The Personal Data Protection Office (UODO) in Poland issued its first administrative fine on March 26 under the General Data Protection Regulation (GDPR). A fine of approximately €220,000 (approximately $247,000) was imposed on the unnamed company for failure to fulfil its information obligations under the transparency requirements in Article 14 of the GDPR when it collected and processed personal data from publicly available registers.
Under the GDPR, individuals have the right to be informed about the collection and use of their personal data. Articles 13 and 14 of the GDPR further specify what individuals have the right to be informed about. Different information requirements apply depending on whether companies collect information directly from the data subject (Article 13) or otherwise (Article 14).
The UODO found that the company had failed to inform more than six million data subjects whose data the company processed and had therefore deprived those data subjects of their rights to object to processing and to request rectification or erasure. This was considered a significant breach by the UODO as it infringed the fundamental rights and freedoms of data subjects.
The company had fulfilled the information obligation by providing the information required under Article 14(1)–(3) of the GDPR in respect of 90,000 individuals whose e-mail addresses it had readily available. For the remaining individuals, the company had postal addresses and telephone numbers that would have enabled it to comply with the information requirements under Article 14; however, it failed to do so due to the “high operational costs” of contacting data subjects by telephone and post.
The UODO held that the company was aware of the obligation to provide certain information and to inform data subjects directly. Accordingly, the UODO found the infringement to be intentional. This was further evident from the continuing infringement and the controller’s failure to remedy it.
The significant fine (of almost PLN 1 million) imposed by the UODO demonstrates the regulator’s approach to companies that purposefully do not comply with the GDPR.
The UODO notice of the infringement is set out on the European Data Protection Board website.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following Morgan Lewis lawyers:
Gregory T. Parks
Mark L. Krotoski
W. Reece Hirsch