Poland
A country whose intelligence services deployed Pegasus spyware against 578 individuals using money diverted from a victims’ support fund, whose courts approve 99% of wiretap requests, and whose territory hosted a CIA secret detention facility, a fact the European Court of Human Rights found established “beyond reasonable doubt”
Poland is a member of the European Union and is therefore subject to the General Data Protection Regulation (GDPR), the Law Enforcement Directive, the ePrivacy Directive, and other EU-level data protection instruments. For a detailed treatment of the EU framework, see the EU Framework page. This page covers Poland’s national implementing legislation, domestic enforcement record, intelligence and surveillance laws, and international data sharing agreements.
Overview
Poland’s privacy landscape is defined by a tension between EU data protection standards and an extensive domestic surveillance apparatus that the European Court of Human Rights has found to violate fundamental rights. The Urzad Ochrony Danych Osobowych (UODO), Poland’s data protection authority, enforces the GDPR and has issued significant fines — including PLN 27.1 million against Poczta Polska for unlawfully processing the personal data of approximately 30 million citizens during the 2020 postal election preparations. Five separate intelligence and security agencies — the ABW, AW, CBA, SKW, and SWW — collectively exercise surveillance powers with minimal judicial oversight.[1][2]
The Pegasus spyware scandal revealed that 578 individuals were targeted between 2017 and 2022 by three agencies using software purchased with PLN 25 million diverted from the Justice Fund, a victims’ support fund. In May 2024, the ECHR ruled in Pietrzak and Others v. Poland that Poland’s surveillance regime violated Article 8 of the European Convention on Human Rights on three separate grounds. Poland also hosted a CIA secret detention facility at the Stare Kiejkuty military base, confirmed by the ECHR in two 2014 rulings. Poland is classified as an NSA Tier B partner under “Focused Cooperation.”[3][4][5]
Data Protection Authority: UODO
The Urzad Ochrony Danych Osobowych (UODO) is Poland’s independent supervisory authority under the GDPR. The current president is Miroslaw Wroblewski, appointed by the Sejm on January 16, 2024, confirmed by the Senate on January 17, 2024, and sworn in on January 26, 2024. Wroblewski previously served as Director of the Constitutional, International and European Law Department at the Office of the Commissioner for Human Rights (2007–2024). In 2023, the UODO issued 1,870 administrative decisions, including 30 decisions imposing fines totaling PLN 1,230,331.[1]
Notable Enforcement Actions
| Date | Entity | Fine | Details |
|---|---|---|---|
| Sep 2019 | Morele.net | PLN 2.8M (~EUR 645K) | Insufficient technical and organizational safeguards; 2.2 million customer records breached[6] |
| Jan 2022 | Fortum Marketing and Sales | PLN 4.9M | Failure to verify processor; customer database copied by unauthorized third parties. Court of first instance annulled in 2023; UODO appealed to Supreme Administrative Court[7] |
| Oct 2024 | mBank | PLN 4.05M (~EUR 870K) | Failed to notify data subjects of a personal data breach; employee of processor sent sensitive data to unauthorized recipient[8] |
| Mar 2025 | Poczta Polska S.A. | PLN 27.1M (~EUR 6.4M) | Unlawful processing of PESEL data of ~30 million citizens during 2020 postal election preparations. Minister of Digital Affairs fined PLN 100,000 (~EUR 23,757), the statutory maximum for a public authority, in the same decision[2] |
| Jul 2025 | ING Bank Slaski S.A. | PLN 18.4M (~EUR 4.4M) | Scanning customers’ identity documents without appropriate purpose analysis (April 2019 – September 2020)[9] |
| Jul 2025 | McDonald’s Polska | PLN 16.9M (~EUR 4.0M) | Failed risk analysis and processor oversight; employee data exposed in publicly available catalogue[10] |
Key Legislation
Personal Data Protection Act (May 10, 2018)
Poland’s primary GDPR implementing legislation (Ustawa o ochronie danych osobowych), entered into force on May 25, 2018. Supplemented by the Act on amendments to sectoral acts of February 21, 2019, which amended 162 existing laws for GDPR alignment.[11]
Electronic Communications Law (July 12, 2024)
The Prawo komunikacji elektronicznej, enacted July 12, 2024, entered into force November 10, 2024, replacing the Telecommunications Law of 2004. It implements the European Electronic Communications Code and expands scope to include email providers, instant messaging services, and online meeting tools. Poland was fined over EUR 10 million by the CJEU for its delay in implementing the Code.[12]
Police Act (1990)
Operational control (wiretapping) under the Police Act requires court approval. In 2022, courts authorized 9,781 wiretaps, a 99% approval rate; only 13% (1,308) yielded evidence used in criminal proceedings. Separately, police and intelligence agencies obtain telecommunications metadata, including billing and location data, without prior judicial authorization; since the 2016 amendment the only judicial involvement is an ex post review of semi-annual reports on such requests. In 2019, the police alone made 1.35 million metadata requests, and total requests across all agencies reached approximately 2 million per year.[13][14]
Anti-Terrorism Act (2016)
Authorizes the ABW to order three-month wiretapping of foreigners without judicial authorization if terrorism-related suspicion exists. The ABW is also authorized to block websites and shut down telecom networks during declared terrorist threats. The ECHR’s May 2024 ruling found the Act’s secret surveillance provisions failed to satisfy Article 8 requirements.[15][4]
