Polish DPA issues the first fine for a violation of the GDPR – and it’s harsh
On 25 March 2019, the Polish data protection authority (DPA) (referred to in Polish as “PUODO”) announced the imposition of the first GDPR-related fine in Poland. A data controller was fined approximately PLN 1 million (approx. EUR 230,415) for a failure to comply with the information obligation set forth in Article 14 of the GDPR.
The proceedings – basic information
Although the regulator decided not to disclose the name of the entity on which the fine was imposed, the description of the factual background was sufficient to quickly identify the company. Given the circumstances, it was almost certain that the entity subject to the fine was Bisnode, a Polish company providing entity verification services. Moreover, Bisnode quickly published an official statement on its website in response to PUODO’s decision, while an interview with its CEO appeared in one of the biggest Polish newspapers just two days later.
Bisnode is a company that aggregates personal and other data from publicly available documents and registers, such as the Central Register and Information on Economic Activity (CEIDG) and the National Court Register (KRS). It then uses the data it collected in order to prepare reports, summaries, etc., which it offers to clients as part of providing company-verification services. The personal data referred to in PUODO’s decision was the data of people conducting business as sole traders, including those who are currently active and those who have conducted business activity in the past or have suspended it, as well as the personal data of people who are shareholders or members of the boards of companies, foundations and associations.
Background of the case
Bisnode holds a total of more than 7.5 million records of data relating to natural persons. The company fulfilled the individual information obligation by sending an e-mail to the 682,439 people whose e-mail addresses it had as part of the database record. However, for almost 200,000 people, Bisnode only had their mobile telephone numbers, and for almost 6.5 million people, it only had their postal correspondence addresses (of which almost 3 million records related to inactive businesses). The company decided not to fulfill the information obligation stemming from Article 14 of the GDPR towards these data subjects on the basis that doing so would constitute a “disproportionate effort” as specified in Art. 14(5)(b) of the GDPR.