A look back at Poland and GDPR
Earlier in March 2019, Poland’s GDPR supervisory authority issued its first decision, imposing an administrative fine of PLN 943,000 (approximately EUR 220,000) for violating the information obligation under GDPR Article 14.
The fine targeted a data broker company that processes information about individuals conducting business activities and board members, with data sourced from publicly available registers. The company notified approximately 680,000 individuals who had shared email addresses in the registers. However, over 6 million remaining individuals were not informed about their data processing, despite having partially known postal addresses.
The company attempted to invoke an exemption under GDPR Article 14.5(b), claiming that “the operational costs of printing the required information and sending it by post would be disproportional high in comparison to the expected profit.” Instead, the company published an informational notice on its website.
Results
The Polish Personal Data Protection Office rejected this approach and imposed the fine. The authority ordered the company to fulfill the information obligation by notifying data subjects whose addresses were known through postal contact. The web-based informational clause was deemed insufficient.
The authority determined that affected individuals were “deprived of the possibility to exercise their rights under GDPR; in particular, the right to object to further processing of their data or to request their rectification or erasure.”
Thoughts
Though subject to appeal, this substantial fine demonstrates that GDPR enforcement is becoming increasingly rigorous across the European Union, signaling that data processors must take compliance seriously.