GDPR Enforcement in Poland
Deep dive into relevant data protection enforcement cases and insights from Poland

Fining practice
Trend: Have the national data protection authorities in Poland focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?
It cannot be clearly stated whether the Polish data protection authority – the President of the Personal Data Protection Office (“Prezes Urzędu Ochrony Danych Osobowych”, “UODO”) – deliberately focuses on certain types of violations. However, we observe that the UODO has increased its activity in terms of imposing fines for violations involving insufficient technical and organisational measures to ensure information security, and insufficient fulfilment of data breach notification obligations. For example, in September 2024, the UODO published information about another significant fine imposed on one of the top banks in Poland, mBank (namely PLN 4,053,173, approx. EUR 969,659), for failing to notify a personal data breach to the data subjects affected by the data leak. In view of this trend, businesses should consider reviewing their implemented security measures and their internal processes for handling personal data breaches. We also observe that the UODO more often imposes fines/corrective measures for non-cooperation with the UODO. Therefore, companies should not ignore any letters from the UODO.
Fines imposed in Poland have so far covered a fairly balanced range of sectors, in particular the financial sector, the insurance sector, telecommunications, and public sector entities.
The UODO carries out inspections in accordance with its annual audit plans and outside the scope of its audit plan. Each year the UODO publishes its Sectoral Inspection Plan (“Plan”). According to the Plan for 2025, the UODO intends to focus its inspections on:
- Authorities processing personal data in Large-Scale IT Systems of the European Union (including Schengen Information System and the Visa Information System);
- Entities processing health data, focusing on the methods used to ensure the security of personal data;
- Entities processing children's data, particularly concerning the processing of children's images where parental or legal guardian consent is required;
- Data controllers' compliance with Article 33(5) of the GDPR, which requires documenting all personal data breaches, including the circumstances of the breach, its consequences, and the remedial actions taken.
This shift indicates the UODO's responsiveness to emerging data protection challenges, particularly in sectors involving sensitive information such as health records and children's data. By broadening its inspection scope, the UODO aims to address areas with increasing risks of personal data protection violations and significant public interest.
Overall, what was the most significant fine in Poland to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?
According to the publicly available information, the highest GDPR fine in Poland to date, within the private sector, was imposed on Fortum Marketing and Sales Polska S.A. (an energy and gas provider) (“Fortum”), on 19 January 2022, to the amount of PLN 4,911,732 (approx. EUR 1,175,056) for failing to implement appropriate technical and organisational measures to ensure personal data security and for failing to verify the processor. In turn, the processor, PIKA sp. z o.o. (“PIKA”), received a fine of PLN 250,000 (approx. EUR 59,809).
Summary – background
The UODO commenced its investigation following a notification of a data breach from Fortum. The data breach concerned the copying of a customer database by unauthorised third parties. The data breach happened when the processor, PIKA, was introducing changes in the ICT environment. Because the server on which the database was deployed lacked the appropriate configuration to ensure the security of data transmitted from the new server to other ICT components, the unauthorised persons were able to copy Fortum's customer database. The controller found out about the incident not from the processor, but from two independent Internet users who notified it that they had unauthorised access to the database.
Findings of the UODO
The UODO found that Fortum did not carry out audits, including inspections, to verify whether PIKA had correctly fulfilled its obligations under the GDPR. The processor acted contrary to generally recognised ISO standards, while also running contrary to the provisions of its own "Security Policy" which refers to said standards.
Additionally, the UODO found that the technical and organisational measures applied by Fortum only met the requirements specified in Article 32 of the GDPR to a very limited extent. Fortum did not enforce its own agreement with the processor, did not follow its own practice of implementing changes into the IT environment based on internal regulations, and did not audit the processor with regard to its activities, in order to improve the functioning of the service.
The customer database contained personal data such as residence information, personal identification numbers, ID card series and numbers, and agreement dates. The data breach concerned about 137,314 of Fortum’s customers.
