First fine for GDPR infringement in Poland

Poland

The Polish data protection authority – UODO – has imposed a fine of almost PLN 1 million (equivalent to EUR 220,000) on a controller for failing to fulfil the information obligation under Article 14 of the GDPR. This is the first financial sanction for infringing the GDPR in Poland and it was imposed as a result of UODO’s inspection.

The fined company’s business activity consists in running a commercial database composed of over 7.5 million records of personal data concerning sole traders, shareholders and officers of companies, foundations and associations. The data included in the database is collected from publicly available registers, such as registers of sole traders (CEIDG) and companies (KRS).

The company met the information obligation with respect to over 682,000 sole traders whose email addresses were provided in the public registers. The company also posted an information clause on its website.

Although the company had postal addresses or telephone numbers of the remaining persons, it decided not to provide them with the information clause. The company argued that doing so would involve a “disproportionate effort” because of the additional organisational load and excessive costs: sending the clause via traditional registered mail would cost over PLN 33 million.

UODO disagreed with the company’s argumentation. The main issues discussed were as follows:

“Disproportionate effort”

  • Given that the company’s main business activity is based on processing personal data and that it had access to contact details of sole traders, informing them about the processing of their data should not be regarded as involving disproportionate effort. Interestingly, the authority considered that the failure to inform shareholders or officers was different, as the company did not have those persons’ private contact details. Thus, according to UODO, the company would need to make a disproportionate effort to search for the contact details needed to inform them. It seems from the foregoing that access to contact details, rather than the cost of providing the information, was the decisive factor in assessing whether the effort was disproportionate.
  • Including the information clause on the company’s website cannot be considered as meeting the transparency requirement, as the persons concerned were not aware that the company was processing their personal data.

Intentional and on-going nature of the infringement

  • The intentional nature of the infringement – the company made a choice not to inform data subjects who did not provide their email addresses – was one of the most important aggravating factors in UODO’s view.
  • The fact that the infringement was an on-going one (it was not limited to a one-off situation) and that the company did not undertake steps to cease the infringement was also considered by UODO as an aggravating circumstance.

In addition to the fine, UODO obliged the company to meet the information obligation with respect to the remaining data subjects. The company may appeal against the decision.