Poland Data Privacy Laws: GDPR, UODO & 2026 Guide

Poland's data privacy is governed by the EU General Data Protection Regulation, Regulation (EU) 2016/679, together with the national Act of 10 May 2018 on the Protection of Personal Data. Both laws entered force on 25 May 2018 and are enforced by UODO, Poland's independent supervisory authority.
Poland operates one of the more active data privacy enforcement regimes in the European Union. The country applies the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, alongside its own national legislation, the Act of 10 May 2018 on the Protection of Personal Data. Both instruments entered force on 25 May 2018. The national supervisory authority, UODO (Urzad Ochrony Danych Osobowych), significantly raised its enforcement profile in 2024 and 2025, imposing record fines and processing more than 8,000 complaints per year.
Information last verified on 2026-05-19. This article presents general legal information about the Polish data protection framework. It has not been reviewed by a licensed lawyer and does not constitute legal advice.
Jurisdiction scope: This article covers Poland's data privacy framework under the GDPR, the Polish Personal Data Protection Act of 10 May 2018, and the Act of 21 February 2019 amending sectoral statutes. It does not address Polish criminal law on surveillance; for recording consent rules in Poland, see Poland Recording Laws. For the broader EU framework, see EU Data Privacy Laws.
Constitutional Basis: Articles 47 and 51
Poland's data protection framework has constitutional roots that predate the GDPR. The Polish Constitution of 2 April 1997 established two overlapping privacy guarantees that underpin all subsequent data protection legislation.
Article 47 provides the general right to privacy: "Everyone shall have the right to legal protection of his private and family life, of his honor and good reputation and to make decisions about his personal life." This provision forms the broad constitutional basis for protecting personal autonomy against interference, including by the state. Poland's former Inspector General for Personal Data Protection (GIODO, UODO's predecessor) recognized Article 47 as one of the two constitutional pillars of Polish data protection law, noting that it protects the individual's private sphere from unjustified intrusion.
Article 51 addresses informational autonomy specifically. It guarantees every person the right to refuse to disclose information about themselves unless required by statute, provides a right of access to official documents and data collections concerning oneself, and establishes the right to demand correction or deletion of inaccurate, incomplete, or unlawfully collected information. Article 51(5) delegates the detail of these guarantees to statute, which is the direct basis for the 2018 Personal Data Protection Act.
These constitutional rights are supplemented by Article 49 (freedom and secrecy of communication) and Article 30 (inherent human dignity as the source of all constitutional freedoms). Together, they form the constitutional architecture that obliges the Polish legislature to maintain a strong personal data protection regime and that Polish courts use to assess proportionality when data processing restrictions are challenged.
Legal Framework: GDPR and the Polish Personal Data Protection Act 2018
Poland's data privacy regime rests on two statutory pillars. The GDPR is directly applicable across all EU member states and has been in force since 25 May 2018. The Act of 10 May 2018 on the Protection of Personal Data (the implementing act) was enacted by the Sejm on the same date and supplements the GDPR in areas where the regulation expressly grants member states discretion.

The national act does not replicate or override GDPR provisions. Its principal functions are: establishing the structure, mandate, and appointment procedure for UODO; fixing the national age of digital consent at 16; capping fines for public bodies at PLN 100,000; setting the 14-day DPO notification deadline; providing broader exemptions for journalistic, artistic, and literary data processing; and establishing procedural rules for enforcement proceedings and judicial appeals.
A companion statute, the Act of 21 February 2019 on Amendments to Certain Acts in Connection with Ensuring the Application of the GDPR, amended more than 160 sector-specific Polish laws. These amendments brought banking, healthcare, telecommunications, labour, education, and public administration legislation into alignment with GDPR requirements, ensuring that sector-specific statutes no longer conflicted with the regulation's principles on lawfulness, purpose limitation, and data minimization.
