GDPR Fines in Poland — Review of Key UODO Decisions and Lessons for Businesses
Since the GDPR came into force in May 2018, the President of the Polish Data Protection Authority (UODO) has imposed dozens of administrative fines on Polish companies and public institutions. The total amount of fines is growing year on year — and an analysis of UODO decisions provides valuable insights into which mistakes most frequently lead to sanctions and how to protect against them.
This article presents a review of the most significant fines imposed by UODO, analyses the most commonly violated provisions, and draws practical conclusions for organisations.
Scale of UODO Fines — Statistics
UODO’s enforcement activity has been growing steadily:
- 2024: 20 decisions imposing fines on 24 entities, totalling nearly PLN 14 million (approx. EUR 3.2 million). This was a marked increase — the total fines accounted for over 44% of all sanctions imposed since 2018.
- 2025: 32 fines totalling PLN 64.5 million (approx. EUR 15 million) — a fivefold increase compared to the previous year. At the same time, UODO received nearly 13,000 complaints (compared to 8,000 in 2024) and over 22,000 breach notifications.
The trend is clear — UODO is issuing fewer decisions but imposing significantly higher fines, guided by the principle that sanctions must be effective, proportionate, and dissuasive.
At the European level, total GDPR fines since 2018 have exceeded EUR 7 billion.
Highest Fines in Poland — Key Decisions
Poczta Polska S.A. — PLN 27.1 million (2025)
The record fine in UODO’s history. Poczta Polska was fined for the unlawful processing of personal data of approximately 30 million citizens from the PESEL register in connection with preparations for the so-called postal elections in 2020. UODO found that the processing was carried out without a proper legal basis, in violation of GDPR principles and citizens’ constitutional right to privacy.
Lesson: Even acting on instructions from a state authority does not exempt an organisation from verifying the legal basis for data processing.
McDonald’s Polska Sp. z o.o. — approx. PLN 16.9 million (2025)
Fine for the unauthorised scanning of customer identity documents (including the PESEL number) without assessing the necessity and proportionality of processing.
Lesson: Collecting data “just in case” without analysing whether it is genuinely necessary violates the data minimisation principle.
Fortum Marketing and Sales Polska S.A. — PLN 4.9 million (2022)
Fine for insufficient technical and organisational measures to protect personal data. The energy company failed to ensure an adequate level of security for the data it processed.
Lesson: Article 32 GDPR requires the implementation of adequate security measures — and UODO assesses not only whether procedures exist, but whether they actually work.
Morele.net Sp. z o.o. — PLN 3.8 million (2024)
Fine for violations of Articles 5, 25, and 32 GDPR — inadequate technical and organisational safeguards that led to a breach affecting approximately 2.2 million individuals.
Lesson: The scale of the breach (the number of affected individuals) has a direct impact on the fine amount.
PLN 4.05 million fine (2024) — failure to notify individuals
The highest fine in 2024 was imposed for failing to notify individuals whose data had been compromised. UODO found that the failure to inform affected individuals prevented them from taking protective measures and constituted a disregard for their rights.
Lesson: Failure to notify individuals about a breach (Article 34 GDPR) is treated by UODO very seriously — sometimes even more severely than the breach itself.
Santander Bank Polska S.A. — PLN 1.44 million (2024)
Fine for violations of Articles 33 and 34 GDPR — failure to report an incident and failure to notify affected individuals.
Lesson: Banks and financial institutions face heightened scrutiny from UODO due to the sensitivity of the data they process.
Fine for missing DPIA and DPO irregularities — PLN 314,000 (2024)
A bank was fined for failing to conduct a DPIA for large-scale profiling activities and for the DPO not reporting directly to the highest management level — violating the DPO independence requirement under Article 38 GDPR.
Lesson: UODO examines not only documentation but also the DPO’s actual position within the organisational structure.
Most Commonly Violated GDPR Provisions
Analysis of UODO decisions reveals recurring patterns of violations:
- Article 5 GDPR (processing principles) — violation of the integrity and confidentiality principle (insufficient safeguards), violation of the accountability principle (lack of documented compliance), violation of the data minimisation principle (collecting excessive information).
- Article 25 GDPR (privacy by design and by default) — failure to consider data protection at the design stage of systems and processes. UODO increasingly assesses whether the organisation considered data protection before launching a new process.
- Article 32 GDPR (security of processing) — lack of encryption, loss of data storage devices (laptops, USB drives), insufficient access control, no security testing, vulnerability to ransomware attacks.
- Articles 33 and 34 GDPR (breach notification) — failure to report a breach to UODO within 72 hours, failure to notify affected individuals, late or incomplete notifications.
- Article 28 GDPR (processing agreements) — absence of data processing agreements with processors, incomplete agreements, failure to verify sub-processors.
