Data protection & privacy laws in Poland (2026)
As an EU member state, Poland applies the General Data Protection Regulation (GDPR) directly, supplemented by the national Personal Data Protection Act of 10 May 2018, which entered into force on 25 May 2018 and exercises the GDPR's national-discretion options. The independent supervisory authority is the President of the Personal Data Protection Office (UODO), which replaced the former Inspector General (GIODO) and actively enforces the regime, issuing roughly 2,000 administrative decisions per year, including several record fines in 2025.
Key points
Poland is bound by the directly applicable EU GDPR, with national specifics set out in the Personal Data Protection Act of 10 May 2018. The Act does not restate the GDPR (a regulation applies without transposition); it ensures the GDPR's application in Polish law and fills the areas left to member-state discretion, such as the supervisory authority's structure and powers, the age of digital consent, and fine caps for public bodies.
The independent supervisory authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, PUODO), based in Warsaw. The President is appointed by the Sejm with the Senate's consent for a four-year term; the office replaced the former GIODO when the 2018 Act took effect.
Individuals in Poland enjoy the full set of GDPR rights: access, rectification, erasure, restriction of processing, data portability, objection, and protection against solely automated decision-making. Rights are exercised directly against the data controller.
Controllers must notify a personal data breach to UODO without undue delay and, where feasible, within 72 hours of becoming aware of it (Article 33 GDPR), unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where a breach is likely to result in a high risk, the controller must also communicate it to the affected individuals without undue delay (Article 34 GDPR); this is a separate obligation from the regulator notification, and UODO has fined for each independently. The standard GDPR duties on lawful basis, transparency, security of processing and DPO appointment apply.
The 2018 Act sets the child's consent age for information-society services at 16, caps administrative fines on public bodies at PLN 100,000, and requires notification of a Data Protection Officer (DPO) to UODO within 14 days of designation.
UODO issues about 2,000 administrative decisions annually and has imposed major fines, including a record PLN 27 million on Poczta Polska (March 2025, presidential-election data) and PLN 18.4 million on ING Bank Śląski (2025), demonstrating a maturing, robust enforcement posture.
Timeline - major decisions & events
Poland's government approved a bill to create a dedicated national AI supervisory authority and to implement the EU AI Act in domestic law, forwarding it to Parliament for enactment. Poland is one of the first EU states to propose a single, purpose-built institution for AI oversight rather than assigning the role to an existing body.
Source: Digital Policy Alert

Poland's Supreme Administrative Court (Naczelny Sąd Administracyjny) held that UODO must affirmatively demonstrate that an individual is identifiable, within the meaning of Article 4(1) GDPR, before classifying IP addresses or cookie identifiers as personal data. The ruling imposes a higher evidentiary burden on the regulator and constrains blanket cookie-consent enforcement.
Source: International Network of Privacy Law Professionals (INPLP)

UODO penalised ING Bank Śląski PLN 18.4 million (~€4.375 million) for scanning the identity cards of approximately 4.7 million customers and prospective customers without verifying, case by case, whether the scan was actually required under the AML Act, in breach of Articles 5(1)(a), (b) and (c) and 6(1) GDPR (lawfulness, purpose limitation and data minimisation). The case highlighted routine over-collection of identity-document data in Polish retail banking.
Source: European Data Protection Board

UODO imposed its largest-ever fine, PLN 27,124,816 (~€6.44 million), on state postal operator Poczta Polska, and PLN 100,000 (the statutory cap for public bodies) on the Minister of Digitization, for unlawfully receiving and processing PESEL register data covering ~30 million adult citizens to organise a COVID-era postal presidential election without a valid legal basis, in breach of Articles 5(1)(a) and 6(1) GDPR. The case set a precedent that executive-directed emergency data transfers are not exempt from the GDPR.
Source: European Data Protection Board

UODO issued a significant fine against mBank S.A. for breaching Article 34 GDPR by failing to communicate a personal data breach directly to the affected individuals, continuing the authority's intensified focus on breach communication as a standalone compliance requirement distinct from the 72-hour regulator notification rule.
Source: CMS Expert Guide — Data Protection and Cybersecurity: Poland

UODO penalised Santander Bank Polska S.A. (~€344,498) for not reporting a breach in which a parcel containing bank documents, including PESEL numbers, credentials and ID data, was lost, in violation of the notification requirement under Article 33 GDPR. The case reinforced that the loss of physical documents triggers the same notification obligations as a digital breach.
Source: ICLG — Data Protection Laws & Regulations: Poland 2025-26

UODO imposed an administrative fine on P4 Sp. z o.o. (the mobile operator Play) for failing to notify the supervisory authority of a personal data breach within 72 hours as required by Article 33 GDPR, signalling that the authority treats a missed notification deadline as a standalone, fining-worthy violation.
Source: European Data Protection Board

UODO issued Poland's first GDPR fine, against Bisnode, a data-analytics firm that compiled 7.6 million business records from public registries but notified only ~700,000 of the individuals concerned, arguing that the cost of postal outreach to the rest was disproportionate. The authority rejected that argument and ordered Bisnode to contact the remaining ~6 million people. The ruling established that cost alone does not excuse the Article 14 transparency obligations that apply when data are not obtained from the data subject.
Source: European Data Protection Board

Parliament enacted the Act of 21 February 2019 amending over 160 sector-specific statutes, covering health, employment, scientific research and financial services, to align them with the GDPR and to exercise member-state discretions. Together with the 2018 Personal Data Protection Act, it completed the alignment of Polish sectoral law with the GDPR.
Source: Internetowy System Aktów Prawnych (ISAP) — Polish Official Legislative Journal

Poland enacted its first comprehensive data-protection statute, the Act of 29 August 1997 on the Protection of Personal Data, to transpose EU Directive 95/46/EC, establishing the Inspector General for Personal Data Protection (GIODO) as supervisory authority and setting foundational rules on lawful processing, data subjects' rights and cross-border transfers. The Act governed Polish data protection for over two decades until superseded by the 2018 Personal Data Protection Act.
Source: EU Agency for Fundamental Rights (FRA)
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources cited above.