Poland’s Personal Data Protection Office has fined data analytics company Bisnode for a GDPR infringement that it said affected more than 6 million people.
The watchdog yesterday said it had fined the relevant data controller “more than” 943,000 złoty (€220,000) for failing to inform more than 6 million individuals that it was processing their data.
The authority did not identify Bisnode, and did not respond to GDR’s requests for it to do so – but the company disclosed that it was the fine’s target today and said it is considering next steps. A European Data Protection Supervisor spokesperson said the GDPR does not require identifying fined companies – “It is also not a matter of national law, but left entirely to the discretion of the [data protection authorities].”
The authority’s head of strategy and analysis Piotr Drobek yesterday said the company had failed to tell more than 6 million people about the processing, and that of the approximately 90,000 people who were told, more than 12,000 objected to it.
Personal Data Protection Office president Edyta Bielak-Jomaa yesterday said: “The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity.” The watchdog found the infringement was intentional, as the company was aware of the obligation to provide information and directly inform affected individuals.
The Personal Data Protection Office said Bisnode had obtained the information from the government public register of business activity, and went on to use it for commercial purposes. The company, it said, only informed individuals about the processing if it had their email addresses, and otherwise failed to comply with the GDPR’s obligation to inform.
The office said the company had failed to comply with the obligation to inform the remaining individuals due to high costs of doing so and only published a notice about the processing on its website.
The Polish watchdog said this action was “insufficient”; it noted that the company had individuals’ postal addresses and phone numbers and could have made them aware. It said the company took no action to end the infringement and did not say it planned to do so.
Bisnode said in a statement that it had notified 679,000 individuals for whom it held email addresses.
Ewa Kurowska-Tober, a partner at DLA Piper in Warsaw, said the decision is “especially important to data brokers and other companies using publicly available data in their business activities”.
She added that the decision is interesting not only because of the amount of the fine, but also because of other statements and interpretations the data protection authority included in its justification for the penalty – for example that delivery of notification by registered post is not required, and that simple mail is acceptable.
“Finally the [data protection authority] did not challenge the legal ground for data processing in the given case,” Kurowska-Tober noted, which may mean it found legitimate interests to be sufficient.
Dominik Lubasz at Lubasz i Wspólnicy in Lodz told GDR that the decision is “exceptional”.
“Without any doubt the obligation to provide data subjects with proper knowledge about operations on their data is one of the basic and most crucial obligations of data controllers,” he said.
But he noted that the decision may be controversial as earlier this year, in a case based on similar facts against data-driven open government organisation Fundacja ePanstwo, the office issued a decision in which it found that processing data collected from public registers did not violate data protection law.
Marcin Serafin, a partner at Maruta Wachta in Warsaw, said the data protection authority “hardly considered the proportionality of the decision of the controller against the effort and costs of serving privacy notice directly to data subjects.”
He added that the authority had “emphasised that the penalty should be cumbersome and deterrent” – but instead of emphasising the “educational” aspect of the penalty, “pushed strongly on its repressive character.”
Serafin added that the company could say during a potential appeal that the effect on data subjects was small enough that the data protection authority did not use its power to warn them about Bisnode’s alleged misconduct.
Łaszczuk i Wspólnicy managing partner Marek Korcz in Warsaw expressed doubt to GDR that the decision – especially the amount of the fine – would be upheld on any possible appeal.
And Xawery Konarski at Traple Konarski Podrecki i Wspólnicy in Krakow said the “substance of the matter” is an exemption to notification obligations when data is gathered from public registries, rather than directly from data subjects. He noted that the GDPR exempts controllers from notification when doing so would involve disproportionate efforts.
Konarski said the decision is controversial as the data subjects in this case were “acting as economic entities” – such as sole traders – and that the cost of notification by post or phone would have exceeded the revenue that the controller had planned to obtain from processing the personal data.
He said the decision to impose a fine in excess of €200,000 should be seen as “harsh”, as the data controller’s interpretation of the law is “not obviously unjustified”.