A Warsaw-based software house decides to migrate its entire customer database from one internal server to another – both located in Poland, both operated by Polish entities. The legal team signs off on the project in ten minutes. No cross-border transfer, no third-country adequacy decision required. Simple, right? In practice, the transaction can still trigger obligations under three separate regulatory regimes, and missing any one of them forfeits the company's ability to rely on that data in future enforcement proceedings.
Transferring personal data between Polish entities – or between systems physically located in Poland – remains fully subject to the General Data Protection Regulation (GDPR) as implemented in Polish law, the Polish Act on Personal Data Protection administered by the Personal Data Protection Office (Urząd Ochrony Danych Osobowych, UODO), and, for regulated sectors, additional rules under the Digital Operational Resilience Act (DORA) and the AI Act. The legal basis for the transfer must be identified before data moves. Failure to document that basis exposes the controller to administrative fines of up to EUR 20 million or 4 percent of global annual turnover.
This page maps the legal mechanisms available for domestic data transfers in Poland, identifies the instruments most suitable for different business models, and flags the pitfalls that most often produce enforcement exposure. The structure follows the logic a compliance team should apply: first, establish the regulatory framework; second, select the right instrument; third, check the sector-specific overlay; finally, run the self-assessment checklist before go-live.
What regulatory framework governs domestic data transfers in Poland?
Poland does not operate a separate domestic data-transfer regime. The GDPR applies directly. The UODO – Poland's national supervisory authority – enforces it alongside the Polish Act on Personal Data Protection (ustawa o ochronie danych osobowych), which covers gaps the GDPR leaves to member states. Two institutions matter most at the outset: the UODO and the National Court Register (Krajowy Rejestr Sądowy, KRS), which provides the corporate identity data needed to verify that the receiving entity is a legitimate Polish processor or controller.
The first question is always whether the transfer is controller-to-controller or controller-to-processor. The distinction determines the instrument required. A controller-to-processor transfer requires a data processing agreement (DPA) that satisfies GDPR requirements. A controller-to-controller transfer requires a lawful basis for the disclosure – consent, contract, legitimate interest, or one of the other six bases enumerated in the regulation. Neither scenario is exempt simply because both parties are domiciled in Poland.
Domestic transfers also fall within the scope of DORA for financial entities. Banks, insurance undertakings, and investment firms supervised by the Polish Financial Supervision Authority (Komisja Nadzoru Finansowego, KNF) must treat any data migration as an ICT change event. That means a pre-migration risk assessment, documented approval, and post-migration testing – all within timeframes set by the KNF. The DORA compliance calendar runs from January 2025, so any domestic transfer project launched after that date must account for these obligations.
Finally, if the data relates to AI system outputs or training datasets, the AI Act overlay applies. High-risk AI systems as classified under the AI Act must maintain data governance documentation that survives any internal transfer. Missing that documentation at the point of transfer precludes reliance on the system's outputs in regulatory or judicial proceedings.
Which legal instruments apply to data transfers between Polish entities?
Four instruments cover the vast majority of domestic transfer scenarios. The correct choice depends on the relationship between the parties, the sensitivity of the data, and the sector in which the controller operates. Selecting the wrong instrument does not make the transfer unlawful per se, but it creates evidentiary gaps that the UODO will exploit in an audit. The UODO completed 47 formal investigations in 2024 alone, and documentation deficiencies featured in the majority of findings.
The first and most common instrument is the data processing agreement. It is mandatory whenever a controller instructs a separate legal entity to process personal data on its behalf. Under Polish corporate legislation, even a wholly owned subsidiary is a separate legal entity. A parent company in Warsaw transferring HR data to its subsidiary in Kraków must execute a DPA. The agreement must specify the subject matter, duration, nature, and purpose of the processing, as well as the categories of data and data subjects. A DPA without these elements is treated as non-existent by the UODO.
The second instrument is the joint controller agreement. Where two Polish entities jointly determine the purposes and means of processing, they must enter into an arrangement that reflects their respective responsibilities. This is common in group structures where a shared CRM or ERP platform serves multiple legal entities. The arrangement must be made available to data subjects on request.
