A Warsaw-based e-commerce company discovers at 11 p.m. on a Friday that its customer database has been exfiltrated. The security team confirms the incident by midnight. The clock is already running. Polish data protection law gives the controller 72 hours from the moment of awareness to notify the supervisory authority – and that deadline does not pause for weekends, public holidays, or ongoing forensic investigations.
Under the General Data Protection Regulation (GDPR), as applied and enforced in Poland by the Office for Personal Data Protection (Urząd Ochrony Danych Osobowych, UODO), controllers must notify UODO of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where notification cannot be completed within that window, a preliminary report must be filed first, with supplementary information to follow. Failure to notify on time exposes the controller to administrative fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher.
This page explains the full notification framework: who must notify, what the 72-hour clock actually measures, how UODO handles incoming reports, and what cross-border incidents require beyond the Polish procedure. It also covers the separate obligation to inform affected individuals, common procedural mistakes, and a practical checklist for building a defensible response process.
What triggers the obligation to notify UODO?
A personal data breach, under the GDPR framework applied in Poland, is any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The definition is deliberately wide. A misconfigured cloud storage bucket, a ransomware attack that encrypts data without exfiltration, a courier losing a physical file – all qualify. The triggering condition is not harm, but the event itself, combined with a risk threshold.
UODO does not require notification for every breach. The controller must assess whether the breach is likely to result in a risk to the rights and freedoms of natural persons. If the answer is yes, notification is mandatory. If the risk is high, the controller must also notify the affected individuals directly. The assessment must be documented regardless of the outcome – UODO inspectors routinely request the internal risk evaluation during audits.
Three categories of breach consistently cross the risk threshold in UODO's published guidance. First, breaches involving special categories of data: health records, biometric data, political opinions, religious beliefs. Second, breaches affecting large volumes of records or vulnerable groups, including minors. Third, breaches where the data could enable identity theft or financial fraud. In practice, any incident involving more than a handful of records should be presumed notifiable until the risk assessment demonstrates otherwise. Incident types that routinely fall within the definition include:
- Unauthorised external access (hacking, phishing, credential theft)
- Accidental disclosure to a wrong recipient by email or post
- Loss or theft of a device containing unencrypted personal data
- Ransomware encrypting data, even without confirmed exfiltration
- Insider misuse or unauthorised access by an employee
One common misconception is that a processor's breach does not trigger the controller's obligations. Under Polish data protection practice, a processor must notify the controller without undue delay upon becoming aware of a breach. From that point, the controller's 72-hour clock begins. Controllers who outsource data processing to cloud providers or payroll bureaux must ensure their data processing agreements contain explicit breach notification obligations – and must treat the processor's notification as the starting gun.
How does the 72-hour notification timeline work in practice?
The 72-hour deadline runs from the moment the controller becomes "aware" of the breach. UODO, consistent with European Data Protection Board (EDPB) guidance, interprets awareness as the point when the controller has a reasonable degree of certainty that a security incident has occurred and that personal data has been affected. A vague IT alert does not start the clock. A confirmed incident does.
We secured a reversal of a regulatory finding against a financial services client in the Mazowieckie region (autumn 2025). The authority had argued that awareness arose when the IT team logged an anomaly. We demonstrated that the anomaly log preceded confirmation of data involvement by 18 hours – and that the notification, filed within 72 hours of confirmed awareness, was timely. Documentation of the internal discovery process proved decisive.
UODO's online notification portal (system zgłoszeń naruszeń) accepts preliminary reports. Where the investigation is ongoing at the 72-hour mark, controllers may submit an initial notification stating that full information is not yet available. The supplementary report must follow as soon as the missing information is obtained – typically within a further 7 to 14 days, though UODO expects this gap to be as short as possible. Submitting a placeholder report and then going silent for weeks is a recognised enforcement trigger.
The notification itself must contain five elements:
- a description of the nature of the breach, including the categories and approximate number of data subjects and records concerned
- the name and contact details of the data protection officer (DPO) or other contact point
- a description of the likely consequences of the breach
- a description of the measures taken or proposed to address the breach
- where relevant, the measures taken to mitigate its possible adverse effects
Missing even one element without explanation can result in a formal deficiency notice from UODO.
When must affected individuals be notified directly?
Direct notification to data subjects is required when a breach is likely to result in a high risk to their rights and freedoms. The threshold is higher than for UODO notification: not merely "risk" but "high risk." In practice, the gap between the two thresholds is narrower than it appears. Breaches involving financial data, identity documents, passwords, or health records almost always meet the high-risk threshold.
