The Weaponization of Debt Registries

The Weaponization of Debt Registries

2026-04-07

How Polish creditors exploit commercial-information bureaus to coerce payment on disputed debts – and what the law actually allows debtors to do about it

The Mechanics of Pressure: Why a Registry Entry Can Be More Devastating Than a Lawsuit

A listing in Poland’s commercial-debt registries can cripple an entrepreneur more swiftly than any lawsuit. The major bureaus – KRD BIG S.A., ERIF BIG S.A., BIG InfoMonitor – function as quasi-public ledgers of creditworthiness, and a single entry can trigger a cascade of consequences: loan applications denied, business partners backing away after routine due-diligence checks, existing contracts terminated without ceremony. The effects of an unlawful listing reach far beyond the narrow question of debt collection and strike directly at the protection of an entrepreneur’s assets.

Certain creditors understand this arithmetic perfectly well. They report disputed, nonexistent, or time-barred claims to the registries, wagering that the debtor will pay – not because the debt is legitimate, but because the reputational damage is intolerable. In extreme cases, such conduct may constitute a deliberate act to the detriment of a debtor under criminal-law provisions, or even amount to fraud – where the creditor knowingly reports a claim it knows does not exist. As the Polish Supreme Court observed, with characteristic precision, in its judgment of November 24, 2022 (case No. I NSNc 520/21, Legalis No. 2847514): the entry of personal data in a registry of unreliable debtors, and the consequent dissemination of false information, constitutes a violation of personal dignity, good name, and honor.

This article examines the full arsenal of remedies available to those on the receiving end of such tactics – from statutory demands for removal, through personal-rights litigation and the Supreme Court’s landmark 2023 resolution on corporate claimants, to the still-underutilized damages regime of Article 82 of the EU General Data Protection Regulation.

 

When Is a Registry Entry Lawful?

Poland’s Act of April 9, 2010, on the Sharing of Commercial Information and the Exchange of Commercial Data (the “Commercial Information Act”) sets out, in Articles 14 through 18, the substantive and procedural prerequisites that must be satisfied cumulatively before a creditor may lawfully transmit information to a bureau. For obligations owed by a business debtor, the creditor must demonstrate, among other things, that the obligation arose from a defined legal relationship; that the aggregate overdue amount is at least five hundred zlotys; that the obligations have been overdue for at least thirty days (sixty for consumers); and that at least one month has elapsed since the creditor sent the debtor a demand for payment containing an explicit warning of the creditor’s intention to report the debt to a bureau.

The failure to satisfy even one of these conditions renders the entry unlawful – and opens the door to its elimination.

 

Step One: A Statutory Demand to the Creditor

The primary instrument for correcting an improper entry is Article 30(1) of the Commercial Information Act, which entitles the debtor to demand that the creditor supplement, update, rectify, or delete commercial information that is incomplete, out of date, untrue, or disclosed in violation of the statute. As T. Ostrowski observes in his commentary on this provision (Legalis, C.H.BECK, 1st ed., 2012), this right is a legislative specification of the principle of informational autonomy enshrined in Article 51(4) of the Polish Constitution. The term “debtor” should be construed broadly: it encompasses any entity whose data have been made available through the bureau, regardless of whether the claimed obligation actually exists.

The demand should specify precisely why the commercial information is untrue or was disclosed in violation of the statute. In a disputed-debt scenario, the crucial task is demonstrating that the obligation does not exist, is not yet due, or that the formal prerequisites for the listing were not met. Professional contract drafting and negotiation with counterparties should include clauses safeguarding against such abuses from the outset.

A critical procedural point: the addressee of the obligation under Article 30(1) is the creditor alone – not the bureau. The debtor cannot effectively demand deletion directly from the bureau; the bureau merely executes the creditor’s instructions, with the limited exception of its own obligation to delete information ex officio under Article 31(6) or (7) of the Act.

 

Step Two: When the Creditor Refuses – Personal-Rights Litigation

The statute provides no direct sanction for a creditor’s failure to comply with Article 30(1). The debtor’s recourse, at that point, lies in civil litigation – principally an action for the protection of personal rights under Article 24 of the Civil Code, read together with Article 448.

