The first Polish GDPR fine is of over € 200K and was issued for lack of provision of privacy information in a scenario where a disproportionate effort was not identified.
The facts that led to the Polish GDPR fine
On 25 March 2019, the Polish data protection authority (referred to in Polish as “UODO“) announced the issue of the first GDPR related fine in Poland. A data controller was fined approximately PLN 1 million (approx. € 230,415 ) for a failure to comply with the information obligation set forth in Article 14 of the EU General Data Protection Regulation.
Although the regulator decided not to disclose the name of the entity on which the fine was imposed, the description of the factual background was sufficient to quickly identify the company. Based on all circumstances it was almost sure that the entity subject to the fine was Bisnode, a Polish company providing entity verification services.
Bisnode holds a total of more than 7.5 million records of data relating to individuals. The company fulfilled the individual privacy information obligation under the GDPR in relation to 682,439 people, where it had their e-mail addresses as part of the database record, by sending an e-mail. However, with reference to almost 200,000 people, apparently Bisnode only had their mobile telephone numbers, and in relation to almost 6.5 million people, it only had their postal correspondence addresses (of which almost 3 million records related to inactive businesses).
Given the circumstances above, the company decided that article 14.5, letter b), of the GDPR was applicable in relation to the last categories of individuals and such provision prescribes that the privacy information obligation of article 14 does not apply insofar as
“the provision of such information proves impossible or would involve a disproportionate effort, [—] In such cases the controller shall take appropriate measures to protect the data subject’s rights and freedoms and legitimate interests, including making the information publicly available“.
In order to comply with the above obligation, Bisnode had also published a statement on its website, in a tab entitled “Data and privacy” / “Information on the processing of personal data”. The information in this tab was compliant with the requirements of Art. 14 par. 1 and par. 2 of the GDPR and, according to Bisnode’s explanations, the cost of sending a notice through postal mail would have been of almost PLN 34 million (approx. € 33,999,996) which would be more than the company’s turnover from 2018 according to its CEO.
The notion of disproportionate effort according to the Polish data protection authority
In its decision, UODO presented the following reasoning:
- The mere inclusion of the privacy information required under Art. 14 par. 1 and par. 2 of the GDPR on the company’s website, in the situation where the company had the address data (and sometimes also the telephone numbers) of individuals operating as sole traders (currently or in the past), enabling the traditional mailing of correspondence containing information required by this provision (or communicating it by telephone), cannot be considered as sufficient fulfillment by the company of the obligation referred to in Art. 14 par. 1-3 of GDPR;
- The delivery of the information referred to in Art. 14 of the GDPR by post, to the address of an individual running a business, or by telephone, is not an “impossible” activity and does not require a “disproportionately large effort” in the situation in which the company had a database in its IT system containing the address data of individuals acting as sole traders (currently or in the past), and also – in relation to some of these people – their telephone numbers as well.
UODO explained that Bisnode’s argument concerning disproportionate effort could apply to the personal data of people who are shareholders or members of company bodies and other legal persons, since there are no contact details of these people in public registers (in particular in the National Court Register), and therefore the company would have to search for this data in other places. According to UODO, only this could be classified as a disproportionately large effort for the company; however, this argument was not valid in relation to other data subjects.
UODO concluded that the company made an informed decision (motivated by the desire to avoid an additional financial burden) about the non performance of the privacy information obligation referred to in Art. 14 par. 1-3 of the GDPR towards individuals that currently conduct business activity as a sole trader, or that have done so in the past, “due to costs running in to the millions of zlotys“. This should be considered as an intentional violation of the indicated provisions of law, serving as an aggravating factor in the process of issuing the fine.
Although in the course of the proceedings it was not established that any damage had been suffered by the data subjects, this was not treated by UODO as any mitigating argument and it emphasized that the further processing of personal data without the data subjects’ knowledge undoubtedly hinders or restricts them in exercising their rights, e.g. the right to delete data, to rectify it or to oppose its processing. Consequently, UODO explained that the failure to comply with the information obligation led to the company’s privileged position in exercising its rights in relation to the rights of data subjects and constituted an important element of the company’s business.
UODO also noted that both in the course of the audit and during the proceedings, Bisnode willingly cooperated, e.g. by sending explanations and replying to UODO’s letters. However, this cooperation “was only aimed at ensuring the proper conduct of the proceedings, and not at removing the violation found during the inspection, or removing its consequences.”
Other interesting takeaways from the decision on the fine of the Polish data protection authority
Although, UODO limited its argumentation and explanations of the notion of “disproportionate effort” in a rather disappointing manner, its decision did include some important statements which may be relevant for future cases:
- UODO explained that if the information obligation is to be fulfilled by traditional post, it is not obligatory to send letters by registered mail. This obviously has a significant impact on the cost of such an operation. UODO pointed out that Article 14 of the GDPR does not imply that the information notice must be sent by registered mail, as long as the data controller is able to prove that it was delivered to the persons whose personal data is processed. “The essence of fulfilling the obligation is that the controller acts in an active manner, active towards the data subject, by providing this person with information specified in the provisions of Regulation 2016/679.“
- UODO did not question the legality of Bisnode’s operations as such, nor the legal basis for gathering data from public sources and compiling them into reports and summaries. This is an important confirmation for other providers of such services; and
- UODO emphasized that it was also necessary to impose an administrative fine because the company, while being aware of the existence of the infringement, did not take, or even promise to take, any actions to remove it.
Our view on the dispute
UODO’s justification of the decision has been widely criticized due to its lack of in-depth analysis of the situation and, in particular, the notion of “disproportionate effort” – which is of great interest and concern to many players in the market (in particular, to entities that process large amounts of personal data as the core part of their business activity).
UODO did not explain its reasoning in detail or comment on the very high cost (as calculated and presented by Bisnode in its explanations) of fulfilling the information obligation and the impact of bearing such costs on a company’s business. Moreover, as the argument of “disproportionate effort” was disregarded , UODO also failed to provide almost any example of actions which could be considered as “disproportionate effort” as referred to in Art. 14 5(b) of the GDPR.
It is also disappointing that the decision said very little about the actual meaning of the information obligation, its importance, and the real effect that its absence may have on a data subject’s rights. Argumentation in this regard was limited and rather theoretical, which led many observers to consider the GDPR fine issued by the Polish data protection authority as excessive. This reaction is understandable because the justification of the decision does not contain sufficient explanations concerning the possible consequences of Bisnode’s misconduct.
It is clear that the Polish first GDPR related fine has caused a lot of controversy and interest. However, it is a great pity that the content of the decision is so limited. This is particularly worrying in the light of the fact that this first decision will be the first building block for future practice in this field. We are now eagerly awaiting Bisnode’s appeal to the administrative court and the court’s judgment, hoping that the proceedings will provide a forum for a more satisfactory legal analysis and higher quality conclusions.
On the same topic you may find interesting the article “Privacy information notice – more complicated with the GDPR“.