National Cybersecurity System Act (July 5, 2018)
Transposes the NIS Directive. Establishes three CSIRTs: CSIRT GOV (ABW), CSIRT NASK (research institute), and CSIRT MON (Ministry of National Defence). NIS2 transposition is delayed: Poland missed the October 17, 2024 deadline, received a European Commission reasoned opinion on May 7, 2025, and sent a draft to the Sejm on November 7, 2025, but the law has not yet been enacted.[16]
Surveillance and Intelligence
Intelligence Agencies
Poland operates five intelligence and security agencies, all established after the 1990 dissolution of the communist-era Security Service (SB):
| Agency | Role | Reports To |
|---|---|---|
| ABW (Agencja Bezpieczenstwa Wewnetrznego) | Domestic intelligence and counterintelligence | Prime Minister |
| AW (Agencja Wywiadu) | Foreign intelligence, SIGINT, IMINT | Prime Minister |
| CBA (Centralne Biuro Antykorupcyjne) | Anti-corruption investigations | Prime Minister |
| SKW (Sluzba Kontrwywiadu Wojskowego) | Military counterintelligence, SIGINT | Minister of National Defence |
| SWW (Sluzba Wywiadu Wojskowego) | Military intelligence, SIGINT, IMINT | Minister of National Defence |
ABW and AW were created in 2002 from the split of the Urzad Ochrony Panstwa. CBA was established in 2006. All five agencies have operational control (wiretapping) powers and access to telecommunications metadata without prior judicial authorization.[17]
Pegasus Spyware Scandal (2017–2022)
The CBA purchased Pegasus from NSO Group in late 2017 using PLN 25 million (~EUR 5.5 million) from the Justice Fund (Fundusz Sprawiedliwosci), a victims’ support fund. The Supreme Audit Office (NIK) flagged this expenditure as illegal in 2018. Between 2017 and 2022, three agencies — CBA, ABW, and SKW — targeted 578 individuals: 6 in 2017, 100 in 2018, 140 in 2019, 161 in 2020, 162 in 2021, and 9 in 2022.[3]
In December 2021, Citizen Lab identified the first Polish Pegasus targets: opposition politician Krzysztof Brejza (whose phone was hacked 33 times during his campaign role), lawyer Roman Giertych, and prosecutor Ewa Wrzosek. An 18-month Senate investigation concluded in September 2023, finding “gross violations of constitutional standards” and calling the Pegasus purchase illegal. The Sejm established an Inquiry Committee in January 2024, but the Constitutional Tribunal ruled it unconstitutional on September 10, 2024.[18][19]
Former Justice Minister Zbigniew Ziobro, who oversaw the Justice Fund, was detained by police on January 31, 2025 to be brought before the Sejm inquiry committee and was released the same day. Prosecutors subsequently brought 26 criminal charges against him, including leading an organized criminal group within the Ministry of Justice. Ziobro was granted asylum in Hungary in January 2026, and a European Arrest Warrant was sought in February 2026.[20]
ECHR Ruling: Pietrzak and Others v. Poland (May 28, 2024)
In Pietrzak and Bychawska-Siniarska and Others v. Poland (Applications nos. 72038/17 and 25237/18), the ECHR found three violations of Article 8 ECHR: (1) the operational control (wiretapping) regime lacked adequate safeguards; (2) the data retention and communications metadata access regime went beyond what was “necessary in a democratic society”; and (3) secret surveillance under the Anti-Terrorism Act was not subject to review by an independent body. The five applicants included the Dean of the Warsaw Bar Association and representatives of the Panoptykon Foundation and Helsinki Foundation for Human Rights.[4]
Constitutional Tribunal Surveillance Ruling (K 23/11, July 30, 2014)
The Constitutional Tribunal found that provisions empowering the secret services to access telecommunications data violated the constitutional right to privacy and set an 18-month deadline for their replacement. It required independent oversight, notification of surveillance targets, and tighter procedural safeguards. The January 2016 amendment to the Police Act, adopted to meet that deadline, left these requirements largely unaddressed and instead expanded surveillance powers.[21]
Palantir Technologies Defense Partnership
Poland has pursued an aggressive relationship with US defense technology firms as part of its military modernization drive backed by NATO-leading defense spending of approximately 5% of GDP. On December 23, 2024, the Defense Ministry signed a Memorandum of Understanding with Palantir Technologies. On October 26, 2025, Defense Minister Władysław Kosiniak-Kamysz and Palantir CEO Alex Karp signed a Letter of Intent in Warsaw, covering battlefield management, logistics, data integration, real-time analytics, AI, and cybersecurity across the Polish Armed Forces, Cyber Army, General Command, and Operational Command.[30][31]
The October 2025 ceremony also included a Letter of Intent with Anduril Industries. Because Palantir is a US company, any Polish Armed Forces data that sits in Palantir’s possession, custody or control (for example on Palantir-hosted rather than Polish-operated infrastructure) falls within reach of US legal process under the CLOUD Act regardless of where it is stored, with no requirement of Polish government consent or notification; the form of process required (subpoena, court order or warrant) depends on the category of data sought. This is a structural data sovereignty issue that Poland’s parliament has not publicly addressed in the context of these agreements.