The Court of Appeal in Kraków, in its May 21, 2010, judgment (case No. I ACa 430/10, OSA 2011, No. 12, item 69), settled a crucial threshold question: the existence of specialized remedies under the Commercial Information Act does not preclude recourse to Article 24 of the Civil Code, nor does it alter the statutory allocation of the burden of proof. The inclusion of data about a debtor’s overdue obligation in a commercial-information registry is lawful only if that obligation actually exists and is actually due.

In a personal-rights action, consequently, it falls to the creditor – the defendant – to demonstrate that the entry was justified, pursuant to the presumption of unlawfulness that Article 24 § 1 of the Civil Code establishes.

 

Which Personal Rights Does an Unlawful Entry Violate?

Case law identifies the personal rights violated by a groundless registry entry with considerable precision.

Good name and honor. The Supreme Court held, in its landmark 2022 judgment (I NSNc 520/21), that listing a person in a registry of unreliable debtors violates personal dignity, good name, and honor by portraying the listed individual as untrustworthy and unreliable. The holding extends to legal persons – that is, to corporate entities – by operation of Article 43 of the Civil Code. The matter was definitively settled by the Supreme Court’s resolution of October 3, 2023 (III CZP 22/23, Legalis No. 2990549), which held that Article 448 of the Civil Code (now Article 448 § 1) applies mutatis mutandis to legal persons. This means that a company wrongfully listed in a debt registry may claim not only removal and an apology, but also monetary compensation for non-material harm – understood, in the case of legal persons, as a non-pecuniary detriment consisting of the inability or difficulty of conducting business activities in the manner and to the extent prevailing before the violation.

Privacy and informational autonomy. The Warsaw District Court, in its March 13, 2025, ruling (case No. II C 310/23, Legalis No. 3291319), found that the disclosure of data concerning a person’s financial obligations – even obligations serviced in good faith – infringes that person’s privacy and violates their informational autonomy. The court emphasized that a failure to remove data from a bureau’s records after the data subject has withdrawn consent constitutes an unlawful invasion of privacy.

Creditworthiness. The Supreme Court, again in case I NSNc 520/21, observed that the processing of client data through their transmission to registries and their disclosure to other entities for the purpose of assessing payment reliability shapes a person’s image and affects their reputation in dealings with banks and financial institutions. An erroneous entry maintained for more than four years led, in that case, to the reversal of a judgment dismissing the claim – the Supreme Court treated the denial of compensation as a gross misapplication of the law.

 

Available Remedies

Under Articles 24 and 448 of the Civil Code, the injured party may seek: an order compelling the removal of the registry entry; a formal written apology in a prescribed format (as the Warsaw court ordered in case II C 310/23); monetary compensation for non-pecuniary harm – courts have awarded amounts ranging from several thousand to several tens of thousands of zlotys, depending on the severity and duration of the violation; and compensation for pecuniary loss on general principles, where the unlawful entry has caused measurable financial harm such as the loss of a contract or denial of credit.

 

Compensation for Legal Persons: The Breakthrough of Resolution III CZP 22/23

For years, the admissibility of monetary compensation for non-material harm suffered by a legal person was seriously contested. The Court of Appeal in Gdańsk, referring the question to the Supreme Court, favored the negative view – arguing that a legal person “does not experience harm” within the meaning of Article 448 of the Civil Code, and that the compensatory function of monetary redress loses its frame of reference when the claimant is a corporation.

The Supreme Court, in its resolution of October 3, 2023 (III CZP 22/23), rejected this argument through a thorough linguistic analysis of the term “harm” (krzywda) as used in Article 448. The Court observed that in ordinary Polish – the starting point for any textual interpretation – krzywda carries a broader meaning than the one adopted in case law concerning natural persons: it denotes moral, physical, or material damage inflicted unjustly or unlawfully; misfortune, injustice, an offense suffered without cause (citing the Słownik Języka Polskiego PWN edited by M. Szymczak). Since krzywda lacks a statutory definition, the Court emphasized the need for caution in transplanting the natural-person case-law definition onto the terrain of corporate personal-rights protection.

