The Polish data protection authority (‘UODO’) announced, on 26 March 2019, that it had issued a fine of PLN 943,000 (approx. €220,000) against an unnamed company for its failure to comply with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). UODO highlighted that the fine is its first under the GDPR and that the organisation, acting as a data controller, failed to inform over six million data subjects that their personal data were being processed, which prevented them from exercising their rights under the GDPR.
Łukasz Czynienik, Counsel at DLA Piper Giziński Kycia sp.k., told DataGuidance, “There is no doubt that this is a landmark decision. First of all, it is the very first and a fairly harsh […] decision in Poland where a financial penalty has been imposed under the GDPR regime. Before the ‘GDPR-era’, Polish data protection legislation did not, in fact, provide for any legal instruments that would permit the imposition of a financial penalty due to non-compliance […] Secondly, the amount of the fine […] is relatively significant bearing in mind Polish standards. Of course, this amount is far removed from what we have seen in France in the case of Google in January, but it nevertheless fulfils the purpose of being dissuasive pursuant to Article 83(1) of the GDPR. However, what seems to be key is that UODO’s decision clearly confirms that it had ended its grace period, which has been ongoing since 25 May 2018, and that it takes data controllers’ obligations under the GDPR very seriously.”
In its decision, UODO explained that the data controller obtained the personal data of individuals from publicly available sources, namely the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. Furthermore, UODO highlighted that in relation to the processing activities, the data controller only fulfilled its information obligations under Article 14 of the GDPR with respect to those individuals whose email addresses it had at its disposal, and failed to sufficiently inform the other individuals whose data were processed, despite having their postal addresses and telephone numbers.
Czynienik continued, “UODO’s decision arouses many controversies, mainly because of the legal reasoning or, as [highlighted] by some privacy experts, because justification is missing here. The point is that the company […] opted to rely on the [information obligation] exception listed in Article 14(5) of the GDPR. In particular, the company argued that the cost of sending the required information to each individual via post would be substantial and would have exceeded its annual turnover; therefore the ‘disproportionate effort’ condition [under Article 14(5) of the GDPR] was met. In this respect, UODO’s argumentation is not very detailed and such precise legal reasoning ought to be reasonably expected in such a case.”
In UODO’s view, the data controller’s violation of its obligations under the GDPR was intentional, as the company was aware of its information requirements and failed to take measures to comply or declare its intention to do so. In particular, UODO revealed that rather than taking measures to directly inform the individuals, whose email addresses were not at its disposal, about the processing, the data controller opted to include an information clause on its website.
Czynienik concluded, “The case is ongoing and according to press coverage, the company has brought an action challenging UODO’s decision before an administrative court. Thus, the final result of the case is still uncertain, and among privacy lawyers, the common view held is that because of the controversy, the case should be referred for a preliminary ruling to the Court of Justice of the European Union, so that the notion of ‘disproportionate effort’ is explained, particularly in relation to the financial threshold. In fact, the financial threshold was crucial in this case, but it is not precisely elaborated upon either in Article 14 of the GDPR or in the related recitals.”
WERONIKA NATALIA BŁASZCZYK Privacy Analyst