The first fine imposed by the President of the Personal Data Protection Office
The President of the Personal Data Protection Office (UODO) imposed the first fine in the amount of over PLN 943 000 for the failure to fulfil the information obligation.
-“The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity", emphasised Dr Edyta Bielak-Jomaa, President of UODO.
Many persons whose data were processed by the company were not aware of this. The controller did not inform them about the processing and thus deprived them of the possibility to exercise their rights under the General Data Protection Regulation (GDPR). Therefore, they had no possibility to object to further processing of their data, to request their rectification or erasure. The President of the Personal Data Protection Office considered the breach to be serious, since it concerns the fundamental rights and freedoms of persons, whose data are processed by the company and relates to the basic issue – the information on the processing of data. Imposing the fine is necessary, because the controller does not comply with the law.
As Piotr Drobek, Director of the Analysis and Strategy Department at UODO, explained- the company did not meet the information obligation in relation to over 6 million people. Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data. This shows how important it is to properly fulfil the information obligations in order to exercise the rights we are entitled to in accordance with the GDPR.
The decision of the UODO’s President concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website.
In the opinion of the President of the Personal Data Protection Office, such action was insufficient – while having the contact data to particular persons, the controller should have fulfilled the information obligation in relation to them, that is it should have informed them inter alia on: their data, the source of their data, the purpose and the period of the planned data processing, as well as the data subjects’ rights under the GDPR.
In the opinion of the UODO’s President, the provisions do not impose an obligation on the controller to send such correspondence by registered mail, which was raised by the company as an excuse for not fulfilling an expensive obligation.
In the relevant case, the entity had postal addresses and telephone numbers and could therefore comply with the obligation to provide information to the persons whose data are being processed. Therefore, this case should be distinguished from another case decided by the Polish DPA a few years ago, when another company did not have such addresses at its disposal.
The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because - as it was established during the proceedings - the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons.
While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so.
English translation of the decision is available below.