🇵🇱 ePrivacy Directive in Poland
A comprehensive guide to ePrivacy Directive compliance for organisations operating in Poland. Understand local enforcement, the national data protection authority, key focus areas, and notable enforcement actions.
About ePrivacy Directive
The EU directive governing privacy in electronic communications, covering cookies, direct marketing, traffic data, and the confidentiality of communications — often called the "Cookie Law".
ePrivacy Directive Enforcement in Poland
Poland's data protection authority (UODO) has been steadily increasing its enforcement activity since 2019. Poland implemented the GDPR through the Act of 10 May 2018 on the Protection of Personal Data and supplementary legislation modifying over 160 existing Polish laws. The UODO has focused on public sector compliance, data breach notification failures, and obstruction of regulatory proceedings. Poland issued the first GDPR fine in Europe in early 2019 against a company that scraped publicly available business registry data without informing the data subjects. The UODO has also been active in the education sector, addressing biometric data use in schools and student data processing. Poland's age of digital consent is set at 16.
Data Protection Authority
Urząd Ochrony Danych Osobowych (UODO)
Key Enforcement Focus Areas in Poland
- Public sector and government data processing
- Data breach notification compliance
- Education sector data protection
- Biometric data processing in workplaces and schools
- Cross-border data processing cooperation
Notable Enforcement Actions in Poland
Fortum Marketing and Sales Polska
Insufficient technical and organisational security measures leading to a data breach affecting 137,000 customers
Bisnode Polska (now Dun & Bradstreet)
First GDPR fine in Europe — failing to inform ~6 million data subjects about processing of scraped business registry data
Virgin Mobile Polska
Inadequate technical measures to protect customer personal data resulting in a data breach
Morele.net
Insufficient security measures leading to a data breach affecting 2.2 million customers
Disclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
Other Regulations Affecting Poland
General Data Protection Regulation (GDPR)
The EU's landmark data protection law that governs how organisations collect, store, process, and transfer personal data of individuals in the European Economic Area.
Network and Information Security Directive (NIS2)
The updated EU cybersecurity directive that expands security requirements to a broader range of sectors and imposes stricter obligations on essential and important entities.
Digital Operational Resilience Act (DORA)
The EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector, covering ICT risk management, incident reporting, testing, and third-party risk.
EU Artificial Intelligence Act (AI Act)
The world's first comprehensive AI regulation, establishing a risk-based framework for the development, deployment, and use of artificial intelligence systems within the EU.