European Union · updated 2026-06-15
Poland
Poland's UODO enforces the fundamentals — its landmark Morele.net fine was about weak security and its Fortum decision about unverified processors. Solid technical security and vendor oversight matter more here than paperwork polish.
- Law:
- GDPR + Personal Data Protection Act 2018 + Telecommunications Law
- Regulator:
- UODO (Urząd Ochrony Danych Osobowych)
Cookie consent
Opt-in required
Breach deadline
72 hours
DPA with vendors
Required
Max fine
€20,000,000 or 4% of global annual revenue, whichever is higher
What Poland requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Privacy policy (polityka prywatności)
Art. 13–14 GDPRPolish-language privacy notice for consumer services, naming UODO as the complaint authority.
How to implement Polish consumer protection law (UOKiK) also reviews unfair clauses in policies — keep the language plain and specific about retention.
Required -
Cookie consent banner
Art. 173 Telecommunications LawOpt-in consent for analytics and marketing cookies with prior blocking.
How to implement Deploy a CMP with a Polish-language banner and a first-layer reject option; UOKiK (the consumer regulator) has also acted against dark-pattern banners.
Required -
Records of processing (ROPA)
Art. 30 GDPRStandard register of processing activities.
How to implement Keep it current; UODO inspections start with the ROPA and your security-measures documentation.
Required -
Data protection officer (IOD)
Art. 37 GDPR + Polish DPA ActGDPR-baseline thresholds; appointment must be notified to UODO within 14 days of designation.
How to implement Notify electronically via ePUAP and publish the IOD's contact details on your website — Polish law requires the name to be publicly available.
Conditional -
Breach notification process
Art. 33–34 GDPR72-hour notification to UODO plus individual notification for high-risk breaches.
How to implement UODO has fined companies for under-classifying breaches. When in doubt, report — a defensible written risk assessment is your protection either way.
Required -
Security measures & vendor verification
Art. 32 GDPRUODO enforcement centres on Art. 32: MFA, encryption, testing, and documented verification of processors' security.
How to implement Enable MFA on admin panels, encrypt backups, and keep dated records of vendor security reviews — these exact gaps produced Poland's largest fines.
Required
The details
- Cookie consent
- Art. 173 of the Telecommunications Law requires opt-in consent for non-essential cookies; browser settings alone are not valid consent for tracking. Marketing tags must be blocked until consent.
- Data Protection Officer
- GDPR baseline thresholds. Appointed DPOs (IOD) must be notified to UODO within 14 days, and the notification is done electronically.
- Processing agreements
- Art. 28 GDPR agreements required. UODO's Fortum fine specifically punished a controller for not verifying its processor's security — Polish enforcement expects active vendor oversight, not just a signed contract.
- Breach notification
- Notify UODO within 72 hours via its electronic inbox (ePUAP) or online form. UODO has fined companies for deciding not to report breaches it later deemed reportable.
- Enforcement in practice
- Morele.net was fined PLN 2.8M (≈€660k) after a breach exposed 2.2M customers — UODO faulted insufficient safeguards like missing two-factor authentication.
Data subject rights
What users can demand from you in Poland, and the engineering that satisfies each right.
Right to access
Art. 15 GDPRCopy of personal data and processing details within one month.
Respond within 30 days; UODO handles thousands of complaints annually, most about ignored requests.
Right to erasure
Art. 17 GDPRDeletion when data is no longer necessary or consent withdrawn.
Polish accounting law requires 5-year retention of tax records — document the exemption in your retention schedule.
Right to data portability
Art. 20 GDPRMachine-readable export of user-provided data.
JSON/CSV export endpoint for consent- and contract-based processing.
Right to rectification
Art. 16 GDPRCorrection of inaccurate personal data.
Self-service edits plus a support channel.
Right to restrict processing & to object
Art. 18, 21 GDPRFreeze during disputes; absolute objection to direct marketing.
Polish law additionally requires separate consent for marketing calls and emails (Art. 172 Telecom Law) — objection means immediate suppression.
Automated decision-making
Art. 22 GDPRProtection against solely automated significant decisions.
Disclose logic and add human review to automated credit or fraud decisions; Polish banking regulation adds sector-specific duties.
Tools that cover Poland
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
cookie consent
Cookiebot
CMP with Polish-language banners and prior blocking out of the box.
Visit Cookiebot → -
privacy policy
iubenda
Generates Polish-language policies kept in sync with GDPR and telecom-law changes.
Visit iubenda → -
dpa template
Termly
DPA templates with security-measures annexes — useful given UODO's vendor-verification focus.
Visit Termly →
Frequently asked questions
What does UODO actually fine companies for?
Weak security and poor vendor oversight more than paperwork. Morele.net (missing MFA before a breach) and Fortum (unverified processor) are the pattern: if a breach happens and your safeguards were thin, the fine follows.
Do I need to tell UODO if I appoint a DPO?
Yes — within 14 days, electronically. Poland also requires publishing the DPO's name and contact details on your website, which is stricter than the GDPR baseline of contact details only.
Is browser-setting consent enough for cookies in Poland?
The Telecommunications Law nominally allows settings-based consent, but for GDPR-grade tracking consent regulators expect an affirmative banner action. Practically: run a standard opt-in CMP like everywhere else in the EU.
What security measures does Polish enforcement expect at minimum?
Two-factor authentication on administrative access, encryption of data at rest and in transit, regular testing of safeguards, and documented reviews of processors — each of these gaps has been cited in a published UODO fine.
Similar jurisdictions
Free download
Get GDPR updates for Poland
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.