Appeal proceedings
Fortum appealed the UODO’s decision to the Provincial Administrative Court. As a result, the court of first instance annulled the UODO’s decision in 2023. However, the UODO is contesting the court’s ruling and has appealed against it to the Supreme Administrative Court, so the ruling is not yet final.
Landmark 2024 decision
Another very recent landmark case from April 2024 concerns the UODO's decision to fine one of the largest Polish banks, Santander Bank Polska S.A., PLN 1,440,000 (approx. EUR 344,498) for failing to notify a data breach. In this case the bank did not notify a data breach concerning a parcel of bank documents lost in transit, containing personal data such as PESEL numbers, bank usernames and passwords, ID numbers, etc.
Shortly after the parcel was lost by the courier, it was found by an identified person, who took it directly to the police station and stated that he had not copied the documents found. Nevertheless, the UODO indicated that the security of personal data was more important than the interests of the data controller. Moreover, the lack of a data breach notification had prevented the affected persons from responding appropriately to the breach, which could have had serious consequences for them. It had also deprived the UODO of the opportunity to assess whether the bank had implemented appropriate safeguards to avoid such incidents in the future.
The latest highest GDPR fine
In March 2025, the UODO imposed a record-breaking fine of PLN 27 million (approx. EUR 6.46 million) on the national postal service operator Poczta Polska for unlawfully processing the data of 30 million citizens during the attempt to organise the May 2020 presidential election in Poland as a postal vote.
The UODO's investigation revealed that the Ministry of Digital Affairs transferred citizens' data to Poczta Polska without a legal basis. According to the UODO's estimates, the data concerned all adult citizens, i.e. approx. 80% of the total population of Poland. After receiving the data, Poczta Polska processed them without a legal basis.
The President of Poczta Polska has announced that the company will appeal the fine imposed by the UODO to the administrative court.
Organisation of authorities and course of fine proceedings in Poland
How is the data protection authority organised in Poland? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?
- In Poland, there is one central Data Protection Authority - the UODO.
- The President of the UODO is appointed by the lower house of the Polish Parliament (“Sejm”) subject to the approval of the Senate (the upper house of the Polish Parliament).
- In 2022, the UODO’s budget was PLN 41,713,000 (approx. EUR 9,979,187) and it employed 243 people at the end of 2022. In 2023, the UODO’s budget was PLN 45,367,000 (approx. EUR 10,853,349) and it employed 267 people at the end of 2023.
- In addition, a violation of some rules, e.g. direct marketing, may result in action being taken by other authorities, such as the President of the Office for Competition and Consumer Protection or the President of the Office for Electronic Communications.
How does a fine procedure work in Poland? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?
- Fines can be directly imposed by the UODO as part of administrative proceedings, which are single instance.
- In general, the UODO carries out inspections resulting in fines/corrective measures in accordance with its annual audit plans and outside the scope of its audit plan. However, quite frequently, inspections are commenced as the consequence of ongoing general administrative proceedings owing to a complaint made by an individual person or a breach notification.
- The procedure usually starts with a formal notification to the relevant entity that proceedings concerning it have been opened (i.e. a non-public notification). In the course of the proceedings, the UODO contacts the controller/processor to obtain the relevant information.
- The entity subject to inspection has the opportunity to present its view on the factual and legal aspects of the case before the UODO issues its final decision.
- Only some of the cases end with a financial penalty. The UODO more often imposes corrective measures on the entities in the form of a “reprimand” (“upomnienie”).
- The decisions of the UODO may be appealed to the competent administrative courts (the provincial administrative courts; “wojewódzkie sądy administracyjne”). Later on, the lower administrative court’s ruling may be challenged in the court of second instance, the Supreme Administrative Court (“Naczelny Sąd Administracyjny”).
When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?
Funds from administrative fines constitute state budget revenue. They do not contribute to the UODO itself.
Is there a common, official calculation methodology for fines in Poland (such as the fining models in the Netherlands or Germany)?