For legal persons, the Supreme Court defined harm as non-material damage resulting from a violation of the legal person’s personal right, concretized as a detriment consisting of the inability or difficulty of conducting business in the manner and to the extent prevailing before the violation – regardless of whether this affects the entity’s financial position (for instance, loss of credibility leading to loss of access to financing).

The Court further held that monetary compensation awarded to a legal person serves not satisfaction or relief from suffering, but the protection of the legal person’s objectively understood interests connected with its personal rights. Such compensation fulfills not only a compensatory function, but also a satisfactory, repressive, and preventive-educational one – the latter functions, as the Court explained (citing its February 21, 2020, judgment, I CSK 565/18), being derivatives of the compensatory function whose omission renders compensation itself defective.

The resolution’s significance for disputes over unlawful registry entries is fundamental. Entrepreneurs operating through limited-liability companies or joint-stock companies – legal persons, in other words – constitute the largest class of entities affected by the instrumental use of debt registries. Before III CZP 22/23, their protection was limited in practice to non-pecuniary remedies (removal orders, apologies) and general-principles compensation for pecuniary damage under Article 24 § 2 of the Civil Code. Now they may also claim monetary compensation for non-material harm alone – understood as the impediment to business operations caused by the undermining of credibility through a baseless listing.

The Court cautioned that applying Article 448 to legal persons should be exercised with greater restraint than in relation to natural persons, and that relevant circumstances should include the nature of the entity’s activities, the personal right violated, the scale of the violation, and the degree of impact on the entity’s ability to conduct its business. In practice, an unlawful BIG listing may also generate board-member liability toward the company – if the board failed to take protective action despite knowing the entry was groundless.

 

Claims Directly Against the Bureau – An Underestimated Avenue

In practice, individuals listed in debt registries are routinely shuttled between the creditor and the bureau in a maddening game of jurisdictional ping-pong. The creditor points to the bureau as the entity maintaining the listing; the bureau redirects the complainant to the creditor as the data controller. This exasperating cycle is vividly illustrated in the facts of case II C 310/23, where the company operating the commercial-information system told the plaintiff, in so many words, that “as a processor, it is not authorized to fulfill obligations imposed by the GDPR on the controller without the controller’s express instruction.” The question, then, is whether the injured party has any direct claim against the bureau itself.

 

The Bureau’s Status: Processor, or Something More?

Commercial-information bureaus consistently classify themselves as data processors within the meaning of Article 28 of the GDPR. The classification – carrying significant implications also in the domain of cybersecurity – is less straightforward than the bureaus would have it.

The Commercial Information Act imposes on the bureau a number of obligations that it carries out autonomously – not at the creditor’s direction. Article 31 requires the bureau to delete information ex officio in certain circumstances: upon obtaining credible information that the obligation does not exist; upon learning that an action for payment of a disputed claim has been filed; upon the expiration of a ten-year retention period. The bureau is not, in other words, a passive repository. The statute assigns it an independent decisional competence regarding the deletion of data. Moreover, as the Provincial Administrative Court in Warsaw held in its October 27, 2020, judgment (case No. II SA/Wa 310/20), when a processor unlawfully encroaches on the sphere reserved to the controller – making decisions about the purposes and means of data processing – Article 28(10) of the GDPR requires that the processor be treated as a controller with respect to that processing, and thus held liable as one.

 

Article 82 of the GDPR: An Autonomous Basis for Bureau Liability

Regardless of whether a bureau is classified as a processor or a controller, Article 82 of the GDPR provides an independent and direct basis for compensatory liability toward the data subject. This provision deserves close examination, because it opens a path of redress that Polish judicial practice has thus far underutilized.

Joint and several liability of controller and processor. Article 82(1) of the GDPR provides that any person who has suffered material or non-material damage as a result of a GDPR violation has the right to obtain compensation from either the controller or the processor. Crucially, Article 82(4) establishes joint and several liability: where a controller and a processor are involved in the same processing, they are jointly liable for the entire damage, “so as to ensure effective compensation for the data subject.” As P. Barta, M. Kawecki, and P. Litwiński observe in their commentary on Article 82 of the GDPR (in: P. Litwiński ed., Ogólne rozporządzenie o ochronie danych osobowych. Ustawa o ochronie danych osobowych. Wybrane przepisy sektorowe. Komentarz, 2nd ed., C.H.BECK 2025), the practical consequence is that the injured party may claim the full amount of compensation from any one of these entities – at their election – or from all of them together.

