UODO (Poland) - ZSPR.421.3.2018

From GDPRhub
Revision as of 19:33, 6 April 2020 by AK
UODO - ZSPR.421.3.2018
Authority: UODO (Poland)
Jurisdiction: Poland
Relevant Law: Article 12(1) GDPR; Article 14(1)-(3) GDPR; Article 83(5)(b) GDPR
Type: n/a
Outcome: Violation
Decided: 15.3.2019
Published: 26.3.2020
Fine: PLN 943 470 (approx. EUR 220 000)
Parties: Bisnode
National Case Number: ZSPR.421.3.2018
European Case Law Identifier: n/a
Appeal: Yes
Original Language: Polish
Original Source: UODO (PL)

The President of the Personal Data Protection Office in Poland (UODO) imposed the first fine, in the amount of over PLN 943 000, for failure to fulfil the information obligation under Article 14 GDPR towards persons whose data the controller had collected from public registers.

English Summary

Facts

The decision of the UODO's President concerned proceedings into the activity of a company which processed data subjects' data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, for commercial purposes. The authority found non-compliance with the information obligation in relation to natural persons conducting business activity: entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14(1)-(3) GDPR only to the persons whose e-mail addresses it had at its disposal. For the remaining persons the controller did not comply with the information obligation, as it explained in the course of the proceedings, because of the high operational cost; instead it merely published the information notice on its website. In total the company holds 7 594 636 records concerning natural persons, and it fulfilled the information obligation towards only the 682 439 persons for whom an e-mail address is stored in the database record. The company argued that notifying the remaining persons by registered letter would cost more than PLN 33.7 million, nearly its entire turnover for 2018 (PLN 34.8 million), which in its view would constitute a "disproportionate effort" and would critically disturb the functioning of the company.

Dispute

1) What is the applicable provision?

2) Does the company fulfill its obligation of information towards all data subjects?

3) Is it sufficient to place a privacy notice on the company's website to fulfill the information obligation towards natural persons who were not informed by email?

4) Is the provision of information impossible, or would it involve a disproportionate effort, within the meaning of Art. 14(5)(b) GDPR?

Holding

The President of UODO found that:

1) The applicable provision is the Art. 14 GDPR since the data controller collects the personal data from public sources.

2) No. The company fulfilled its obligation only in relation to the 682 439 natural persons conducting business activity whose personal data are processed in the company's IT system "N[…]" and for whom the company held an e-mail address.

3) No, the mere placement of the information on the company's website cannot be considered as sufficiently fulfilling the obligation mentioned in the Art. 14 GDPR.

4) No. In the assessment of the President of UODO, sending the information required by Art. 14 GDPR by regular mail to the address of a natural person conducting business activity, or conveying it by telephone, is neither "impossible" nor "a disproportionate effort" where the company holds in its IT system the address data of natural persons conducting one-man business activity (currently or in the past) and, for a fraction of them, telephone numbers as well. The situation of partners and members of the bodies of companies and other legal persons whose data the company processes is different: public registers (in particular the National Court Register) do not contain their address or telephone data, so the company would have to search for these in other sources, which could amount to "a disproportionate effort" for the company.

Finally, the fact that the company justified its non-fulfilment of the Art. 14 GDPR obligation by the potentially high cost, and even tried to shift the responsibility for a possible decrease in its competitiveness, loss of financial liquidity and even the need to terminate its business activity, should it fulfil this obligation, was treated as an aggravating factor. Although the company obtains personal data from public sources and has built a long-term commercial activity on them, the data subjects have no information about the processing of their data by the company. In the assessment of the President of UODO, liability towards these data subjects lies with the company, in particular as regards the obligation in Art. 14(1)-(3) GDPR. Failing to fulfil that obligation on account of the cost claimed by the company amounts to valuing the company's finances above the rights of the data subjects whose data it processes, which cannot be accepted as a valid argument under the GDPR.

