Poland Advances EU Data Governance Push with New Law on Data Sharing and Intermediation

Key Takeaways

• DGA Implementation Moves Forward: Poland has adopted legislation to implement the EU Data Governance Act at the national level, pending presidential approval.
• Regulator’s Role Expands: The Personal Data Protection Office will oversee data intermediation services, data altruism registration, and certain cross-border data transfers.
• Public Sector Data Access Structured: The law sets conditions for reusing protected public sector data while maintaining third-party rights.
• Intermediation Model Formalized: Data intermediaries will operate under a defined regulatory framework aimed at increasing trust in data sharing.
• From Policy to Practice: Organizations now face more immediate compliance and governance considerations as the DGA takes effect at the national level.

Deep Dive

Poland has moved to bring the EU’s data governance ambitions closer to day-to-day reality, with lawmakers approving a national law designed to operationalize the bloc’s Data Governance Act. The Sejm of the Republic of Poland adopted amendments put forward by the Senate, clearing the way for the legislation to take effect once it is signed by the President and formally promulgated. The law will enter into force three months after that final step.

The measure may read as a technical alignment exercise, but it marks a more substantive shift in how data is expected to move, be shared, and be overseen, particularly as the EU continues to build out a framework that treats data as both an economic asset and a regulated resource.

At the center of the new regime is a clearer assignment of responsibility. Poland’s Personal Data Protection Office will take on an expanded role, not only in the traditional realm of data protection, but also as the authority responsible for supervising data intermediation services, registering so-called data altruism organizations, and overseeing certain transfers of non-personal data to third countries.

That broader mandate reflects the direction of travel in Brussels, where policymakers have increasingly looked beyond privacy alone and toward creating structured, trusted environments for data sharing across sectors.

The law itself mirrors the architecture of the EU Data Governance Act, which is built around the idea that data sharing can be scaled safely if the right guardrails are in place.

One of those guardrails focuses on public sector data. The framework sets conditions for reusing certain categories of information held by public bodies—particularly where that data is subject to third-party rights. In practice, that means organizations may gain access to valuable datasets, but only within a defined legal structure that preserves existing protections.

Another pillar is the regulation of data intermediation services. These intermediaries are positioned as neutral brokers, designed to facilitate data exchanges between parties that might otherwise be reluctant to share information directly. The aim is less about mandating data sharing and more about building the trust infrastructure that makes it viable.

There is also a clear push toward what the EU terms “data altruism”, the voluntary sharing of data for purposes deemed to be in the public interest, such as scientific research or policy development. Under the new framework, these activities are formalized, with registration requirements intended to lend credibility and oversight to organizations operating in this space.

Overlaying all of this is the European Data Innovation Council, established at the EU level to help ensure that these rules are applied consistently across Member States and that practical lessons are shared as implementation unfolds.

For organizations, particularly those operating across multiple EU jurisdictions, the Polish law is another signal that the DGA is moving out of the abstract and into enforceable practice.

That shift brings a more immediate set of questions. Businesses will need to assess whether their data-sharing arrangements fall within the scope of regulated intermediation, how they handle access to public sector data, and what governance structures are required if they choose to participate in data altruism initiatives. Cross-border data flows, including those involving non-personal data, are also likely to come under closer scrutiny.

The EU is not only regulating how data is protected, but increasingly how it is accessed, shared, and put to use. Poland’s latest move adds another piece to that puzzle, one that moves the conversation from principle to practice.

The GRC Report is your premier destination for the latest in governance, risk, and compliance news. As your reliable source for comprehensive coverage, we ensure you stay informed and ready to navigate the dynamic landscape of GRC. Beyond being a news source, the GRC Report represents a thriving community of professionals who, like you, are dedicated to GRC excellence. Explore our insightful articles and breaking news, and actively participate in the conversation to enhance your GRC journey.