- Data processing agreement (DPA) – controller to processor
- Joint controller arrangement – shared purpose and means
- Internal data sharing policy – intra-group, single controller
- Legitimate interest assessment (LIA) – controller-to-controller disclosure
The third instrument – the internal data sharing policy – applies where the transferring and receiving entities are treated as a single controller under a group-wide privacy governance framework. This is rare in practice. Polish corporate law does not recognise a group as a single legal person, so the single-controller argument requires careful documentation of unified decision-making over data purposes and means.
The fourth is the legitimate interest assessment, used when one controller discloses data to another without a DPA framework. The LIA must balance the controller's interest against the data subject's rights and freedoms. For sensitive data categories – health, biometric, criminal records – legitimate interest is not available. The assessment must be documented and retained for at least three years from the date of the transfer.
What are the most common pitfalls in domestic Polish data transfers?
We secured the reversal of a UODO enforcement notice for a logistics client in the Mazowieckie region (autumn 2025). The original transfer had been structured as a DPA, but the processor's sub-processor chain had not been documented. The controller lost access to 18 months of operational data during the investigation. The lesson: a technically correct primary instrument fails if the downstream processing chain is not mapped.
The most frequent pitfall is missing sub-processor authorisation. A DPA must either list approved sub-processors or grant general written authorisation subject to notification. If the processor engages a Polish cloud provider without prior written consent from the controller, the entire transfer chain is compromised. The UODO treats this as a breach of the DPA, not merely a contractual deficiency.
The second pitfall is inadequate records of processing activities (ROPA). Under GDPR, every controller and processor with more than 250 employees – and, in practice, most smaller entities handling sensitive data – must maintain a ROPA. A domestic transfer that is not reflected in the ROPA creates an audit trail gap. The UODO cross-references ROPA entries against DPA registers during inspections. Discrepancies trigger follow-up requests that can extend an audit by 60 days.
Third: failure to conduct a Data Protection Impact Assessment (DPIA) before high-risk transfers. The UODO's list of processing operations requiring a DPIA includes large-scale processing of employee data, systematic monitoring of publicly accessible areas, and processing of health data. A domestic server migration that moves any of these categories requires a DPIA before the transfer, not after. Running the DPIA retrospectively forfeits the ability to demonstrate prior compliance.
For a practical comparison of how domestic obligations interact with cross-border requirements, see our analysis of data transfer from Poland to the Netherlands, which maps the additional adequacy and SCCs layer that applies once data leaves Polish jurisdiction.
How do DORA and the AI Act affect domestic data transfers in Poland?
Our team obtained interim protective measures for a fintech client in Lower Silesia (spring 2026), preventing a competitor from accessing a shared data environment during an ownership dispute. The case turned on whether the original domestic data transfer had been documented as an ICT change event under DORA. It had not. That omission nearly cost the client its operational licence.
DORA's ICT risk management framework treats any significant data migration as a reportable event. For entities supervised by the KNF, a domestic transfer affecting critical or important functions must be notified to the KNF within 4 hours of classification as a major incident. The classification threshold is low: any transfer that disrupts data availability for more than two hours qualifies. Financial entities that fail to notify face supervisory measures including mandatory remediation plans and, ultimately, licence suspension.
The AI Act introduces a parallel documentation obligation for high-risk AI systems. Under the Act's data governance requirements, training data and validation datasets must be subject to examination for biases and errors before use. If a domestic transfer moves training data between systems, the receiving system must re-run the data governance examination unless the controller can demonstrate that the data's integrity has been preserved throughout the transfer. This is not a one-time obligation – it recurs each time the dataset is materially altered or relocated.
GDPR compliance in Poland intersects with both regimes. The UODO has published guidance indicating that DORA incident reports and AI Act conformity assessments do not substitute for GDPR documentation. Controllers must maintain separate records under each regime. An IP lawyer in Warsaw advising on a combined DORA and GDPR project should map the three documentation streams at the outset to avoid duplication of effort and gaps in coverage. For a detailed analysis of AI Act classification thresholds, see our guide on AI Act high-risk classification and affected sectors.
What practical steps should businesses take before transferring data domestically?
The following checklist applies to any domestic data transfer project in Poland, regardless of size. Each item corresponds to a specific enforcement risk identified by the UODO in published decisions over the past 24 months. Completing the checklist before go-live reduces audit exposure and preserves evidentiary integrity.