English Translation of the Decision

Below you can find the English translation of the decision (see PDF for Original)

Warsaw, 15 March 2019
DECISION
ZSPR.421.3.2018
Under Art. 104 § 1 of the Act of 14 June 1960 The Code of Administrative Procedure (Journal of Laws of 2018, item 2096, with amendments) and Art. 7(1) and (2), Art. 60 and Art. 101 of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000, with amendments) in connection with Art. 12(1), Art. 14(1)–(3) and Art. 58(2)(d) and (i) and Art. 83(5)(b) of the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, with the amendment announced in OJ L 127, 23.05.2018, p. 2), after having conducted administrative proceedings in the case of personal data processing by X. Sp. z o. o., the President of the Personal Data Protection Office
having established the breach by X. Sp. z o. o. (limited liability company) of the provisions of Art. 14 (1)-(3) of the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, with the amendment announced in OJ L 127, 23.05.2018, p. 2), consisting in failure to provide the information contained in Art. 14 (1) and (2) of the above mentioned Regulation to all natural persons, whose personal data are processed by X. Sp. z o. o., who are currently conducting one-man business activity or conducted it in the past as well as to natural persons who suspended this type of activity:
1. orders X. Sp. z o. o. to fulfil the obligation to provide the information specified in Art. 14 (1) and (2) of the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, with the amendment announced in OJ L 127, 23.05.2018, p. 2) to natural persons, whose personal data are processed by X. Sp. z o. o. , who are currently conducting one-man business activity or conducted it in the past as well as to natural persons who suspended this type of activity, to whom this information has not been provided – within three months from the date of receipt of the decision;
2. imposes on X. Sp. z o. o. an administrative fine in the amount of PLN 943 470 (in words: nine hundred forty three thousand four hundred seventy Polish Zloty) for the breach established in this decision.
STATEMENT OF REASONS
From […] to […] September 2018 and from […] to […] September 2018 (reference no. […]) authorised employees of the Personal Data Protection Office performed an inspection at X. Sp. z o. o. (hereinafter: the "Company"), for the purpose of checking the compliance of the Company's processing of personal data with the provisions on personal data protection, i.e. the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, with the amendment announced in OJ L 127, 23.05.2018, p. 2), hereinafter: "Regulation 2016/679", and the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000, with amendments), hereinafter: the "Act".
The inspection covered the processing by the Company of personal data obtained from publicly available sources, including public registers (among others the Register of Entrepreneurs of the National Court Register, Business Activity Central Register and Information Record, REGON Database of the Polish Central Statistical Office).
The President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, hereinafter: "President of UODO"), by letter of […] January 2019 (number: […]), informed the Company that administrative proceedings had been instituted ex officio concerning the failure to fulfil the information obligation referred to in Art. 14 of Regulation 2016/679 in relation to those natural persons conducting business activity for whom the Company did not have an e-mail address in its database, which concerns both entrepreneurs who are currently conducting business activity or have suspended it and entrepreneurs who no longer conduct such activity but did so in the past.
The President of UODO, on the grounds of collected evidence, established the following facts of the case.
1. Within its activity the Company offers in particular commercial reports […]. The Company's prevailing activity is other information service activities not classified elsewhere (PKD [Polish Economic Activity Classification] 63.99.Z). Its activity also includes, inter alia, issuing lists (such as address and telephone lists), data processing, website management (hosting) and similar activities, as well as other business and management consultancy ([…]).
2. In the IT system called „N[…]” (hereinafter referred to as: „N […] system”) the Company is processing personal data of natural persons conducting business activity, which were collected from publicly available sources, including public registers, inter alia from Business Activity Central Register and Information Record, REGON Database of the Polish Central Statistical Office, the Court and Commercial Gazette (Monitor Sądowy i Gospodarczy ([…]).
3. The database of the N […] system contains data concerning ca. 3 590 000 natural persons currently conducting one-man business activity or having suspended it, and 2 330 000 natural persons who conducted business activity in the past ([…]).
4. In „ N […] system” the Company is processing in particular address data (register address, correspondence address, operational address) pertaining to natural persons conducting business activity ([…]).
