UODO (Poland) - ZSPR.421.3.2018: Difference between revisions

From GDPRhub
(All the decision)
(The image)
Line 4: Line 4:
! colspan="2" |UODO ZSPR.421.3.2018
! colspan="2" |UODO ZSPR.421.3.2018
|-
|-
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:logoGR.jpg|center|250px]]
| colspan="2" style="padding: 20px; background-color:#ffffff" |[[File:UODO.jpg|alt=|center|180x180px]]
|-
|-
|Authority:||[[UODO (Poland)]]
|Authority:||[[UODO (Poland)]]

Revision as of 08:12, 23 January 2020

UODO ZSPR.421.3.2018
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law:

Article 14 GDPR

Type: n/a
Outcome: Violation
Decided: 15.03.2019
Published: n/a
Fine: EUR 220'000.-
Parties: Unknown
National Case Number: ZSPR.421.3.2018
European Case Law Identifier: n/a
Appeal: n/a
Original Language: Polish
Original Source: UODO (PL)

The President of the Personal Data Protection Office in Poland (UODO) imposed the first fine in the amount of over PLN 943 000 for the failure to fulfil the information obligation.

English Summary

Facts

The decision of the UODO’s President concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. In total, the company has 7'594'636 records of data concerning natural persons, and the company fulfilled the information obligation in relation to only 682'439 persons in relation to whom it has email addresses within the database record. The company raised the ground that the communication by registered letter would cost its turnover for the year 2018, which would constitute a "disproportionate effort" and would critically disturb the functioning of the company.

Dispute

1) What is the applicable provision?

2) Does the company fulfill its obligation of information towards all data subjects?

3) Is it sufficient to place a privacy notice on the company's website to fulfill the information obligation towards natural persons who were not informed by email?

4) Is the information obligation impossible or disproportionate pursuant to Art. 14 par. 5 lit. b GDPR?

Holding

The President of UODO found that:

1) The applicable provision is the Art. 14 GDPR since the data controller collects the personal data from public sources.

2) No, the company completed its obligation only in relation to 682'439 natural persons conducting business activity, whose personal data has been processed by the company's IT "N system", in relation to which the company had an electronic address.

3) No, the mere placement of the information on the company's website cannot be considered as sufficiently fulfilling the obligation mentioned in the Art. 14 GDPR.

4) No, in the assessment of the President of UODO, sending out information related to Art. 14 GDPR by regular mail to the address of a natural person conducting business activity or transmitting it via telephone contact, is not an “impossible” activity, and it doesn’t involve “a disproportionate effort” in the situation when the company is being in possession of address data of natural persons conducting one-man business activity (currently or in the past) and also, in addition to that, the telephone numbers in reference to a fraction of these persons, in its IT system. However, it is necessary at this point to mention that as opposed to the above mentioned natural persons, the situation of shareholders or members of companies’ bodies and other legal persons, whose data are being processed by the Company, is different. In public registers (in particular in the National Court Register) the telephone/address data are not included, and in this regard the Company would have to search for this data in other sources, which could mean “a disproportionate effort” for the Company.

Finally, the fact that the company justified the non-fulfillment of the obligation resulting from Art. 14 GDPR with possible high costs, and even tried to shift the responsibility – in case of the fulfillment of this obligation - for possible decrease of its competitiveness on the market, the loss of financial liquidity and even the need to terminate its business activity, has to be recognized as an aggravating factor. It should be emphasized that although the company obtains personal data from public sources and such data are the subject of its long-term commercial activity, the data subjects lack the information regarding the processing of their personal data by the company. In the assessment of the President of UODO, the liability towards these data subjects lies with the company, in particular with regard to the fulfillment of the obligation referred to Art. 14 (1) to (3) of the GDPR. Failure to fulfill the above-mentioned obligation, due to financial expenses claimed by the company, indicates lowering of the value of the rights of the data subjects, whose personal data are being processed by the Company, in relation to the value of company's finances – which cannot be considered as a valid argument in the light of the requirements of the GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

There is no available machine translated decision. Please refer to the Greek original decision for details.