
Cross‑border Data Requests & E‑evidence in Poland (2026): What Boards, GCs and Compliance Teams Must Do When Criminal Investigators Seek Company Data

By Global Law Experts
– posted 2 hours ago

The EU’s push to streamline cross-border data requests in Poland and across Member States has accelerated sharply in 2026, with the European Production Order and European Preservation Order instruments now entering the national implementation phase and reshaping how criminal investigators obtain electronic evidence from companies. For boards, general counsel and compliance teams operating in or through Poland, the practical reality is stark: a prosecutor in another EU country can now seek your company’s subscriber data, traffic logs or stored content through channels that are faster, more direct and harder to deflect than traditional mutual legal assistance treaties.

This guide provides a step-by-step corporate playbook, from the first six hours after receiving a request to the board-level escalation decisions that follow, grounded in Polish criminal procedure, EU e-evidence instruments, GDPR constraints and real-world provider dynamics.

Executive Summary: Immediate Decisions Boards and GCs Must Make

When a cross-border criminal data request lands on your desk, the window for critical decisions is narrow. Whether the request arrives as a domestic prosecutor’s order, a Mutual Legal Assistance Treaty (MLAT) transmission, or a European Production Order served to your Polish subsidiary, the following actions should begin within hours, not days.

  • Notify core stakeholders immediately. The General Counsel, CEO, board chair and Chief Information Security Officer (CISO) must be informed within the first six hours. Delayed notification creates privilege risks and may forfeit early objection windows.
  • Issue an internal legal hold. Instruct IT and data teams to preserve all potentially responsive data: email archives, cloud logs, access records and metadata. Destruction of data after receipt of a lawful request carries criminal liability under Polish law.
  • Assess the instrument’s legitimacy. Determine whether the request is a domestic warrant under the Polish Code of Criminal Procedure, an MLAT channelled through the Ministry of Justice, or an EU production/preservation order. Each instrument carries different compliance timelines, challenge mechanisms and grounds for refusal.
  • Engage external criminal counsel. Cross-border investigation compliance demands specialist advice. If the request touches data held by a US cloud provider, also consider engaging US-qualified counsel for CLOUD Act and provider-specific issues.
  • Assess privilege and confidentiality. Before producing any data, identify material potentially covered by legal professional privilege, trade secrets, press source protections or banking secrecy. Polish law recognises these protections, but they must be asserted proactively.
  • Set an escalation threshold. If the request involves board-member communications, may trigger securities disclosure obligations, or risks significant reputational exposure, escalate to the full board immediately; do not delegate this decision downward.
  • Document everything. From the moment the request is received, maintain a contemporaneous log of all decisions, communications and data-handling steps. This audit trail protects the company and its officers if the response is later challenged.

Quick 0–72 Hour Checklist for Cross‑Border Data Requests in Poland

A structured, time-bound response is the single most important factor in managing executive data risk when criminal investigators seek company data. The checklist below translates the principles above into a granular action plan, broken into three phases.

Hours 0–6: Secure and Assess

  1. Receive and log the request. Record the date, time, delivery method, issuing authority and instrument type (warrant, MLAT, European Production Order, European Preservation Order or informal request).
  2. Notify the General Counsel and CISO. Use a pre-drafted internal escalation email (template: “URGENT, Criminal Data Request Received, Legal Hold Required”) that triggers the incident-response protocol.
  3. Issue an immediate legal hold notice to IT, instructing preservation of all data within scope. The notice should specify data categories, custodians, systems and a prohibition on deletion or modification.
  4. Verify the formal validity of the request: Does it bear the required judicial stamp or prosecutorial signature? Is it addressed to the correct legal entity? Does it cite the applicable legal basis?
  5. Engage external criminal law counsel, ideally a practitioner experienced in e-evidence in Poland and international cooperation.

Hours 6–24: Analyse and Plan

  1. Map the data landscape. Identify where responsive data is stored (on-premises in Poland, EU cloud infrastructure, US provider servers) and who controls access.
  2. Assess jurisdictional and conflict-of-law issues. If data is held by a US tech provider, determine whether the CLOUD Act, provider terms of service, or EU blocking provisions create competing obligations.
  3. Identify privileged, confidential or protected material. Flag legal professional privilege, trade secrets, press source material (relevant where Poland’s Press Law applies) and personal data requiring GDPR analysis.
  4. Prepare a preliminary position paper for the board summarising: the request, likely scope of responsive data, estimated compliance cost, key legal risks and recommended next steps.
  5. If the instrument is a data preservation request, confirm the preservation deadline and instruct IT to snapshot relevant data with chain-of-custody documentation.