- Article 6 GDPR (legal bases) — processing data without a proper legal basis or with an incorrectly selected basis.
What UODO Focuses On
Based on analysis of decisions and UODO’s own statements, the areas with the highest risk of audit and fines include:
- Real effectiveness of safeguards — UODO no longer assesses merely “whether a procedure exists” but whether it actually works in practice. Token GDPR implementations — documentation on paper without a real management system — are punished increasingly severely.
- Incident response — UODO analyses not only whether the notification was timely, but also its quality, completeness, and the method of risk assessment for individuals. An effective incident response can mitigate the fine, while its absence can increase it.
- Cooperation with the supervisory authority — openness to cooperation with UODO during proceedings can significantly reduce the fine. Conversely, ignoring correspondence from UODO leads to harsher sanctions.
- Profiling and automated decision-making — UODO checks whether profiling is included in the ROPA, whether a DPIA has been conducted, and whether individuals are properly informed.
- Public entities — UODO emphasises that public entities processing data in a “citizen-institution” relationship are held to a higher standard of care, as the individual has limited ability to object.
Factors Affecting Fine Amounts — Article 83(2) GDPR
When determining the fine, UODO considers the following factors:
- Nature, gravity, and duration of the violation — a one-off incident is treated more leniently than systematic non-compliance.
- Intentional or negligent character — deliberate violations result in higher fines than errors arising from carelessness.
- Actions taken to mitigate damage — swift incident response, notification of affected individuals, implementation of remedial measures — can reduce the fine.
- Degree of cooperation with UODO — openness, provision of information, implementation of recommendations.
- Categories of data — violations involving special category data (health, biometric) or financial data are punished more severely.
- Previous violations — repeat offences lead to higher fines.
- How UODO learned of the violation — self-reporting by the controller is viewed more favourably than discovery by the authority ex officio or through a complaint.
- Prior technical and organisational measures — holding ISO 27001 certification, implemented procedures, and staff training are mitigating factors.
European Fines — Context for Polish Decisions
Polish fines, while growing, remain relatively low compared to some EU countries. For context: the Irish DPC has imposed fines on Meta reaching hundreds of millions of euros, the French CNIL has imposed multimillion-euro fines on Google and Amazon for cookie violations, and the Luxembourg authority imposed a record EUR 746 million fine on Amazon.
The European trend clearly indicates the direction — fines will continue to rise, and supervisory authorities will become increasingly active. Polish fines are following the same trajectory, albeit with a slight delay.
UODO Audit Plan for 2025/2026
UODO has announced audits focused on particularly sensitive sectors, including entities processing data on a large scale in EU systems, the financial and banking sector, public entities, and the health and e-commerce sectors.
This approach demonstrates that UODO audits can be planned rather than solely reactive — increasing the risk even for entities that have not previously been audited.
How to Reduce the Risk of a Fine — Practical Recommendations
Based on UODO decision analysis, the most effective protective measures are:
1. A genuinely implemented data protection system — not just documentation on paper, but a functioning system: procedures, training, audits, and incident response.
2. Regular risk assessment — an up-to-date risk assessment helps identify and eliminate gaps before a breach occurs.
3. Effective incident response procedure — preparation for breaches (Incident Response Plan) and the ability to act swiftly within 72 hours.
4. A competent DPO — with genuine independence, access to the board, and adequate resources.
5. Current documentation — ROPA, privacy notices, processing agreements, and security policies — regularly reviewed and updated.
6. Staff training — regular, documented data protection training for all personnel.
7. ISO 27001/27701 certification — as evidence of a systematic approach to security and a mitigating factor when determining fines.
8. Cooperation with UODO — in the event of an audit or proceedings: openness, timely provision of information, and implementation of recommendations.
Checklist — Minimising the Risk of a UODO Fine
- Check whether you have a genuinely functioning data protection system (not just documents).
- Conduct an up-to-date risk assessment.
- Ensure you have an effective breach response procedure (72 hours!).
- Verify the DPO’s position — do they have independence and access to the board?
- Review and update documentation: ROPA, privacy notices, processing agreements.
- Check technical safeguards: encryption, access control, backups.
- Schedule and document staff training.
- Analyse whether you use profiling — and whether it is reflected in the ROPA and DPIA.
- Consider ISO 27001/27701 certification.
- Prepare for contact with UODO — know who in the organisation is responsible and how to respond.
Need a GDPR Compliance Audit?
Preventive measures are incomparably cheaper than a multimillion-zloty administrative fine and subsequent litigation. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we conduct GDPR compliance audits, identify gaps, and help eliminate them — before UODO does.

Contact us — we will assess your organisation’s risk and propose optimal solutions.
