[BreachExchange] First Fine Imposed by the Polish DPA Under the GDPR
Destry Winant
destry at riskbasedsecurity.com
Fri Apr 5 09:24:07 EDT 2019
https://www.jdsupra.com/legalnews/first-fine-imposed-by-the-polish-dpa-52611/
The President of the Personal Data Protection Office in Poland (Polish
DPA) imposed a fine amounting to PLN 943,470 (approximately EUR
220,000; approximately USD 245,977) for failing to fulfil the
company’s transparency obligations towards over six million data
subjects under Article 14 of Europe’s General Data Protection
Regulation (GDPR).
This is the first fine imposed by the Polish DPA under the GDPR and
Poland’s Act on Personal Data Protection of 10 May 2018 implementing
the GDPR. The decision provides some limited insights into the
interpretation of the term “disproportionate effort” within the
meaning of Article 14(5)(b) of the GDPR.
The company subject to the fine is a provider of digital business,
marketing, and credit information. The company collects the data of
business entities from publicly available sources including public
records such as the Central Register and Information on Economic
Activity (CEIDG), and the Official Business Register (REGON). In the
course of its activities, it processed personal data such as the
names, surnames, contact details, and PESEL numbers (Polish national
identification numbers) of over seven million people, including
independent traders, and people who are partners or members of
companies, foundations, and association bodies. According to the
president of the company, its data processing activities have been
inspected by authorities in two other countries besides Poland and no
irregularities had been found.
The company fulfilled the information obligation towards nearly
700,000 people whose e-mail addresses were stored in its databases. In
relation to those people whose personal data was only limited to their
mailing address or telephone numbers, the company decided not to
fulfil the information obligation through a personalised message since
this would have entailed excessively high costs amounting to over PLN
33 million (approximately EUR 7.676 million; approximately USD 8.603
million). Instead, the company decided to publish the information
concerning the data processing on its website.
The Polish DPA did not agree with the company’s line of defence which
was based on Article 14(5)(b) of the GDPR, under which the information
obligation is excluded if the provision of information involves a
disproportionate effort.
In its decision, the Polish DPA ordered the company to fulfil the
information obligation towards the remaining people within three
months following the receipt of this decision. When imposing the fine,
the Polish DPA took into account: the revenues of the company, the
fact that the breach of GDPR Article 14 was committed intentionally,
and that the company did not take any steps to cease the infringement
during the DPA’s inspection. In addition, the Polish DPA pointed out
that the breach concerned a significant amount of data subjects and
that, as a consequence of the breach, the data subjects could not
exercise their fundamental rights over their personal data.
The Polish DPA’s decision has received a great deal of attention in
Poland and has been widely discussed by Polish academics and lawyers.
The element of the decision that concerns the academics and lawyers
the most is that it lacks a clear interpretation of the term
“disproportionate effort” in the context of the information
obligation, or an explanation as to how to fulfil the information
obligation towards such an enormous group of data subjects without
suffering excessively high costs.
The company can now appeal against the decision to the
Voivodship Administrative Court in Warsaw within 30 days following its
receipt of the decision.