Updated as of: September 17, 2025

Poland’s data protection authority continues its aggressive enforcement campaign against major banks, with ING Bank Śląski receiving an 18.4 million zloty fine for excessive identity document scanning—marking the second-largest privacy penalty in Polish history.


Executive Summary

Poland’s Personal Data Protection Office (UODO) is establishing itself as one of Europe’s most assertive data protection enforcers in the banking sector, imposing substantial fines that collectively exceed €6 million across major financial institutions in just over a year. The 18.4 million zloty (€4.3 million) penalty against ING Bank Śląski represents the largest fine ever imposed on a private company in Poland and underscores the regulator’s determination to hold banks accountable for privacy violations.

This enforcement trend reveals a systematic focus on banking compliance failures, particularly around data breach notifications and excessive data processing practices. For financial institutions operating in Poland, the message is unmistakable: traditional banking secrecy arguments no longer shield institutions from data protection obligations.


ING Bank Śląski: When Anti-Money Laundering Goes Too Far

The Violation: Systematic Over-Collection of Identity Data

Poland’s data protection agency has fined ING Bank Śląski – which is majority owned by the Dutch ING Group – 18.4 million zloty (€4.3 million) for breaching EU privacy rules, making it the second-largest such penalty ever issued by the agency and the biggest against a private company.

The Personal Data Protection Office (UODO) said that ING, the fourth-largest bank in Poland in terms of assets, had unlawfully scanned and stored customers’ and prospective clients’ identity cards between April 2019 and September 2020.

The Anti-Money Laundering Defense Falls Short

The bank said it introduced the practice to comply with anti-money laundering (AML) rules but, according to UODO, its actions exceeded what was required by law. Under Poland’s 2018 anti-money laundering act, which implemented an earlier EU directive, lenders may process and copy information from identity documents. UODO, however, said that ING had applied the rule excessively and without adequate legal basis.

The regulator identified systematic problems with ING’s approach:

Excessive Application: “Identity documents were…scanned in cases not related to the fulfilment of obligations specified in the AML act,” the agency said in a statement, noting that while the copying of documents is permitted, it is not mandatory and should be preceded by an assessment of whether it is necessary, something that ING failed to do on a large scale.

Inappropriate Use Cases: UODO gave the example of an individual who tried to file a complaint about a bank branch’s ATM. According to the Dziennik Gazeta Prawna daily, the person was informed by the bank that their identity card would have to be scanned before the complaint could be accepted, even though the query was unrelated to AML.

Scale and Risk Assessment

UODO also highlighted the risks related to the mass processing of personal data. It noted that any such activity “must be associated with a higher level of responsibility” and “a higher level of due diligence” on the part of the controller, “as it may have negative consequences for many people”.

The scale of potential impact was substantial: In 2020, ING had 4.72 million customers in Poland, including 4.24 million individual customers and 486,000 corporate customers, said the agency, citing the bank’s data.

Bank’s Response and Remediation

The bank said it had fully cooperated with UODO during proceedings, explaining that the scans were collected solely to meet obligations under the AML law. It has also changed its procedures, limiting the copying of identity documents only to cases involving new customers or existing client data changes.

However, UODO imposed a fine of 18.4 million zloty on ING, saying that the penalty was “effective, proportionate and had a discouraging effect”. Last year, the bank achieved a consolidated net profit of 4.4 billion zloty.


Poland’s Banking Enforcement Spree: A Pattern of Substantial Penalties

mBank: €870,000 for Breach Notification Failures

In September 2024, the UODO published information about another significant fine imposed on one of the top banks in Poland, mBank (PLN 4,053,173, approx. EUR 969,659.00), for failing to notify a personal data breach to the data subjects affected by the data leak.

The Incident: The breach occurred on June 30, 2022, when sensitive customer data was mistakenly sent by an employee of a third-party processor to an unauthorized recipient at another financial institution. Although the documents were returned to mBank, the envelope had been opened, increasing the risk that the personal data may have been accessed by third parties.

Data Exposed: The exposed information included names, birth dates, addresses, national identification numbers (PESEL), bank account details, income and asset data, and other identifiers, such as mother’s maiden names and ID card numbers.

Failed Defense: mBank argued that the breach did not require notification because the recipient institution was bound by banking secrecy laws and considered a “trusted entity.” The bank relied on assurances that the documents had not been copied or misused by the recipient.

Regulatory Rejection: The UODO rejected mBank’s defense, referring to GDPR Guidelines 9/2022, which specify that the status of the recipient is not sufficient to avoid the obligation to notify. The guidelines emphasize that a trusted recipient must have a long-term, direct relationship with the sender, along with a track record of secure data handling practices.

Santander Bank Polska: €344,498 for Lost Documents

Another very recent landmark case, from April 2024, concerns the UODO’s decision to fine one of the largest Polish banks, Santander Bank Polska S.A., PLN 1,440,000 (approx. EUR 344,498) for the lack of data breach notification.

