A Warsaw-based software company acquires a Kraków subsidiary. Within days, the integration team asks a question that sounds simple: can we move customer data between the two Polish entities? The answer depends on at least four overlapping legal regimes – and getting it wrong can trigger fines, injunctions, and reputational damage that is very difficult to reverse.

Data transfers between two entities both located in Poland are governed primarily by the General Data Protection Regulation (GDPR) as applied in Polish law, the Ustawa o ochronie danych osobowych (Personal Data Protection Act, UODO), and sector-specific rules including the Digital Operational Resilience Act (DORA) for financial services. The key legal mechanisms include a valid legal basis under GDPR, data processing agreements, intra-group transfer protocols, and – where trade secrets are involved – contractual confidentiality arrangements. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO Office) can impose fines of up to EUR 20 million or four percent of global annual turnover for serious breaches.

This page sets out the regulatory framework, the instruments available, the most common pitfalls, cross-border considerations for foreign-owned Polish entities, and a practical self-assessment checklist. Each section includes at least one concrete figure or deadline so you can calibrate your compliance timeline.

What legal framework governs data transfers within Poland?

The starting point is GDPR, which applies directly in Poland and is supplemented by the Personal Data Protection Act. Both instruments treat intra-Polish transfers as fully subject to the regulation – there is no domestic exemption. The Urząd Ochrony Danych Osobowych (Personal Data Protection Office, UODO Office) supervises compliance and has issued guidance confirming that transfers between two Polish companies, even within the same corporate group, require a valid legal basis. The National Court Register (KRS) records corporate relationships, but registration alone does not create a lawful basis for sharing personal data.

Three legal bases are most commonly used in a commercial context. First, a contractual necessity basis applies where data processing is required to perform a contract with the data subject. Second, a legitimate interests basis may cover intra-group transfers, but only after a documented balancing test. Third, explicit consent remains available but is rarely practical for large employee or customer datasets. Choosing the wrong basis is one of the most frequent compliance errors – and it cannot always be corrected retrospectively.

Sector regulation adds further layers. For financial institutions, DORA compliance requires documented ICT risk management procedures governing all data flows, including domestic ones. The Polish Financial Supervision Authority (KNF) has indicated that DORA audit cycles will begin in earnest from January 2025, with corrective measures expected within 60 days of an identified deficiency. Entities subject to the AI Act Poland provisions must also document data lineage for training datasets, even when both source and destination are in Poland.

The practical takeaway: treat every intra-Polish data transfer as if it were a cross-border transfer. The documentation requirements are nearly identical, and regulators have shown little tolerance for the assumption that domestic flows are lower risk.

Which instruments are available for lawful intra-Polish data transfers?

Polish law offers several instruments for structuring a lawful transfer. The choice depends on the relationship between the parties, the sensitivity of the data, and the commercial timeline. Each instrument has a different implementation cost and a different risk profile if challenged by the UODO Office.

The most widely used instrument is a Data Processing Agreement (DPA) under GDPR. A DPA is mandatory whenever a controller instructs a processor to handle personal data on its behalf. It must specify the subject matter, duration, nature, and purpose of processing. Failure to have a signed DPA before data flows begin is an immediate enforcement trigger – the UODO Office has issued fines exceeding EUR 1 million in cases where DPAs were absent or materially deficient.

  • Data Processing Agreement – required for controller-to-processor flows
  • Joint Controller Agreement – required where two entities jointly determine purposes and means
  • Intra-group data transfer protocol – recommended for multi-entity corporate groups
  • Confidentiality and trade secret agreement – essential where transferred data constitutes a trade secret
  • Consent mechanism – available but limited to specific, freely given, informed, and unambiguous consent

Where two entities jointly determine the purposes and means of processing – common after an acquisition or a joint venture – a Joint Controller Agreement is required. This instrument is frequently overlooked. Our team secured a reversal of a regulatory enforcement notice for a manufacturing client in the Mazowieckie region (autumn 2025) precisely because we identified the joint-controller relationship before the UODO Office did.

Trade secrets require separate treatment. Where the transferred dataset includes customer lists, pricing algorithms, or proprietary technical data, the ustawa o zwalczaniu nieuczciwej konkurencji (Act on Combating Unfair Competition, ZNKU) provides protection, but only if the holder has taken reasonable steps to keep the information confidential. A well-drafted confidentiality agreement, combined with access controls and audit logs, is the minimum standard. For a deeper analysis of this area, see our guide on trade secret protection strategies under Polish law.

To receive an expert assessment of your data transfer instruments, contact info@kordeckipartners.com.

What are the most common pitfalls in domestic data transfer compliance?

In practice, domestic data transfer projects fail for predictable reasons. Identifying them early saves significant remediation cost – and avoids the irreversible consequence of a UODO Office investigation, which can run for 18 months or more and generate findings that become public.

The first and most common pitfall is assuming that a privacy policy update is sufficient. It is not. A privacy policy informs data subjects; it does not create a lawful basis between two companies. Many businesses – particularly those integrating acquired entities quickly – discover this gap only when a data subject complaint triggers a UODO inquiry. At that point, retroactive documentation is possible but carries reduced credibility with the regulator.

The second pitfall is failing to conduct a Transfer Impact Assessment (TIA) for sensitive data categories. Health data, biometric data, and data revealing trade union membership attract heightened scrutiny. Processing these categories without a documented necessity assessment and appropriate safeguards can result in fines at the upper end of the GDPR scale – up to EUR 20 million.

The third pitfall involves IT architecture. Data is often transferred via shared cloud infrastructure, API integrations, or joint CRM systems. Each of these constitutes a data flow under GDPR, even if no human operator manually moves a file. GDPR enforcement in Poland has increasingly focused on automated transfers that were never mapped in the company's Record of Processing Activities (RoPA). An unmapped flow is, by definition, an unlawful one.

