The Polish privacy regulator has issued its first GDPR fine, penalizing an unnamed firm over £187,000 for scraping public data on individuals and reusing it commercially without notifying them.
The firm is said to have taken personally identifiable information (PII) on over six million Polish citizens from the country’s Central Electronic Register and Information on Economic Activity.
However, it only informed the 90,000 individuals it had email addresses for, claiming that “high operational costs” prevented it from doing more, according to the regulator, the Personal Data Protection Office (UODO).
In fact, it should have used the postal addresses and telephone numbers it had to notify individuals about the data it used, the source of their data, the “purpose and the period of the planned data processing,” and their rights under the GDPR, it continued.
“The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because — as it was established during the proceedings — the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons,” the UODO said in a notice.
“While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so.”
Some 12,000 individuals out of the 90,000 that were notified by the company apparently objected to its use of their data.
The move is another sign of the growing readiness of regulators to issue major fines to companies found to have deliberately violated the GDPR.
The biggest penalty so far was the €50m (£43m) levied against Google in France related to how the tech giant personalizes ads. However, as of February, over 59,000 breaches had been reported to GDPR regulators since the law was introduced in May 2018, with 91 fines issued, according to DLA Piper.