The year 2025 has brought a significant tightening of GDPR enforcement practice by the President of the Personal Data Protection Office (UODO). Already in the first months of the year, decisions were issued demonstrating that personal data protection is not merely a matter of formal documentation, but of real organizational and technical measures. Record-breaking GDPR fines in 2025 are a clear warning sign for businesses and public entities – non-compliance with the regulations today means high financial and reputational risk.
The most important decisions of the Personal Data Protection Office in 2025 – what results from the authority’s practice?
Decision DKN.5131.1.2025 concerned a public entity performing tasks of significant social importance that processed the personal data of a large number of individuals as part of its statutory powers. During the proceedings, the President of the Personal Data Protection Office (UODO) determined that the controller:
- processed personal data without a clearly defined and properly selected legal basis,
- was unable to demonstrate why the basis adopted under Article 6(1) of the GDPR was applicable to a specific processing purpose,
- violated the principle of transparency towards data subjects – the information provided to natural persons was incomplete or inadequate to the actual scope of data operations.
Importantly, the case concerned data processed in a "citizen-public institution" relationship, a situation in which an individual has limited ability to object or exercise real choice. The Personal Data Protection Office (UODO) emphasized that in such cases the public controller is held to a higher standard of care because:
- it acts from a position of authority,
- it processes data on a mass scale,
- the effects of a violation may affect a wide social group.
In the justification of the decision, the President of the Personal Data Protection Office explicitly stated that the social nature of the violation and its potential impact on the rights and freedoms of many individuals constituted an aggravating factor in the imposition of the penalty. It was this factor that determined the decision to impose the maximum sanction, even though the decision was addressed to a public entity.
This decision clearly shows that the status of a public entity does not protect against high administrative penalties, but on the contrary – in certain situations it may lead to a more severe assessment of the infringement than in the case of private entities.
Which GDPR violations most often result in penalties?
The analysis of decisions published by the Personal Data Protection Office in 2025 shows recurring risk areas:
- untimely or incorrect reporting of data breaches,
- failure to provide information about the breach to data subjects,
- technical and organizational security gaps,
- discrepancies between documentation and actual data processing practice,
- lack of cooperation with the supervisory authority during the proceedings.
The Personal Data Protection Office (UODO) increasingly examines not only "whether the procedure exists", but also whether it actually works in practice.
Highest fines imposed in 2025
- Poczta Polska SA – fine: approx. PLN 27,124,816 (€6.44 million)
Reason: unlawful disclosure and processing of personal data of approximately 30 million citizens from the PESEL register in connection with preparations for the so-called postal elections in 2020 – without a proper legal basis and in violation of the GDPR principles.
- Minister of Digital Affairs – fine: PLN 100,000
Reason: disclosing data to Poczta Polska without a legal basis (the same case as the penalty imposed on Poczta Polska).
- ING Bank Śląski SA – fine: PLN 18.4 million
Reason: unauthorized scanning of customer identity documents (including PESEL) without assessing the necessity and proportionality of processing – violation of the principles of legality and data minimization.
- McDonald's Polska Sp. z o. o. – fine: approximately PLN 16.9 million
Reason: numerous breaches of data protection rules – including disclosure of employee personal data due to lack of adequate security and control over processing by an external entity.
UODO sectoral inspection plan for 2025 – who is at increased risk?
In 2025, the Personal Data Protection Office announced inspections focused on particularly sensitive sectors, including:
- entities processing data in large-scale EU systems (e.g. SIS, VIS),
- healthcare sector and medical data processing,
- educational institutions and entities processing children's data,
- ways of keeping records of violations and documenting incidents.
This approach shows that UODO inspections can be planned rather than solely reactive, which significantly increases the inspection risk also for entities that have never been inspected before.
What do record GDPR fines in 2025 teach businesses?
1. The legal basis for processing is the foundation
Errors in identifying or documenting the legal basis for data processing may result in sanctions reaching the highest thresholds provided for in the GDPR.
2. Reporting violations is not a formality
The Personal Data Protection Office (UODO) analyses not only the timing of the notification, but also its quality, completeness and the method of assessing the risk for data subjects.
3. Procedures must work in practice
Policies and regulations alone do not protect against punishment if they are not actually applied and updated.
4. Sectoral controls increase compliance pressure
Entities from “high-risk” industries should assume an increased likelihood of inspections and prepare organizationally in advance.
Summary – how to reduce the risk of GDPR fines in 2025?
The year 2025 confirms that GDPR compliance is an ongoing process, not a one-time implementation. Record fines and announced sectoral inspections mean that businesses need:
- regular GDPR audits,
- updated documentation and procedures,
- employee training,
- testing of the real effectiveness of security measures.
Lack of preparation may result not only in financial penalties, but also in serious reputational damage.
FAQ – Record-breaking GDPR fines 2025
Can the Personal Data Protection Office impose the maximum GDPR fine on a public entity?
Yes. The 2025 decisions confirm that public entities are not exempt from the highest sanctions.
How quickly must a personal data breach be reported?
Generally, within 72 hours of becoming aware of the breach, unless it poses no risk to the rights and freedoms of natural persons.
Does the absence of GDPR procedures always result in a penalty?
Not always, but it significantly increases the risk of a penalty being imposed – especially in the case of systemic violations.
Which industries are most vulnerable to inspections in 2025?
Healthcare, education, entities processing children's data, and administrators of large IT systems.
Can a GDPR audit reduce the fine?
Yes – corrective and preventive actions are considered mitigating circumstances.
How does Graś i Wspólnicy Law Firm help in such cases?
Experience with the decisions of the President of the Personal Data Protection Office shows that the risk of GDPR violations applies not only to businesses but also to public entities carrying out tasks of significant social importance. Graś i Wspólnicy Law Firm supports both the private and public sectors in comprehensively managing compliance with personal data protection regulations.
As part of our legal services in the area of GDPR, the law firm provides assistance in, among other things:
- analysis and correct selection of the legal basis for the processing of personal data (Articles 6 and 9 of the GDPR),
- verification of compliance of processing processes with the principles of legality, transparency and data minimization,
- preparing and updating information clauses and GDPR documentation,
- support in proceedings before the President of the Personal Data Protection Office, including at the stage of inspections, explanations and appeals against decisions,
- advice on reporting personal data breaches and communicating with data subjects,
- conducting GDPR audits and training for management staff and employees.
This approach not only reduces the risk of administrative fines being imposed, but also prepares the organization for sectoral inspections by the Personal Data Protection Office and demonstrates due diligence in the event of any proceedings.
This article is for informational purposes only and does not constitute legal advice.
Legal status as of December 16, 2025