Poland Data Privacy Laws: GDPR & UODO Guide (2026)

Poland operates one of the more active data privacy enforcement regimes in the European Union. The country applies the EU General Data Protection Regulation (GDPR) alongside its own national legislation, the Act of 10 May 2018 on the Protection of Personal Data.
The national supervisory authority, known as UODO (Urząd Ochrony Danych Osobowych), has ramped up enforcement significantly since 2023. It issued nearly 2,000 administrative decisions in 2023 alone and has continued that trajectory with several record-breaking fines in 2025.
This guide covers everything you need to know about data privacy law in Poland, including the legal framework, enforcement actions, penalties, breach notification requirements, and provisions unique to Polish law.
Legal Framework: GDPR and the Polish Personal Data Protection Act
Poland's data privacy regime rests on two pillars. The first is the GDPR itself, which has been directly applicable across all EU member states since May 25, 2018. The second is the Act of 10 May 2018 on the Protection of Personal Data, which the Polish parliament (Sejm) enacted on that date.

The national act does not replace or duplicate the GDPR. Instead, it supplements the regulation in areas where the GDPR grants member states discretion. These include the structure and powers of the supervisory authority, sector-specific rules for employee data, age of consent for children, and procedural matters related to enforcement and appeals.
A companion law, the Act of 21 February 2019 on Amendments to Certain Acts in Connection with Ensuring the Application of the GDPR, introduced changes to over 160 sector-specific Polish statutes. These amendments brought banking, healthcare, telecommunications, education, and public administration laws into alignment with GDPR requirements.
Key National Provisions
The Polish Personal Data Protection Act addresses several areas that the GDPR leaves to national discretion:
- Supervisory authority structure: Establishes the President of UODO as a state body with the rank of a minister, appointed by the Sejm for a four-year term
- Children's consent: Sets the age of consent for information society services at 16 (the GDPR allows member states to lower this to 13, but Poland chose not to)
- Public body fines: Caps administrative fines for public sector entities at PLN 100,000
- DPO notification: Requires entities to notify UODO of a Data Protection Officer appointment within 14 days
- Journalistic exemptions: Provides broader exemptions for data processing related to journalism, artistic expression, and literary activity
- Certification bodies: Establishes the framework for accreditation of data protection certification bodies
UODO: Poland's Data Protection Authority
The President of the Office for Personal Data Protection (UODO) serves as Poland's independent supervisory authority under the GDPR. This role replaced the former Inspector General for Personal Data Protection (GIODO) when the 2018 act took effect.
Structure and Powers
The UODO President holds the rank of a government minister and is appointed by the Sejm (lower house of parliament) with the consent of the Senate. The appointment is for a four-year term, renewable once.
The authority's powers include:
- Conducting inspections and audits of data controllers and processors
- Issuing binding administrative decisions
- Ordering data processing operations to cease
- Imposing administrative fines up to EUR 20 million or 4% of global annual turnover
- Investigating complaints from data subjects
- Issuing guidelines and recommendations on data protection practices
- Coordinating with other EU supervisory authorities through the European Data Protection Board (EDPB)
Enforcement Approach
UODO issues approximately 2,000 administrative decisions per year. About 90% of those originate from complaints filed by data subjects, with the remaining 10% initiated through the authority's own inspections. Remedial measures are applied in roughly half of all cases, with injunctions issued in about 300 cases and financial penalties imposed in approximately 30 cases annually.
The authority has shifted toward more proactive, inspection-driven enforcement in recent years. Sector-specific inspection plans are published annually, giving organizations advance notice of where UODO intends to focus.
2025-2026 Inspection Priorities
The UODO Sectoral Inspection Plan for 2025 targets four areas:
- Large-scale EU IT systems: Authorities processing personal data in the Schengen Information System (SIS) and Visa Information System (VIS)
- Health data security: Entities processing medical information, with a focus on security safeguards
- Children's data: Processing of children's images, particularly consent from parents and legal guardians
- Breach documentation: Compliance with Article 33(5) GDPR, requiring documentation of all personal data breaches
For 2026, UODO expanded its focus to five sectors: large-scale EU systems (continuing from 2025), healthcare entities using video surveillance, Public Information Bulletin operators, marketing entities and their legal bases for data processing, and online delivery platforms handling customer data.
Notable Enforcement Actions and Fines
Poland's UODO has imposed several significant fines that demonstrate the authority's willingness to hold both private companies and public institutions accountable.
Poczta Polska: PLN 27 Million (EUR 6.46 Million)
In March 2025, UODO imposed its largest fine to date on state postal operator Poczta Polska. The case stemmed from the May 2020 presidential election, when the government attempted to conduct voting entirely by mail during the COVID-19 pandemic.
The Ministry of Digital Affairs transferred personal data from the PESEL register, covering approximately 30 million adult Polish citizens, to Poczta Polska. This data included names, addresses, and national identification (PESEL) numbers. UODO determined that the transfer lacked a legal basis because the legislation authorizing postal voting had not yet entered into force when the data was shared. The EDPB confirmed that this violated Articles 5(1)(a) and 6(1) of the GDPR. The Minister of Digital Affairs received a separate fine of PLN 100,000, the statutory maximum for public entities.