Hours 24–72: Respond and Escalate

  1. Convene a response meeting: GC, CISO, external counsel, DPO and, where thresholds are met, board representatives.
  2. Decide on the response posture: full compliance, partial compliance with privilege redactions, a reasoned objection, or a request for clarification/narrowing of scope.
  3. If challenging the request, prepare and file the appropriate procedural motion (e.g., a complaint to the court supervising the investigation under the Polish Code of Criminal Procedure).
  4. If complying, prepare the production package with a detailed index, privilege log for withheld material, and a cover letter referencing the legal basis for disclosure.
  5. Update the board, document the decision in board minutes and file the audit trail in the company’s incident-response register.

Responsibility Matrix

| Role | Key responsibilities (0–72 hours) |
|---|---|
| General Counsel | Overall legal strategy; privilege review; external counsel engagement; board briefing; final sign-off on response |
| CISO / IT | Immediate data preservation; legal hold implementation; data mapping; chain-of-custody documentation; technical production |
| DPO | GDPR impact assessment; data-subject notification analysis; UODO liaison if required |
| Board / CEO | Escalation decisions; disclosure obligations; reputational risk assessment; formal resolution where required |
| External counsel | Instrument validity assessment; jurisdictional analysis; procedural challenges; liaison with issuing authority |

Instruments Used in Cross‑Border Criminal Requests: MLAT, Domestic Warrants, EU Production and Preservation Orders Explained

Understanding which instrument a company is facing is the critical first analytical step. The legal consequences, response timelines and available defences differ dramatically depending on whether the request arrives through traditional mutual legal assistance channels, EU e-evidence instruments or a domestic Polish warrant. As the Centre for European Policy Studies (CEPS) has noted, the fragmented landscape of cross-border data access mechanisms has created significant compliance complexity for companies operating across jurisdictions.

Mutual Legal Assistance Treaties (MLATs) and Companies

MLATs remain the primary mechanism for criminal evidence requests between Poland and non-EU countries, most critically, the United States. Under mutual legal assistance in Poland, requests are channelled through the Polish Ministry of Justice (as the designated central authority) and typically require judicial authorisation in both the requesting and requested state. For companies, the practical consequence is that an MLAT request usually arrives after a Polish court or prosecutor has already authorised the data production, meaning the window for challenge is narrower than many boards expect. Typical MLAT processing timelines range from several weeks to many months, though urgent requests can be expedited.

European Production and Preservation Orders: The E‑Evidence Framework

The EU’s e-evidence package, comprising the European Production Order (EPO) and the European Preservation Order (EPrO), represents a fundamental shift in how EU Member States compel electronic evidence across borders. Under this framework, a judicial authority in one Member State can issue an order directly to a service provider offering services in another Member State, bypassing many of the delays inherent in traditional MLAT processes. The EPO can compel the production of subscriber data, access data, transactional data and, in defined circumstances, content data. The EPrO requires a provider to preserve specified data pending a subsequent production order.

Poland’s implementing legislation transposes these instruments into national law, creating enforceable obligations for companies established in or offering services to users in Poland.

Polish Domestic Warrants and Prosecutor Orders

Under the Polish Code of Criminal Procedure (Kodeks postępowania karnego), prosecutors and courts can issue orders compelling the production of data held on-premises or within Polish jurisdiction. These orders typically require immediate compliance. Companies facing a domestic warrant should secure the evidence chain, verify the order’s formal validity and consult counsel, but should not delay production while doing so, as obstruction can result in coercive measures including fines and compulsory seizure.

Comparison Table: Key Instruments at a Glance

| Instrument | When used / Who issues it | Practical steps & typical timeline |
|---|---|---|
| MLAT / bilateral request | Cross-border evidence transfer outside EU (or where judicial cooperation is needed). Issued via central authorities (Ministry of Justice); involves prosecutors and courts in both states. | Request transmitted through central authority → Polish authority processes and authorises → foreign central authority executes. Timeline: weeks to months. Companies typically asked to assist after judicial decision is made. |
| European Production Order (EPO) | EU instrument compelling electronic evidence from providers across Member States. Issued by judicial authorities under EU e-evidence rules as implemented in national law. | Served directly to provider or to designated representative in the executing state. Timeline: days to weeks. Check national implementing law and available grounds for challenge (e.g., fundamental rights, privilege). |
| European Preservation Order (EPrO) | EU instrument requiring a provider to preserve specified electronic data pending a subsequent production order. Issued by judicial authorities. | Served to provider; preservation must be implemented promptly. Timeline for preservation: typically immediate; duration limited pending follow-up order. Companies must snapshot data and maintain chain of custody. |
| Polish domestic warrant / prosecutor order | Data held on-premises or within Polish jurisdiction. Issued by prosecutor or court under the Code of Criminal Procedure. | Immediate compliance required if properly executed. Secure the evidence chain; consult counsel; do not delay production. Timeline: immediate to days. |

