Monetary penalties for infringements of the GDPR provisions are of particularly high interest in the area of personal data protection. The risk of financial liability is a frequent motivating factor for ensuring compliance with the law, while at the same time deterring data controllers from undertaking risky activities involving personal data. Decisions concerning penalties are also a valuable source of knowledge for data protection practitioners. Monitoring these rulings and the conclusions drawn from them makes it possible to better understand interpretations of the GDPR provisions and the expectations of the supervisory authority, as well as to avoid similar infringements within one’s own organisation. Such awareness translates into a more accurate risk assessment, appropriate action, and compliance with the law.
Key conclusions
- Organisations that actively monitor updates regarding decisions issued by the President of the Polish DPA are better prepared for the lawful processing of personal data in compliance with the GDPR.
- Improper risk analysis is one of the most common reasons for the imposition of penalties, which points to systemic shortcomings in the approach to data protection.
- The supervisory authority’s guidance and actual penalty decisions serve as a practical guide for data controllers seeking to avoid similar mistakes within their own organisation.
- The obligation to report a personal data breach within the appropriate timeframe is one of the key requirements of the regulation, and failure to comply may result in serious financial consequences.
- Awareness of mitigating and aggravating factors in the imposition of penalties makes it possible to better assess the actual regulatory risk within an organisation.
Financial penalties under the GDPR – why is it worth monitoring decisions issued by the President of the Polish DPA?
In our report, we present a summary of the most important issues. For its purposes, we analysed the published decisions of the President of the Polish Data Protection Authority imposing administrative fines. We reviewed each of them in terms of the entities sanctioned and the provisions infringed. We present the results of this analysis in graphical and descriptive form. We indicate the areas in which entities made mistakes resulting in financial consequences. Some infringements recur more frequently than others – particularly deficiencies in risk analysis. This demonstrates, on the one hand, a widespread weakness within organisations in this area and, on the other, that it remains a constant focus of the supervisory authority. Given the alarming predominance of these infringements in the statistics and the key importance of risk analysis for data security, there is no reason to expect that the President of the Polish DPA will abandon this topic.
Fines overview – the Polish Data Protection Authority against the backdrop of European supervisory authorities
The findings of the report go beyond Poland. You will also find results of a comparative analysis showing how the activity of the Polish supervisory authority compares with that of other European authorities. Based on the available data, we analysed the number of decisions issued and the total amounts of fines imposed by the supervisory authorities of other EU Member States in 2023–2025. We have presented data concerning the countries occupying the leading positions in an accessible overview.
In a European context, Poland occupies a moderate position – the number of decisions imposing administrative fines is clearly lower than in Germany, Spain or Italy, but higher than in countries where sanctions are only occasional. The overview of fines from 2023–2024 shows that our supervisory authority is consistently moving towards greater selectivity: fewer decisions, but of greater significance and involving higher amounts. From a European perspective, the President of the Polish DPA remains a regulator with a stable yet clearly evolving supervisory practice.
The most high-profile decisions imposing financial penalties – cases worth millions
In the report, you will also find the most interesting – in our view – decisions in which the fines amounted to millions. In condensed form, we present the essence of each of them: who was fined and for what, the amount of the fine, and what practical lessons can be drawn from it.
2025 brought three high-profile decisions that dominated the statistics on the imposition of financial penalties: the Polish DPA’s fine on Poczta Polska amounted to a record PLN 27.1 million for the unlawful processing of data from the PESEL register concerning nearly 30 million citizens; ING Bank Śląski was fined PLN 18.4 million for the mass, unauthorised copying of identity documents; and McDonald’s Polska together with its data processor 24/7 Communication were fined a total of more than PLN 17 million for a data breach involving employees’ data caused by an incorrect server configuration. Each of these cases provides valuable practical lessons and shows that personal data protection infringements can generate financial consequences on a scale previously unseen in Poland.
What affects the amount of administrative fines imposed by the President of the Polish DPA?
In the report, we also remind readers which circumstances the supervisory authority takes into account when determining the amount of a financial penalty. Based on real cases, we present selected factors that may affect the level of the penalty, either mitigating or aggravating it.
When determining the amount of a fine, the supervisory authority examines the circumstances of each case individually, taking into account, among other things, the nature and duration of the infringement, whether the conduct was intentional, the number of affected individuals, the category of data processed, and the entity’s compliance history with the GDPR. A more lenient fine may, for example, apply to data controllers who have actively remedied the non-compliant situation, taken steps to minimise harm to the data subjects, or adopted and applied an approved code of conduct. Aggravating factors include, among others, the continued maintenance of GDPR non-compliance after the incident was reported, an increased risk to individuals arising from the processing of special categories of data, or the nature of the controller’s business, which implies that higher standards of due diligence are expected of it.
Personal data security in 2026 — forecasts and priorities of the supervisory authority
Finally, we present forecasts for 2026 and indicate the areas on which, in our view, the supervisory authority will focus during that period.
In 2026, increased interest from the President of the Polish DPA should be expected in the areas of cybersecurity and the use of artificial intelligence systems, which is a direct consequence of the entry into force of regulations in the area of the AI Act, NIS 2 and the Data Act. Issues related to privacy by design and by default, Data Protection Impact Assessments, and the proper structuring of relationships with data processors will become increasingly important.
FAQ – frequently asked questions
What does the President of the Polish DPA most often impose financial penalties for?
The President of the Polish DPA most often imposes penalties for violations of GDPR provisions related to improper risk analysis and the lack of adequate security measures in the processing of personal data. Decisions of the supervisory authority indicate that these are the areas that remain at the centre of its ongoing interest.
Does every personal data breach result in a financial penalty?
Not every personal data breach results in the imposition of a penalty – the supervisory authority takes into account a number of circumstances surrounding the breach, its severity, cause and consequences, including any prior warnings, the entity's cooperation during the proceedings, and the remedial measures taken.
How should personal data be processed to minimise the risk of a penalty?
To process personal data in compliance with GDPR and reduce the risk of penalties, it is necessary, among other things, to conduct a thorough risk analysis, ensure appropriate procedures and security measures, and carry out regular compliance audits. Guidance and decisions issued by supervisory authorities, which specify their expectations in this area, may also be helpful.
How does Poland compare with other EU countries in terms of administrative fines imposed?
The report includes a comparison of fines imposed by supervisory authorities in EU countries in 2023–2025, which makes it possible to assess the activity of the President of the Polish DPA in a European context. This analysis shows both the number of decisions issued and the total amount of fines, providing a fuller picture of the engagement of the Polish regulator.
What are personal data breaches and when must they be reported?
Personal data breaches are security breaches leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed. Under GDPR, the data controller is obliged to notify such a breach to the supervisory authority within 72 hours of becoming aware of it, if it is likely to pose a risk to the rights and freedoms of natural persons.
What circumstances may mitigate or aggravate the amount of the penalty?
The level of the fine is influenced, among other things, by the degree of fault, the number of affected individuals, the manner in which the breach was disclosed, compliance with previously imposed remedial measures, and conduct following the breach. Prompt remedial action that minimises harm to the data subjects, the removal of the non-compliant state, and an increased level of security may work in favour of the sanctioned entity.
Can small businesses also be subject to fines under the GDPR?
Yes – the GDPR applies to every entity processing personal data, regardless of the size of the organisation or the turnover it generates.
What are the forecasts regarding the imposition of financial penalties in 2026?
The supervisory authority will likely continue its current sanctioning policy in 2026, especially where fundamental obligations under personal data protection laws are breached. Among these areas, one should mention data security and risk analysis, as well as breach notification.