


2025 plan of sectoral inspections by the Personal Data Protection Office – who can expect PDPO inspectors?


​​​by ​​​Maciej Szczepanowski​

11 February 2025


As in previous years, the Personal Data Protection Office (PDPO) published its plan of sectoral inspections for 2025 at the beginning of the year, indicating the entities to be investigated.

PDPO’s sectoral inspections in 2025 – who is going to be investigated?


  1. Authorities which process personal data in large-scale IT systems of the European Union – inspections will cover SIS/VIS data processing pursuant to the Act of 24 August 2007 on Poland’s Participation in the Visa Information System and the Schengen Information System (Journal of Laws of 2023, item 1355, as amended), implementing regulations and European Union laws.
  2. Processors of health data – methods of safeguarding the personal data.
  3. Processors of children's data – processing of children's image where the consent from parents or guardians is required.
  4. Data controllers – fulfilment of the obligation under Article 33(5) GDPR to document all personal data breaches, including circumstances of the breaches, their effects and preventive measures adopted in response.​

Inspections of data controllers


Please pay attention to this last point which, in practice, covers the largest number of entities from both the public and private sector, regardless of their line of business and size.

If the PDPO comes for an inspection, the documentation of personal data breaches should let the inspectors, among other things:

  • verify whether the breach occurred and what its nature was;
  • assess the measures the controller took to mitigate the adverse effects of the incident and reduce the risk of similar incidents.

Please remember that the above-mentioned documentation obligation also applies to breaches that do not have to be reported to the supervisory authority, i.e. situations in which the data controller has decided that the breach is unlikely to pose a risk to the rights and freedoms of individuals.

Every deficiency or shortcoming in the documentation of breaches detected in the course of an inspection exposes the data controller to harsh penalties from the President of the PDPO.

If you have any doubts about your documentation, we offer comprehensive assistance in implementing solutions to ensure full compliance with personal data protection laws. You are welcome to contact us.