Our team obtained interim measures protecting assets worth over EUR 5m for a German investor's subsidiary in Lower Silesia (spring 2026). That matter involved a data breach at a joint venture – and the cross-border notification obligation was the first procedural issue resolved, before any civil claim. Speed of notification directly affected the investor's ability to limit downstream liability.
The communication to affected individuals must be in plain language. It must describe the nature of the breach, provide the DPO's contact details, describe the likely consequences, and explain the measures the controller has taken or proposes to take. UODO has criticised notices that are written in legal jargon or that omit practical guidance, such as advising individuals to change passwords or monitor their bank accounts. The communication must be direct: email, SMS, or written letter. A generic website post does not satisfy the requirement unless direct contact is genuinely impossible.
There are three circumstances in which individual notification may be postponed or replaced. First, where the controller has implemented appropriate technical measures – such as encryption – that render the data unintelligible to unauthorised persons. Second, where the controller has taken subsequent measures that ensure the high risk is no longer likely to materialise. Third, where individual notification would involve a disproportionate effort, in which case a public communication or equivalent measure may substitute. UODO scrutinises reliance on the disproportionate-effort exemption closely. It is not a cost-saving mechanism.
For advice on structuring your individual notification process, contact info@kordeckipartners.com.
What are the cross-border and multi-jurisdictional considerations?
Poland's UODO is the competent supervisory authority for controllers and processors established in Poland, and for controllers outside the European Economic Area (EEA) who target Polish data subjects. Where a controller operates across multiple EU member states and has its main establishment in another country – say, Germany or the Netherlands – the lead supervisory authority mechanism applies. UODO then acts as a concerned authority, not the lead.
The lead supervisory authority framework does not reduce the urgency of the 72-hour deadline. The controller must still notify the lead authority within 72 hours. UODO will be notified by the lead authority in parallel. Controllers with Polish operations who are tempted to route everything through their headquarters' lead authority should be aware that UODO actively monitors compliance for Polish-established entities and will intervene if the one-stop-shop mechanism is being used to delay or dilute notification.
For non-EEA companies with a Polish representative under GDPR, the representative's role in the notification process must be defined in advance. UODO expects the representative to be genuinely reachable and operationally involved – not merely a registered address. Controllers entering the Polish market through a local subsidiary should also consider whether that subsidiary qualifies as a controller in its own right, which would make it independently subject to UODO's jurisdiction. For strategic guidance on structuring Polish market entry, see our analysis of data transfer from Poland to UAE: legal mechanisms.
Sector-specific obligations layer on top of GDPR. Financial institutions subject to DORA compliance requirements face additional incident reporting timelines to the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) that run in parallel with UODO notification. Healthcare entities report to the National Health Fund (Narodowy Fundusz Zdrowia, NFZ) as well. Coordinating simultaneous notifications to multiple authorities – with different forms, different deadlines, and different information requirements – is one of the most practically demanding aspects of breach response in Poland. For boards considering personal exposure in multi-authority scenarios, our article on board liability and personal exposure is directly relevant.
What are the common pitfalls and how can they be avoided?
The most frequent enforcement pattern in UODO decisions involves not the breach itself, but the response. Controllers are penalised for late notification, incomplete notification, failure to document the risk assessment, and failure to notify individuals when the high-risk threshold was met. Each of these failures is avoidable with a documented incident response procedure prepared before any breach occurs.
Pitfall one: treating the 72-hour clock as a business-hours clock. It is not. The period runs continuously from the moment of confirmed awareness. A breach confirmed at 6 p.m. on a Thursday means notification is due by 6 p.m. on Sunday. Controllers without an on-call DPO or legal contact will miss this deadline. UODO does not accept "the office was closed" as justification for late filing.
Pitfall two: waiting for the forensic investigation to conclude before notifying. UODO's two-stage process – preliminary notification followed by supplementary report – exists precisely to allow notification before the full picture is known. Filing a preliminary report within 72 hours, even with incomplete information, preserves the controller's legal position. Waiting for certainty forfeits it. Preparation that avoids both pitfalls includes:
- Appoint a DPO or designate a breach-response contact with 24/7 availability
- Maintain a breach register documenting every incident, including those not notified
- Prepare notification templates in advance for UODO and for data subjects
- Establish a written escalation protocol from IT to legal to management
Pitfall three: underestimating the documentation obligation. UODO inspectors, during both routine and triggered audits, request the controller's breach register. This register must contain every breach, notified or not, with the risk assessment justifying the decision. Controllers who cannot produce this register face a separate enforcement finding, independent of whether the original breach was handled correctly. For technology companies operating across jurisdictions, our guide on IP protection strategy for US tech companies in Poland covers related documentation obligations under Polish law.