In this case the bank did not notify the data breach concerning a lost parcel with bank documents containing personal data such as PESEL numbers, bank usernames and passwords, ID numbers, etc. Shortly after the parcel was lost by the courier, it was found by an identified person, who took it directly to the police station and stated that he had not copied the documents found.

Nevertheless, the UODO indicated that the security of personal data was more important than the interests of the data controller. Moreover, the lack of the data breach notification had prevented the affected persons from responding appropriately to the breach, which could have had serious consequences for them.

Bank Millennium: €80,000 for Notification Failures

The Personal Data Protection Office (UODO) learnt about the personal data breach from a complaint lodged against the bank. The complaint concerned the loss by a courier company of correspondence containing personal data, such as: name, surname, personal identification number (PESEL number), registered address, bank account numbers, identification number assigned to the bank’s customers.

In the course of the case, it turned out that the data controller had failed to comply with its obligations in relation to personal data breach. The bank considered that the risk of adverse effects for persons affected by the breach was medium; therefore, it did not notify this breach to the supervisory authority, and did not fully comply with the obligation to communicate it to the data subjects.

When deciding to impose a fine of 80,000 EUR, the UODO took into account, among other things, the fact that, during the proceedings, the bank had still failed to fulfil its obligations relating to the breach, as well as the unsatisfactory level of cooperation with the supervisory authority, the intentional nature of the activity and the nature and gravity of the breach.


UODO’s Strategic Enforcement Approach

Regulatory Focus Areas

It cannot be clearly stated whether the Polish data protection authority – the President of the Personal Data Protection Office (“Prezes Urzędu Ochrony Danych Osobowych”, “UODO”) deliberately focuses on certain types of violations. However, we observe that the UODO has increased its activity in terms of imposing fines for violations involving insufficient technical and organisational measures to ensure information security, and insufficient fulfilment of data breach notification obligations.

New Leadership’s Priorities

As of 26 January 2024, a new DPA was appointed by the Polish Parliament. The new DPA is highly active and places significant emphasis on the protection of citizens’ rights (e.g. through cooperation with the ombudsman for children’s rights). He also seeks to maintain a dialogue with various market sectors.

In 2025, the DPA’s main focus has shifted compared to the previous years and includes: the processing of health data (with a particular emphasis on data security), the processing of children’s personal data (especially images requiring parental consent), and the documentation of data breaches under Article 33(5) of the GDPR.

Transparency and Messaging

The decisions are published if the UODO deems it justified by the public interest, in particular if by a fine the UODO can “send a message” to the Polish companies like e.g. in the Santander, mBank or Poczta Polska cases.


Financial Impact and Enforcement Philosophy

Proportionality Considerations

Despite substantial absolute amounts, the fines represent relatively modest percentages of bank revenues:

  • mBank: The penalty, while substantial, represents just 0.0024% of the bank’s annual turnover, raising questions about the relative impact of such fines on large financial institutions
  • ING Bank Śląski: Last year, the bank achieved a consolidated net profit of 4.4 billion zloty, making the 18.4 million zloty fine approximately 0.4% of annual profit

Deterrent Effect Strategy

In the opinion of the supervisory authority, the amount of the fine will fulfil a repressive function, as not only this particular controller, but also others, will properly fulfil their obligations related to data breaches.

The UODO’s approach emphasizes industry-wide deterrence rather than purely punitive measures against individual institutions.


Digital Operational Resilience Act (DORA)

The Digital Operational Resilience Act or DORA came into force at the start of this year. It has already affected the financial sector, but financial market participants such as payment institutions, investment firms or crypto-asset service providers (CASPs) are still looking for proper compliance guidelines.

Enhanced Supervisory Framework

A key regulatory shift that took effect at the start of 2024 was the introduction of supervision over all lending institutions by the KNF, following legislative changes finalised in late 2023. This regulatory overhaul brought stricter capital, organisational and business requirements, fundamentally reshaping the consumer finance landscape.

Sectoral Inspection Plans

The Personal Data Protection Office’s Sectoral Inspection Plan for 2025 includes sectors where the risk of violating personal data protection regulations may be particularly high, with specific focus on:

  1. Authorities processing personal data in Large-Scale European Union Systems
  2. Entities processing health data – the method of ensuring the security of personal data
  3. Entities processing children’s data – processing children’s images when parental or legal guardian’s consent is required

Best Practices for Banking Compliance in Poland

Data Breach Notification Excellence

Immediate Notification Requirements: Banks must notify UODO within 72 hours of becoming aware of a breach, regardless of the recipient’s status or assurances.

Customer Communication: The President of the UODO stressed that mBank’s failure to notify its customers deprived them of the opportunity to protect themselves against potential risks, such as identity theft or financial fraud.

