RODO Privacy Guide: Your Rights Under Poland's GDPR and How to Exercise Them
Complete guide to RODO (Polish GDPR) for individuals. Learn your data protection rights, how to file complaints with UODO, request data deletion, and protect your personal information.
RODO — Rozporządzenie o Ochronie Danych Osobowych — is Poland's implementation of the European General Data Protection Regulation (GDPR). It gives every person in Poland powerful rights over their personal data. Yet most Poles do not know what RODO actually allows them to do. Companies count on this ignorance.
This guide explains your rights in plain language and shows you exactly how to exercise them.
What Is RODO and Who Does It Protect?
RODO applies to every organization that processes personal data of people in Poland — whether the organization is based in Poland, the EU, or anywhere else. It covers:
- Your name, PESEL, address, phone number
- Email addresses and online identifiers
- Health data, biometric data, financial records
- Location data, browsing history, purchase history
- Employment records, tax information
If a company has any of your personal data, RODO applies to them.
Your 8 Core Rights Under RODO
| Right | What It Means | When to Use It |
|---|---|---|
| Right of Access | You can ask any company what data they have about you | When you want to know what a company stores |
| Right to Rectification | You can demand correction of inaccurate data | When your personal details are wrong |
| Right to Erasure ("Right to Be Forgotten") | You can demand deletion of your data | When you no longer use a service |
| Right to Restriction | You can limit how your data is processed | When you dispute data accuracy |
| Right to Data Portability | You can get your data in a machine-readable format | When switching services |
| Right to Object | You can object to data processing, including marketing | When you receive unwanted marketing |
| Right Not to Be Profiled | You can opt out of automated decision-making | When algorithms affect decisions about you |
| Right to Be Informed | Companies must tell you what they collect and why | Always — before data collection begins |
How to Exercise Your RODO Rights
Step 1: Identify the Data Controller
Find out who processes your data. This is usually in the company's "Polityka prywatności" (Privacy Policy) or "RODO" section on their website. Look for the "Administrator Danych Osobowych" (Data Controller) and their contact details.
Step 2: Submit a Written Request
Send an email or letter to the company's Data Protection Officer (Inspektor Ochrony Danych, IOD). Your request should include:
- Your full name and a way to verify your identity
- A clear statement of which right you are exercising
- A specific description of the data you want accessed, corrected, or deleted
- A reference to RODO/GDPR as your legal basis
Step 3: Wait for Response
The company has 30 days to respond to your request. This can be extended by 60 days for complex cases, but they must inform you of the extension within the first 30 days.
Step 4: Escalate if Ignored
If the company does not respond or refuses your request without valid legal grounds, you can file a complaint with UODO.
Filing a Complaint with UODO
UODO (Urząd Ochrony Danych Osobowych) is Poland's data protection authority. They have the power to investigate companies, issue fines up to 20 million EUR (or 4% of global annual revenue), and order compliance.
How to File
- Online: Visit uodo.gov.pl and use the electronic complaint form
- By mail: Send a written complaint to UODO, ul. Stawki 2, 00-193 Warszawa
- Via ePUAP: Submit through the gov.pl electronic administration platform
What to Include
- Your personal details (name, address, contact)
- The company you are complaining about (name, address)
- Description of what happened and which rights were violated
- Copies of your request to the company and their response (or lack thereof)
- What outcome you are seeking
Typical Timeline
- UODO acknowledges receipt within 30 days
- Investigation can take 3-12 months depending on complexity
- UODO issues a decision ordering the company to comply or imposing a fine
Practical RODO Scenarios
Deleting Your Account and Data
You stopped using a Polish e-commerce site two years ago. You can request complete deletion of your account and all associated data. The company must comply unless they have a legal obligation to retain certain data (such as tax records for 5 years).
Stopping Marketing Emails
A company keeps sending you promotional emails even though you have unsubscribed. Under RODO, you have an absolute right to object to direct marketing. File a formal RODO objection, and if they continue, report them to UODO.
Employer Data After Leaving a Job
Your former employer still has your personal data. They can retain employment records as required by Polish labor law (typically 10 years for post-2019 employees), but they must delete any data not required by law upon your request.
Data Breach Notification
A company that has your data suffers a breach. Under RODO, they must notify UODO within 72 hours and inform you directly if the breach poses a high risk to your rights.
Protecting Your Data Proactively
- Minimize data sharing — Only provide personal data when truly necessary
- Read privacy policies — At least skim the data collection and sharing sections
- Use data deletion requests — Clean up old accounts regularly
- Monitor data breaches — Check haveibeenpwned.com with your email
- Be cautious with consent — Untick optional marketing checkboxes
- Use pseudonyms where real names are not legally required
Share Personal Documents Safely
When you must share personal documents containing PESEL numbers, addresses, or financial details with a lawyer, accountant, or government office, do not send them as email attachments where they sit in inboxes forever. Use LOCK.PUB to create an encrypted, password-protected memo that auto-expires. Only the intended recipient can view the content, and it disappears after the set time — aligning perfectly with RODO's data minimization principle.
The Bottom Line
RODO gives you real power over your personal data. Companies are legally required to respect your requests, and UODO has the authority to enforce compliance with significant fines. Do not hesitate to exercise your rights — they exist specifically to protect you.
For sharing sensitive personal data when necessary, use LOCK.PUB to create encrypted, self-destructing memos that minimize data exposure. Your personal data is yours — RODO ensures it stays that way.