ING Bank Śląski: EUR 4.37 Million (PLN 18.4 Million)
In August 2025, UODO fined ING Bank Śląski for scanning and storing customers' identity documents without conducting a proper necessity assessment. Between April 2019 and September 2020, the bank routinely scanned identity cards of customers and prospective clients, claiming compliance with anti-money laundering (AML) obligations.
UODO found that the bank exceeded what was required by law. While copying identity documents is permitted under certain AML scenarios, it is not mandatory and must be preceded by a case-by-case assessment of necessity. The EDPB noted approximately 4.7 million people were potentially affected.
McDonald's Polska: EUR 4.02 Million (PLN 16.9 Million)
UODO fined McDonald's Polska after a data breach exposed employee information including PESEL numbers, passport details, job roles, and shift schedules. A third-party processor, 24/7 Communication (fined EUR 43,680 separately), maintained a misconfigured server that left this data publicly accessible.
Key failures included inadequate vendor due diligence, no risk assessment by either party, use of an unapproved sub-processor, and insufficient breach notification to former employees. McDonald's notified former employees through press releases rather than direct communication, which UODO found inadequate under the GDPR's high-risk breach notification requirements.
DPD Polska: PLN 11.46 Million
The courier company DPD Polska received two separate fines totaling over PLN 11 million. The first fine of PLN 6.251 million addressed failures to conclude required data processing agreements with external transport carriers who had access to customer data. The second fine of PLN 5.209 million targeted shortcomings in technical and organizational security measures, including an automated authorization system that generated access credentials without proper identity verification or oversight.
Breach Notification Requirements
Poland follows the GDPR's breach notification framework with some additional national requirements.
Notification to UODO
Controllers must report personal data breaches to UODO within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms. The notification must include the nature of the breach, categories and approximate number of data subjects affected, DPO contact details, likely consequences, and measures taken or proposed to address the breach.
Telecom-Specific Rules
Providers of electronic communication services face a stricter 24-hour notification deadline following breach detection, as required under Polish telecommunications law.
Notification to Data Subjects
When a breach is likely to result in a high risk to natural persons, controllers must also notify the affected individuals without undue delay. This notification must use clear, plain language and describe the breach, the DPO's contact information, the likely consequences, and what steps the individual can take to protect themselves.
DPO Role in Breach Management
A February 2025 UODO guideline clarified a long-standing question about the Data Protection Officer's role in breach response. While the DPO plays an advisory and monitoring role, the DPO should not formally report breaches to UODO on behalf of the organization, should not be responsible for notifying data subjects, and should not make decisions about specific remedial actions. The responsibility for these actions rests with the data controller.
Documentation Obligations
Article 33(5) of the GDPR requires controllers to document all personal data breaches, including those that do not meet the threshold for notification to UODO. This documentation must cover the circumstances of the breach, its consequences, and the remedial actions taken. Breach documentation compliance is a 2025 UODO inspection priority.
Penalties and Sanctions
The penalty framework in Poland combines GDPR-level fines with additional provisions under national law.
GDPR Administrative Fines
The two-tier GDPR fine structure applies in Poland:
- Up to EUR 10 million or 2% of global annual turnover for violations related to controller and processor obligations, certification body requirements, and monitoring body obligations
- Up to EUR 20 million or 4% of global annual turnover for violations of data processing principles, consent conditions, data subject rights, and international transfer rules
Public Sector Cap
Unlike private entities, public bodies in Poland face a maximum fine of PLN 100,000 under the national act. This provision was applied in the Poczta Polska case, where the Minister of Digital Affairs received this maximum amount.
Electronic Communications Fines
Violations of marketing consent and cookie requirements under the Polish Electronic Communications Law carry penalties of up to 3% of the prior calendar year's revenue.
Criminal Penalties
The Polish Personal Data Protection Act also provides for criminal sanctions. Processing personal data when it is not permitted or without authorization can result in a fine, restriction of liberty, or imprisonment for up to two years. If the violation involves special category data (such as health, biometric, or genetic data), the penalty increases to up to three years of imprisonment.
Compensation Claims
Data subjects in Poland can pursue civil compensation for material or non-material damage resulting from GDPR violations. These claims can be brought independently of any administrative proceedings by UODO. Non-profit organizations may also represent data subjects in compensation claims under Articles 8 and 31 of Polish procedural codes.
Polish-Specific Data Protection Provisions
Several aspects of Poland's data privacy regime reflect national legal traditions and priorities that go beyond the standard GDPR framework.
PESEL Number Protection
The PESEL (Powszechny Elektroniczny System Ewidencji Ludności) is Poland's universal 11-digit personal identification number, assigned to every citizen and permanent resident. UODO has described the PESEL number as one of the most important categories of personal data in Poland, second only to a person's name.