Key National Provisions at a Glance
| Provision | Polish Rule | GDPR Default |
|---|---|---|
| Age of digital consent | 16 years | 16 (member states may lower to 13) |
| Public-sector fine cap | PLN 100,000 | No separate cap under GDPR |
| DPO notification deadline | 14 days from appointment | Not specified by GDPR |
| DPO contact published | Immediately on website or premises | Not specified |
| Journalistic exemptions | Broader than GDPR minimum | Art. 85 derogation |
| Criminal penalties | Up to 3 years imprisonment for special-category violations | Not part of GDPR |
UODO: Poland's Supervisory Authority
The President of the Office for Personal Data Protection (UODO) serves as Poland's independent supervisory authority under Article 51 of the GDPR. UODO replaced the former Inspector General for Personal Data Protection (GIODO) when the 2018 act entered force.
Structure and Appointment
The UODO President holds the rank of a government minister and is appointed by the Sejm (lower house of parliament) with the Senate's consent. The term is four years, renewable once. The GDPR requires supervisory authorities to act with complete independence; the UODO President cannot receive instructions from the government on substantive data protection decisions.
Powers
UODO's enforcement toolkit includes:
- Conducting planned and ad hoc inspections at data controllers and processors
- Issuing binding administrative decisions (orders to comply, orders to cease processing, orders to erase data)
- Imposing administrative fines up to EUR 20 million or 4% of global annual turnover
- Investigating complaints filed by data subjects
- Consulting on draft legislation (779 opinions issued in 2024 alone)
- Coordinating with EU supervisory authorities through the European Data Protection Board (EDPB)
- Providing guidance, codes of conduct, and certification frameworks
2024 Annual Report Statistics
The 2024 Annual Report, presented by the UODO President, shows a significant escalation in both complaint volume and fine values:
- 8,056 complaints received: over 1,000 more than in 2023
- 1,719 administrative decisions issued
- 27 administrative fines totalling PLN 13,907,740 across 22 cases (compared with PLN 1,230,331 in 2023, a more than tenfold increase in total fine value)
- 14,842 personal data breach reports received
- 50 entities inspected under the sectoral inspection plan
- 779 opinions on draft legislation
The jump in fine totals reflects a structural shift: UODO moved away from predominantly small remedial penalties toward larger, deterrence-oriented fines for systemic violations by major commercial actors.
Inspection Priorities
UODO publishes annual sectoral inspection plans, giving organizations advance notice of targeted sectors. The 2025 plan targeted: large-scale EU IT systems (SIS/VIS data); health data security; children's data processing (consent by parents and guardians); and breach documentation under Article 33(5) GDPR.
The 2026 sectoral inspection plan, published on 8 January 2026, targets five areas:
- Authorities processing data in large-scale EU systems (SIS/VIS, continuing from 2025)
- Healthcare entities using video surveillance (security of children's data in particular)
- Operators of the Public Information Bulletin (BIP)
- Marketing entities and their legal bases for data processing
- Online delivery platforms handling customer data
Legal Bases and Consent
The GDPR's six legal bases for processing apply in Poland without modification: consent, contract, legal obligation, vital interests, public task, and legitimate interests (Articles 6(1)(a)-(f)). Consent under Article 7 must be freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, and consent extracted as a condition of service are invalid.
For special-category data (Article 9: health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, or criminal convictions), an additional condition from Article 9(2) must be satisfied, most commonly explicit consent or processing necessary for healthcare.
Children's Consent
Poland exercises the Article 8 member-state option at the maximum level: 16 years. Processing personal data of children under 16 in information society services requires verifiable consent from the holder of parental responsibility. Controllers must make reasonable efforts to verify that parental consent has been given, and may not rely on a child's misrepresentation of age to retain data once the misrepresentation is discovered.
Employee Data
The Labour Code (as amended by the 2019 sectoral act) governs processing of employee personal data alongside the GDPR. Employers may process the data categories specified in Article 22(1) of the Labour Code without relying on consent; consent is valid only for data beyond that statutory list. The key implication is that employee consent is generally not a reliable GDPR legal basis for processing employment data, because consent given in an employment relationship is rarely freely given.
