
Data & Privacy - Poland

Comprehensive law: EU GDPR (Regulation 2016/679) as directly applicable law, implemented nationally by the Personal Data Protection Act of 10 May 2018 (Ustawa o ochronie danych osobowych); supervised by the President of the Personal Data Protection Office (Prezes UODO).

As an EU member state, Poland applies the General Data Protection Regulation (GDPR) directly, supplemented by the national Personal Data Protection Act of 10 May 2018, which entered into force on 25 May 2018 and exercises the GDPR's national-discretion options. The independent supervisory authority is the President of the Personal Data Protection Office (UODO), which replaced the former Inspector General (GIODO) and actively enforces the regime, issuing roughly 2,000 administrative decisions per year, including several record fines in 2025.

Comprehensive GDPR-based regime

Poland is bound by the directly applicable EU GDPR, with national specifics set out in the Personal Data Protection Act of 10 May 2018. The Act fully incorporated the GDPR and addressed areas left to member-state discretion (e.g., the supervisory authority's structure and powers).

Supervisory authority (UODO)

The independent supervisory authority is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, PUODO), based in Warsaw. The President is appointed by the Sejm with the Senate's consent for a four-year term; the office replaced the former GIODO when the 2018 Act took effect.

Data subject rights

Individuals in Poland enjoy the full set of GDPR rights: access, rectification, erasure, restriction of processing, data portability, objection, and protection against solely automated decision-making. Rights are exercised directly against the data controller.

Controller obligations / breach notification

Controllers must notify a personal data breach to UODO within 72 hours of becoming aware of it (unless unlikely to risk individuals' rights), and must communicate high-risk breaches to affected individuals. Standard GDPR duties on lawful basis, transparency, security and DPO appointment apply.

National-discretion specifics

The 2018 Act sets the child's consent age for information-society services at 16, caps administrative fines on public bodies at PLN 100,000, and requires notification of a Data Protection Officer (DPO) to UODO within 14 days of designation.

Active enforcement

UODO issues about 2,000 administrative decisions annually and has imposed major fines, including a record PLN 27 million on Poczta Polska (March 2025, presidential-election data) and PLN 18.4 million on ING Bank Śląski (2025), demonstrating a maturing, robust enforcement posture.

Machine-assisted translation · verified 5/23/2026 · orientation, not legal advice.