On Tuesday, March 26th, 2019, the President of the Office for Personal Data Protection (PUODO) Edyta Bielak - Jomaa announced that the first fine was imposed for violation of the General Data Protection Regulation (GDPR). At first glance, the penalty seems quite high - almost PLN 1 million. In addition, the punished entity was obliged to send letters to persons who were not informed about the processing of their personal data.
The penalty is a consequence of the failure of the company seated in Warsaw to fulfill its information obligation towards persons whose data was obtained from publicly available sources (including Central Registration and Information on Business, National Court Register). The acquired data was used by the company to create databases allowing verification of the entities' credibility. It was about people who are currently running a business as well as people who suspended or ceased to conduct business.
The company fulfilled the information obligation only towards persons whose e-mail addresses were available in the registers (the company sent emails to these people). In the case of other people, the company had only correspondence addresses or telephone numbers. In the latter case, the punished entity referred to the exception provided in the GDPR (i.e. Article 14 sec. 5.b). According to it, it is not necessary to fulfill the information obligation for each individual person, if it is impossible to provide information on the processing of data or would involve a disproportionate effort. The punished entity claimed that the costs related to fulfilling the information obligation by sending registered letters are very high. Therefore, the company decided to publish an information clause concerning the processing of personal data on its website.
However, PUODO did not accepted the company’s point of view.
In the opinion of the President, there was a serious violation of the basic obligations, the failure of which deprives individuals of their rights. The information presented so far shows that PUODO has focused precisely on the aspect of violation of the rights of individuals, but has not deeply analyzed interpretation of the exception described in Article 14 sec. 5.b of GDPR.
There is no doubt that the data of natural persons conducting business activity are subject to the same protection as the personal data of consumers, and fulfillment of information obligations towards those persons is important. However, it is difficult to accept the lack, as it seems, of a thorough analysis, whether in this case we were not dealing with a disproportionately large effort in fulfilling the indicated obligation.
After information published by PUODO in the media, there are news that the database used by the penalized company had about 6 million records, and only in the case of about 90 thousand people this entity had e-mail addresses. Although, according to PUODO, it is not required to send registered letters, it can be assumed that the cost of sending even standard letters (i.e. unregistered letters) in this case will significantly exceed the fine imposed. In addition, the question arises whether in the case of sending standard letters, the company would be able to prove that it has performed the information obligation in accordance with the principle of accountability?
We have to wait for publication of the decision of PUODO with justification (here you will find the link of the PUODO’s decisions base: https://www.uodo.gov.pl/pl/129). Then we will analyze this matter in detail. In the justification of the decision, we should find the grounds on which PUODO imposed a penalty (the grounds are indicated in Article 83 sec. 2 GDPR). In addition, it should justify why it was impossible in this particular case to invoke the exception regulated in Article 14 sec. 5.b GDPR. Certainly, the possible lack of a broader justification in the abovementioned scope will need to be critically evaluated.
The decision of PUODO is subject to a complaint to the administrative court, from which the company will certainly benefit from. Filing a complaint suspends the execution of decision in the area of the administrative fines.
This matter is undoubtedly very interesting and will have a major impact on the interpretation of the provisions of the GDPR regarding the implementation of the information obligation. We will certainly follow this topic and inform you about its progress on an ongoing basis on our website.
March 26th, 2019 r., attorney-at-law Agnieszka Rapcewicz