Skip to content
GDPR by Law

European Union · updated 2026-06-15

Poland

Conditional

Poland's UODO enforces the fundamentals — its landmark Morele.net fine was about weak security and its Fortum decision about unverified processors. Solid technical security and vendor oversight matter more here than paperwork polish.

Law:
GDPR + Personal Data Protection Act 2018 + Telecommunications Law
Regulator:
UODO (Urząd Ochrony Danych Osobowych)

Cookie consent

Opt-in required

Breach deadline

72 hours

DPA with vendors

Required

Max fine

€20,000,000 or 4% of global annual revenue, whichever is higher

What Poland requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Privacy policy (polityka prywatności)

    Art. 13–14 GDPR

    Polish-language privacy notice for consumer services, naming UODO as the complaint authority.

    How to implement Polish consumer protection law (UOKiK) also reviews unfair clauses in policies — keep the language plain and specific about retention.

    Required
  2. Cookie consent banner

    Art. 173 Telecommunications Law

    Opt-in consent for analytics and marketing cookies with prior blocking.

    How to implement Deploy a CMP with a Polish-language banner and a first-layer reject option; UOKiK (the consumer regulator) has also acted against dark-pattern banners.

    Required
  3. Records of processing (ROPA)

    Art. 30 GDPR

    Standard register of processing activities.

    How to implement Keep it current; UODO inspections start with the ROPA and your security-measures documentation.

    Required
  4. Data protection officer (IOD)

    Art. 37 GDPR + Polish DPA Act

    GDPR-baseline thresholds; appointment must be notified to UODO within 14 days of designation.

    How to implement Notify electronically via ePUAP and publish the IOD's contact details on your website — Polish law requires the name to be publicly available.

    Conditional
  5. Breach notification process

    Art. 33–34 GDPR

    72-hour notification to UODO plus individual notification for high-risk breaches.

    How to implement UODO has fined companies for under-classifying breaches. When in doubt, report — a defensible written risk assessment is your protection either way.

    Required
  6. Security measures & vendor verification

    Art. 32 GDPR

    UODO enforcement centres on Art. 32: MFA, encryption, testing, and documented verification of processors' security.

    How to implement Enable MFA on admin panels, encrypt backups, and keep dated records of vendor security reviews — these exact gaps produced Poland's largest fines.

    Required

The details

Cookie consent
Art. 173 of the Telecommunications Law requires opt-in consent for non-essential cookies; browser settings alone are not valid consent for tracking. Marketing tags must be blocked until consent.
Data Protection Officer
GDPR baseline thresholds. Appointed DPOs (IOD) must be notified to UODO within 14 days, and the notification is done electronically.
Processing agreements
Art. 28 GDPR agreements required. UODO's Fortum fine specifically punished a controller for not verifying its processor's security — Polish enforcement expects active vendor oversight, not just a signed contract.
Breach notification
Notify UODO within 72 hours via its electronic inbox (ePUAP) or online form. UODO has fined companies for deciding not to report breaches it later deemed reportable.
Enforcement in practice
Morele.net was fined PLN 2.8M (≈€660k) after a breach exposed 2.2M customers — UODO faulted insufficient safeguards like missing two-factor authentication.

Data subject rights

What users can demand from you in Poland, and the engineering that satisfies each right.

Right to access

Art. 15 GDPR

Copy of personal data and processing details within one month.

Respond within 30 days; UODO handles thousands of complaints annually, most about ignored requests.

Right to erasure

Art. 17 GDPR

Deletion when data is no longer necessary or consent withdrawn.

Polish accounting law requires 5-year retention of tax records — document the exemption in your retention schedule.

Right to data portability

Art. 20 GDPR

Machine-readable export of user-provided data.

JSON/CSV export endpoint for consent- and contract-based processing.

Right to rectification

Art. 16 GDPR

Correction of inaccurate personal data.

Self-service edits plus a support channel.

Right to restrict processing & to object

Art. 18, 21 GDPR

Freeze during disputes; absolute objection to direct marketing.

Polish law additionally requires separate consent for marketing calls and emails (Art. 172 Telecom Law) — objection means immediate suppression.

Automated decision-making

Art. 22 GDPR

Protection against solely automated significant decisions.

Disclose logic and add human review to automated credit or fraud decisions; Polish banking regulation adds sector-specific duties.

Tools that cover Poland

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • cookie consent

    Cookiebot

    CMP with Polish-language banners and prior blocking out of the box.

    Visit Cookiebot →
  • privacy policy

    iubenda

    Generates Polish-language policies kept in sync with GDPR and telecom-law changes.

    Visit iubenda →
  • dpa template

    Termly

    DPA templates with security-measures annexes — useful given UODO's vendor-verification focus.

    Visit Termly →

Frequently asked questions

What does UODO actually fine companies for?

Weak security and poor vendor oversight more than paperwork. Morele.net (missing MFA before a breach) and Fortum (unverified processor) are the pattern: if a breach happens and your safeguards were thin, the fine follows.

Do I need to tell UODO if I appoint a DPO?

Yes — within 14 days, electronically. Poland also requires publishing the DPO's name and contact details on your website, which is stricter than the GDPR baseline of contact details only.

Is browser-setting consent enough for cookies in Poland?

The Telecommunications Law nominally allows settings-based consent, but for GDPR-grade tracking consent regulators expect an affirmative banner action. Practically: run a standard opt-in CMP like everywhere else in the EU.

What security measures does Polish enforcement expect at minimum?

Two-factor authentication on administrative access, encryption of data at rest and in transit, regular testing of safeguards, and documented reviews of processors — each of these gaps has been cited in a published UODO fine.

Similar jurisdictions

Free download

Get GDPR updates for Poland

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.