Because PESEL numbers are permanent and cannot be changed (except in cases such as gender reassignment), their unauthorized disclosure creates lasting privacy risks. The Poczta Polska case underscored this concern, as PESEL numbers for 30 million citizens were transferred without a proper legal basis. Polish data protection practice treats PESEL numbers with particular sensitivity, and their collection and processing require clear legal justification.
Employee Monitoring
Poland's Labor Code contains specific provisions governing workplace monitoring that supplement the GDPR:
- Video monitoring is permitted for employee safety, property protection, production control, and confidential information protection
- Cameras cannot be placed in toilets, changing rooms, canteens, or social rooms
- Audio recording via monitoring is not permitted because the Labor Code does not provide a legal basis for sound recording through monitoring systems
- Employers must inform employees about monitoring at least two weeks before implementation
- Email and internet monitoring is permitted but must be disclosed in workplace regulations
Children's Data Consent
Poland set the age of consent for children's data processing in information society services at 16, the maximum allowed under the GDPR. Some EU member states have lowered this threshold (to 13, 14, or 15), but Poland chose to maintain the higher standard. Processing data of children under 16 requires verifiable parental or legal guardian consent.
Cookies and Electronic Marketing
Under Article 398 of the Polish Electronic Communications Law, any electronic marketing communication, including email, SMS, and automated calls, requires the prior consent of the recipient. This applies across business-to-consumer and business-to-business contexts. Cookie consent requires clear advance notification about the purpose of data storage and affirmative user action.
Cross-Border Data Transfers
As an EU member state, Poland follows the GDPR framework for international data transfers. Transfers to countries with an EU adequacy decision are permitted without additional safeguards. For transfers to other countries, organizations must use Standard Contractual Clauses (SCCs), Binding Corporate Rules, or other approved mechanisms.
A Transfer Impact Assessment (TIA) is mandatory when transferring data to countries without an adequacy decision. The assessment must evaluate whether the recipient country's laws effectively protect data subject rights and whether additional technical measures (such as encryption, including end-to-end encryption, or pseudonymization) are needed.
Data Protection Impact Assessments
DPIAs are mandatory when processing is likely to result in a high risk to individuals' rights and freedoms. This includes large-scale processing of special category data, systematic monitoring of public areas, and automated decision-making with legal effects. If a DPIA indicates high residual risk, the controller must consult UODO before proceeding with the processing.
Data Subject Rights in Poland
Polish data subjects enjoy the full range of rights guaranteed by the GDPR:
- Right of access: Individuals can request confirmation of whether their data is being processed and obtain a copy
- Right to rectification: Correction of inaccurate or incomplete personal data
- Right to erasure: Deletion of personal data when it is no longer necessary, consent is withdrawn, or processing is unlawful
- Right to restrict processing: Temporary limitation of processing while disputes are resolved
- Right to data portability: Receiving personal data in a structured, machine-readable format
- Right to object: Objection to processing based on legitimate interests or for direct marketing purposes
- Right against automated decision-making: Protection from decisions based solely on automated processing that produce legal or similarly significant effects
The Polish act provides specific exemptions for data processing related to journalistic, artistic, or literary activity. These exemptions are broader than in some other EU member states and reflect Poland's constitutional protections for freedom of expression.
Data Protection Officers in Poland
When Appointment Is Mandatory
A DPO must be appointed when the organization is a public authority or body (excluding courts in their judicial capacity), when core activities require regular and systematic large-scale monitoring of individuals, or when core activities involve large-scale processing of special category data or criminal conviction data.
Polish-Specific DPO Rules
Poland adds several national requirements to the GDPR's DPO framework:
- The controller or processor must notify UODO of the DPO appointment within 14 days
- The DPO's name, surname, and contact information (email or phone) must be published on the organization's website immediately after appointment
- If the organization has no website, this information must be made available in a publicly accessible manner at the place of business
- The DPO receives employment protection and cannot be dismissed or penalized for performing their duties
- The DPO must operate independently and may not receive instructions on how to perform their tasks
Sources and References
- Act of 10 May 2018 on the Protection of Personal Data (uodo.gov.pl)
- UODO Official Website - President of the Personal Data Protection Office (uodo.gov.pl)
- Data Subject Rights in Poland - UODO (uodo.gov.pl)
- UODO Sectoral Inspection Plan for 2025 (uodo.gov.pl)
- UODO Breach Notification Guide (uodo.gov.pl)
- UODO - PESEL Number Importance (uodo.gov.pl)
- Administrative Fines for GDPR Infringement During Correspondence Elections (uodo.gov.pl)
- ING Bank Fine - UODO Decision (uodo.gov.pl)
- EDPB - Polish DPA Fine for Non-Compliance (edpb.europa.eu)
- EDPB - McDonald's Polska Fine (edpb.europa.eu)
- EDPB - ING Bank Śląski Fine (edpb.europa.eu)
- EDPB - Poczta Polska Election Fine (edpb.europa.eu)
- European Commission - GDPR Adequacy Decisions (europa.eu)
- European Commission - Rules on International Data Transfers (europa.eu)
- Data Protection Laws and Regulations Poland 2025-2026 - ICLG (iclg.com)
- CMS Expert Guide - Poland Data Protection (cms.law)