Data Subject Rights
Polish data subjects hold the full suite of GDPR rights:
- Right of access (Art. 15): Confirmation of processing, copy of data, and supplementary information about recipients, retention periods, and other rights.
- Right to rectification (Art. 16): Correction of inaccurate data and completion of incomplete data.
- Right to erasure (Art. 17): Deletion when data is no longer necessary, consent is withdrawn, processing is unlawful, or a legal obligation requires erasure.
- Right to restriction (Art. 18): Temporary suspension of processing while accuracy disputes or objections are resolved.
- Right to data portability (Art. 20): Receiving data in a structured, machine-readable format and transmitting it to another controller.
- Right to object (Art. 21): Objection to processing based on legitimate interests or for direct marketing; the controller must stop unless it demonstrates compelling legitimate grounds.
- Rights in automated decision-making (Art. 22): Protection against decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
Controllers must respond within one month. The deadline extends to three months for complex requests, but the controller must notify the data subject of the extension within the initial month.
The UODO Complaint Path
Before lodging a complaint with UODO, data subjects should first submit a written request to the controller. If the controller fails to respond within one month, responds inadequately, or refuses the request, the data subject may lodge a complaint with the UODO President. UODO issues a binding administrative decision. That decision can be challenged before the Voivodeship Administrative Court (WSA). A cassation appeal to the Supreme Administrative Court (NSA) is available against WSA judgments. Civil compensation claims under Article 82 GDPR may be pursued in civil courts independently of UODO proceedings.
Breach Notification Requirements
Poland follows the GDPR's breach notification framework with one national addition for telecommunications providers.
Notification to UODO
Controllers must notify UODO of a personal data breach within 72 hours of becoming aware of it, where the breach is likely to result in a risk to natural persons' rights and freedoms. The notification must include: the nature of the breach (categories and approximate number of affected individuals and records); the DPO's name and contact details; the likely consequences; and measures taken or proposed to address the breach and mitigate its effects. If full information is not yet available, an initial notification may be submitted and supplemented.
Telecom Providers: 24-Hour Deadline
Under Polish telecommunications law, providers of publicly available electronic communications services face a 24-hour notification deadline following discovery of a breach, which is stricter than the standard GDPR 72-hour rule.
Notification to Data Subjects
When a breach is likely to result in a high risk to natural persons, the controller must also notify affected individuals without undue delay in clear, plain language. This notification must describe the breach, provide the DPO's contact details, state the likely consequences, and explain what steps individuals can take to protect themselves. As the McDonald's Polska decision shows, press releases cannot substitute for direct individual notification where high risk is present.
Documentation
Article 33(5) GDPR requires controllers to document all breaches, including those below the notification threshold, in an internal breach register, covering facts, effects, and remedial measures. Breach documentation compliance was a 2025 UODO inspection priority.
DPO Role in Breach Response
A February 2025 UODO guideline confirmed that the DPO advises and monitors but the controller, not the DPO, is responsible for filing the UODO notification, notifying data subjects, and deciding remedial actions. Placing breach notification responsibility on the DPO is a structural error that can itself attract a fine.
DPO Requirements
When Mandatory
A Data Protection Officer must be appointed when the controller or processor is a public authority or body (excluding courts in their judicial capacity), when core activities require regular and systematic large-scale monitoring of data subjects, or when core activities involve large-scale processing of special-category data or criminal conviction data (GDPR Art. 37(1)).
Polish-Specific DPO Rules
Poland imposes additional requirements on top of the GDPR's Articles 37-39:
- 14-day notification: The controller or processor must notify UODO of the DPO appointment, change, or dismissal within 14 days, using the UODO DPO notification form submitted electronically with a qualified electronic signature or ePUAP trusted profile.
