The European Data Protection Board (EDPB) has announced that the regulator in Poland (UODO) has imposed its first fine under the General Data Protection Regulation (GDPR).

While details of the company involved have not yet been released, the breach of the regulation involved the  records of around 6 million people.

The data came from publicly available records held in the Central Electronic Register and Information on Economic Activity – a register of people who are or have been engaged in some kind of business activity. A UK equivalent would be a list of those who currently are or had been self-employed or sole traders.

The company involved (i.e. the data controller) did not inform data subjects about the processing and thus deprived them of the possibility to exercise their rights under the General Data Protection Regulation (GDPR).

The fine was set at around €220,000, although this may be subject to appeal.

The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs.

The regulator ruled that where the controller did not have email address but did have telephone or address details, the controller should have fulfilled their obligation to inform data subjects of the data being held, the source of the data, the purpose and period of the planned data processing and the data subjects’ rights under the General Data Protection Regulation.

While this is the first fine imposed by the regulator in Poland, we can expect more as there are further cases in the pipeline. 

For all businesses subject to GDPR, there are several points to note:

  • Regulators across the EU are taking action; a tactic of registering in what might be considered a more lightly regulated country should be considered as high risk.
  • Just because data is publicly accessible, that doesn’t mean you can process it without fulfilling your obligations under GDPR.
  • If you are processing personal data for commercial purposes, you should factor in all the costs of compliance with the GDPR and price your products and services accordingly.

While there have been relatively few fines under GDPR so far, as regulators across the EU get to grips with the workload and how their fellow regulators are interpreting the regulation, expect the pace to pick up. If you don’t have data privacy embedded in your business processes already, you’ll be at a competitive disadvantage and you are risking fines and a world of extra admin if the regulator turns it’s attention to your company.  

For most businesses – with proper planning – compliance with the EU GDPR doesn’t have to be onerous. With the right systems, tools and training in place you will be able to fulfill your statutory obligations and provide your customers, staff, suppliers and other stakeholders with the assurance that you take their data privacy seriously.

If you need help or advice on security, data privacy and GDPR compliance? Use the form on the right to arrange a no-obligation call to see if we can help.

Need to speak to an expert about data privacy and protection?


Need help with your compliance strategy for GDPR and other data protection legislation?


Complete the enquiry form to arrange a no-obligation call to see if we can help.