5. On 27 April 2018, i.e. before the date on which Regulation 2016/679 began to apply, the Company sent information on the processing of personal data entitled "[…] – GDPR – information obligation" to all e-mail addresses available in the database of the N […] system assigned to entrepreneurs conducting one-man business activity ([…]). In the course of this information campaign the Company sent 902 837 e-mails ([…]).
6. The Company also placed on its website www.[…].pl, in the tab "Data and privacy"/"Information on personal data processing", at https://www.[…].pl/rodo/, a full information notice meeting the requirements of Art. 14(1) and (2) of Regulation 2016/679 ([…]).
7. The Company decided not to fulfil the information obligation by SMS towards the persons whose data it obtained from publicly available sources (including natural persons conducting business activity), since it does not hold telephone numbers for each of them and because of the high cost of such action. Due to the high cost the Company also decided not to fulfil this obligation by sending regular mail to the persons whose data it processes ([…]).
8. The Company's explanations presented in the letter of […] February 2019 indicate that the data it processes are publicly available data collected from official public registers, that the scope of these data is relatively narrow, and that the risk to the rights and freedoms of data subjects related to their processing is low. In total the Company holds 7 594 636 records of data concerning natural persons, including entrepreneurs conducting one-man business activity and persons who are partners or members of the bodies of companies, foundations or associations. The Company fulfilled the individual information obligation in relation to 682 439 persons for whom it has e-mail addresses in the database record. For 181 142 persons the Company has only mobile telephone numbers, and for 6 490 226 it has only correspondence addresses, of which 2 924 443 records concern inactive businesses. According to the Company's explanations, if it were to fulfil the information obligation established in Art. 14(1) and (2) of Regulation 2016/679 individually, by regular mail, towards all natural persons whose data are the subject of the proceedings, the cost would exceed PLN 33 749 175 (the number of persons for whom only a correspondence address is held, multiplied by the cost of a registered 2nd-class letter sent through the Polish Post Office (Poczta Polska), i.e. roughly PLN 5.20 per letter, without additional administrative costs), which constitutes […] of the Company's turnover for the year 2018.
9. Moreover, the Company's explanations indicate that fulfilling the information obligation in its basic form (i.e. individual contact with each data subject) would cause the Company a "disproportionate effort" within the meaning of Art. 14(5)(b) of Regulation 2016/679, understood as an organisational burden (the need to delegate employees and physical resources, such as computers and office equipment, exclusively to this task) and a financial burden (the cost of printing, preparing for mailing, including paper, toner, envelopes and stamps, handling returned correspondence, and possible remuneration for entities to which the Company could outsource the task), which would critically disturb the functioning of the Company to the extent that it might have to cease its activity in Poland.
10. The Company applies high-quality technical protection measures to the personal data it processes […]. The Company has implemented specific procedures and instructions for employees to ensure the security of data processing.
11. The Company also referred to the decision of the Inspector General for the Protection of Personal Data (GIODO) of 12 July 2016 (reference no. DIS/DEC-587/16/62309), issued in an analogous case following the judgments of the Supreme Administrative Court of 24 January 2013 (reference no. I OSK 1827/11) and the Voivodeship Administrative Court in Warsaw of 24 April 2013 (reference no. II SA/Wa 507/13), in which GIODO held that the information obligation existed and that an appropriate means of fulfilling it was to include the required information on the website of the company acting as controller. In the Company's opinion there is no indication that the assessment of the President of UODO in these proceedings should differ in this respect.
12. The company attached to the letter of […] February 2019 the following: Management Board’s statement on net revenues from sales and equalized with them for 2018 in the amount of PLN 34,778,450.50, and the Company’s financial statements for the financial year from 1/01/2017 to 31/12/2017, which shows the amount of net revenues from sales and equalized with them: PLN 29,026,755.76.
After analysing the evidence collected in the case, the President of the Personal Data Protection Office states the following.
The President of UODO is the authority competent in matters of personal data protection (Art. 34 of the Act of 10 May 2018 on the Protection of Personal Data) and the supervisory authority within the meaning of Regulation 2016/679 (Art. 34 § 2 of the Act of 10 May 2018 on the Protection of Personal Data.)
