Bisnode case
Polish supervisory authority (UODO), 2019. Fined Bisnode Polska €220,000 (PLN 943,470) under GDPR.
What happened
Bisnode scraped publicly available business records — names, contact details, professional roles — and used them for B2B marketing. They did not proactively notify the individuals whose data they had collected. Their position was that publishing a privacy notice on their website satisfied the obligation.
UODO disagreed. GDPR Article 14 requires active notification when personal data is collected from sources other than the data subject. Passive publication does not count.
Why it matters for DBPOC
Same shape: we collect named contacts (VD, board members, employees) from publicly accessible sources (company websites, registries) for B2B marketing/lead generation. The legal basis is GDPR Legitimate Interest (Art. 6(1)(f)), but Article 6 does not absolve us of the Article 14 notification duty.
The trigger must fire within one month of collection — not at export, not at first contact. See Article 14.
Cost benchmark
€220K is the data point that comes up in any compliance review. A second-time offence in this jurisdiction would be larger. Treat Article 14 as a hard requirement, not a nice-to-have.
Source
UODO decision ZSPR.421.3.2018, 15 March 2019. Upheld on appeal.
See also
Article 14, GDPR Legitimate Interest, Known Issues, RoPA Log.