A Polish e-commerce company receives a formal notice from the Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO) requesting documentation of its data processing activities. The company's privacy policy was last updated in 2021. Its data processing agreements with three cloud vendors have never been audited. Within weeks, a fine is issued – and the board discovers that "we assumed we were compliant" is not a defence recognised under Polish data protection enforcement practice.

UODO has materially intensified its enforcement activity since 2024, issuing fines that now regularly exceed PLN 1 million for mid-sized controllers. The Office focuses on three recurring failures: inadequate technical and organisational measures, missing or defective data processing agreements, and unlawful cross-border data transfers. Controllers and processors operating in Poland should treat UODO enforcement as a live operational risk, not a theoretical compliance exercise.

This alert covers what has shifted in UODO's enforcement approach, which organisations face the highest exposure, and the immediate steps that reduce fine risk before an inspection arrives.

What has changed in UODO's enforcement approach?

UODO's enforcement posture has moved from reactive complaint-handling toward proactive sector sweeps. The Office now initiates proceedings on its own motion, targeting entire industries rather than waiting for individual data subjects to complain. Healthcare, fintech, and retail have each faced coordinated inspection waves. Controllers that assumed low public profile would shield them from scrutiny are finding that assumption wrong.

Fines have increased in both frequency and size. The maximum penalty under the General Data Protection Regulation (GDPR) remains EUR 20 million or 4% of global annual turnover – whichever is higher. UODO has applied the upper band more willingly since 2024, particularly where a controller failed to cooperate during proceedings or delayed informing affected data subjects of a high-risk breach. Late notification alone has triggered standalone penalty decisions: Article 33 GDPR requires the supervisory authority to be notified without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach, and Article 34 separately requires affected data subjects to be informed without undue delay where the breach is likely to result in a high risk to them.

The Office has also sharpened its focus on data transfers outside the European Economic Area. Since the CJEU's Schrems II judgment invalidated the EU-US Privacy Shield, UODO scrutinises Standard Contractual Clauses (SCCs) for substantive completeness, not merely formal presence. A controller that signs SCCs without conducting a Transfer Impact Assessment (TIA) – the documented check that the destination country's law does not undermine the protection the clauses promise – faces the same enforcement risk as one that transfers data with no mechanism at all. For transfers involving Ukrainian entities specifically, the legal framework carries additional complexity – see our analysis of data transfer from Poland to Ukraine: legal mechanisms.

One further shift deserves attention. UODO has begun referencing obligations under the EU AI Act, as applied in Poland, in its correspondence with controllers deploying automated decision-making systems. While the AI Act's enforcement architecture is separate, the Office treats inadequate human oversight of automated processing – already required by Article 22 GDPR where decisions with legal or similarly significant effects are made solely by automated means – as evidence of systemic GDPR non-compliance. Controllers using algorithmic scoring, profiling, or AI-driven hiring tools should expect this intersection to intensify.

Who is most exposed – and what must they do now?

Exposure is not evenly distributed. UODO's published enforcement decisions reveal a clear pattern: the highest fines fall on controllers that combine multiple failures simultaneously. A single gap – say, an outdated privacy notice – rarely produces a seven-figure penalty on its own. The combination of missing records of processing activities, defective processor agreements, and an unreported personal data breach within the same organisation reliably attracts the upper penalty band.

Three categories of organisation carry elevated risk right now. First, companies processing health data or financial data at scale – health data is a special category under Article 9 GDPR and attracts heightened scrutiny, and financial entities additionally face DORA compliance obligations. Second, foreign-owned subsidiaries that rely on group-level privacy programmes drafted for another jurisdiction. UODO does not accept "our parent's policy covers this" as a compliance argument. Third, businesses that have grown rapidly since 2021 without updating their data governance infrastructure to match their new processing footprint.

We obtained a withdrawal of UODO enforcement proceedings for a fintech client in Mazowieckie (autumn 2025) by demonstrating that the controller had implemented corrective measures within 30 days of identifying the breach – before the Office had issued its preliminary finding. Speed of remediation is a recognised mitigating factor in UODO's penalty calculus.

The immediate action list is short but non-negotiable:

  • Audit all data processing agreements with vendors and processors. Any agreement that still incorporates the pre-2021 transfer SCCs is defective – the old clauses were repealed in 2021 and existing contracts had to be migrated by 27 December 2022 – and any processor agreement older than that should be checked against the mandatory content of Article 28(3) GDPR.
  • Verify that your record of processing activities (ROPA) reflects current data flows, including any AI or automated profiling tools added since the last review.
  • Confirm that your 72-hour breach notification procedure is documented, tested, and assigned to a named individual.
  • Commission a Transfer Impact Assessment for every data transfer to a non-EEA country not covered by an adequacy decision, including transfers to group entities.
  • Review your data retention schedules – UODO has penalised controllers for retaining personal data beyond the periods stated in their own privacy notices.

For technology companies with IP assets in Poland, data governance intersects with broader IP protection strategy. Controllers whose products embed personal data processing should review our guidance on IP protection strategy for tech companies in Poland. Separately, organisations facing financial stress alongside compliance remediation should note that restructuring tools remain available – the simplified arrangement proceedings framework can protect a business while compliance work proceeds.

We assisted a Warsaw-based SaaS provider in Mazowieckie (spring 2025) in restructuring its entire vendor contract stack – covering 14 processors across six jurisdictions – within 45 days of receiving a UODO preliminary inquiry. The enforcement file was closed without a fine.

The window for voluntary remediation closes the moment UODO issues a formal decision. At that point, the controller's options narrow to appeal before the administrative courts – a process measured in months, not weeks. Acting before inspection is not merely good practice. It is the only reliable way to avoid a penalty that cannot be undone.

Your organisation's specific data processing profile determines whether current gaps are manageable or immediately material. Waiting for UODO to identify the problem forfeits the single most effective mitigating factor available under Polish enforcement practice: demonstrated prior remediation.

To receive an expert assessment of your GDPR compliance exposure under current UODO enforcement priorities, contact info@kordeckipartners.com.

Frequently asked questions

Q: How quickly does UODO typically conclude an enforcement proceeding after issuing a formal notice?

A: Timelines vary, but proceedings initiated by UODO on its own motion typically run between six and eighteen months from first notice to final decision. Proceedings triggered by a data subject complaint can move faster – sometimes concluding within four months. Controllers should not assume that a slow-moving file signals low priority; UODO has issued substantial fines in cases that appeared dormant for over a year.

Q: Is it a misconception that small companies are exempt from GDPR fines in Poland?

A: Yes. UODO has fined organisations with fewer than 50 employees. The GDPR does not create a size-based exemption. The scale of processing, the sensitivity of data involved, and the nature of the violation matter far more than headcount. A small company processing health or financial data at volume faces the same legal framework as a large enterprise.

Q: What does a GDPR compliance audit by an external adviser typically cost and cover?

A: Costs depend on the complexity of the processing environment, but a structured audit for a mid-sized Polish entity typically spans three to six weeks and covers ROPA review, processor agreement audit, transfer mechanism verification, and breach response testing. Engaging counsel before a UODO inquiry is materially less expensive than managing enforcement proceedings after one begins.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to GDPR compliance, data protection enforcement, AI Act readiness, and DORA compliance. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.