Practical Decision Flow: Comply, Resist or Negotiate (Legal and Reputational Risks)

Once the instrument has been identified and its formal validity confirmed, the company faces a three-way decision: comply in full, resist (by challenging the order or asserting grounds for refusal), or negotiate a narrowed scope. This decision carries both legal and reputational consequences and should be made at an appropriately senior level, in most cases, by or with the direct involvement of the General Counsel and, where thresholds are met, the board.

The key factors in this compliance decision include:

  • Jurisdiction of the data. Is the data physically stored in Poland, another EU Member State, or a third country (e.g., the US)? Cross-border storage creates competing legal obligations.
  • Identity and location of the provider. If data is held by a US cloud provider, the company must consider potential conflicts between EU orders and US law, particularly the CLOUD Act, which may impose separate and potentially conflicting obligations on the provider.
  • Secrecy or non-disclosure orders. Some instruments may prohibit the company from notifying the data subject. Assess whether such a prohibition is valid under Polish and EU law and whether it conflicts with GDPR notification requirements.
  • Legal professional privilege. Polish law protects communications between a client and their legal adviser. Privileged material must be identified and withheld, but the burden of assertion falls on the company.
  • GDPR and data protection compliance. Disclosure of personal data to a foreign authority must be reconciled with GDPR obligations, particularly the restrictions on international transfers in Chapter V of the Regulation.

Privilege and Corporate Secrets

Polish criminal procedure recognises the protection of attorney-client communications and, in defined circumstances, trade secrets and banking secrecy. Where responsive data includes material potentially covered by these protections, the company should prepare a privilege log, withhold the protected material, and notify the issuing authority of the basis for withholding. If the authority contests the privilege claim, the matter can be referred to the supervising court for resolution. Early identification of privileged material, ideally within the first 24 hours, is essential. Industry observers expect that as the volume of cross-border data requests in Poland increases, privilege disputes will become a more frequent point of litigation.

When to Seek Judicial Review

Companies are not obliged to accept every order without question. Under Polish criminal procedure, the addressee of a data production order can challenge its legality before the competent court. Grounds for challenge may include: lack of formal requirements, disproportionate scope, violation of privilege, fundamental rights concerns, or conflict with GDPR. For European Production Orders, the EU instruments also provide grounds for refusal, including where the order is manifestly disproportionate or where compliance would violate fundamental rights. The likely practical effect of these provisions will be to encourage companies to engage in early dialogue with issuing authorities to negotiate scope rather than resort immediately to formal challenge.

Responding to Tech Provider Notices: US Companies, CLOUD Act Issues and Provider Terms

A distinct category of cross-border investigation compliance challenge arises when the data sought by Polish or foreign prosecutors is held not by the company itself, but by a third-party technology provider, typically a US-headquartered cloud, email or communications platform. In these situations, the company may receive a notification from the provider that a government request has been made, or it may need to proactively approach the provider to request preservation or production of its own data.

Key practical steps for handling tech provider data requests include:

  • Issue a preservation request to the provider immediately. Major providers (including Google, Microsoft and Meta) accept law-enforcement preservation requests and will typically preserve specified account data for a defined period, usually 90 days, renewable, pending a formal legal order. The company (or, more commonly, the requesting authority) should submit the preservation request through the provider’s designated legal process channel.
  • Understand the provider’s process. Each provider maintains a law enforcement request guide that specifies: the types of data available, the legal process required (warrant, subpoena, court order), the jurisdiction of process they will accept, and their typical response timelines. These guides are publicly available on provider transparency and legal process pages.
  • Assess CLOUD Act implications. The US CLOUD Act permits US-based providers to respond to foreign government orders in certain circumstances, but it also allows providers to challenge orders that create a conflict with the law of a qualifying foreign government. Where Poland has entered into an executive agreement under the CLOUD Act framework, the process may be streamlined. Where no such agreement exists, the traditional MLAT process remains the primary channel for compelling US-held data.
  • Coordinate with law enforcement. In many cases, the company itself cannot compel its cloud provider to produce data to a foreign authority. The company’s role is to facilitate access to its own accounts and data, preserve what it can, and direct the requesting authority to the provider’s legal process channels.