- The UODO has not adopted one common, official calculation methodology for fines. As the UODO stresses, each case is examined individually, analysing the factual and legal situation as of the date of the decision.
- However, the UODO relies on the EDPB Guidelines 04/2022 on the calculation of administrative fines under the GDPR, and it confirms this on its official website.
Can public authorities be fined in Poland? If they can: Where does this money go?
Yes, public authorities may be fined by the UODO. A limitation on administrative fines for public bodies was introduced at up to PLN 100,000 (approx. EUR 23,923), or up to PLN 10,000 (approx. EUR 2,392) for cultural institutions.
Funds from administrative fines constitute state budget revenue. They do not contribute to the UODO itself.
In Poland, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?
- There is no comprehensive publication of fines, as the UODO is not obliged to publish each fine.
- Decisions are published if the UODO deems it justified by the public interest, in particular if by a fine the UODO can “send a message” to Polish companies, as in the Santander, mBank or Poczta Polska cases. Publicly available decisions can be accessed online on the UODO’s website (in Polish only).
- If the UODO issues a decision establishing that a violation has occurred, units within the public finance sector, research institutes and the National Bank of Poland must provide public information as to the actions taken to implement the decision.
- As a general rule, fined entities are not anonymised by the UODO in its publications. However, due to the privacy of an individual or business confidentiality, the UODO may decide to anonymise the data.
If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?
Each year the UODO publishes a report on its activities. The reports provide aggregated information on the total number of cases and fines. They are available online on the UODO’s website (in Polish only).
- In 2019, the UODO issued 1,369 administrative decisions, including 8 decisions imposing fines of a total amount of PLN 3,167,160.50 (approx. EUR 757,693.90). In total, there were 6,039 data breach notifications and 9,304 data subject claims.
- In 2020, the UODO issued a total of 1,866 administrative decisions, including 11 decisions imposing fines of a total amount of PLN 3,446,800.20 (approx. EUR 824,593.35). In total, there were 7,507 data breach notifications and 6,442 data subject claims.
- In 2021, the UODO issued a total of 2,082 administrative decisions, including 18 decisions imposing fines of a total amount of PLN 2,198,007.00 (approx. EUR 525,839.00). In total, there were 12,946 data breach notifications and 8,318 data subject claims.
- In 2022, the UODO issued a total of 2,030 administrative decisions, including 20 decisions imposing fines of a total amount of PLN 7,850,861.00 (approx. EUR 1,878,196.41).
- In 2023, the UODO issued a total of 1,870 administrative decisions, including 30 decisions imposing fines of a total amount of PLN 1,230,331.28 (approx. EUR 294,337.63).
Currently, the UODO’s report for the year 2024 is not yet publicly available; however, it should be published no later than 31 August 2025.
Other legal consequences of non-compliance in Poland
Does Poland have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
The possibility of bringing a class action for a personal data protection breach is not clear-cut in Poland. Under the Polish Class Actions Act it is possible to bring claims for compensation (of a pecuniary nature) based on Article 82 of the GDPR in declaratory proceedings/class actions. However, it is not possible to pursue class action claims for reparations of a non-pecuniary nature based on Article 79 of the GDPR in conjunction with the violation of personal interests.
However, at this time, no declaratory proceedings/class action claims have been initiated in Poland for damages or compensation related to a personal data breach. Therefore, it is difficult to clearly establish the possibility of lodging declaratory proceedings / a class action claim based on a breach of data protection regulations.
In addition, an infringement of data protection regulations may simultaneously infringe the collective interests of consumers. In such a case, the matter is handled by the Office for Competition and Consumer Protection. If such a violation is proven, it will be possible to start declaratory proceedings / a class action claim.
What is more relevant in Poland: fines from authorities, or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
At present, fines issued by the UODO are much more relevant than private litigation regarding data protection infringements, which is relatively rare. Most likely, this is due to the high litigation costs paired with low claims for damages.
Nonetheless, we notice an increase in the enforcement of data subjects' rights which will likely bring about more litigation in this area in the future.