Polish DPA fines organisation for not processing data securely

Updated: Apr 15


The President of the personal data protection office (UODO) imposed its first fine, in the amount of PLN 943000 (about €220000), for the failure to fulfil the information obligation in March 2019.


“The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity”, emphasised Dr Edyta Bielak-Jomaa, President of UODO.




Many people whose data were processed by the organisation were not aware of this. The controller did not inform them about the processing and thus deprived them of the possibility to exercise their rights under the GDPR. As a result, they could not object to the further processing of their data or request their rectification or erasure. The President of the personal data protection office considered the breach to be serious since it concerns the fundamental rights and freedoms of people whose data are processed by the organisation. Imposing the fine is necessary because the controller does not comply with the law.

As Piotr Drobek, Director of the analysis and strategy department at UODO, explained, the organisation did not meet the information obligation in relation to over 6 million people.

Out of about 90,000 people who were informed about the processing by the organisation, more than 12,000 objected to the processing of their data.


The decision of the UODO’s President concerned proceedings related to the activity of an organisation which processed data subjects’ data acquired from publicly available sources, among other things from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified compliance with the information obligation with regard to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by presenting the information required under art. 14 (1) – (3) of the GDPR only in relation to the persons whose email addresses it had at its disposal. In the case of the remaining persons, the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Instead, it presented the information clause only on its website.

In the opinion of the President of the personal data protection office, such action was insufficient – while having the contact data of particular persons, the controller should have fulfilled the information obligation in relation to them, that is, it should have informed them, among other things, about their data, the source of their data, the purpose and the period of the planned data processing, as well as the data subjects’ rights under the GDPR.


In the opinion of the UODO’s President, the provisions do not impose an obligation on the controller to send such correspondence via registered e-mail, which the organisation had raised as an excuse for not fulfilling an obligation it considered expensive.


In the case at hand, the entity had postal addresses and phone numbers and could, therefore, comply with the obligation to provide information to the persons whose data was being processed. This case must therefore be distinguished from another case decided by the Polish DPA some years ago, in which another organisation did not have such addresses at its disposal.


The President of the personal data protection office found that the infringement of the controller was intentional, because – as it was established during the proceedings – the organisation was aware of the obligation to provide relevant information, as well as the need to inform persons directly.


When imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so.