Internet Infrastructure
EPIX (e-Poludnie Internet Exchange)
EPIX is Poland’s largest internet exchange point by traffic, exceeding 3.5 Tbps with over 850 connected users. Operated by the e-Poludnie Association (not-for-profit, founded 2009), EPIX maintains points of presence in Warsaw, Katowice, and Poznan.[22]
PLIX / Equinix Internet Exchange Warsaw
The Polish Internet Exchange (PLIX) is now operated as Equinix Internet Exchange Warsaw, following TelecityGroup’s acquisition of PLIX and Equinix’s subsequent acquisition of TelecityGroup. It connects approximately 241 ISP members through 460+ active ports across three IBX data centers in Warsaw (WA1, WA2, WA3).[23]
Connectivity
Poland has approximately 500 km of Baltic Sea coastline, but its international internet connectivity relies primarily on terrestrial fiber to Germany, the Czech Republic, Lithuania, and other neighbors. The SwePol Link, a 238 km HVDC cable from Karlshamn, Sweden, to near Ustka, Poland, is an electricity interconnector rather than a telecommunications cable. The four major mobile operators, Play (~30%), Orange Polska (~27%), Plus (~20%), and T-Mobile (~20%), collectively hold approximately 97% of the market.[24]
Data Retention
Poland imposes a 12-month mandatory retention period for telecommunications metadata (originator, destination, date, time, and location data). Poland originally implemented the EU Data Retention Directive with a 24-month period, the maximum permitted, and reduced it to 12 months in January 2013. The Directive itself was annulled by the CJEU in Digital Rights Ireland (April 2014), but the national retention obligation remained in force. Retention provisions are now governed by the Electronic Communications Law (2024), which replaced Articles 180a–180c of the former Telecommunications Law.[25]
Nine entities are authorized to access retained data: the Police, Border Guard, Military Police, ABW, SKW, CBA, the Customs Service and fiscal authorities (merged into the National Revenue Administration, KAS, in 2017), and prosecutors and courts. Intelligence agencies obtain metadata without prior judicial authorization and without independent oversight. The Constitutional Tribunal’s 2014 ruling that this access regime violated constitutional privacy rights has not been effectively implemented.[14][21]
International Data Sharing Agreements
NATO and EU Membership
Poland has been a NATO member since March 12, 1999 and an EU member since May 1, 2004. Poland participates in the Schengen Information System (SIS II), the European Investigation Order (EIO) framework, the Prüm Convention for automated DNA/fingerprint/vehicle data exchange, and Europol/Eurojust cooperation.[26]
NSA Tier B Cooperation
Poland is classified as an NSA Tier B partner under “Focused Cooperation” on computer network exploitation. Poland is not a member of the Five Eyes, Nine Eyes, or Fourteen Eyes alliances.[5]
CIA Black Site at Stare Kiejkuty
The ECHR found “beyond reasonable doubt” that Poland hosted a CIA secret detention facility at the Stare Kiejkuty military base in northeastern Poland during 2002–2003. In Al Nashiri v. Poland (No. 28761/11) and Husayn (Abu Zubaydah) v. Poland (No. 7511/13), both decided on July 24, 2014, the Court found Poland violated Articles 3, 5, 6, 8, and 13 ECHR and awarded EUR 100,000 in damages to each applicant. Former President Aleksander Kwasniewski subsequently admitted he agreed to host the site.[27]
US-Poland MLAT
The US-Poland MLAT on Mutual Legal Assistance in Criminal Matters was signed at Washington on July 10, 1996, and entered into force on September 17, 1999.[28]
The Privacy Backdoor Effect
Despite UODO enforcement of the GDPR and the constitutional privacy guarantees of Article 47, Poland’s intelligence sharing relationships and its documented hosting of CIA operations create pathways for access to data about Polish persons that lie entirely outside the GDPR, while the Anti-Terrorism Act allows surveillance of foreign nationals without judicial authorization:
- NSA Tier B Cooperation: Poland’s bilateral SIGINT partnership with the NSA allows intelligence about Polish nationals to be shared outside any GDPR-compatible framework. Independently of that partnership, Polish nationals are non-US persons and may be targeted by NSA collection under US foreign intelligence authorities such as FISA Section 702 and Executive Order 12333.
