Polish DPA imposes EUR 220,000 fine for breach of Art. 14 GDPR
On 26 March 2019, the Polish data protection authority (DPA) announced that it has imposed its first financial penalty amounting to EUR 220,000 (approx. PLN 943,000) on a data controller in Poland for failing to comply with the provisions of the GDPR. The controller is a company that aggregates personal data from publicly available registers, such as the Central Register and Information on Economic Activity (CEIDG) and the National Court Register (KRS), for the purpose of providing company-verification services. The personal data in question was the data of entrepreneurs conducting business in the form of a sole proprietorship, including active entrepreneurs and persons who have conducted business activity in the past or have suspended it. According to the DPA, the controller failed to comply with its duties as specified in Article 14 para 1-3 GDPR, as it did not provide the data subjects with the information required when collecting personal data from sources other than the data subject.
Violation of obligation to provide information to data subjects
According to the DPA, the company processed the personal data of over 7 million sole-entrepreneurs for its profit-making purpose. However, the company sent individual information about this processing only to a small fraction of those persons - approx. 900,000 data subjects. Thus, the company did not provide information required by the GDPR to over 6 million people.
The company argued that it did not have the email addresses of the other data subjects and that sending information to those data subjects by post would have involved a disproportionate effort, as the cost of mailing letters could be over PLN 30 million (EUR 6,978,000), which is more than the company's annual turnover. For the same reason, the company decided not to inform the data subjects via SMS. Moreover, the company argued that sending individual information to each person would generate additional costs, such as the costs of printing, paper and remuneration for the third party to which the company would outsource this obligation. The company claimed that the practical implementation of the obligation to inform data subjects could threaten its ability to conduct business activity in Poland. It relied on Article 14 point 5 b) GDPR as a basis to be exempt from providing the information. Finally, it argued that it had all the necessary information about the data processing on its website.
In the opinion of the DPA, displaying information on a website was insufficient. The authority emphasized that the controller had the data subjects' contact data, i.e., their phone numbers and postal addresses. Thus, it should have informed them individually about - inter alia - the controller's identity, the purpose and retention period, the source of data and their rights under the GDPR. The authority stressed that out of 900,000 persons that were properly informed about the processing, 12,000 decided to object. Failure to properly inform the remaining large number of data subjects deprived them of their rights under the GDPR.
The DPA further stressed that the breach was intentional as the company was aware of its duty to inform the data subjects, which led to the authority's decision to impose quite a significant fine. Also, the breach was not a one-off event, but lasted for a long time, even several months after the GDPR started to apply. The DPA also emphasized that the main business activity and source of revenue of the company is processing personal data in a professional manner and on a large scale. As a result, the DPA reasoned that the company needed to factor into its business planning the cost of compliance with core legal obligations.
Apart from a financial fine, the DPA also ordered the company to comply with the obligation to provide data subjects with the information specified in Article 14 paras 1 and 2 GDPR within 3 months of the delivery of the decision. This obligation includes not only entrepreneurs currently conducting business activity, but also those who have conducted it in the past or suspended it, given the fact that the company processes such data as well.
What will happen next?
The company may now appeal the decision in court. Filing such appeal will suspend the execution of the decision until a final judgment is delivered by the court. The DPA is said to be preparing another two decisions imposing penalties but no further details have been disclosed.
What does it mean for companies doing business in Poland?
The first decision of the Polish DPA shows that the Polish authority has adopted a strict approach and takes compliance with the information obligation very seriously. In its decision the authority stressed that data subjects who are unaware of the processing of their data cannot in fact exercise their fundamental rights under the GDPR. It is worth noting that the data subjects in question were not consumers, but sole-entrepreneurs, whose data were collected from the official, publicly available register. It may be anticipated that in cases involving consumers, the penalties may be even higher. However, even if controllers process only business-related data, as in this case, they should also pay attention to fulfilling information duties, e.g., in relation to their business contacts, clients or vendors.