Polish supervisory authority imposes fine for breach of information obligation under ART. 14 GDPR
A few days ago, it became known that the Polish supervisory authority (UODO) had imposed a fine of approximately €220,000 on the address trader Bisnode for breaching the information obligations under Article 14 of the GDPR.
Data collection from generally accessible sources
Bisnode, an address trader in Poland, collected for commercial purposes from publicly available sources (e.g. from the electronic central register), among other things, personal data relating to the economic activity of the data subjects. For this purpose, a corresponding database has been set up, which contains a total of approximately 7.5 million data records on natural persons, including sole proprietors and persons who are shareholders or members of the governing bodies of companies, foundations and associations.
Only limited information for those affected
When the GDPR came into effect in May 2018, Bisnode had only informed about 680,000 individuals from the database according to Art. 14 GDPR, as email addresses were stored in the database for these individuals. For the other persons in the database, Bisnode usually only had the address stored as contact information. These persons were not informed, as Bisnode invoked the disproportionate effort of the information obligation pursuant to Art. 14 GDPR in this regard. Information by mail (Bisnode assumed that information would be sent by registered mail) would involve too much organizational and financial effort. Instead, Bisnode had published a corresponding privacy notice on its website.
Assessment of the supervisory authority: Violation of Art. 14 DSGVO
From the UODO’s point of view, this was not sufficient to comply with the requirements of Art. 14 GDPR. In the fine notice, the supervisory authority made the following findings:
- Placing the information on the company website is not sufficient to inform the data subjects according to Art. 14 GDPR
- A postal information of the data subjects was not required according to Art. 14 para. 5 letter b DSGVO impossible or does not require a disproportionate effort.
- A disproportionate effort would only exist if a company had to research contact data first, provided that neither address data nor cell phone number or e-mail address are stored for the data records.
As a result, the Polish supervisory authority has adopted a very restrictive interpretation of the General Data Protection Regulation, as it did more frequently under the 1995 EU Data Protection Directive.
On the progress of the proceedings
According to initial announcements, Bisnode will not accept the fine. In court proceedings, a referral to the ECJ could be made if there are ambiguities regarding the interpretation of European law.
It is eagerly awaited whether this case will be settled by the courts and whether other supervisory authorities will follow the view of the Polish authority.
For questions regarding the implementation of the information requirements according to Art. 13, 14 DSGVO, please contact Hr. RA Wilfling at 0228/90248070