- Public disclosure: The DPO's name and contact details must be published on the organization's website immediately after appointment. Where no website exists, the information must be displayed at the business premises.
- Independence: The DPO cannot receive instructions on how to perform their tasks and cannot be dismissed or penalized for performing DPO duties.
- Direct reporting line: The DPO must report directly to the highest management level. UODO fined Toyota Bank EUR 132,000 in 2024 for placing the DPO in a reporting line subordinate to a line manager rather than to top management.

Cross-Border Data Transfers
As an EU member state, Poland applies the GDPR's third-country transfer framework (Chapter V) without national modification.
Adequacy decisions: Transfers to countries covered by a European Commission adequacy decision, including the UK, Japan (private sector), Canada (private sector), Switzerland, Israel, New Zealand, Uruguay, Argentina, and organisations participating in the EU-US Data Privacy Framework, proceed without additional safeguards.
Standard Contractual Clauses: Transfers to countries without an adequacy decision require SCCs (Commission Decision of 4 June 2021) or another Article 46 mechanism such as Binding Corporate Rules or an approved code of conduct.
Transfer Impact Assessments: Following the Court of Justice of the EU judgment in Case C-311/18 (Data Protection Commissioner v. Facebook Ireland, known as Schrems II), a Transfer Impact Assessment is required before relying on SCCs for transfers to countries where the legal system may not provide essentially equivalent protection. The TIA must assess local surveillance laws, available remedies, and whether supplementary technical measures such as end-to-end encryption or pseudonymization are necessary.
Intra-EEA transfers: Poland-to-EEA transfers (including to the other 26 EU member states and Iceland, Liechtenstein, and Norway) require no transfer mechanism because the GDPR applies uniformly across the EEA.
PESEL Number Protection
The PESEL (Powszechny Elektroniczny System Ewidencji Ludnosci) is Poland's universal 11-digit personal identification number, assigned at birth or on registration to every citizen and permanent resident. UODO treats the PESEL number as one of the most sensitive categories of personal data in Polish law, second only to a person's name.
Unlike passwords, PESEL numbers are permanent and cannot be changed (except in narrow circumstances such as gender reassignment). Unauthorized disclosure therefore creates lasting exposure to identity fraud and impersonation. The Poczta Polska case, where PESEL numbers for 30 million citizens were transferred without a valid legal basis, is the clearest illustration of the systemic risk that PESEL mishandling creates.
Organizations that collect PESEL numbers must identify a specific legal basis under Article 6(1) GDPR, apply access controls proportionate to the high sensitivity of the data, and include PESEL number processing in DPIAs where processing is conducted at scale or poses high risk.
Employee Monitoring
Poland's Labour Code (Kodeks Pracy), as amended by the 2019 sectoral act, contains specific provisions on workplace monitoring that supplement the GDPR:
- Video monitoring is permitted for employee safety, property protection, production control, and confidential information protection (Labour Code Art. 22(2)).
- Cameras cannot be placed in toilets, changing rooms, canteens, rest rooms, or trade union premises.
- Audio recording via monitoring systems is prohibited: the Labour Code does not provide a legal basis for sound recording through continuous workplace monitoring systems.
- Two-week advance notice: Employers must inform employees about the monitoring, its purposes, and the scope of data storage at least two weeks before implementation.
- Email and internet monitoring is permitted for legitimate business purposes but must be disclosed in the employer's workplace regulations (regulamin pracy) and communicated to all employees.
Penalties and Sanctions
GDPR Administrative Fines
The two-tier fine structure of Article 83 GDPR applies:
- Tier 1 (up to EUR 10 million or 2% of global annual turnover): Violations of controller and processor obligations (Articles 8, 11, 25-39, 42, 43) and certification requirements.
- Tier 2 (up to EUR 20 million or 4% of global annual turnover): Violations of basic processing principles (Article 5), lawfulness (Article 6), consent conditions (Article 7), children's data (Article 8), special-category rules (Article 9), data subject rights (Articles 12-22), and international transfer rules (Articles 44-49).
