A Warsaw-based e-commerce company detects suspicious activity on its servers at 11 p.m. on a Friday. By Monday morning, the team has confirmed that personal data of thousands of customers was accessed without authorisation. The clock, however, started ticking on Friday – not Monday. Under Polish data protection law, the 72-hour window for notifying the supervisory authority had already begun.

Polish data protection law requires controllers to notify the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO) within 72 hours of becoming aware of a personal data breach, provided the breach is likely to result in a risk to the rights and freedoms of natural persons. Where notification cannot be made within that window, the controller must provide reasons for the delay alongside the notification itself. Failure to comply exposes the organisation to administrative fines of up to EUR 10 million or 2% of global annual turnover – whichever is higher.

This service page sets out the full notification framework: who must notify, what triggers the obligation, how to structure a compliant notification, and where cross-border complications arise. It also identifies the most common procedural mistakes that transform a manageable incident into a regulatory enforcement action.

What triggers the UODO notification obligation?

The obligation arises from the General Data Protection Regulation (GDPR), which applies directly in Poland and is supervised domestically by UODO. A breach is defined as any security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. Not every incident reaches the notification threshold. The controller must assess whether the breach is likely to result in a risk to the rights and freedoms of individuals.

Three categories of breach consistently trigger notification in UODO practice. First, unauthorised access to unencrypted databases containing financial, health, or identity data. Second, accidental disclosure of personal data to the wrong recipient – even a single misdirected email can qualify. Third, ransomware attacks that encrypt data and make it unavailable, even where exfiltration is unconfirmed. UODO has issued guidance indicating that unavailability of data, without confirmed theft, may still require notification if the risk threshold is met.

The risk assessment must be documented. Controllers cannot rely on a verbal decision by the IT department. The assessment should consider the nature of the data, the number of individuals affected, the likely consequences, and any mitigating measures already in place. Encryption of the affected dataset, for example, can reduce the assessed risk level – but only if the encryption keys were not also compromised.

A practical checkpoint: if the breach affects special categories of data (health, biometric, racial or ethnic origin), the risk threshold is almost always met. Controllers dealing with such data should treat notification as the default position and work backwards from there.

How does the 72-hour clock work in practice?

The 72-hour period begins when the controller becomes aware of the breach – not when the breach itself occurred. "Awareness" under GDPR means the controller has a reasonable degree of certainty that a security incident has taken place and that personal data has been affected. A processor discovering a breach must notify the controller without undue delay. It is that notification that starts the clock for the controller's own 72-hour obligation to UODO.

In practice, the moment of awareness is often contested. UODO has taken the position that awareness cannot be indefinitely deferred by framing an investigation as ongoing. Once the controller has sufficient information to confirm that a breach has occurred – even if its full scope is unknown – the 72 hours begin. Controllers who wait for a complete forensic report before notifying frequently miss the deadline.

The regulation permits a phased notification approach. An initial notification can be submitted within 72 hours with the information available at that time, followed by supplementary notifications as additional details emerge. UODO's online notification portal accepts updates to existing notifications. This mechanism is underused. Many controllers either submit nothing within 72 hours or delay submission until they believe the picture is complete – both approaches carry enforcement risk.

We secured a reversal of a UODO enforcement decision for a technology services client in the Mazowieckie region (autumn 2025). The client had submitted an initial notification within 72 hours but failed to follow up with supplementary information. We demonstrated that the initial submission was substantively compliant and that the absence of a follow-up did not constitute a separate infringement.

Practical steps for managing the 72-hour window:

  • Document the precise time and date when awareness was established.
  • Assign a named individual responsible for the notification decision.
  • Use UODO's online portal for submission – postal notifications are accepted but create timestamp disputes.
  • Retain all internal communications from the moment of detection.
  • Prepare a notification template in advance so that the 72-hour window is spent on facts, not drafting.

What must a compliant UODO notification contain?

A notification to UODO must include four categories of information. First, a description of the nature of the breach – including, where possible, the categories and approximate number of individuals affected, and the categories and approximate number of personal data records concerned. Second, the name and contact details of the data protection officer (DPO), or another contact point where more information can be obtained. Third, a description of the likely consequences of the breach. Fourth, the measures taken or proposed to address the breach and, where appropriate, to mitigate its possible adverse effects.

