On 25 March 2019, the president of the Personal Data Protection Office announced the imposition of the first-ever fine in Poland for failure to comply with the EU’s General Data Protection Regulation. The fine is quite high (about PLN 1 million) and involves noncompliance with the information obligation by a company that harvested personal data—addresses and telephone numbers of individuals operating businesses—from publicly available sources and then processed the data.
What is the information obligation under GDPR and when can it be avoided?
Providing certain basic information to data subjects about the processing of their personal data is one of the fundamental obligations under the GDPR. Significantly, this obligation exists both when the processed personal data are obtained from the data subject and when the data subject is not the source of the data. The latter case arises under Art. 14 GDPR. According to Art. 14(1), the data controller must provide the data subject with, among other things, information on the identity of the data controller, the purposes for processing of the personal data, and the categories of processed data. But this is not an absolute obligation, as Art. 14(5) excludes the information obligation in a number of instances, for example when the data subject already has the information or when providing the information proves impossible or would involve a disproportionate effort.
Does notification of processing of data by letter involve a disproportionate effort?
In this case, the company that was fined relied on the exclusion in Art. 14(5) GDPR, arguing that notifying the data subjects would require disproportionate costs connected with transmission of letters by post—according to the company’s estimates, up to PLN 30 million. For this reason, the company merely posted the relevant information on its own website and sent notices to the data subjects for whom it had email addresses.
The president of the Personal Data Protection Office did not share the company’s view. The regulator found that sending letters to the data subjects in this situation would not involve disproportionate effort. Rather, a disproportionate effort would arise if the company did not have the persons’ addresses and would have to make a special effort to obtain the addresses in order to fulfil the information obligation.
The amount of the fine has generated controversy. Some argue that the fine is disproportionate to the seriousness of the infringement. And the failure in this case to notify individuals operating businesses of processing of their personal data does not automatically mean that their rights and freedoms have been infringed. Others claim that the fine is appropriate, because noncompliance with the information obligation prevents the data subjects from exercising other rights they may have under the GDPR. The view is also presented that the underlying problem in this case is not the amount of the fine, but the assumption that there was an information obligation at all under the facts. It is unquestioned that individual business operators, whose data are available in public registers, have lower expectations of privacy than, for example, consumers who do not run a business and whose data are generally not publicly available. This issue was not extensively addressed by the regulator.
There are also doubts surrounding the regulator’s approach to the condition of “disproportionate effort.” Arguments can be made that if performance of the information obligation could generate costs exceeding the undertaking’s turnover (and that was indeed the case here, according to media reports), then the situation excludes the necessity of performing the information obligation.
The company fined in this case has a right to challenge the regulator’s decision in the administrative court, and if review is sought the court will no doubt examine these disputed issues.