affected data subjects numbered under 400. The breach involved low-sensitivity data (email addresses only, no financial or health data). The company had no prior UODO enforcement history. Under GDPR, each of these factors weighs in the controller's favour. The Polish Financial Supervision Authority (KNF) framework for proportionate regulatory response provided a useful analogy, though UODO operates independently – the parallel helped frame the argument for the client's management team.

We secured a reduction in the administrative fine to PLN 85,000 for a technology client in the Mazowieckie region (winter 2026), down from an initial exposure assessment exceeding PLN 900,000, by applying the same three-pillar approach described above.

How did the UODO process unfold in practice?

UODO proceedings follow a defined administrative path under the Kodeks postępowania administracyjnego (Code of Administrative Procedure, KPA). The regulator issues a formal notice, sets a response deadline (typically 30 days), may request supplementary documentation, and then issues a preliminary decision. The party has the right to respond to the preliminary decision before a final administrative order is issued. That intermediate step is frequently underused by respondents – and is where the most effective advocacy occurs.

In this matter, UODO's preliminary decision proposed a fine of PLN 220,000. Our response to the preliminary decision introduced three new elements: updated technical evidence of the remediated consent system, a statement from the data processor confirming the breach containment measures, and a comparative analysis of fines issued by UODO in analogous cases involving similar data volumes and breach categories. The final fine issued was PLN 65,000 – a reduction of more than 70% from the preliminary figure.

The client also avoided a public enforcement listing on UODO's website. UODO publishes summaries of enforcement decisions, and a named listing carries reputational cost well beyond the financial penalty. Keeping the matter within the administrative proceeding – rather than triggering an appeal that would extend the public record – was a deliberate strategic choice. For employment-related data processing questions that often arise in parallel GDPR audits, the analysis of severance pay calculation under the Polish Labour Code addresses the HR data retention dimension.

Our team also obtained a formal commitment from UODO – recorded in the decision – that no further proceedings would be initiated on the same factual basis, provided the remediation plan was implemented within 60 days. That commitment is not standard. It requires a specific request, supported by evidence that the remediation is genuine and complete.

What are the transferable lessons for GDPR compliance in Poland?

Three lessons apply across sectors. First, the 72-hour breach notification deadline is absolute. There is no grace period, no informal extension, and no benefit to delay. A late notification filed proactively – with a root-cause analysis – is treated more favourably than one filed under compulsion. Controllers who discover a potential breach should begin the UODO notification process immediately, even before the internal investigation is complete, using the "best available information" standard that GDPR expressly permits.

Second, consent architecture is audited against the single-click withdrawal standard. If your platform requires more steps to withdraw consent than to grant it, UODO will treat that asymmetry as a structural infringement. The fix is technical and inexpensive. The penalty for leaving it unaddressed is not.

Third, data retention schedules must be documented with a legal basis for each category. A generic "we keep data for seven years" policy is insufficient. Controllers should maintain a record of processing activities (ROPA) that maps each data category to a specific legal basis – contract performance, legal obligation, legitimate interest, or consent – with a defined retention period for each. UODO inspects ROPA documentation in virtually every formal proceeding.

  • File breach notifications within 72 hours – use best available information if the investigation is incomplete
  • Audit consent banners for single-click withdrawal parity
  • Maintain a ROPA with a documented legal basis per data category
  • Respond to UODO notices within the 30-day deadline with a remediation plan attached
  • Use the preliminary decision stage to introduce new evidence and proportionality arguments

AI Act Poland obligations and DORA compliance requirements are now adding new data governance layers for technology and financial sector clients. Both frameworks interact directly with GDPR Poland obligations – particularly around automated decision-making and incident reporting. Entities already managing UODO enforcement risk should map these new requirements against their existing data protection programmes before the respective implementation deadlines. For cross-border data flows involving non-EU entities, our guide on data transfer from Poland to Cyprus – legal mechanisms sets out the applicable transfer tools.

We secured a favourable UODO administrative commitment for a Warsaw-based IT services company in the Mazowieckie region (spring 2026), avoiding a public enforcement listing and limiting the financial penalty to below PLN 100,000 on an initial exposure exceeding PLN 700,000.

Your company's specific situation – the number of data subjects, breach history, and current consent architecture – determines which arguments carry the most weight before UODO. Acting before a formal notice arrives forecloses the most damaging outcomes.

To receive an expert assessment of your GDPR Poland exposure and UODO response strategy, contact info@kordeckipartners.com.

Frequently asked questions

Q: How long does a UODO enforcement proceeding typically take?

A: Most formal proceedings conclude within six to twelve months from the initial notice. Complex cases involving multiple infringement tracks – such as combined consent and breach notification failures – can extend to eighteen months. The preliminary decision stage typically arrives three to five months after the initial response deadline. Engaging legal counsel before the first response is filed shortens the overall timeline by avoiding supplementary information requests.

Q: Is it a misconception that only large companies receive significant GDPR fines in Poland?

A: Yes. UODO has issued fines against entities of all sizes, including sole traders and small online retailers. The size of the controller is one factor in the penalty calculation, but the nature of the infringement and the number of affected data subjects carry equal or greater weight. A small e-commerce operator with a structural consent defect affecting thousands of users faces a proportionally higher penalty than a large enterprise with an isolated, promptly remediated breach.

Q: What does a GDPR compliance audit by KORDECKI & Partners typically cost?

A: A focused GDPR audit covering consent architecture, ROPA documentation, and breach notification procedures is scoped individually based on the size of the data processing operation and the number of systems reviewed. Engagements for mid-sized Polish entities typically complete within four to six weeks. The audit deliverable includes a prioritised remediation matrix and a draft ROPA template. Contact info@kordeckipartners.com for a scoped proposal.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to IP, technology law, AI regulation, DORA compliance, trademark matters, and GDPR enforcement defence. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. Our Warsaw IP practice handles UODO proceedings, data protection audits, and cross-border technology transactions. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.