- Identify the legal basis for the transfer and document it in the ROPA before data moves
- Execute or update the DPA or joint controller arrangement, including the sub-processor schedule
- Conduct a DPIA if the transfer involves sensitive, employee, or large-scale consumer data
- For KNF-supervised entities: classify the transfer under DORA and file any required ICT change notification
- For AI systems: run the data governance examination on the receiving system post-transfer
The checklist should be completed in sequence. Step one cannot be skipped on the basis that the transfer is "internal." The UODO does not recognise informality as a mitigating factor. Controllers that present a completed checklist during an inspection consistently receive lower penalty assessments than those that rely on retrospective documentation.
Trademark and IP considerations also arise where the transferred data includes proprietary algorithms, client lists, or creative works. Polish intellectual property law – administered through the courts with jurisdiction over IP disputes – requires that any transfer of data constituting a trade secret be accompanied by a confidentiality agreement. The absence of such an agreement can convert an otherwise lawful data transfer into an actionable disclosure under the Act on Combating Unfair Competition (ustawa o zwalczaniu nieuczciwej konkurencji). For cross-border disputes arising from domestic data transfers, our disputes practice in Poland handles enforcement and injunctive relief.
Three business scenarios illustrate where the checklist adds most value. A manufacturing company in Silesia migrating its ERP system between two Polish entities needs, at minimum, a DPA and an updated ROPA – the transfer typically involves employee and supplier data. An IT company restructuring its internal data architecture across Polish subsidiaries must address joint controller arrangements and sub-processor chains. A foreign investor establishing a Polish holding structure faces all of the above, plus KRS verification of each entity's legal standing before any data sharing begins.
Frequently asked questions
Q: Does a domestic data transfer between a Polish parent and its Polish subsidiary require a formal agreement?
A: Yes. Under Polish corporate legislation, a subsidiary is a separate legal entity. A transfer of personal data from the parent to the subsidiary – even for payroll or HR purposes – requires either a data processing agreement (if the subsidiary acts as processor) or a joint controller arrangement (if both entities determine processing purposes jointly). An internal group policy is not a substitute unless it meets the substantive requirements of the GDPR. The UODO has issued fines in precisely this scenario.
Q: How long does it take to prepare the documentation for a domestic data transfer project?
A: For a straightforward controller-to-processor transfer with a clean sub-processor chain, a DPA and updated ROPA can be prepared in 5 to 10 business days. Where a DPIA is required, add 10 to 15 business days for the assessment and internal consultation cycle. DORA-regulated entities should allow an additional 5 business days for ICT change classification and notification. Starting documentation after the transfer has begun is the most common mistake – it forfeits the ability to demonstrate prior compliance and typically doubles the remediation cost.
Q: Is it a misconception that GDPR only applies to cross-border transfers?
A: Yes – this is one of the most persistent misconceptions in practice. The GDPR applies to all processing of personal data by controllers and processors established in the European Union, regardless of whether the data crosses a border. A transfer between two offices in Warsaw is subject to the same lawful-basis, documentation, and accountability requirements as a transfer from Warsaw to Amsterdam. The additional adequacy and standard contractual clauses layer applies only when data leaves the European Economic Area entirely. Domestic Polish transfers carry no exemption from the core GDPR obligations.
KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, technology regulation, and IP matters. We advise on GDPR compliance programmes, DORA implementation for KNF-supervised entities, AI Act readiness assessments, and domestic and cross-border data transfer structuring. We work with Polish entrepreneurs, foreign investors, and in-house legal teams. To discuss your situation, contact info@kordeckipartners.com.
Specific situations require specific analysis. A domestic data transfer that looks routine on paper can carry enforcement exposure across three regulatory regimes simultaneously. Identifying that exposure before the transfer – not after a UODO audit notice arrives – is the difference between a manageable compliance project and an irreversible evidentiary loss.
If your company is planning a data migration, restructuring its internal data architecture, or responding to a UODO inquiry, our team will map the applicable instruments, prepare the required documentation, and coordinate the DORA and AI Act overlay where relevant. Contact info@kordeckipartners.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.