Public-Sector Cap
Public bodies are subject to a maximum fine of PLN 100,000 under Section 102 of the Polish Personal Data Protection Act. The Poczta Polska case applied this cap to the Minister of Digital Affairs (PLN 100,000), while Poczta Polska itself, a commercial entity, received the full PLN 27 million fine.
Electronic Communications Penalties
Under Article 209 of the Polish Electronic Communications Law, violations of consent requirements for electronic marketing (email, SMS, automated calls) and cookie obligations carry fines of up to 3% of the violator's prior-year revenue.
Criminal Penalties
The Polish Personal Data Protection Act criminalizes unauthorized data processing. Processing personal data without authorization or in a manner not permitted by statute carries a fine, restriction of liberty, or imprisonment of up to two years (Section 107(1)). Where the violation involves special-category data, the maximum penalty rises to three years' imprisonment (Section 107(2)).
Civil Compensation
Data subjects may pursue civil compensation for material or non-material damage caused by GDPR violations (GDPR Art. 82). Proceedings may be brought before civil courts independently of any UODO administrative proceedings. Non-profit organizations acting in the public interest may represent data subjects in compensation claims under Polish procedural rules.
Notable Enforcement Decisions

Poczta Polska: PLN 27 Million (March 2025)
UODO's largest fine to date targeted the state postal operator for its role in the May 2020 correspondence election. The Ministry of Digital Affairs transferred PESEL register data for approximately 30 million adult citizens to Poczta Polska before the legislation authorizing postal voting had entered into force. UODO found violations of Articles 5(1)(a) and 6(1) GDPR (lawfulness and purpose limitation). The EDPB confirmed the fine. The Minister of Digital Affairs received the statutory maximum of PLN 100,000 as a public entity.
ING Bank Slaski: EUR 4,375,273 (2025)
UODO fined ING Bank Slaski for scanning and storing identity document images for approximately 4.7 million current and prospective customers between April 2019 and September 2020. While anti-money laundering law permits copying identity documents in specific circumstances, it does not make copying mandatory; ING failed to conduct the case-by-case necessity assessment required before resorting to document scanning. Violations of Articles 5(1)(a), 5(1)(b), 5(1)(c), and 6(1) GDPR were found.
McDonald's Polska: EUR 4,022,773 (2025)
A data breach at McDonald's Polska exposed employee data (including PESEL numbers, passport details, job roles, and shift schedules) held by its third-party scheduling processor (24/7 Communication, fined EUR 43,680 separately). UODO found failures in vendor due diligence, absence of a risk assessment, use of an unapproved sub-processor, and inadequate breach notification to former employees (press releases used instead of direct individual notification). Violations of Articles 24(1), 25(1), 28(1), 32(1), and 38(1) GDPR.
mBank: PLN 4,053,173 (2024)
UODO fined mBank for failing to notify data breach victims after customer personal data was sent to an unauthorized recipient on 30 June 2022. The bank discovered the breach but did not inform affected customers that their data had been disclosed, violating Article 34 GDPR, which requires that data subjects be notified of a high-risk breach without undue delay.
Toyota Bank Polska: EUR 132,000 + EUR 78,000 (2024)
Toyota Bank received two fines: EUR 132,000 for improperly positioning the DPO in a reporting line subordinate to management rather than directly to the highest management level (Article 38(3) GDPR), and EUR 78,000 for failing to notify a personal data breach within 72 hours (Article 33(1) GDPR). The case demonstrates that UODO scrutinizes DPO governance structures, not just data security failures.
DPD Polska: PLN 11.46 Million (Multiple Decisions)
Courier company DPD Polska received two fines totalling over PLN 11 million: PLN 6.251 million for failing to conclude required data processing agreements with external transport carriers before granting them access to customer data (Article 28 GDPR), and PLN 5.209 million for inadequate technical and organizational security measures including an automated credential-generation system with no identity verification (Article 32 GDPR).
