Company fined for use of publicly available information

By David Hendry

Company fined for use of publicly available information.

One of the common misconceptions about data protection law is that data in the public domain is a freely available resource to which the law does not apply.  For example, some people believe that telephone numbers on websites are not subject to the PECR and are fair game for outbound telesales which is of course, completely untrue.  Telephone numbers published on websites should be screened against internal suppression lists as well as the TPS and CTPS.  Others believe that personal data and other information obtained from public sources can be used freely without the need to comply with the first principle of data processing regarding fair processing.

Last month, the Provincial Administrative Court in Warsaw, Poland, ruled that the Polish supervisory authority (UODO) was right to impose a fine of €220,000 on digital marketing company Bisnode.  Bisnode collected data from publicly available registers, such as registers of entrepreneurs, which it used to create commercial and market reports for its clients.

Bisnode acknowledged that under Article 14 of the GDPR, it was obligated to provide privacy information to the six million plus people whose information it had collected and relied on a privacy notice published on its website.  When challenged by the UODO Bisnode argued that the provision of privacy information to each individual whose personal data it had collected involved disproportionately high costs citing the exemption provided for in Article 14(5)(b).

UODO did not support Bisnode’s arguments and ruled that the cost of providing privacy information cannot be relied upon to demonstrate disproportional effort: the right to information set out in Articles 13 and 14 being one of the core rights of data subjects under the GDPR.  The Court accepted UODO’s position and ruled that Bisnode’s publishing of a privacy policy on its website was insufficient and contrary to the rights of data subjects.  It ordered Bisnode to provide privacy information directly to its data subjects either by traditional mail or email which will be a significant cost to the company in addition to the fine.

There is some controversy in Polish legal circles about the ruling including the fact that Recital 62 of the GDPR seems to allow the number of data subjects to be a factor to consider with regard to what might constitute disproportionate effort.  However, the Outsourced DPO believes that the exemption in Article 14(5)(b) is drafted to be narrowly construed and the UODO’s decision was based on an appropriate interpretation of the law.

The case throws up some interesting points for organisations using personal data from public sources and/or brokers. It reinforces the need to actively provide privacy information to data subjects rather than passively publish it on websites, and also reminds us that information relating to people in their business/professional capacity is still personal data which believe it or not, many people still believe is not the case.

Contact Us

Send us a Message

    We would like to use your contact information to send you marketing and promotional materials and special offers by email from time to time. We may only send information to you in this way with your consent. Please indicate whether you consent to us contacting you in this way for those purposes. You may withdraw your consent at any time by clicking the unsubscribe link in our emails.

    We are always happy to make contact with you by either phone, email or a face to face meeting at our office or yours. We work standard UK office hours – every week day 0830 to 1730.


    We have been receiving complaints over the last few weeks from people who have received unsolicited direct marketing calls from a company called The Protection People.  We should like to point out that we are Data Protection People and have nothing to do with those calls.

    We have been advising those people who have contacted us that they should make a complaint to the Information Commissioner’s Office (ICO) using this link  It would be helpful to the ICO if you knew the number that called you, the date and time of the call and what the call seemed to be about.

    You might also want to register your phone number with the telephone preference service (TPS), a national suppression service which should cut down calls of this nature as it is not lawful to make unsolicited direct marketing calls to numbers registered on the TPS.  You can register your number here

    We know that these kind of calls can be distressing and intrusive and you have our sympathy.  Please do not hesitate to contact us if you would like to discuss it with us otherwise we’d encourage you to report it to the ICO as notifying them of this kind of practice enables them to investigate and take enforcement action where necessary.  You can see the action that has been taken by the ICO here

    Data Protection People Limited – March 2021