The first administrative financial fine of 943,000 PLN was imposed on a company by UODO (the Polish Personal Data Protection Office) for a failure to provide information to data subjects on how their personal data is processed. Further, the company has been obligated to provide data subjects with necessary information within three months from the delivery of this decision.
The company, whose business name was not disclosed and whose core business activity for 25 years had involved the provision of services based on the processing of personal data, obtained personal data from publicly available sources (such as the KRS, the National Court Register, and CEIDG, the Business Activity Central Register and Information Records) and subsequently processed that data for commercial purposes. The data included names and surnames, the business names of enterprises, types of business activity, correspondence addresses, e-mail addresses and telephone numbers. The company obtained the personal data of almost 3.59 million self-employed persons and natural persons who had suspended their business activity, as well as the personal data of 2.33 million natural persons who had formerly run such business activity. In total, this represents the personal data of approx. 6 million people, amounting to 15.7% of the population of Poland (https://stat.gov.pl/podstawowe-dane/).
Because the company did not obtain the personal data directly from the data subjects, it was obliged to fulfil the information obligation towards them under Art. 14 of GDPR.
The company fulfilled the information obligation on the processing of personal data towards approx. 682,000 people whose e-mail addresses it held. This represented only 11.4% of the total number of people whose personal data the company processed. It is worth noting that more than 12 thousand people from this group objected to the processing of their personal data. At the same time, the company still possessed the postal addresses or mobile numbers of the remaining data subjects.
A personal data breach has taken place
The crux of the dispute was the assessment of when a data controller is released from the obligation to provide information on the processing of personal data on the grounds of the disproportionate effort needed to do so. As follows from the decision, the company argued that meeting the information obligation by sending letters or SMSes would involve substantial costs, which could result in a loss of competitiveness on the market or even a loss of financial liquidity. Further, the company argued that performing this obligation would require the significant involvement of its staff.
However, the argument that incurring substantial expenses or involving the company’s staff constitutes a disproportionate effort raises some concerns, since a business model should, first and foremost, assume compliance with the relevant provisions of law. The claim that the need to comply with mandatory provisions leads to a disproportionate effort is therefore difficult to sustain. By the same logic, a company could justify non-compliance with environmental regulations, compliance with which might also reduce its profitability. The intention to reach higher profits cannot release a company from its obligation to comply with the provisions of law.
The company’s calculation of the possible costs of fulfilling the information obligation also raises some concerns. The company assumed that it would print and prepare the notifications itself and send them by registered letter. In this respect, UODO pointed out that there is no obligation to send the information by registered letter. In addition, there are many entities on the market which offer mass mailing services and are certainly able to provide them at a much lower cost.
During the proceedings before UODO, the company stated that information on the processing of personal data was available on its website. UODO rejected this argument: the mere publication of such information on a website was not considered sufficient to fulfil the information obligation referred to in Art. 14 of GDPR, especially given that the company was in possession of each data subject’s address and telephone number and was therefore able to provide the information by mail.
The key factor in imposing the administrative financial fine was the intentional and significant nature of the breach, i.e. the deliberate failure to provide information on the processing of personal data. The amount of the fine was also influenced by the fact that the company’s core activity is the processing of personal data, and by the fact that the information obligation was not fulfilled towards a substantial number of data subjects. Another important factor was that the remaining data subjects were unaware of the processing and were therefore unable to exercise their rights under the GDPR.
UODO emphasized that, during the proceedings, the company did not proactively cooperate with UODO to remedy the breach, but merely responded to queries as they were sent. This indicates that every entrepreneur should cooperate with UODO and, where possible, consider undertaking mitigation or remedial measures during any investigation.
The decision of UODO’s President is final. A company may file a complaint with the Regional Administrative Court in Warsaw, through the President of UODO, within 30 days of the ruling. We would like to remind you that, pursuant to Art. 83 Sec. 5 letter b of GDPR, a breach of the provisions relating to the rights of data subjects is subject to an administrative financial fine of up to 20,000,000 EUR or, in the case of an enterprise, of up to 4% of its total annual worldwide turnover for the preceding financial year, whichever amount is higher.
This information has been prepared solely on the basis of decision no. ZSPR.421.3.2018 of the President of UODO, available at https://uodo.gov.pl/decyzje/ZSPR.421.3.2018, and press releases.