UODO's notification form is available on its official website and is structured around these four elements. Controllers should not treat the form as a bureaucratic exercise. Each field is reviewed by UODO inspectors, and vague or incomplete responses – such as "measures are being investigated" in the field for mitigating actions – are routinely flagged for follow-up enquiries. A follow-up enquiry within 30 days of the initial notification is a reliable indicator that an enforcement investigation may follow.

The DPO's role here is procedural as well as substantive. Where a DPO is appointed, UODO expects the DPO to be named in the notification and to be the point of contact for any follow-up. Controllers who have not yet registered their DPO with UODO – a separate obligation under GDPR – face a compounded compliance problem when a breach occurs. Registration with UODO is straightforward and takes under 14 days in normal circumstances.

For foreign-language organisations operating in Poland, the notification must be submitted in Polish. This is not stated explicitly in GDPR but reflects UODO's administrative practice. Controllers without in-house Polish legal capacity should identify a Polish-language submission resource before an incident occurs – not during the 72-hour window.

The requirement to notify affected individuals is separate and applies where the breach is likely to result in a high risk to rights and freedoms. That notification must be made "without undue delay" – a standard that UODO interprets as within 72 hours of the decision to notify, though the regulation does not specify a fixed deadline for individual notification.

What are the cross-border complications for international businesses?

For a German investor with a Polish subsidiary processing data across multiple EU member states, the one-stop-shop mechanism under GDPR determines which supervisory authority is the lead authority. Where the Polish entity is the main establishment – meaning it makes the substantive decisions about data processing – UODO is the lead supervisory authority. Where the main establishment is in another member state, that state's authority leads, but UODO retains jurisdiction over matters affecting Polish data subjects.

The one-stop-shop mechanism does not eliminate UODO's involvement. It channels it. UODO participates as a concerned supervisory authority in cross-border cases and can raise objections to decisions taken by the lead authority. Controllers who assume that notifying their home-country authority discharges all obligations in Poland are exposed to direct UODO enforcement action. This is a recurring mistake among multinational groups with Polish operations.

For businesses subject to the Digital Operational Resilience Act (DORA), incident notification requirements run parallel to GDPR. Financial entities regulated under DORA must report major ICT-related incidents to the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) within timelines that differ from GDPR's 72-hour window. A single ransomware attack on a Polish bank may trigger simultaneous obligations to UODO and KNF. Coordinating those parallel notifications requires a pre-prepared response protocol.

The legal mechanisms for data transfer from Poland to the UAE become relevant when a breach affects data that was being transferred to a third country. In those cases, the controller must assess whether the breach also triggers notification obligations under the third country's law. The UAE, for example, has its own data protection legislation with separate breach notification requirements. Controllers managing cross-border data flows should map their notification obligations across all relevant jurisdictions before a breach occurs.

We obtained interim protective measures for a Pomerania-based fintech client facing simultaneous UODO and KNF notification obligations following an ICT incident (spring 2026). By coordinating the two notification tracks from the outset, we avoided inconsistencies between the two submissions that could have been used against the client in enforcement proceedings.

What are the most common pitfalls in UODO breach notification?

The most frequent error is treating the breach notification process as an IT function rather than a legal one. IT teams are well-placed to identify and contain a breach. They are not well-placed to assess the legal risk threshold, draft a compliant notification, or make the decision to notify affected individuals. Controllers who leave the notification decision to the IT department consistently produce notifications that are technically accurate but legally incomplete.

A second common mistake is over-notifying. Not every security incident requires UODO notification. Controllers who notify as a precaution – to avoid missing a deadline – without first conducting a documented risk assessment create a compliance record that can be used against them in subsequent enforcement proceedings. UODO has indicated that a pattern of precautionary notifications without supporting risk assessments may itself be treated as evidence of inadequate data governance.

A third pitfall is the failure to maintain a breach register. GDPR requires controllers to document all personal data breaches, regardless of whether they are notified to UODO. The register must contain the facts of the breach, its effects, and the remedial action taken. UODO inspectors routinely request the breach register during audits. A controller unable to produce one – or producing one that was created after the audit was announced – faces a separate infringement finding independent of the underlying breach.

Controllers with whistleblower channels face a particular complication: a report submitted through the whistleblower channel may itself constitute or disclose a personal data breach. The intersection of the Whistleblower Protection Act and GDPR notification obligations requires careful handling. The whistleblower's identity must be protected while the breach is investigated and notified.

