Poland’s Data Protection Authority Fines Organizations Nearly PLN 64.5m in 2025

In 2025, Poland’s Personal Data Protection Office (UODO) imposed nearly PLN 64.5 million in fines on businesses and institutions for breaches of personal data protection rules. The most common violations concerned organizational and technical shortcomings in data security, as well as improper notification of personal data breaches to both the authority and the individuals affected.

Last year, UODO issued more than 2,000 administrative decisions and imposed 32 financial penalties totaling almost PLN 64.5 million. By comparison, in 2024 there were 1,719 decisions, including just over 20 decisions imposing administrative fines with a combined value of more than PLN 13.9 million. This shows a clear increase in both the number and the scale of sanctions in 2025.

“The most serious shortcomings relate to problems with securing data—defects tied to organizational and technical issues. These are often closely linked to protection against cyberattacks. Penalties also concern failures to notify the authority and the individuals whose data are affected about data protection breaches,” Mirosław Wróblewski, President of the Personal Data Protection Office, told Newseria. “There are also issues connected with inadequate safeguarding of the status of data protection officers, as well as the operation of CCTV monitoring.”

The largest fine—over PLN 27 million—was imposed on Poczta Polska (Polish Post) for the unlawful disclosure and processing of personal data of approximately 30 million citizens from the PESEL register in connection with preparations for the so-called postal elections that were intended to take place in 2020.

According to the report “GDPR Fines and Data Breach Survey January 2026,” prepared by law firm DLA Piper, between 28 January 2025 and 27 January 2026 supervisory authorities across the European Union and the European Economic Area imposed around EUR 1.2 billion in fines for breaches of the EU’s General Data Protection Regulation (GDPR). The cumulative value of fines since the GDPR took effect in 2018 has now exceeded EUR 7 billion.

The report also points to a marked increase in the number of data breach notifications across the EU. In the period analyzed, the figure reached 443 reports per day—around 22% more year on year. Poland is also seeing growing civic activity in this area. In 2025, UODO received about 13,000 complaints from individuals—significantly more than in previous years. In 2023, the number was around 7,000, and in 2024 about 8,000.

“Citizens are aware of their rights, and I hope they also trust the Personal Data Protection Office. The number of complaints may also indicate that there are more breaches, including those involving new technologies. They concern many areas: everyday life, the financial sector—banking and insurance—but also education, both higher education and schools. It is therefore a very broad field of state and business activity. In practice, there is hardly any area in which personal data are processed and where breaches do not occur,” Wróblewski assesses.

Complaints most often relate to unauthorized disclosure of data, human error, and insufficient safeguards in IT systems.

In the UODO president’s view, the challenges linked to personal data protection will become even more serious in the coming years, among other reasons due to rapid legislative changes at the EU level.

“Operating in a changing legal environment is a challenge for many entities and data controllers. New EU legal acts certainly do not make life easier, but they are needed for many reasons. UODO tries to support both lawmakers in creating appropriate legal tools and controllers and organizations in functioning under changing conditions,” he notes.

The debate about the future of personal data protection is increasingly taking place in the context of the development of artificial intelligence and the use of data to train algorithms.

“When it comes to building the right legal foundations for using data in the context of training AI algorithms, the rules must be clear and transparent, while also enabling European businesses to compete with American ones. Certain burdens that are not necessary for real personal data protection should also be reduced,” the expert argues.

Education remains an important part of the authority’s work—relevant not only for data controllers but also for citizens themselves. UODO pays particular attention to children and young people, who increasingly use digital services and new technologies, often without full awareness of the consequences associated with processing personal data.

“That is why we run the broad ‘Your Data – Your Case’ program, which already involves nearly half a thousand schools,” Wróblewski points out.

The year 2026 also brings a symbolic milestone for EU data protection rules. It marks 10 years since the adoption of the GDPR, which entered into force two years later (in May 2018) and harmonized data protection standards across the European Union. According to the head of UODO, experience from recent years shows that while these regulations have significantly strengthened citizens’ rights, some of the obligations imposed on data controllers now require a fresh assessment.