This means, in practice, that a person wrongfully listed in a debt registry may sue the creditor (as the data controller) and the commercial-information bureau (as the processor) jointly and severally – and the court should adjudicate the liability of both in a single proceeding.

Limited processor liability – but not zero. Article 82(2) differentiates the scope of liability: the controller is liable for all damage caused by processing that violates the GDPR, whereas the processor is liable only when it has failed to comply with obligations that the GDPR imposes directly on processors, or when it has acted outside or contrary to the controller’s lawful instructions. Barta, Kawecki, and Litwiński note a third scenario recognized in the literature: where the processor has acted within a sphere of its own discretion, beyond the scope of its arrangements with the controller – in which case it should, in many instances, be treated as a controller for purposes of liability under Article 28(10) of the GDPR.

In the context of commercial-information bureaus, this third ground is of particular significance. A bureau that continues to disclose data to third parties despite having received signals about the disputed character of the underlying claim – correspondence from the listed individual, notice of pending litigation, a decision of the President of the Personal Data Protection Office – may be found to have made independent decisions about the purposes and means of processing, and thus to be answerable as a controller.

Elements of liability and allocation of the burden of proof. The elements of liability under Article 82 are: (1) the occurrence of material or non-material damage; (2) a violation of the GDPR by the controller or processor; (3) a causal link between the violation and the damage; and (4) fault on the part of the controller or processor. Importantly, Article 82(3) reverses the burden of proof: it is the controller or processor who must demonstrate that it “is not in any way responsible for the event giving rise to the damage.” As Barta, Kawecki, and Litwiński emphasize, the phrase “in any way” imports a standard of heightened – rather than merely ordinary – diligence.

This regime is more favorable to the injured party than the general tort-liability framework of Article 415 of the Civil Code, which does not presume fault. As the commentary’s authors note, Article 82 is closest in nature to a tort regime, and the Civil Code’s tort provisions apply only in areas not regulated by Article 82 itself – for example, the limitation period for claims.

 

Non-Material Damage in the CJEU’s Case Law: A Low Threshold, a Broad Concept

Particularly significant for registry-listing disputes is the broad construction of non-material damage in the recent case law of the Court of Justice of the European Union. Recital 146 of the GDPR’s preamble requires that the concept of damage be “interpreted broadly in the light of the case-law of the Court of Justice in a manner which fully reflects the objectives of this Regulation.”

In a series of judgments from 2023 and 2024, the CJEU refined these contours in a manner distinctly favorable to claimants. Damage need not reach any de-minimis threshold (judgment of December 14, 2023, C-456/22). Even the fear of potential illegal use of one’s personal data by third parties may, in itself, constitute non-material damage within the meaning of Article 82 (judgment of December 14, 2023, C-340/21, VB v. Natsionalna agentsia za prihodite; judgment of October 4, 2024, C-200/23, Agentsia po vpisvaniyata v. OL). Likewise, the mere loss of control over one’s data for a brief period can ground a claim (judgment of January 25, 2024, C-687/21).

At the same time, the CJEU insists that the damage must be real: a bare violation of the GDPR, without demonstrated harm, does not suffice (judgment of May 4, 2023, C-300/21; judgment of October 4, 2024, C-507/23). And the right to compensation under Article 82 serves an exclusively compensatory function – not a punitive or deterrent one (judgment of January 25, 2024, C-687/21; judgment of December 21, 2023, C-667/21).

 

Concurrence of Claims: How to Combine Article 82 of the GDPR with Article 24 of the Civil Code

The relationship between a GDPR claim and a personal-rights claim under Polish law is one of the more intricate questions at the intersection of EU and domestic regulation. As Barta, Kawecki, and Litwiński observe, the compensatory regimes overlap in part: the catalogue of protected interests under the GDPR and under Polish personal-rights law share significant territory – above all in the domain of privacy, image, and name protection.

