GDPR compliance, data protection, cybersecurity, IT contracts and technology law.
GDPR applies to any organisation that processes personal data of EU residents, regardless of where the organisation is based. A data protection lawyer can advise on compliance.
Fines can reach €20 million or 4% of global annual turnover (whichever is higher). A data protection lawyer can help implement compliant processes to minimise risk.
Browse our verified directory of law firms across Poland's major cities. All listed firms offer English-language legal services to expats and foreign nationals.
The EU General Data Protection Regulation (GDPR) applies in Poland as RODO (Rozporządzenie o Ochronie Danych Osobowych, Regulation (EU) 2016/679). It is supplemented by the Ustawa o ochronie danych osobowych (UODO) (Act on Personal Data Protection, Dz.U. 2018 poz. 1000), which implements national derogations. The supervisory authority is the Urząd Ochrony Danych Osobowych (UODO), headed by the President of UODO (Prezes UODO). Fines: up to €20M or 4% of global annual turnover (Tier 1); up to €10M or 2% (Tier 2).
| Organisation | Fine (PLN) | Year | Violation |
|---|---|---|---|
| Fortum Marketing and Sales Polska S.A. | 4,911,732 PLN (~€1.1M) | 2022 | Illegal profiling; processing personal data for marketing purposes without valid legal basis |
| Bank Millennium S.A. | 363,156 PLN | 2022 | Failure to notify data subjects of breach; inadequate breach response procedures |
| Bisnode Polska sp. z o.o. | 220,565 PLN | 2019 | First major RODO fine in Poland; failure to fulfil transparency obligations (art. 14 RODO) — scraping public data without informing data subjects |
| Główny Geodeta Kraju (state body) | 100,000 PLN | 2022 | Unlawful disclosure of personal data; inadequate technical security measures |
| Santander Consumer Bank S.A. | 547,061 PLN | 2023 | Inadequate response to data subject access request (SAR); breach of art. 15 RODO |
- Age of digital consent: 16 years (UODO art. 5; RODO art. 8). Poland chose 16, not 13.
- Employment data: KP art. 22¹ limits what employers may request. Name, address, education, employment history and PESEL are lawful; criminal records may be requested only where the employer has a specific legal obligation to do so.
- Health data in employment: only the conclusion of the medical fitness assessment (zdolność do pracy) may be communicated to the employer, not the diagnosis.
- CCTV in workplaces: KP art. 22². The employer must inform employees; maximum 3-month retention; works council (rada pracownicza) consultation is required for new monitoring systems.
- Breach notification: to UODO within 72 hours of becoming aware; to data subjects without undue delay where there is a high risk. RODO arts. 33–34 apply directly.
A Warsaw-based HR platform (1.2 million user profiles) suffered a cyberattack exposing CVs, contact details and salary expectations. The breach was notified to UODO within 48 hours (inside the 72-hour window), and data subjects were notified by email. The UODO investigation found that technical and organisational measures (TOM) were adequate at the time of the breach, but identified an outdated encryption algorithm. UODO issued an administrative decision (decyzja administracyjna) rather than a fine, requiring: (1) migration to AES-256 encryption within 60 days; (2) annual penetration testing; (3) an update of the DPIA (ocena skutków dla ochrony danych) within 90 days. The company avoided a fine by demonstrating rapid response and cooperation. An external DPO (inspektor ochrony danych) was appointed as a condition of the resolution.