Earlier in March of this year, the Polish GDPR supervisory authority issued its first decision, imposing an administrative fine in the amount of PLN 943,000 (approx. EUR 220,000) for the infringement of the information obligation stipulated in GDPR Article 14.
The fine was imposed on a company (data broker) which processes, in particular, the data of individuals conducting business activity, as well as of board members. The data was obtained from publicly available registers. The company fulfilled the information obligation only towards approx. 680,000 individuals who had disclosed their e-mail addresses in the registers. All remaining individuals (over 6 million people) were not informed about processing, even though their postal addresses were partially known.
The company sought to apply the exemption under GDPR Art. 14.5(b), arguing that the information obligation could not be complied with because the operational costs of printing the required information and sending it by post would be disproportionately high in comparison to the expected profit. Consequently, the informational clause was only published on the company's website.
The Polish Personal Data Protection Office disagreed with this approach and imposed the aforementioned fine. It also ordered the company to fulfil the information obligation by notifying by post those data subjects whose addresses are known. This obligation was therefore not imposed towards board members whose addresses are not disclosed in the registers. The informational clause presented on the website of the company was found by the authority to be insufficient, as in the case of the data subjects whose contact details were known, the company could have complied with the information obligation.
Consequently, the authority argued that the concerned individuals were deprived of the possibility to exercise their rights under GDPR; in particular, the right to object to further processing of their data or to request their rectification or erasure.
Although this decision is subject to appeal, the fact that such a substantial fine has been imposed gives all corporate actors across the European Union pause for thought: GDPR is starting to be treated seriously, and data processors should act accordingly.