GDPR
General Data Protection Regulation
Also called: RODO, Regulation 2016/679, EU GDPR
GDPR is EU Regulation 2016/679, in force since 25 May 2018, governing personal data processing in the EU. It applies to every Polish company regardless of size, is enforced by UODO, and carries fines of up to EUR 20 million or 4% of global annual turnover.
GDPR (Polish: RODO) is EU Regulation 2016/679 of 27 April 2016, directly applicable across all Member States since 25 May 2018.
Who it applies to
Every company in Poland (and the EU) that processes personal data - no size threshold. A sole proprietorship maintaining a simple client list operates under the same rules as a bank.
Key obligations
- Records of processing activities (Article 30) - internal document describing every processing operation.
- Information notice (Article 13) - informing data subjects.
- Data Processing Agreement (DPA, Article 28) - with every processor handling data on your behalf.
- Technical and organisational measures (Article 32) - MFA, encryption and backups proportionate to the risk.
- Breach procedure (Articles 33-34) - notify UODO within 72 hours.
- Subject rights (Articles 12-22) - access, rectification, erasure, objection.
Fines
Article 83: up to EUR 20 million or 4% of global turnover (whichever is higher) for fundamental violations; up to EUR 10 million or 2% for other breaches. UODO levied PLN 13.7 million in fines in 2023; Polish SMBs typically receive PLN 5,000-50,000.
What it means for an SMB in practice
Baseline: processing register, information notices, DPAs with SaaS suppliers, MFA on critical accounts, disk encryption, backups, breach procedure. Most of this can be deployed in 1-2 weeks of internal work.
Last updated: 2026-05-28