EU AI Act Interaction
The EU AI Act, Regulation (EU) 2024/1689, entered partial application from 2 August 2024. High-risk AI systems must achieve full conformity by 2 August 2026. The AI Act intersects with the GDPR at several points relevant to organizations operating in Poland.
Prohibited AI practices (from 2 February 2025): The AI Act bans AI systems that deploy subliminal manipulation techniques, exploit vulnerabilities, engage in social scoring by public authorities, use real-time remote biometric identification in public spaces (with narrow law enforcement exceptions), and infer sensitive personal attributes from biometric data. Most of these prohibited uses involve personal data processing, meaning GDPR lawfulness requirements apply alongside the AI Act prohibitions.
High-risk AI systems: Systems used in biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice are classified as high-risk. Operators must conduct conformity assessments, maintain technical documentation, implement human oversight, and register in the EU AI database, obligations that require close coordination with GDPR requirements (DPIAs, data minimization, purpose limitation).
UODO's position on national AI governance: UODO has released a statement on implementing the EU AI Act, criticizing Poland's draft national AI implementation act for relegating UODO to an advisory role without voting rights. UODO argues that AI Act enforcement involving personal data requires meaningful participation in decision-making, not merely consultation. Poland's draft Act on Artificial Intelligence Systems (adopted by the Council of Ministers on 31 March 2026, submitted to Parliament) proposes a new Commission for AI Development and Security (KRiBSI) as the primary national supervisory authority, with UODO retaining a coordination role on data protection matters. The division of competence between KRiBSI and UODO on AI decisions involving personal data processing remained unresolved as of May 2026.
Business Compliance Checklist
Organizations processing personal data of individuals in Poland should address the following points:
Legal basis and documentation
- Identify a valid Article 6(1) GDPR legal basis for each processing activity and document the analysis.
- For special-category data, identify an additional Article 9(2) condition.
- Avoid relying on employee consent as the sole basis for processing employment data.
- Conduct DPIAs for high-risk processing; consult UODO before proceeding if residual risk remains high after DPIA.
DPO and governance
- Determine whether DPO appointment is mandatory; appoint if so.
- Notify UODO within 14 days of appointment, change, or dismissal.
- Publish the DPO's name and contact information on the organization's website immediately.
- Ensure the DPO reports directly to top management (not to a line manager).
- Do not designate the DPO as responsible for filing breach notifications.
Vendor management
- Execute Article 28 data processing agreements with all processors before the processing begins.
- Approve sub-processors; include them in processing agreements.
- Conduct vendor due diligence; document the risk assessment.
Security and breach
- Implement technical and organizational measures under Article 32, proportionate to risk.
- Maintain an internal breach register (Article 33(5)) for all breaches including below-threshold ones.
- Notify UODO within 72 hours of a notifiable breach; notify affected individuals where high risk is present.
- Do not substitute press releases for direct individual notification.
PESEL numbers
- Collect PESEL numbers only where a specific legal basis exists; document it.
- Apply access controls proportionate to the high sensitivity of PESEL data.
- Include PESEL number processing in DPIAs for large-scale or high-risk use cases.
Cross-border transfers
- Confirm adequacy decision coverage before transferring to third countries.
- Use 2021 SCCs for transfers where no adequacy decision applies; complete Transfer Impact Assessments.
Electronic marketing
- Obtain prior consent for email, SMS, and automated marketing calls under Article 398 of the Polish Electronic Communications Law.
- Implement a valid cookie consent mechanism; pre-ticked boxes are invalid.
Disclaimer
This article presents general legal information about the data privacy framework in Poland under the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the Act of 10 May 2018 on the Protection of Personal Data. The information was verified as of 19 May 2026. This article does not constitute legal advice and does not create a lawyer-client relationship. Laws and enforcement guidance change; readers should consult a lawyer licensed in Poland or in the relevant EU jurisdiction for advice on their specific situation.
Authorities cited
- Act of 10 May 2018 on the Protection of Personal Data (Poland). https://uodo.gov.pl/en/660/1464
- Regulation (EU) 2016/679 (General Data Protection Regulation). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32016R0679
- Regulation (EU) 2024/1689 (EU AI Act). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32024R1689
- Constitution of the Republic of Poland (1997), Arts. 30, 47, 49, 51. https://www.sejm.gov.pl/prawo/konst/angielski/kon1.htm
- UODO Official Website. https://uodo.gov.pl/en
- Data Subject Rights in Poland: UODO. https://uodo.gov.pl/en/694
- Designation and Position of the DPO: UODO. https://uodo.gov.pl/en/679
- UODO Sectoral Inspection Plan for 2025. https://uodo.gov.pl/en/553/1835
- Plan kontroli sektorowych UODO na rok 2026. https://uodo.gov.pl/pl/138/4029
- President of UODO Presented the 2024 Annual Report. https://uodo.gov.pl/en/553/2063
- UODO Breach Notification Guide. https://uodo.gov.pl/en/672/1410
- UODO: PESEL Number Importance. https://uodo.gov.pl/en/553/1510
- UODO - Administrative Fines: Poczta Polska (March 2025). https://uodo.gov.pl/en/553/1884
- EDPB: Poczta Polska Election Fines. https://www.edpb.europa.eu/news/national-news/2025/polish-sa-administrative-fines-gdpr-infringements-organisation-election_en
- UODO: ING Bank Fine. https://uodo.gov.pl/en/553/1990
- EDPB: ING Bank Slaski Fine EUR 4,375,273. https://www.edpb.europa.eu/news/national-news/2025/polish-sa-administrative-fine-4-375-273-eu-ing-bank-slaski-sa-scanning_en
- EDPB: McDonald's Polska Fine EUR 4,022,773. https://www.edpb.europa.eu/news/national-news/2025/polish-sa-administrative-fine-eur-4-022-773-mcdonalds-polska-sp-z-oo-and_en
- UODO: Fine for mBank for Failure to Inform Data Breach Victims. https://uodo.gov.pl/en/553/1806
- UODO: Fine for Toyota Bank for Improperly Located DPO. https://uodo.gov.pl/en/553/1833
- EDPB: EUR 132,000 Fine for Improper DPO Positioning. https://www.edpb.europa.eu/news/national-news/2025/polish-sa-administrative-fine-132-000-eu-improper-positioning-dpo-and_en
- Right to Lodge a Complaint with the President of UODO. https://uodo.gov.pl/en/680/1402
- European Commission: GDPR Adequacy Decisions. https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/adequacy-decisions_en
- European Commission: Standard Contractual Clauses. https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
- DataGuidance: UODO Statement on EU AI Act Implementation. https://dataguidance.com/news/poland-uodo-releases-statement-implementing-eu-ai-act
Last updated: 2026-05-19. Statutes cited reflect their in-force version as of 2026-05-19.
Frequently Asked Questions
What is the main data privacy law in Poland?
Poland operates under two parallel instruments: the EU General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, which is directly applicable across the EU, and the national Act of 10 May 2018 on the Protection of Personal Data. Both entered force on 25 May 2018. The national act supplements the GDPR by establishing UODO, fixing the age of digital consent at 16, capping public-sector fines at PLN 100,000, and providing procedural rules for enforcement and appeals.
What is UODO and what powers does it have?
UODO (Urzad Ochrony Danych Osobowych) is Poland's Office for Personal Data Protection and the country's independent GDPR supervisory authority. Its President holds ministerial rank and is appointed by the Sejm for a renewable four-year term. UODO can conduct inspections, issue binding administrative decisions including orders to cease processing or erase data, and impose fines up to EUR 20 million or 4% of global annual turnover. In 2024, UODO issued 1,719 decisions, received 8,056 complaints, and imposed PLN 13.9 million in fines.