Poland's implementation of the AI Act adds a further layer for controllers using AI systems. Where a breach affects data processed by an AI system classified as high-risk under the AI Act, the controller may face concurrent obligations under both the GDPR and AI Act supervisory frameworks. This intersection is not yet fully worked out in UODO practice, but controllers deploying high-risk AI systems should build dual-track notification protocols into their incident response plans.

What should your organisation prepare before a breach occurs?

Preparation is not optional. UODO's enforcement decisions consistently distinguish between controllers who had a documented incident response plan and those who improvised. The distinction affects both the finding of infringement and the quantum of any fine. A controller demonstrating that it had adequate procedures in place, that it activated those procedures promptly, and that it notified UODO within 72 hours, is in a materially better position than one that cannot produce any pre-incident documentation.

The checklist below reflects the minimum preparation standard that UODO expects from controllers operating at any scale. For organisations processing special categories of data, or operating in regulated sectors, each item should be supplemented by sector-specific protocols.

  • Draft and test an incident response plan that assigns roles, timelines, and escalation paths.
  • Register your DPO with UODO – or confirm that DPO appointment is not mandatory for your organisation.
  • Establish a breach register template and ensure it is maintained from the first day of operations.
  • Identify your lead supervisory authority if you operate across multiple EU member states.
  • Map your cross-border data flows and the notification obligations in each jurisdiction.

For organisations with IP-intensive operations, the risk profile extends beyond personal data. A breach affecting trade secrets or proprietary source code may not trigger GDPR notification but may require immediate action under IP law. The IP protection strategy for tech companies in Poland addresses how to structure pre-breach protections for both personal data and IP assets simultaneously.

Three business scenarios illustrate the preparation gap. A manufacturing company in Silesia with 500 employees discovers a breach affecting employee health records. Without a pre-prepared notification template, it takes 48 hours to agree the notification text internally – leaving only 24 hours for UODO submission. An IT firm in Małopolska processes data for EU clients under processor agreements. Its contracts do not specify a processor-to-controller notification timeline. When a breach occurs, the processor notifies the controller on day 3, leaving the controller with less than 24 hours. A foreign investor entering Poland through a newly incorporated subsidiary has no DPO, no breach register, and no incident response plan. Its first UODO interaction is a notification submitted 96 hours after awareness – already out of time.

Each scenario is avoidable. The preparation cost is a fraction of the enforcement exposure. UODO fines in Poland have reached EUR 2.8 million in a single case. The personal liability of board members for GDPR infringements – under Polish corporate legislation – is a separate and increasingly enforced risk.

Specific circumstances require specific advice. A generic incident response plan copied from a compliance template does not reflect your organisation's data flows, processor relationships, or regulatory exposure. Treating a breach as a documentation exercise rather than a legal emergency forfeits the mitigating credit that prompt and well-structured notification provides. That credit is not recoverable after the fact.

To receive an expert assessment of your organisation's GDPR breach notification readiness, contact info@kordeckipartners.com.

Frequently asked questions

Q: Does the 72-hour deadline apply even if the breach investigation is not complete?

A: Yes. UODO expects an initial notification within 72 hours of awareness, even if the full scope of the breach is not yet known. Controllers may submit supplementary information as the investigation progresses. Waiting for a complete forensic report before notifying is one of the most common – and most penalised – errors in Polish breach notification practice. The phased notification mechanism exists precisely to accommodate incomplete information at the point of initial notification.

Q: What is the cost of engaging KORDECKI & Partners to manage a breach notification?

A: Engagement scope and cost depend on the complexity of the breach, the number of affected individuals, and whether cross-border or sector-specific obligations are involved. A single-jurisdiction notification for a contained breach is typically handled on a fixed-fee basis. Multi-jurisdiction incidents, or those involving parallel UODO and KNF obligations, are scoped separately. Contact info@kordeckipartners.com for a same-day assessment.

Q: Is it a misconception that only large companies need to notify UODO?

A: It is a misconception. The notification obligation applies to any controller, regardless of size, where the risk threshold is met. Small and medium enterprises are subject to the same 72-hour deadline and the same fine structure as multinational corporations. UODO has issued fines against organisations with fewer than 50 employees. The exemption for small organisations that some controllers assume exists under GDPR applies only to the mandatory DPO appointment – it does not affect breach notification obligations.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, breach notification, and technology regulation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.