GDPR Enforcement in Poland

Deep dive into relevant data protection enforcement cases and insights from Poland

21 May 2026 Monaco 8 min read

The UODO's 2026 Sectoral Inspection Plan shifts focus to marketing entities (legal bases for processing), online delivery platforms, healthcare entities (video surveillance of children's data in paediatric settings) and Public Information Bulletin operators and continues oversight of Large-Scale EU Systems (SIS/VIS). This reflects a growing regulatory concern with commercial data processing and protection of vulnerable data subjects.
2025 marked a record year for enforcement by the UODO, with over PLN 64 million in fines imposed, including the three largest penalties in Polish data protection history: Poczta Polska (PLN 27 million), Bank ING (PLN 18.4 million) and McDonald's (PLN 16.9 million). All three decisions are being challenged or are not yet final, highlighting increased willingness of fined entities to contest the UODO's rulings.
The UODO's budget and staff have grown (from PLN 45.4 million and 267 employees in 2023 to PLN 54.8 million and 278 employees in 2024), demonstrating its increasingly active enforcement approach.
Administrative fines remain more significant than private litigation. However, following the August 2024 implementation of the EU Representative Actions Directive, this may change. The LexCultura Foundation has declared its readiness to initiate collective actions, potentially lowering barriers to private enforcement of data protection rights.

UODO's 2026 Sectoral Inspection Plan | Poland

Fining practice

Trend: Have the national data protection authorities in Poland focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?  

It cannot be clearly stated whether the Polish data protection authority – the President of the Personal Data Protection Office (“UODO”) – deliberately focuses on certain types of violations. However, the UODO carries out inspections in accordance with its annual audit plans and outside the scope of its audit plan. Each year the UODO publishes its Sectoral Inspection Plan (“Plan”). According to the Plan for 2026, the UODO intends to focus its inspections on: 

  • Marketing entities – particularly with respect to the legal bases for processing personal data for marketing purposes.
  • Online delivery platforms – processing of personal data in connection with the provision of intermediation services for the sale of goods and services via online applications.
  • Healthcare entities – processing of personal data through the use of video surveillance, particularly data relating to children, including within paediatric hospital wards and children's outpatient clinics.
  • Entities operating the Public Information Bulletin – the manner of processing personal data in connection with the obligation to maintain the Public Information Bulletin.
  • Authorities processing personal data in Large-Scale EU Systems, including the processing of SIS/VIS personal data – continuation of inspections from 2025.

This focus reflects the UODO's continued attention on evolving data protection challenges across diverse sectors. The 2026 Plan targets areas of growing regulatory concern, reflecting the authority's proactive approach to addressing emerging risks in the data protection landscape.

Additionally, in February 2025, the UODO published an updated Guide to Personal Data Breaches, which may signal heightened scrutiny of breach notification practices and documentation requirements.

Overall, what was the most significant fine in Poland to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?

In 2025, the UODO imposed over PLN 64 million in fines, including the three largest penalties in Polish data protection history. These substantial fines stemmed from structural deficiencies in data governance frameworks.

  • Poczta Polska (PLN 27 million, approx. EUR 6.3 million) was involved in a case that concerned the unlawful collection of voter data ahead of the 2020 presidential elections – the decision was overturned by the Provincial Administrative Court, though the ruling is not final and the UODO may file an appeal to the Supreme Administrative Court.
  • Bank ING (PLN 18.4 million, approx. EUR 4.3 million) was fined for excessive scanning of identity documents without individual risk assessment, in violation of data minimisation principles. The bank has announced that it will appeal; the decision is still not final.
  • McDonald's (PLN 16.9 million, approx. EUR 4 million) was subject to a case involving inadequate verification and monitoring of processors handling personal data on behalf of the controller – the decision is listed as partially final. 

Organisation of authorities and course of fine proceedings in Poland

How is the data protection authority organised in Poland? Budget, staff, assignment to a ministry?

In Poland there is one central data protection authority - the UODO.

The President of the UODO is appointed by the lower house of the Polish Parliament subject to the approval of the Senate (the higher house of the Polish Parliament).

In 2023 the UODO's budget was PLN 45.4 million (approx. EUR 10.7 million) and it employed 267 people at the end of 2023. In 2024 the UODO's budget was PLN 54.8 million (approx. EUR 12.9 million) and it employed 278 people at the end of 2024.

In addition, a violation of some rules, e.g. direct marketing, may result in action being taken by other authorities, such as the President of the Office for Competition and Consumer Protection or the President of the Office for Electronic Communications.

How does a fine procedure work in Poland? Can the authority impose fines itself? Procedural steps? Legal remedies?

Fines can be directly imposed by the UODO as part of administrative proceedings, which are single instance. 
In general, the UODO carries out inspections resulting in fines/corrective measures in accordance with its annual audit plans and outside the scope of its audit plan. However, quite frequently, inspections are commenced as the consequence of ongoing general administrative proceedings owing to a complaint made by an individual person or a breach notification.