What are the breach notification deadlines in Poland?
Controllers must notify UODO within 72 hours of becoming aware of a personal data breach that poses a risk to individuals' rights and freedoms. Telecommunications providers face a stricter 24-hour deadline. Where the breach creates a high risk for individuals, the controller must also notify affected data subjects without undue delay using clear, plain language. A February 2025 UODO guideline confirmed that the DPO must not be designated as the responsible party for filing breach notifications; that responsibility remains with the data controller.
What are the maximum penalties for GDPR violations in Poland?
Private organizations face fines of up to EUR 20 million or 4% of global annual turnover for serious violations (basic processing principles, consent, data subject rights, international transfers). Lesser violations carry fines up to EUR 10 million or 2% of turnover. Public bodies are capped at PLN 100,000 under Polish national law. Criminal penalties reach up to two years' imprisonment for unauthorized processing, rising to three years for violations involving special-category data. Electronic marketing violations carry fines up to 3% of prior-year revenue.
What is Poland's age of consent for digital services?
Poland set the age of consent for processing children's personal data in information society services at 16 years, the GDPR maximum under Article 8. Some EU member states have lowered this to 13, 14, or 15, but Poland chose the highest permitted threshold. Processing data of children under 16 requires verifiable consent from a holder of parental responsibility.
Does Poland have specific rules for employee monitoring?
Yes. Poland's Labour Code permits video surveillance for employee safety, property protection, production control, and confidential information purposes. Cameras are prohibited in toilets, changing rooms, canteens, rest rooms, and trade union premises. Audio recording through monitoring systems is prohibited because the Labour Code does not provide a legal basis for it. Employers must give employees at least two weeks' notice before implementing monitoring. Email and internet monitoring is permitted but must be disclosed in the employer's workplace regulations.
How is the PESEL number treated under Polish data protection law?
UODO treats the PESEL number, Poland's permanent 11-digit national identification number, as one of the most sensitive categories of personal data. Because PESEL numbers cannot be changed, unauthorized disclosure creates lasting identity fraud risk. The Poczta Polska case (PLN 27 million fine, March 2025) involved the transfer of PESEL numbers for 30 million citizens without a valid legal basis, underscoring UODO's strict approach to PESEL data processing.
How does the EU AI Act interact with Polish data protection law?
The EU AI Act, Regulation (EU) 2024/1689, began applying in stages from 2 August 2024. AI systems using biometric identification, social scoring, employment filtering, and other high-risk applications must comply with both the AI Act's conformity requirements and the GDPR's data protection obligations. Poland's draft national AI Act (adopted by the Council of Ministers on 31 March 2026) proposes a new Commission for AI Development and Security (KRiBSI) as the primary AI supervisory body, while UODO retains a coordination role on data protection matters. The division of authority remained unresolved as of May 2026.
What must organizations do if they appoint a Data Protection Officer in Poland?
In addition to the GDPR's Articles 37-39 requirements, Polish law requires the controller or processor to notify UODO of the DPO appointment, change, or dismissal within 14 days, using the UODO electronic notification form with a qualified electronic signature or ePUAP trusted profile. The DPO's name and contact details must be published on the organization's website immediately. The DPO must report directly to the highest management level; UODO fined Toyota Bank EUR 132,000 in 2024 for placing the DPO in a subordinate reporting structure.
How can data subjects exercise their rights and file complaints in Poland?
Data subjects should first submit a written request to the controller, which must respond within one month. If the controller fails to respond adequately or refuses the request, the data subject can lodge a complaint with the President of UODO. UODO investigates and issues a binding administrative decision. That decision can be challenged before the Voivodeship Administrative Court (WSA), with a further cassation appeal to the Supreme Administrative Court (NSA). Data subjects may also pursue civil compensation for material or non-material damage in civil courts, independently of UODO proceedings.