Głównemu Geodecie Kraju – €23,000 Fine (Poland, 2020)

The GGK published personal data in the form of information obtained from land and property registers (including land register numbers) from 90 poviat starosties only on the basis of agreements concluded with them. Was the publishing of the land register numbers by the GGK on the GEOPORTAL2 (geoportal.gov.pl) lawful, in accordance with Articles 5(1)(a) and 6(1) GDPR? The DPA held that the agreements between the GGK and the poviat starosties concerned the creation and maintenance of common elements of the technical infrastructure intended to store and make available certain data filing systems, but did not constitute a legal basis for making available the data, including the land register numbers. Such a basis would need to result from commonly binding legal provisions. Since the GGK could not provide a valid legal basis for its processing of personal data, the UODO held that the publishing on the GEOPORTAL2 was not in line with the principle of lawfulness in Article 5(1)(a) GDPR, as none of the conditions of Article 6 GDPR were satisfied. The data disclosed in the land register of natural persons includes, among others, names, surnames, parents’ names, PESEL number (personal identification number), and property address. The DPA therefore held that a large number of data subjects may be exposed to identity theft in such a situation.