The procedure usually starts with a formal notification to the relevant entity on the opening of proceedings regarding a particular entity (i.e. a non-public notification). In the course of the proceedings, the UODO contacts the controller/processor to obtain the relevant information.

The entity subject to inspection has the opportunity to present its view on the factual and legal aspects of the case before the UODO issues its final decision.

Only some of the cases end with a financial penalty. More often, the UODO imposes corrective measures on the entities in the form of a “reprimand”.

The decisions of the UODO may be appealed to the competent administrative courts. Later on, the lower administrative court's ruling may be challenged in the court of second instance – the Supreme Administrative Court.

When fines are imposed: Where does the money go? (state treasury / authority budget / other)

Funds from administrative fines are categorised as non-tax revenue and are considered state budget revenue. However, they do not contribute to the UODO itself.

Is there an official calculation methodology for fines in Poland?

The UODO has not adopted one common, official calculation methodology for fines. As the UODO stresses, each case is examined individually, analysing the factual and legal situation as of the date of the decision.

However, the UODO relies on the Guidelines 04/2022 on the calculation of fines under GDPR, and it even confirms this on its official website.

Can public authorities be fined in Poland? If yes: Where does this money go?

Yes, public authorities may be fined by the UODO. A limitation on administrative fines for public bodies of up to PLN 100,000 (approx. EUR 23,555) or up to PLN 10,000 (approx. EUR 2,355) for cultural institutions has been introduced.

Funds from administrative fines are considered state budget revenue. They do not contribute to the UODO itself.

Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?

There is no comprehensive publication of fines, as the UODO is not obliged to publish each fine.

The decisions are published if the UODO deems it justified by the public interest, in particular if by issuing a fine the UODO can “send a message” to Polish companies like in the McDonald’s or Poczta Polska cases. Publicly available decisions can be accessed online (only available in Polish here and here).

If the UODO issues a decision establishing that a violation has occurred, units within the public finance sector, research institutes and the National Bank of Poland must provide public information as to the actions taken to implement the decision.

As a general rule, fined legal entities (companies) are not anonymised by the UODO in its official press releases and communications. However, in the published decisions, personal data are always anonymised due to the privacy of an individual or business confidentiality.

If no individual publication: aggregated figures? Provide annual figures from 2019 onwards (if available).

Each year the UODO publishes a report on its activities. The reports provide aggregated information on the total number of cases and fines. They are available online here (in Polish only).

  • In 2019 the UODO imposed fines totalling PLN 3.2 million (approx. EUR 0.7 million).
  • In 2020 the UODO imposed fines totalling PLN 3.4 million (approx. EUR 0.8 million).
  • In 2021 the UODO imposed fines totalling PLN 2.2 million (approx. EUR 0.5 million).
  • In 2022 the UODO imposed fines totalling PLN 7.9 million (approx. EUR 1.8 million).
  • In 2023 the UODO imposed fines totalling PLN 1.2 million (approx. EUR 0.3 million).
  • In 2024 the UODO imposed fines totalling PLN 13.9 million (approx. EUR 3.3 million).

Currently, the UODO's report for the year 2025 is not yet publicly available; however, it should be published no later than 31 August 2026.

Other legal consequences of non-compliance in Poland

Does Poland have model declaratory proceedings/class actions in data protection law?

In August 2024, Poland implemented Directive (EU) 2020/1828 on representative actions for the protection of consumer interests. 

The amended Polish Class Actions Act now allows authorised entities (such as consumer organisations registered with the President of the Office for Competition and Consumer Protection or the European Commission) to bring collective actions on behalf of consumers for violations of laws listed in Annex I to the Directive, which includes the GDPR.

These representative actions may seek both injunctive relief (cessation of infringing practices) and monetary compensation. Notably, authorised entities are exempt from court fees. In proceedings seeking injunctive relief (cessation of infringing practices), they are also not required to prove individual harm or fault of the defendant.

What is more relevant: fines from authorities or court proceedings (damages/injunctions)? Outlook for the coming 12 months?

At present, administrative fines issued by the UODO play a far more significant role in the enforcement of data protection law than private litigation, which remains relatively rare. This is most likely attributable to high litigation costs combined with typically low damages claims.

However, this situation is expected to change as a result of amendments to the Polish Class Action Act. The LexCultura Foundation has publicly declared its readiness to initiate representative actions and is actively monitoring the market for opportunities to make use of these newly introduced procedural mechanisms. This development may substantially lower the barriers to private enforcement of data protection rights and could result in an increase in data protection litigation in the coming months.

That said, it should be noted that, at present, only the Financial Ombudsman and the LexCultura Foundation are entered in the official register of authorised entities entitled to bring such actions.