We obtained interim protective measures for a technology client in Lower Silesia (spring 2026) after an undisclosed API integration exposed customer data to an acquiring entity before the DPA was signed. The lesson: data architecture review must precede – not follow – the legal documentation process.

How do cross-border structures affect intra-Polish data transfers?

Many Polish entities are subsidiaries of foreign parent companies. This creates a layered compliance problem. The intra-Polish transfer between two local subsidiaries may be lawful on its face. But if the data then flows upstream to a parent in a third country – or if the parent has remote access to Polish systems – additional transfer mechanisms are required, and the domestic transfer cannot be treated in isolation.

Standard Contractual Clauses (SCCs) issued by the European Commission remain the primary instrument for transfers to non-EEA countries. Where a Polish entity transfers data to a US parent, the EU-US Data Privacy Framework (DPF) is available if the recipient is DPF-certified. For transfers to countries without an adequacy decision – including many CIS jurisdictions – SCCs must be accompanied by a TIA, and supplementary technical measures (encryption, pseudonymisation) may be required. The deadline for updating legacy SCCs to the 2021 version passed on 27 December 2022. Any entity still using the old clauses is operating outside the legal framework.

Foreign investors structuring their Polish entry should also consider how GDPR as applied in Poland interacts with their home jurisdiction's data laws. A German investor, for example, may be subject to the Bundesdatenschutzgesetz in addition to GDPR. For broader guidance on structuring a Polish investment, our article on buying property in Poland as a foreign national addresses related structural considerations.

Tech companies with Ukrainian founders or operations face an additional layer. Ukrainian data protection law has been progressively aligned with GDPR, but gaps remain. For a detailed analysis of IP and data strategy for Ukrainian tech companies operating in Poland, see our guide on IP protection strategy for Ukraine tech companies in Poland. A Warsaw-based IP lawyer can coordinate the data and IP documentation in a single engagement, which reduces both cost and inconsistency risk.

For a tailored strategy on cross-border data transfer structuring, reach out to info@kordeckipartners.com.

What should your organisation prepare before transferring data?

Self-assessment is the first line of defence. The checklist below reflects the minimum documentation standard expected by the UODO Office in a compliance review. Each item corresponds to a specific enforcement risk if absent. Most organisations can complete this review within 30 days with appropriate legal support.

  • Map all data flows – identify every system, API, and manual process that moves personal data between entities
  • Confirm legal basis – document the specific GDPR basis for each processing activity and retain the balancing test for legitimate interests
  • Execute agreements – ensure DPAs and Joint Controller Agreements are signed before data flows begin, not after
  • Update the RoPA – include all intra-group transfers, automated flows, and third-party processor chains
  • Review sector-specific requirements – DORA compliance, AI Act Poland documentation, and KNF guidance where applicable

The RoPA is particularly important. Under GDPR, it must be maintained in writing (including electronic form) and made available to the UODO Office on request – typically within 72 hours of a formal inquiry. An outdated or incomplete RoPA is treated as evidence of systemic non-compliance, not merely an administrative oversight.

For manufacturing clients, the practical challenge is legacy ERP systems that were not designed with GDPR data mapping in mind. For IT companies, the challenge is the speed of product development – new data flows are created faster than legal documentation can follow. For foreign investors, the challenge is aligning Polish compliance with group-level data governance frameworks that may have been drafted under a different legal system.

Trademark and IP considerations also arise where the transferred dataset includes branded content, proprietary algorithms, or software source code. In those cases, the transfer instrument must address both GDPR compliance and IP ownership – two issues that are frequently handled by separate teams and therefore fall through the gaps. An integrated approach, coordinated by a Warsaw-based IP lawyer with data protection expertise, is the most efficient solution.

Frequently asked questions

Q: Do we need a Data Processing Agreement even if both entities are in the same Polish corporate group?

A: Yes. GDPR does not provide an intra-group exemption from the DPA requirement. Where one group entity processes personal data on behalf of another, a DPA is mandatory regardless of ownership structure. The agreement must specify the subject matter, duration, nature, and purpose of processing. A group-level data protection policy does not substitute for entity-level agreements.

Q: How long does it take to implement a compliant intra-Polish data transfer framework?

A: For a mid-sized company with between 50 and 500 employees, a full data transfer framework – including data mapping, RoPA update, DPAs, and Joint Controller Agreements where required – typically takes between 6 and 12 weeks. The timeline depends on the complexity of the IT architecture and the availability of internal stakeholders. Sector-specific requirements under DORA compliance or the AI Act Poland can extend the timeline by an additional 4 to 6 weeks.

Q: Is it a misconception that GDPR only applies to transfers outside Poland or the EU?

A: Yes, and it is a very common one. GDPR applies to all processing of personal data by controllers or processors established in the EU, regardless of where the data subject or the recipient is located. Domestic transfers between two Polish entities are fully subject to GDPR and UODO Office supervision. The cross-border transfer rules in Chapter V of GDPR are an additional layer on top of the general rules – they do not replace them for domestic flows.

KORDECKI & Partners is a law firm based in Warsaw and Krakow, advising business clients across 30 jurisdictions. Our team combines expertise in Polish and international law with a practical approach to data protection, IP, and technology regulation. We work with Polish entrepreneurs, foreign investors, and in-house legal teams navigating GDPR Poland compliance, DORA compliance, AI Act Poland obligations, and intra-group data transfer structuring. To discuss your situation, contact info@kordeckipartners.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. KORDECKI & Partners assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@kordeckipartners.com.