Poland’s privacy regulator, the Urzad Ochrony Danych Osobowych (UODO), or Personal Data Protection Office, has issued its first GDPR fine, penalizing an unnamed firm the equivalent of more than £187,000 for appropriating public data on individuals and reusing it commercially without notifying them.
The firm is said to have taken personally identifiable information (PII) on over six million Polish citizens from the country’s Central Electronic Register and Information on Economic Activity. However, it only informed the 90,000 individuals for whom it had email addresses, claiming that “high operational costs” prevented it from doing more, according to UODO.
To comply with the requirements, the company should have used the postal addresses and telephone numbers it had to notify individuals about the data used, its source, the “purpose and the period of the planned data processing,” and their rights under GDPR.
“The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because — as it was established during the proceedings — the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons,” the UODO said in a notice.
“While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so.”
Of the 90,000 people who were notified by the company, approximately 12,000 apparently objected to its use of their data.
Since GDPR came into effect in May 2018, the heaviest penalty has been the €50m (£43m) levied against Google in France. As of February this year, more than 59,000 breaches have been reported under GDPR, with 91 fines issued.