The crucial distinction lies in the type of remedy sought. For pecuniary damage (a lost contract, a denied loan resulting from a negative listing), Article 82 of the GDPR may serve as a self-standing and exclusive basis – it suffices to establish a GDPR violation and a causal link to the loss, without the need to prove that a specific personal right was infringed. For non-pecuniary damage (moral harm), the picture is more complex. As M. Gumularz aptly notes (cited in the commentary), “although Article 82 of the GDPR does not refer to the prerequisite of a personal-rights violation, the occurrence of non-material damage will, by its very nature, be a consequence of a violation of personal rights.” In practice, an award of compensation for moral harm requires establishing a violation not only of the GDPR but also of Article 24 of the Civil Code. For corporate claimants seeking compensation under Article 448 CC read with Article 43, the Supreme Court’s III CZP 22/23 resolution provides additional and definitive support.

Strictly non-pecuniary remedies – an order to cease the violation, to remove the registry entry, to issue a written apology – must, under current law, be grounded in Articles 23–24 of the Civil Code, read together with Article 92 of the Personal Data Protection Act and Article 79 of the GDPR.

The optimal litigation strategy therefore consists of invoking both bases cumulatively: Article 82 of the GDPR (for damages claims, with the advantageous reversed burden of proof) and Articles 24 and 448 of the Civil Code (for non-pecuniary remedies and moral-harm compensation). Suing the creditor and the bureau jointly and severally on both bases eliminates the risk of being bounced between respondents and compels both to mount an active defense. Such an approach calls for strategic advisory that accounts for the particular dynamics of data processing within commercial-information systems.

Polish courts are slowly embracing this dual optic. As the commentary’s authors note, judgments grounded in Article 82 of the GDPR are beginning to appear in judicial practice (see the Warsaw District Court’s rulings of August 6, 2020, XXV C 2596/19; of December 17, 2021, III C 1169/19; and of December 5, 2022, XXV C 559/22) – though many courts continue to adjudicate solely on the basis of the Civil Code, omitting the GDPR framework entirely. This ought to change: as Barta, Kawecki, and Litwiński stress, reliance on Article 82 in cases involving the unlawful use of personal data should constitute, at a minimum, good judicial practice.

 

Disputed Debts and the Registry: A Particular Vulnerability

The scenario in which a creditor reports to a bureau a claim that is the subject of a genuine dispute – challenged as to its existence, its amount, or its enforceability – warrants separate analysis, because it represents the most common form of instrumental registry abuse.

A crucial distinction separates a disputed claim from a nonexistent one. The Commercial Information Act requires the reported claim to exist and be due. If the debtor contests the obligation – because the underlying contract is void, because the debt has been paid, or because the claim is time-barred – the creditor bears the risk that the registry entry will be held unlawful. Where the dispute arises in the context of broader financial difficulties, the debtor should also consider restructuring as a strategy for managing creditor relations.

The Szczecin District Court, in its December 10, 2014, judgment (case No. II Ca 325/14, Legalis No. 2182852), confirmed that a debtor whose obligation is contested by the creditor retains a legal interest in bringing a declaratory action for nonexistence of the debt (Article 189 of the Code of Civil Procedure) – independent of any remedy under Article 30 of the Commercial Information Act. A declaratory judgment that the debt does not exist definitively resolves the dispute and furnishes a basis for the entry’s removal.

 

Time-Barred Claims

Whether a time-barred debt may lawfully be listed remains controversial. The Szczecin District Court, in its October 8, 2014, judgment (case No. II Ca 81/14, Legalis No. 2181165), took the position that limitation does not affect a debt’s existence or enforceability for purposes of the statute, and that the Act contains no prohibition on listing a time-barred claim.

That position, however, calls for careful reassessment after the 2018 amendment to the Civil Code, which introduced Article 117 § 2¹ – a provision barring a creditor from demanding satisfaction of a time-barred claim against a consumer. Under the current state of the law, the argument that listing a time-barred consumer debt is unlawful has gained substantial normative support – analogous to the treatment of unfair contract terms, which cannot ground claims against consumers.

