Last reviewed: 2026-05-05 · Reviewer: M.K., CIPP/E
Poland · Rzeczpospolita Polska

WEB ANALYTICS · COOKIE COMPLIANCE · EASTERN EUROPE · PL

Poland — analytics & cookie compliance reference

What you can run on a Polish-targeted website without a fine — GA4, cookies, vendor stack, and the rules behind them. UODO active on telecom + digital platforms · PESEL identifier handling under scrutiny · Polish-language privacy notices required.

// SCOPE

Web analytics, cookies, tag managers, CMPs, ad pixels, and session-replay tools as deployed on websites and apps targeting Poland. Sectoral rules (healthcare, banking, employment) are touched only where they intersect with the analytics layer.

Applicable laws

The legal framework that governs personal data processing here.

National add-ons

Country-specific statutes layered on the EU baseline.

UODO Act
Ustawa o ochronie danych osobowych
Polish implementation of GDPR opening clauses + UODO president powers + employee data + DPO appointment procedures + fines on public bodies (capped at 100,000 PLN). Establishes Urząd Ochrony Danych Osobowych as the single national supervisory authority replacing the former GIODO.
  • Art 5 Child consent age — kept at 16 (Poland did not derogate downward under GDPR Art 8(1))
  • Art 8 DPO designation procedures — notification to UODO within 14 days
  • Art 102 Public-sector fine cap — 100,000 PLN max for state/local government bodies
  • Art 107 Criminal liability — up to 3 years' imprisonment for unlawful processing of special-category data
Ustawa z dnia 10 maja 2018 r. o ochronie danych osobowych (Dz.U. 2018 poz. 1000), latest amendments through 2024
Prawo telekomunikacyjne Art 173 · Stricter
Ustawa Prawo telekomunikacyjne
Cookies + terminal-equipment access + electronic communications privacy. Art 173 transposes ePrivacy Art 5(3) — opt-in for non-essential cookies; UKE (telecom regulator) and UODO share oversight depending on the breach character.
  • Art 173(1) Storage / read access on terminal equipment requires prior, informed consent of the subscriber/end-user
  • Art 173(2) Strictly-necessary exception — narrow; analytics, marketing and A/B testing do not qualify
  • Art 173(3) Information duty — purpose, scope, and means of withdrawal must be presented before consent
Ustawa z dnia 16 lipca 2004 r. Prawo telekomunikacyjne (Dz.U. 2004 Nr 171 poz. 1800) — to be replaced by Prawo komunikacji elektronicznej (PKE) once enacted
UŚUDE
Ustawa o świadczeniu usług drogą elektroniczną
Direct marketing — email/SMS opt-in (Art 10). Polish courts have aligned Art 10 with the GDPR consent standard — opt-in must be express, specific, informed, and unambiguous; soft-opt-in is not codified, unlike the German UWG carve-out. GDPR legitimate-interest does not cure UŚUDE breach.
  • Art 10(1) Unsolicited commercial electronic communication prohibited without prior consent
  • Art 10(2) Consent must be obtained before any commercial message is sent — written form not required, but evidentiary burden lies with the sender
  • Art 24 Administrative fines for spam — up to 5,000 PLN per offence (in addition to UODO sanctions on data side)
Ustawa z dnia 18 lipca 2002 r. (Dz.U. 2002 Nr 144 poz. 1204), consolidated text Dz.U. 2020 poz. 344
Kodeks pracy Art 22(1) · Stricter
Ustawa Kodeks pracy — przepisy o monitoringu pracowniczym
Closed catalogue of employee personal data (name, parents' names, DoB, contact, education, employment history, PESEL). Anything beyond requires express written consent or specific statutory basis. Art 22(2)–22(3b) governs CCTV, email, and IT-system monitoring — must be necessary, transparent, time-limited, and announced 2 weeks in advance.
  • Art 22(1) Closed catalogue of employee data — analytics on internal tools handling more must have a non-consent legal basis
  • Art 22(2) CCTV monitoring — limited to safety, property protection, work-organisation control
  • Art 22(3) Email/IT monitoring — only with employee notification 2 weeks before launch
  • Art 22(3b) Other monitoring (location, biometrics, productivity tools) — same procedural rules as email/IT
Ustawa z dnia 26 czerwca 1974 r. Kodeks pracy, Art 22(1) introduced by 2018 amendment harmonizing with GDPR

Regulators

Supervisory authorities that interpret and enforce privacy law here.

NATIONAL
UODO · Urząd Ochrony Danych Osobowych — Personal Data Protection Office
Single national DPA — supervises all controllers and processors in Poland (private and public). No regional sub-authorities. Replaced GIODO in 2018.

Coordination body

UODO President · Prezes Urzędu Ochrony Danych Osobowych
Issues binding administrative decisions, fines, and non-binding interpretive guidance (komunikaty / wytyczne). Active member of EDPB. Cooperates with UKE (telecom regulator) on Art 173 cookie matters.
  • 2019-09-19 · Morele.net fine — First major Polish GDPR fine — 2.8M PLN against e-commerce retailer for inadequate security measures after data breach affecting 2.2M customers.
  • 2022-01 · Cookie consent guidance — UODO + UKE joint position — pre-ticked boxes invalid, equal-prominence reject button required, scrolling does not constitute consent.
  • 2024-06 · PESEL handling — UODO President emphasised heightened obligations around PESEL national identifier — must not be requested unnecessarily, never displayed in user interfaces in full, breach reports prioritised when PESEL is implicated.
  • 2025-03 · Polish-language notices — UODO position aligned with Ustawa o języku polskim — privacy notices and consent banners on Polish-targeted sites must be available in Polish; English-only is insufficient where Polish consumers are addressed.

Notable enforcement

UODO sits in the middle tier of EU enforcers by fine volume — fewer headline-amount cases than France/Italy/Germany, but consistent quarterly activity in security, telecom, and unsolicited-marketing dossiers. Polish administrative courts (WSA Warsaw, NSA) have annulled or reduced several flagship fines (Bisnode, ClickQuickNow), creating a trend where UODO pursues smaller-but-defensible amounts. Recent focus areas: PESEL handling, telecom sector (Toya, Wirtualna Polska, telco breach notifications), digital-platform consent layers, and finance-sector security breaches.

  1. 2025-02 · €1.1M · Major bank (anonymised) · UODO · Art 5, 32 · stood
     Finance-sector breach — improper PESEL handling in internal tools + retention beyond purpose. UODO 2025 PESEL-focus dossier.

  2. 2024-02 · €870k · Morele.net (re-issued) · UODO · Art 32, 5(1)(f) · stood
     Re-issued fine after NSA annulment of the 2019 decision. PLN 3.8M for the same 2018 data breach — UODO confirmed inadequate technical-organisational measures (encryption, two-factor authentication absent).

  3. 2019-09 · €644k · Morele.net · UODO · Art 32 · annulled, then re-issued
     2.8M PLN fine — inadequate security measures after a data breach affecting 2.2M customers (e-commerce retailer). Annulled by the Supreme Administrative Court (NSA) in Feb 2023 (case III OSK 3945/21) on procedural grounds (UODO refused Morele's request to appoint an external technical expert). UODO re-issued a fresh decision on 8 Feb 2024 — PLN 3.8M (~€870K), confirming the underlying security failures.

  4. 2020-12 · €215k · ID Finance Poland · UODO · Art 32 · stood
     1M PLN — security failures around the lender platform. Stood on appeal.

  5. 2024-11 · €75k · Wirtualna Polska · UODO · Art 32 · stood
     Digital-media group — security incident affecting reader accounts. Fine reflects mitigation steps taken; UODO emphasised PESEL-adjacent identifiers in the published decision.

  6. 2024-03 · €53k · Toya Sp. z o.o. · UODO · Art 33, 34 · stood
     Telecom operator — late notification of a personal-data breach (subscriber data exposed). 247K PLN. Stood.

  7. 2019-04 · €50k · Bisnode Poland · UODO · Art 14 · annulled
     220K PLN — failure to fulfil the information duty toward 6M individuals whose data was scraped from public registers. Annulled by the NSA (Polish Supreme Administrative Court) in 2022 on proportionality grounds.

GA4 status

GA4 is usable in Poland with prior, explicit, granular consent under Art 173 Prawo telekomunikacyjne. UODO has aligned with EDPB and accepts post-DPF transfers (10 Jul 2023) while Google LLC remains DPF-certified. UODO has not issued the GA4-specific decisions seen in CNIL/Datatilsynet/Garante; posture is moderate. Polish-language consent banner and privacy notice required.

DPA · Stance
UODO · Moderate post-DPF — transfers lawful with DPF + explicit consent. Polish-language banner and notice required. PESEL must never enter the analytics dataset.

Cross-border transfers + Schrems II

UODO accepts EU-US Data Privacy Framework adequacy (10 Jul 2023) for DPF-certified US importers — moderate posture aligned with EDPB. For non-DPF US recipients, Schrems II Transfer Impact Assessment + supplementary measures expected. UODO has not issued enforcement action against GA4 specifically (unlike CNIL or Datatilsynet), but expects documented basis where transfers are involved.

EU 2021/914 SCCs remain the fallback when DPF certification is absent or revoked. UODO references EDPB Recommendations 01/2020 on supplementary measures. Onward-transfer documentation under SCC Module 2/3 is reviewed during inspections.

Employee data

Key thresholds

  • Child consent age: 16 years
  • Article 27 representative: Required
  • Marketing consent: Double opt-in

Vendor signals

Red / yellow / green markers are an editorial reading of public regulator guidance and published enforcement actions, applied to vendor behavior we can observe or that the vendor documents. They are not legal conclusions, not endorsements, and not advice about your specific processing. Configuration changes the picture — a "yellow" vendor in one configuration may be defensible in another.

Analytics tools · 4 · 0 green · 3 yellow · 1 red
Vendor · Status · Rationale
  • YELLOW — Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation.
  • YELLOW — EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain.
  • YELLOW — EU cloud helps, but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green.
  • RED — Auto-capture grabs every click and form value — broad PII risk under GDPR Art 5(1)(c) data minimisation.

Consent management platforms · 5 · 5 green · 0 yellow · 0 red
Vendor · Status · Rationale
  • GREEN — Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent — verify your manual scripts also gate.
  • GREEN — Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan.
  • GREEN — Open-source, self-hosted. No managed updates — site owner maintains the vendor list.
  • GREEN — GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch — verify per-region defaults.
  • GREEN — German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites.

Ad pixels · 3 · 0 green · 0 yellow · 3 red
Vendor · Status · Rationale
  • RED — Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set.
  • RED — Schrems II concerns persist; advanced matching hashes PII but does not fix the EU→US transfer problem.
  • RED — PRC-parent ownership flagged by the Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required.

Server-side · 3 · 2 green · 1 yellow · 0 red
Vendor · Status · Rationale
  • GREEN — EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic.
  • GREEN — EU server containers handle the routing — but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings.
  • YELLOW — "EU server" ≠ EU data — clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party routing.


Common questions

Is Google Analytics legal in Poland in 2026?
Yes, conditionally. GA4 is usable in Poland only with prior, explicit, granular consent under Art 173 Prawo telekomunikacyjne. After EU-US DPF (10 Jul 2023), transfers to Google's US servers are lawful while Google LLC remains DPF-certified. UODO has not issued the GA4-specific bans seen in France/Italy/Norway, but expects a Polish-language consent banner and privacy notice on Polish-targeted sites.
Does UODO actively enforce against analytics and cookies?
UODO sits in the middle tier of EU enforcers. Headline-amount cases focus on security failures (Morele.net, ID Finance, finance/telecom breaches) rather than cookie-banner sweeps — but a UODO + UKE joint sweep launched in 2025 targets top-100 e-commerce sites for pre-ticked boxes, missing reject buttons, and dark patterns. Polish administrative courts have annulled or reduced several fines on proportionality grounds, so UODO pursues defensible amounts.
Do I need a Polish DPO?
Polish UODO Act follows GDPR Art 37 — no national headcount threshold (unlike Germany's BDSG §38). DPO is mandatory when one of the GDPR triggers is met: public authority, core activity = large-scale regular monitoring, or core activity = large-scale special-category/criminal data. Notification to UODO is required within 14 days of designation.
What is the child-consent age in Poland?
16 years old. Poland did not derogate downward from GDPR Art 8(1) and kept the default age of 16. Information-society services offered directly to children under 16 require parental consent; analytics on children's content needs particular care.
Must my privacy notice be in Polish?
Yes for Polish-targeted sites. UODO position aligns with Ustawa o języku polskim — privacy notices, cookie banners, and consent texts addressed to Polish consumers must be available in Polish. English-only is insufficient when targeting indicators are present (Polish-language site, .pl domain, PLN pricing, PL-language marketing). The targeting test mirrors GDPR Art 3(2).
How must I handle the PESEL number?
PESEL is the Polish national identifier and is treated as a high-sensitivity data point even though GDPR does not list it as 'special category'. UODO expectations: never request PESEL unless statutorily required (employment, tax, healthcare, banking); never display PESEL in full in user interfaces or admin dashboards; never include PESEL in analytics URL parameters, form-tracking payloads, or session-replay capture; breach notifications involving PESEL receive heightened scrutiny.
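A defender-side check for the PESEL leakage paths listed above (analytics URL parameters and form-tracking payloads), added here as an example and not taken from this page or from any vendor's SDK: it validates the PESEL control digit and birth-date encoding, then redacts matching values from a constructed GA4-style collect URL and a constructed form payload before they are sent. The collect URL shape, the `G-TEST0000` property id and all sample values are constructed placeholders.

```javascript
// Added example (not from the page): find and redact PESEL-shaped values
// before an analytics hit or form-tracking payload leaves the tag layer.
const PESEL_WEIGHTS = [1, 3, 7, 9, 1, 3, 7, 9, 1, 3];

// Constructed sample hit (G-TEST0000 is a placeholder id): a PESEL leaks via the
// page location carried in `dl`; ep.order_id is an 11-digit non-PESEL value.
const SAMPLE_HIT = "https://www.google-analytics.com/g/collect?v=2&tid=G-TEST0000" +
  "&dl=https%3A%2F%2Fexample.pl%2Fkonto%3Fpesel%3D44051401359&ep.order_id=12345678901";

// PESEL: 11 digits, weighted control digit; the month field carries a century
// offset (+20 for 2000s, +40 for 2100s, ...), so month % 20 must be a real month.
function isPesel(candidate) {
  if (!/^\d{11}$/.test(candidate)) return false;
  const d = candidate.split("").map(Number);
  const sum = PESEL_WEIGHTS.reduce((acc, w, i) => acc + w * d[i], 0);
  if ((10 - (sum % 10)) % 10 !== d[10]) return false;
  const month = Number(candidate.slice(2, 4)) % 20;
  const day = Number(candidate.slice(4, 6));
  return month >= 1 && month <= 12 && day >= 1 && day <= 31;
}

// Replace every stand-alone 11-digit run that passes the PESEL check; other
// 11-digit values (order ids) and longer digit runs (phone numbers) pass through.
function redactPesel(text) {
  let count = 0;
  const out = String(text).replace(/(?<!\d)\d{11}(?!\d)/g, (m) => {
    if (!isPesel(m)) return m;
    count += 1;
    return "[PESEL-REDACTED]";
  });
  return { text: out, count };
}

// Scrub every query value of a GA4-style collect URL, including the nested page URL in `dl`.
function scrubAnalyticsUrl(hitUrl) {
  const url = new URL(hitUrl);
  let total = 0;
  for (const [key, value] of [...url.searchParams.entries()]) {
    const { text, count } = redactPesel(value);
    if (count > 0) { url.searchParams.set(key, text); total += count; }
  }
  return { url: url.toString(), count: total };
}

// Scrub a form-tracking payload (field name -> captured value) the same way.
function scrubFormPayload(payload) {
  let total = 0;
  const clean = Object.fromEntries(Object.entries(payload).map(([field, value]) => {
    const { text, count } = redactPesel(value); total += count; return [field, text];
  }));
  return { payload: clean, count: total };
}
```

Run the scrubbers inside the tag manager or CMP hook that fires just before the hit is dispatched; a non-zero count is also a useful detection signal to log, since it shows where PESEL is entering the analytics layer.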
Is 'legitimate interest' a valid basis for analytics in Poland?
No, for non-essential analytics that store or read on terminal equipment. Art 173 Prawo telekomunikacyjne is independent of GDPR Art 6 — it requires opt-in consent for any non-strictly-necessary cookie or device-storage technology, regardless of GDPR lawful basis. Art 173 governs the cookie/tracking layer; GDPR governs subsequent processing.
What about employee monitoring and analytics tools (Kodeks pracy)?
Kodeks pracy Art 22(1) sets a closed catalogue of employee data; Art 22(2)–22(3b) govern monitoring. CCTV, email, and IT-system monitoring (which captures most analytics on internal tools) require: documented necessity, 2-week prior notification to staff, time-limited storage, and inclusion in work regulations or collective agreement. Productivity-tracking pixels, Hotjar on internal dashboards, and full-session-capture tools fall under Art 22(3b) and require the same procedural rigour. PESEL appearing in monitored output triggers heightened UODO scrutiny.
Do I need a Polish Article 27 representative?
Yes, if you are a non-EU controller offering goods/services to or monitoring behavior of people in Poland (or any EEA state), unless the small-business exception in Art 27(2) applies. UODO has shown willingness to enforce against non-designation, especially for digital platforms targeting Polish consumers.
Is double opt-in required for email marketing in Poland?
Functionally yes. Ustawa o świadczeniu usług drogą elektroniczną (UŚUDE) Art 10 requires prior, express, specific, informed, and unambiguous consent before any commercial electronic communication. Polish courts have aligned this with the GDPR consent standard. There is no statutory soft-opt-in carve-out for existing customers (unlike Germany's UWG §7(3)), so confirmed-opt-in (double opt-in) is the evidentiary standard most controllers adopt to discharge the burden of proof.

// EDITORIAL · NOT LEGAL ADVICE This page summarises Poland's privacy framework as of 2026-05-05. Rules vary by sector, establishment, and DPA position. For binding interpretation, consult counsel admitted here.