Provider-Specific Nuances

While detailed provider-by-provider analysis is beyond the scope of this guide, boards and GCs should be aware that response timelines, data categories and objection procedures vary significantly between providers. Google, for example, publishes regular transparency reports and maintains a detailed law enforcement request guide. Microsoft operates a similar process through its Digital Safety team. Meta handles requests through its Records of Authorities portal. In all cases, the company should ensure that its IT and legal teams know the provider’s contact channels, required forms and expected turnaround times before a crisis arises, not during one.

Data Protection and GDPR Interaction: UODO Guidance and Criminal Exceptions

One of the most complex dimensions of responding to cross-border data requests in Poland is the interaction between data protection law and criminal process. The Polish Data Protection Authority (UODO) has issued guidance confirming that GDPR does not create an absolute bar to the disclosure of personal data in response to lawful criminal orders. However, controllers must carefully reconcile their data protection obligations with their disclosure duties, and document the reasoning behind their decisions.

Under Article 6(1)(c) and (e) of the GDPR, processing is lawful where it is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest. A valid criminal data production order issued by a Polish or EU judicial authority will typically satisfy this condition. For international transfers, where data is disclosed to a non-EU authority, controllers must additionally assess whether the transfer is covered by an adequacy decision, appropriate safeguards, or a specific derogation under Article 49 of the GDPR (such as the derogation for important reasons of public interest or for the establishment, exercise or defence of legal claims).

Polish national law, including provisions of the Act on the Protection of Personal Data (Ustawa o ochronie danych osobowych), supplements GDPR in this area by specifying the conditions under which Polish controllers may, and must, disclose data to law enforcement and judicial authorities.

Notification to Data Subjects: When Required and When Not

Under GDPR, controllers are generally required to inform data subjects about the processing of their personal data. However, where a criminal order includes a non-disclosure or secrecy obligation, notification to the data subject may be lawfully deferred or exempted, provided the exemption is supported by a specific legal basis. UODO guidance indicates that controllers should document the basis for any decision not to notify data subjects and should revisit that decision once the secrecy obligation is lifted. The DPO should be involved in this assessment from the outset and should maintain a record of the analysis for regulatory inspection purposes.

Board and Executive Escalation: Reporting Obligations and Documentation

Cross-border criminal data requests create board-level executive data risk that cannot be managed solely at the operational level. Directors who fail to oversee the company’s response may face personal liability, particularly if the response results in unlawful data disclosure, destruction of evidence, or obstruction of justice.

Boards should ensure the following governance steps are completed:

  • Formal board resolution. Where the request meets escalation thresholds (e.g., involves executive communications, triggers disclosure obligations, or risks material litigation), the board should pass a resolution authorising the response strategy and delegating operational execution to the GC.
  • Contemporaneous minutes. Board minutes should record: the date the request was received, the instrument and issuing authority, the legal advice received (without waiving privilege), the decision made and the rationale.
  • Regulatory reporting. Assess whether the request triggers any reporting obligations, for example, under securities law (for listed companies), regulatory notifications (for regulated entities such as banks or telecoms operators), or under sectoral legislation.
  • Privilege retention. All legal advice received in connection with the response should be clearly marked as privileged, stored separately and not disclosed to the requesting authority without express authorisation.
  • Audit trail. Maintain a comprehensive, timestamped record of all actions taken, communications sent and data produced. This audit trail is the company’s primary evidence of good-faith compliance if the response is later scrutinised.

Practical Examples and Anonymised Case Studies

The following three scenarios illustrate common patterns in cross-border investigation compliance and the recommended response sequence for each.

Scenario 1: MLAT request for email data held with a US provider. A Polish subsidiary of an international group receives notice that the Polish prosecutor’s office has transmitted an MLAT request to US authorities seeking email data held on Microsoft 365 servers. The company’s response: immediately engage external counsel in both Poland and the US; issue a litigation hold; submit a preservation request to Microsoft through its law enforcement portal; prepare a privilege review protocol; and brief the board on potential disclosure and reputational implications.

Scenario 2: European Production Order served on a Polish subsidiary for cloud access logs. A judicial authority in another EU Member State issues an EPO to the Polish subsidiary of a logistics company, seeking six months of cloud infrastructure access logs. The company’s response: verify the EPO’s formal validity under Poland’s implementing legislation; map the data and identify privilege/trade secret risks; assess whether grounds for refusal exist (e.g., disproportionality); prepare the production package or, if appropriate, file a reasoned objection within the statutory deadline.

Scenario 3: Data preservation request with a 48-hour deadline. A European Preservation Order arrives at a Polish fintech company’s registered office, requiring immediate preservation of subscriber and transactional data for a named account. The company’s response: instruct IT to snapshot the data within hours; confirm preservation to the issuing authority; engage counsel to advise on the likely follow-up production order; and notify the DPO to assess GDPR implications, including whether data-subject notification is deferred by a secrecy obligation.

Conclusion and Next Steps: Your Corporate Playbook for Cross‑Border Data Requests in Poland

The three non-negotiable actions for any company receiving a cross-border criminal data request are: preserve data immediately, engage specialist external counsel within hours, and escalate to the board where thresholds are met. Every other decision flows from these foundations. Companies operating in or through Poland should consider developing a standing incident-response protocol, pre-identifying external counsel and mapping their data landscape before a request arrives. Those seeking tailored guidance can consult the Global Law Experts lawyer directory for qualified criminal and data-protection practitioners.

Need Legal Advice?

This article was produced by Global Law Experts. For specialist advice on this topic, contact Maciej Zaborowski at Kopeć & Zaborowski Law Firm, a member of the Global Law Experts network.

Sources

  1. Polish Data Protection Authority (UODO), Guidance and GDPR Pages
  2. Polish Government, Ministry of the Interior: Personal Data Processing
  3. CriminalLawPoland, EU E‑Evidence Package and Digital Evidence in Polish Criminal Trials
  4. Centre for European Policy Studies (CEPS), Cross‑Border Data Access Task Force Report
  5. European Council / Polish Presidency, Cross‑Border GDPR Enforcement Deal (2025)
  6. ICLG, Data Protection Laws and Regulations: Poland
  7. DLA Piper, Data Protection Laws of the World: Poland

FAQs

What is a European Production / Preservation Order and can Polish authorities use it to get my company's data?
A European Production Order is an EU instrument that allows a judicial authority in one Member State to compel an electronic service provider in another Member State to produce specified electronic evidence. A European Preservation Order requires data preservation pending a follow-up production request. Polish authorities can use these instruments as both issuing and executing state under Poland’s implementing legislation. Companies should verify the order’s formal validity, assess available grounds for challenge and respond within the applicable deadline.
Follow the 0–72 hour checklist: immediately notify internal stakeholders, issue a legal hold across all relevant systems, engage external criminal counsel, assess the instrument’s validity and jurisdictional implications, identify privileged material, and either comply with the order or file a reasoned objection. Coordinate with the relevant central authority (in Poland, the Ministry of Justice) and document every step.
In some circumstances, yes. Refusal may be justified where the order conflicts with the law of the country where the data is stored, where legal professional privilege applies, or where compliance would violate fundamental rights or GDPR restrictions on international transfers. However, refusal carries risks, including penalties for non-compliance, and should always be based on formal legal advice and, where possible, supported by a judicial challenge or reasoned objection to the issuing authority.
Preserve all potentially responsive data immediately by issuing an internal legal hold. Document the chain of custody from the outset. Assess whether any responsive material is covered by legal professional privilege and prepare a privilege log. Convene the GC, CISO and external counsel within hours. Escalate to the board if the request involves executive communications, cross-border legal risk or material reputational exposure.
GDPR does not automatically block lawful criminal data requests. Disclosure to law enforcement can be lawful under Article 6(1)(c) or (e) of the Regulation. For transfers to non-EU authorities, controllers must assess whether an adequacy decision, appropriate safeguards or a derogation under Article 49 applies. The UODO has confirmed that controllers must document their analysis and involve the DPO in any decision to disclose personal data in response to a criminal order.
US cloud providers respond to government data requests according to applicable local laws, their own terms of service and their published legal process guidelines. Under the CLOUD Act, US-based providers may comply with qualifying foreign government orders, but they may also challenge orders that conflict with the law of a qualifying foreign government. Where no CLOUD Act executive agreement exists between the US and the requesting state, the traditional MLAT process is usually required to compel disclosure of US-held data.
The duration of a European Preservation Order is limited and is intended to bridge the period until a production order is issued. The exact duration depends on the instrument and national implementing rules, but preservation is always temporary. Companies must snapshot and secure the specified data, maintain chain-of-custody documentation and await further instructions: either a production order or a notification that the preservation is no longer required, at which point normal data retention and deletion policies may resume.
A company should seek a protective order or negotiate a confidentiality ring whenever disclosure risks exposing trade secrets, legally privileged communications, protected press sources or commercially sensitive information that extends beyond the legitimate scope of the investigation. The application should be made to the competent court as early as possible, ideally before any production takes place, and should be supported by a detailed explanation of the harm that unrestricted disclosure would cause.