 

The Data-Protection Authority’s Decision as a Binding Preliminary Finding

Where the violation simultaneously concerns personal-data-protection regulations (GDPR), it is worth considering a complaint to the President of the Personal Data Protection Office (UODO). A final and binding decision of the President finding a violation of data-protection rules binds the civil court, under Article 97 of the May 10, 2018, Personal Data Protection Act, as to the fact that those rules were violated.

The practical power of this mechanism is well illustrated by the Warsaw District Court’s March 2025 ruling (case No. II C 310/23). The President of the UODO had issued a reprimand to the defendant company for processing the plaintiff’s personal data without a legal basis in the records of a commercial-information bureau over a period from March 2019 to March 2021. The court, invoking Article 97, treated the unlawfulness of the defendant’s conduct as conclusively established and awarded the plaintiff three thousand zlotys in compensation, together with an obligation to issue a formal written apology. Significantly, the court observed that a final UODO decision effectively deprives the defendant of the ability to mount a successful defense on the question of unlawfulness.

 

Unfair-Competition Claims: An Additional Line of Defense for Business Entities

Entrepreneurs subjected to instrumentalized registry listings may also invoke the Act on Combating Unfair Competition. Under Article 14 of that statute, the dissemination of false or misleading information about another entrepreneur constitutes an act of unfair competition when it is aimed at exerting impermissible pressure – for instance, to coerce the purported debtor into paying an amount that is not owed.

Notably, the courts have held that the existence of a competitive relationship is not a necessary prerequisite for qualifying conduct as an act of unfair competition under Article 14 – it suffices that the conduct could potentially affect the entrepreneur’s market position.

 

Jurisdiction and Procedural Pathways

Disputes concerning entries in commercial-information bureaus are civil in nature; they fall within the jurisdiction of the ordinary courts, not the administrative courts. The Provincial Administrative Court in Warsaw confirmed this in its March 4, 2016, order (case No. IV SA/Wa 3743/15, Legalis No. 1647668), dismissing a complaint against the Minister of Development and noting that the contract between a creditor and a bureau is civil-law in character, and that ministerial supervision over the bureaus does not extend to the formation or performance of individual agreements.

 

A Practical Sequence of Steps

A party wrongfully listed in a debt registry as a result of a creditor’s attempt to exert pressure in a dispute over a claim should take the following steps:

Step 1 – Documentation. Secure the evidence: a printout from the registry confirming the listing, all correspondence with the creditor, and documents demonstrating the disputed character of the claim – complaints, demands, records of disagreement.

Step 2 – Demand to the creditor (Article 30(1) of the Commercial Information Act). A written demand for the removal of the commercial information, with a statement of the grounds on which the entry violates the statute. The demand should specify a deadline for compliance and warn of intended legal proceedings. At this stage, negotiation with the creditor aimed at voluntary removal is also possible.

Step 3 – Complaint to the President of the UODO (where the violation involves the processing of personal data without a legal basis). Obtaining an administrative decision establishing a GDPR violation materially strengthens the subsequent civil case.

Step 4 – Court proceedings. Depending on the circumstances: a declaratory action for nonexistence of the debt (Article 189 CCP); a personal-rights action seeking an order for removal of the entry and moral-harm compensation (Articles 24 and 448 CC); a damages claim under Article 82 of the GDPR – optimally with the creditor and the bureau joined as solidary defendants; or, between business entities, an unfair-competition claim (Article 18 of the Unfair Competition Act).

Topical publications

When the Employee – Not the Company – Pays for Fictitious Invoices
2026-04-06

When the Employee – Not the...

A ruling from the Court of Justice of the European Union has upended a decade of conflicting case law in…

read more
Your Employee’s Fraud, Your Tax Bill
2026-04-06

Your Employee’s Fraud, Your Tax Bill

When a gas-station manager in Poland spent four years selling fictitious invoices under her employer’s name, the question of who…

read more
Does a Subsidiary Constitute a Fixed Establishment for VAT Purposes?
2026-04-05

Does a Subsidiary Constitute a Fixed...

The CJEU’s Ruling in Dong Yang Electronics (C-547/18) and the Limits of a Service Provider’s Duty of Inquiry The establishment of…

read more
See more publications