Poczta Polska (Polish Post) – €224,969 Fine (Poland, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The case concerned Poczta Polska S.A., the Polish national postal operator (the controller). On 24 February 2023, the controller notified the Polish Data Protection Authority (UODO) of a personal data breach involving unauthorised access to a tax document . While examining the breach notification, the DPA identified that the controller’s Data Protection Officer (DPO) simultaneously held several senior management roles within the organisation. In particular, the DPO served as: i) Director of an organisational unit; ii) Proxy for Classified Information Protection; and iii) Proxy for the Information Security Management System. Under the controller’s internal Organisational Regulation, the Director of unit “V.” was responsible for organising and improving the information protection system, including the protection of personal data. In that role, the DPO directly supervised the Information Protection Department, which was responsible for monitoring compliance, managing risks, conducting audits, and issuing opinions on contracts relating to data protection. In addition, the DPO held a power of attorney granted by the Management Board to represent the controller before the DPA and administrative courts in data protection matters. The controller acknowledged that it had not documented any formal assessment of potential conflicts of interest arising from the combination of these roles. It argued that no conflict existed because the DPO reported directly to the Management Board and was supported by a dedicated team. The controller also had not established any rules to prioritise the DPO’s tasks in the event of conflicting duties. During the DPA’s investigation, in March 2025, the controller changed its organisational structure by dissolving unit “V.” and establishing an independent DPO function reporting directly to the Management Board. The Polish DPA held that the controller infringed Article 38(6) GDPR by appointing a DPO who simultaneously held senior management positio
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The case concerned Poczta Polska S.A., the Polish national postal operator (the controller). On 24 February 2023, the controller notified the Polish Data Protection Authority (UODO) of a personal data breach involving unauthorised access to a tax document . While examining the breach notification, the DPA identified that the controller’s Data Protection Officer (DPO) simultaneously held several senior management roles within the organisation. In particular, the DPO served as: i) Director of an organisational unit; ii) Proxy for Classified Information Protection; and iii) Proxy for the Information Security Management System. Under the controller’s internal Organisational Regulation, the Director of unit “V.” was responsible for organising and improving the information protection system, including the protection of personal data. In that role, the DPO directly supervised the Information Protection Department, which was responsible for monitoring compliance, managing risks, conducting audits, and issuing opinions on contracts relating to data protection. In addition, the DPO held a power of attorney granted by the Management Board to represent the controller before the DPA and administrative courts in data protection matters. The controller acknowledged that it had not documented any formal assessment of potential conflicts of interest arising from the combination of these roles. It argued that no conflict existed because the DPO reported directly to the Management Board and was supported by a dedicated team. The controller also had not established any rules to prioritise the DPO’s tasks in the event of conflicting duties. During the DPA’s investigation, in March 2025, the controller changed its organisational structure by dissolving unit “V.” and establishing an independent DPO function reporting directly to the Management Board. The Polish DPA held that the controller infringed Article 38(6) GDPR by appointing a DPO who simultaneously held senior management positio
Related Enforcement Actions (0)
No other enforcement actions found for Poczta Polska (Polish Post) in PL
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
2 January 2026
Authority
Urząd Ochrony Danych Osobowych
Fine Amount
€224,969
978,128 PLN
GDPRhub ID
gdprhub-9770About this data
Cite as: Cookie Fines. Poczta Polska (Polish Post) - Poland (2026). Retrieved from cookiefines.eu
Last updated: