First GDPR fine in Poland (~220,000 EUR) for failure to meet information obligation

  • The company obtained data subjects’ data from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes.
  • The company did not meet the information obligation in relation to over 6 million people.
  • Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data.
  • Some additional comments by Piotr Foitzik (IAPP forum on LinkedIn): The company also processed data of millions of people who were sole traders in the past and are not anymore. When it sends postal letters to postal addresses which are not correct and are outdated, this will result in a data breach. The fact that a legal basis has not been analyzed, and were it to be a legitimate interest a balancing test would need to be conducted, does not mean that processing was legitimate but that unfortunately the authority did not discuss some of the core issues here. All in all, publicly available information, including that of entrepreneurs, is also subject to the GDPR and in this instance the data became public not as their free choice, but as it is a legal requirement in Poland, but this requirement also serves for specific purposes and the processing should be in line with these purposes.

https://edpb.europa.eu/news/national-news/2019/first-fine-imposed-president-personal-data-protection-office_en