Based on insights from industry media, it can be said that this year, the Personal Data Protection Office (“UODO“) has, colloquially speaking, its hands full.[1] This situation does not directly stem from inappropriate legislative actions by lawmakers, but rather from a gap (or collision) that has emerged related to the case law of the Supreme Administrative Court. This is particularly evident following the January judgment of the Supreme Administrative Court, which confirmed that the land and mortgage register number constitutes protected personal data and that the processing of this data must be conducted in a manner compliant with the standards specified, among others, in the General Data Protection Regulation[2] (“GDPR”).

The problem, however, is that at the same time, there are normative acts (of statutory rank!) that not only allow but also directly order public administration bodies to partially publish land and mortgage register numbers. This situation leads to contradictions, and until it is corrected legislatively, it contradicts the applicable principles of personal data protection.

Land and Mortgage Register in the Context of Personal Data

The issue of data appearing in land and mortgage registers (including determining the legal nature of such data and the scope of their protection) has long been the subject of interest of the Personal Data Protection Office and administrative courts. As indicated by the Supreme Administrative Court in its judgment of September 26, 2018 (ref. no. I OSK 11/17) “personal data are all information relating to an identified or identifiable natural person. An identifiable person is a person whose identity can be determined directly or indirectly, as in this case by referring to an identification number or physical, mental, economic, cultural, or social characteristics. Since the content of land and mortgage registers is publicly available, the personal data of persons disclosed in the land and mortgage register can also be determined based on the land and mortgage register number.“

By judgment of January 28, 2025, in case file reference III OSK 6508/21, the Supreme Administrative Court dismissed the cassation appeal of the Surveyor General of the Country (“SGC“) against the decision of the President of the Personal Data Protection Office, in which the President of the UODO imposed on SGC, among others, an administrative fine in the amount of PLN 100,000 for violating Article 5 Section 1 Latter a and Article 6 Section 1 of the GDPR. The Supreme Administrative Court consistently ruled that land and mortgage register numbers correspond to the legal definition of personal data under Article 4 Section 1 of the GDPR, and therefore, the processing of these data must take place in a limited manner – only based on an appropriate legal basis and in a manner that guarantees adequate protection of the rights and interests of persons indicated in the land and mortgage register.

From a legal perspective, it is hard to disagree with such a consistent jurisprudential line of the Supreme Administrative Court. By knowing the number of the land and mortgage register for a selected property, one can easily and free of charge determine the basis for entries in the land and mortgage register- such as titles of transfer of ownership, mortgages, or restrictions on property use- using the official portal of the Ministry of Justice, namely the Electronic Land and Mortgage Registers. Moreover, one can access information about the owners or perpetual users of the property, including their names, surnames, and PESEL numbers.

Personal data still available in BIP

However, there is a significant problem – personal data, i.e., land and mortgage register numbers enabling direct and free access to the personal data of persons related to real estate, remain publicly available in some situations.

This is done, among others, based on the provisions of the Facilitating the Preparation and Implementation of Housing Investments and Accompanying Investments Act.[3]

Under the provisions of this Act, when intending to undertake a residential investment, the investor submits an application through the voyt (mayor, city president) to determine the investment’s location to the locally competent municipal council, as outlined in Article 7, Section 7, Points 8-10 of the referenced Act. This application must include a list of land and mortgage registers maintained for the properties where the investment will occur, as well as for neighboring properties, which may be affected or on which the investment’s supporting infrastructure will be located.

Notably, the investor’s application (along with non-anonymized land and mortgage register numbers, of course) is then published by the public administration body. According to Article 7 Section 10 of this act, the voyt (mayor, city president), no later than within 3 days of receiving the application, places this application together with the documents attached to it on the subject page of the Public Information Bulletin of the gmina, and if the commune does not have a subject page of the Public Information Bulletin on the gmina’s website.

In addition, under Article 8 Section 2 of the Act, the resolution on determining the location is subject to publication in the provincial official journal (which happens together with the indication of the real estate related to this investment according to the real estate cadaster and the land and mortgage register, following Article 8 Section 1 Item 10 of the Act).

In the analyzed situation, therefore, not only will the personal data of the owners or perpetual users of the real estate on which the investment is to be carried out be available via the BIP and in the official journal, but the personal data of the “neighbors” of such an investment will, de facto, also be disclosed.

Solutions to the systemic problem needed

The problem mentioned above is systemic in nature and, in my opinion, cannot be solved in any way other than legislatively. Ensuring an appropriate standard of personal data protection is becoming one of the most significant legislative challenges from the perspective of the state today.

At the same time, we cannot forget that the state alone is not responsible for the improper processing of personal data. In principle, anyone can be liable for violating regulations, which is why it is even more crucial, particularly from the perspective of entrepreneurs, to implement effective, consistent, and legal policies and safeguards in this area. Hiring a professional who understands the GDPR can protect entrepreneurs from the potential negative and painful consequences associated with the improper collection or processing of personal data.

[1] https://www.prawo.pl/biznes/numery-ksiag-wieczych-w-internecie-a-rodo,532110.html

[2]Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

[3]Journal of Laws 2018 item 1496.