- Club de Berne / EU INTCEN: ABW intelligence shared with EU INTCEN and 31 European services flows outside the GDPR.
- CIA Black Site Legacy: Poland’s hosting of the CIA’s Stare Kiejkuty detention facility set a precedent for US intelligence operations on Polish soil outside Polish legal oversight; in Al Nashiri and Husayn v. Poland the ECHR held that Poland violated the European Convention on Human Rights by enabling the applicants’ torture and secret detention.
- EU Framework Sharing: Data about Polish persons in SIS II, Prüm, or EIO channels is accessible to the other EU member states and, through Europol’s cooperation agreements, to US agencies including the FBI.
- MLAT Requests: US authorities can obtain data held in Poland via the US-Poland MLAT. Requests are executed by Polish authorities under Polish procedure, but they originate from a US prosecutorial showing rather than from a Polish judicial warrant under the Code of Criminal Procedure.
- SWIFT/PNR: International financial transaction data (under the EU-US Terrorist Finance Tracking Program agreement) and air passenger data (under the EU-US PNR agreement) are subject to US access.
For Polish persons, the GDPR and the Personal Data Protection Act (2018) apply to controllers subject to Polish jurisdiction, but the ABW, AW, SKW, SWW, and CBA operate under their own founding statutes and the Anti-Terrorism Act (2016) and are exempt from UODO supervision. The ECHR’s 2024 ruling in Pietrzak and Others v. Poland confirmed that Polish surveillance law provides insufficient oversight for residents; foreign nationals whose communications transit PLIX, EPIX, or Polish fiber networks have weaker protection still, since the Anti-Terrorism Act permits their surveillance without a court order, and GDPR Article 2(2)(a) places national security processing outside the Regulation’s scope for residents and non-residents alike.
Recent Developments
UODO Fines ING Bank and McDonald’s (July 2025)
ING Bank Slaski fined PLN 18.4 million for scanning customers’ identity documents without purpose analysis. McDonald’s Polska fined PLN 16.9 million for failed risk analysis exposing employee data.[9][10]
Poczta Polska Fine (March 2025)
PLN 27.1 million fine for unlawfully processing PESEL data of approximately 30 million citizens during 2020 postal election preparations. The fine was reduced by 75% due to Poczta Polska’s public service role.[2]
Ziobro Arrest and European Arrest Warrant (January 2025–February 2026)
Former Justice Minister Zbigniew Ziobro was detained by police on January 31, 2025 to compel his appearance before the Sejm inquiry committee, and was later charged with 26 criminal offences related to the Pegasus purchase and Justice Fund misuse. He fled to Hungary, which granted him asylum in January 2026.[20]
ECHR Surveillance Ruling (May 2024)
Three Article 8 ECHR violations found in Poland’s surveillance regime: inadequate wiretap safeguards, excessive metadata access, and Anti-Terrorism Act secret surveillance lacking independent review.[4]
Electronic Communications Law (November 2024)
New law entered into force November 10, 2024, replacing the 2004 Telecommunications Law and expanding scope to email, messaging, and video conferencing providers.[12]
Chat Control: Poland Opposes Mass Scanning
During Poland’s EU Council Presidency (January–June 2025), Poland proposed a compromise removing detection orders and permitting only voluntary scanning. Sixteen member states rejected the compromise; Poland remains firmly opposed to mandatory scanning of encrypted communications.[29]
NIS2 Transposition Delayed
Poland missed the October 17, 2024 deadline and received a European Commission reasoned opinion on May 7, 2025. A draft was sent to the Sejm on November 7, 2025, but the law has not yet been enacted.[16]
