UODO (Poland) - ZSPR.421.3.2018: Difference between revisions
Revision as of 08:08, 23 January 2020
UODO ZSPR.421.3.2018 | |
---|---|
Authority: | UODO (Poland) |
Jurisdiction: | Poland |
Relevant Law: | |
Type: | n/a |
Outcome: | Violation |
Decided: | 15.03.2019 |
Published: | n/a |
Fine: | EUR 220'000.- |
Parties: | Unknown |
National Case Number: | ZSPR.421.3.2018 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language: | Polish |
Original Source: | UODO (PL) (https://uodo.gov.pl/en/file/314) |
The President of the Personal Data Protection Office in Poland (UODO) imposed the first fine in the amount of over PLN 943 000 for the failure to fulfil the information obligation.
English Summary
Facts
The decision of the UODO’s President concerned proceedings related to the activity of a company which processed data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified non-compliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In the case of the remaining persons, the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. In total, the company has 7'594'636 records of data concerning natural persons, and it fulfilled the information obligation in relation to only 682'439 persons, for whom it has email addresses within the database record. The company argued that communication by registered letter would cost its turnover for the year 2018, which would constitute a "disproportionate effort" and would critically disturb the functioning of the company.
Dispute
1) What is the applicable provision?
2) Does the company fulfill its information obligation towards all data subjects?
3) Is it sufficient to place a privacy notice on the company's website to fulfill the information obligation towards natural persons who were not informed by email?
4) Is the information obligation impossible or disproportionate pursuant to Art. 14 par. 5 lit. b GDPR?
Holding
The President of UODO found that:
1) The applicable provision is Art. 14 GDPR, since the data controller collects the personal data from public sources.
2) No, the company completed its obligation only in relation to 682'439 natural persons conducting business activity, whose personal data has been processed by the company's IT "N system", and for whom the company had an electronic address.
3) No, the mere placement of the information on the company's website cannot be considered as sufficiently fulfilling the obligation mentioned in Art. 14 GDPR.
4) No, in the assessment of the President of UODO, sending out information related to Art. 14 GDPR by regular mail to the address of a natural person conducting business activity, or transmitting it via telephone contact, is not an “impossible” activity, and it doesn’t involve “a disproportionate effort” in a situation where the company is in possession, in its IT system, of address data of natural persons conducting one-man business activity (currently or in the past) and, in addition, of the telephone numbers of a fraction of these persons. However, it is necessary to mention at this point that, as opposed to the above-mentioned natural persons, the situation of shareholders or members of companies’ bodies and other legal persons, whose data are being processed by the Company, is different. In public registers (in particular in the National Court Register) the telephone/address data are not included, and in this regard the Company would have to search for this data in other sources, which could mean “a disproportionate effort” for the Company.
Finally, the fact that the company justified the non-fulfillment of the obligation resulting from Art. 14 GDPR with possible high costs, and even tried to shift the responsibility – in case of the fulfillment of this obligation – for a possible decrease of its competitiveness on the market, the loss of financial liquidity and even the need to terminate its business activity, has to be recognized as an aggravating factor. It should be emphasized that although the company obtains personal data from public sources and such data are the subject of its long-term commercial activity, the data subjects lack information regarding the processing of their personal data by the company. In the assessment of the President of UODO, the liability towards these data subjects lies with the company, in particular with regard to the fulfillment of the obligation referred to in Art. 14 (1) to (3) of the GDPR. Failure to fulfill the above-mentioned obligation, due to financial expenses claimed by the company, indicates a lowering of the value of the rights of the data subjects, whose personal data are being processed by the Company, in relation to the value of the company's finances – which cannot be considered a valid argument in the light of the requirements of the GDPR.
English Machine Translation of the Decision
There is no machine-translated version of the decision available. Please refer to the Polish original decision for details.