Pitfall four: assuming that GDPR compliance in Poland is equivalent to compliance with the AI Act or DORA. These are separate regulatory regimes with separate notification obligations. A breach at a financial institution may simultaneously trigger GDPR notification to UODO, DORA incident reporting to KNF, and, if AI systems are involved, emerging obligations under the AI Act as applied in Poland. Building a single breach-response plan that addresses only GDPR creates a false sense of security.
What should your breach response checklist include?
A defensible breach response is built before the breach occurs. The checklist below reflects the minimum preparation that UODO expects from controllers of any size. Larger organisations and those handling special categories of data should extend this framework significantly.
First, containment and initial assessment within the first four hours of confirmed awareness. This means isolating affected systems, preserving logs, and making an initial determination of whether personal data is involved. The four-hour window is not a legal deadline – but it is the practical threshold for keeping the 72-hour notification window workable.
- Confirm whether personal data has been affected and identify the categories involved
- Estimate the number of data subjects and records affected
- Assess the likely risk level: low, medium, or high
- Determine whether UODO notification is required and whether individual notification is required
- File preliminary UODO notification if the 72-hour deadline cannot be met with full information
Second, the breach register entry must be completed regardless of whether formal notification is filed. The register must record the facts of the breach, the risk assessment, the decision on notification, and the reasoning. This document is the primary evidence in any subsequent UODO audit. Controllers who record "no notification required" without a written risk assessment are particularly exposed.
Third, individual notification – where required – must be drafted in plain language and dispatched without undue delay after the high-risk determination is made. "Undue delay" in UODO's practice means days, not weeks. Controllers who complete their UODO notification and then spend three weeks drafting the individual communication will face enforcement findings on that separate obligation.
Post-incident review is the step most controllers skip. UODO expects controllers to demonstrate that a breach has led to technical or organisational improvements. A breach followed by no documented remediation is a signal, during any subsequent audit, that the controller's security measures remain inadequate. The review should be completed within 30 days and documented in writing.
Specific breach response requires tailored legal input. For a structured assessment of your organisation's notification obligations and response procedures, contact info@kordeckipartners.com.
Frequently asked questions
Q: Does the 72-hour deadline apply to processors as well as controllers?
A: Processors are not required to notify UODO directly. Their obligation is to notify the controller without undue delay upon becoming aware of a breach. In practice, data processing agreements should specify a maximum notification window – typically 24 to 48 hours – to give the controller enough time to meet its own 72-hour UODO deadline. A processor that delays notification to the controller, causing the controller to miss the UODO deadline, may be held jointly responsible under the GDPR enforcement framework.
Q: What is the cost of non-compliance with UODO notification requirements?
A: UODO may impose fines of up to EUR 10 million or 2% of total worldwide annual turnover for the preceding financial year, whichever is higher, for failure to notify a breach. For breaches involving special categories of data or systematic failures, the upper tier applies: up to EUR 20 million or 4% of global turnover. Beyond financial penalties, UODO may issue corrective orders, require specific technical measures, or impose temporary or permanent processing bans. Reputational damage and civil liability claims from affected individuals add further exposure.
Q: Is a DPO mandatory for all Polish controllers?
A: Under GDPR as applied in Poland, a Data Protection Officer is mandatory for public authorities, for controllers whose core activities require large-scale systematic monitoring of individuals, and for controllers whose core activities involve large-scale processing of special categories of data. Many private-sector companies do not meet these thresholds. However, UODO's enforcement decisions consistently show that controllers without a DPO who suffer a breach face greater difficulty demonstrating accountability – because there is no designated internal expert to coordinate the notification process. Voluntary appointment of a DPO or a designated privacy officer is a recognised risk-mitigation measure, even where it is not legally required.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, technology regulation, and breach response. We advise Polish entrepreneurs, foreign investors, and in-house legal teams on GDPR compliance in Poland, UODO enforcement, DORA compliance, AI Act obligations in Poland, and cross-border data transfer frameworks. Our IP and technology practice covers trademark and IP matters in Warsaw and integrated regulatory advisory. To discuss your situation, contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.