Documentation Standards: The new DPA is also actively involved in revising the guidelines published by his predecessor DPA shortly after the entry into force of the GDPR, which have not been updated since. For instance, the updated guide on data breaches was published in February 2025.

Data Processing Justification

Necessity Assessment: Every data processing activity must be preceded by an assessment of whether it is truly necessary for the stated purpose.

Scope Limitation: While the copying of documents is permitted, it is not mandatory and should be preceded by an assessment of whether it is necessary.

Regular Review: Banks should regularly review their data processing practices to ensure they remain proportionate and necessary.

Cooperation with Supervisory Authority

We also observe that the UODO more often imposes fines/corrective measures for non-cooperation with the UODO. Therefore, companies should not ignore any letters from the UODO.

Proactive Engagement: Banks should engage constructively with UODO investigations and implement recommended remedial measures promptly.

Transparency: Full cooperation during proceedings can influence penalty calculations.


Looking Forward: The Evolution of Polish Data Protection Enforcement

Increasing Financial Stakes

The progression of penalties shows escalating enforcement:

  • Bank Millennium (2021): €80,000
  • Santander (2024): €344,498
  • mBank (2024): €870,000
  • ING Bank Śląski (2025): €4.3 million

Sectoral Impact Beyond Banking

Earlier this year, UODO fined Poland’s state post office, Poczta Polska, 27 million zloty for unlawfully processing data from 30 million citizens while preparing for the 2020 presidential election, demonstrating that enforcement extends beyond private sector entities.

International Compliance Considerations

For international banks operating in Poland, the enforcement pattern reveals several key considerations:

No Banking Secrecy Shield: Traditional banking confidentiality arguments do not override GDPR obligations.

Local Regulatory Relationships: The status of recipients within the Polish banking sector does not automatically create “trusted entity” exemptions.

Operational Integration: Data protection compliance must be integrated into operational procedures, not treated as a separate compliance exercise.


Strategic Recommendations for Financial Institutions

Immediate Actions

  1. Comprehensive Data Processing Audit: Review all data collection and processing activities to ensure they meet necessity and proportionality standards
  2. Breach Response Enhancement: Update breach notification procedures to ensure 72-hour compliance regardless of recipient status
  3. Staff Training: Implement comprehensive GDPR training focusing on breach identification and response procedures
  4. Documentation Review: Ensure all data processing activities are properly documented with clear legal bases

Medium-term Strategic Initiatives

  1. Privacy by Design Implementation: Integrate data protection considerations into all new product development and operational procedures
  2. Third-party Risk Management: Enhance due diligence procedures for processors and other third parties handling personal data
  3. Regular Compliance Reviews: Establish ongoing monitoring and review processes to identify potential compliance gaps
  4. Stakeholder Engagement: Maintain proactive dialogue with UODO and industry associations on evolving compliance expectations

Technology and Operational Excellence

  1. Data Minimization: Implement technical measures to ensure only necessary data is collected and processed
  2. Automated Compliance Monitoring: Deploy systems to automatically detect potential compliance issues and breach incidents
  3. Enhanced Security Measures: Businesses should consider reviewing their implemented security measures and internal processes as regards personal data breaches

Conclusion: A New Era of Accountability

Poland’s systematic enforcement against major banks represents a fundamental shift in data protection supervision, moving from advisory guidance to substantial financial penalties. The ING Bank Śląski fine, as the largest penalty against a private company in Polish history, establishes a new benchmark for enforcement and signals UODO’s commitment to holding even the largest financial institutions accountable.

Key Takeaways for the Banking Sector:

  1. Traditional Defenses Are Failing: Banking secrecy, AML compliance, and “trusted entity” arguments no longer provide adequate protection from data protection obligations
  2. Systematic Enforcement: UODO’s pattern of banking fines suggests ongoing sectoral scrutiny rather than isolated enforcement actions
  3. Escalating Financial Impact: Penalty amounts are increasing substantially, with the latest fine representing a 500% increase over the previous largest private sector penalty
  4. Operational Integration Required: Data protection compliance must be integrated into core banking operations, not treated as a separate compliance function

The Broader Message: Polish banks can no longer treat data protection as a peripheral compliance requirement. The substantial financial penalties, combined with reputational impact and operational disruption, make robust data protection compliance a strategic business imperative.

For international financial institutions, Poland’s enforcement evolution provides a preview of the regulatory environment across Central and Eastern Europe, where data protection authorities are increasingly asserting their supervisory powers with meaningful financial consequences.

The era of compliance through good intentions is over. In Poland’s banking sector, data protection excellence is now a business-critical requirement, backed by some of Europe’s most substantial enforcement actions.


This analysis is based on publicly available regulatory decisions and enforcement actions as of September 17, 2025. Banks should consult with local legal counsel for specific compliance guidance and stay updated on evolving UODO enforcement policies.