The Polish data protection authority’s first two GDPR decisions concern the data processed in or derived from Poland’s public registers.
One of the decisions imposes a fine of € 220,000 on a company using mainly data from publicly accessible records. The reason for the punitive action was the failure to provide privacy notices described in Article 14 of the GDPR for most of the business owners. Instead, the controller referred to the exception under Article 14(5b) of the GDPR and decided only to send privacy notices to those who disclosed their email address (approximately 500,000 individuals). The controller also included information on its operations on the official website.