With regard to Art. 57(1) of Regulation 2016/679, without prejudice to other tasks set out under this Regulation, each supervisory authority shall on its territory monitor and enforce the application of this Regulation (a); conduct investigations on the application of this Regulation (h). The instruments for the implementation of tasks referred to Art. 57 of Regulation 2016/679 are in particular corrective powers granted by virtue of Art. 58(2), to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period (d) and the application, in addition to, or instead of, the measures referred to this point, of an administrative fine under Article 83, depending on the circumstances of the specific case (i).
According to Art. 14(1) of Regulation 2016/679, where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
(a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
(b) the contact details of the data protection officer, where applicable;
(c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
(d) the categories of personal data concerned;
(e) the recipients or categories of recipients of the personal data, if any;
(f) where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
In addition, under Art. 14(2) of Regulation 2016/679, besides the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
(a) the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
(b) where the processing is based on point (f) of Article 6(1), the legitimate interests pursued by the controller or by a third party;
(c) the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject and to object to processing as well as the right to data portability;
(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
(e) the right to lodge a complaint with a supervisory authority;
(f) from which source the personal data originate, and if applicable, whether it came from publicly accessible sources;
(g) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
Art. 14 (3) of the Regulation 2016/679 indicates when the controller shall provide the information referred to in paragraphs 1 and 2, i.e.:
(a) within a reasonable period after obtaining the personal data, but at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
(b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
(c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
Bearing in mind the findings made in this matter, it should be pointed out that the Company fulfilled the obligation referred to in Art. 14 of Regulation 2016/679 only in relation to 682 439 natural persons conducting business activity whose personal data are processed in the Company's IT system "N […]" and for whom the Company had an electronic address (e-mail address) and sent electronic correspondence containing the "Information on the personal data processing" (number as of the day of the findings made during the inspection).
However, this obligation resulting from Art. 14 of the Regulation 2016/679 was not fulfilled by the Company in relation to the remaining natural persons conducting business activity and whose data are being processed in the N[…] system, meaning the ones whose e-mail addresses were not at the Company’s disposal. The findings made by the President of UODO have shown that the Company had not fulfilled this obligation in relation to these natural persons whose e-mail addresses were not included in its database, and this applies to both entities currently conducting business activity (who did not “close” their operations, are currently active or have suspended their business activity), as well as to those who have ceased their business activity.
The Company has also placed on its website located at the address www.[...].pl, in the tab “Data and privacy”/”Information on personal data processing”, the information on the processing of personal data by the Company with regard to Art. 14(1)-(2) of the Regulation 2016/679.
In this context the President of UODO concludes that the mere placement of the information required by Art. 14(1)-(2) of Regulation 2016/679 on the Company's website, where the Company holds the address data (and at times even the telephone numbers) of natural persons conducting one-man business activity, which would allow it to send them that information by regular mail (or convey it by telephone), cannot be regarded as sufficient fulfilment by the Company of the obligation laid down in Art. 14(1)-(3) of Regulation 2016/679.
The circumstance excluding the obligation to provide information, provided for in Art. 14(5)(b) of Regulation 2016/679, i.e. the disapplication of Art. 14(1)-(4) where the provision of information to the data subject proves impossible or would involve a disproportionate effort, does not apply in this case to the natural persons conducting business activity whose personal data the Company processes in the N[…] system database.
In the assessment of the President of UODO, sending the information required by Art. 14 of Regulation 2016/679 by regular mail to the address of a natural person conducting business activity, or conveying it by telephone, is neither "impossible" nor "a disproportionate effort" where the Company holds in its N[…] IT system the address data of natural persons conducting one-man business activity (currently or in the past) and, for a fraction of them, telephone numbers as well. It should be noted that, unlike the natural persons mentioned above, the situation of partners and members of the bodies of companies and other legal persons whose data the Company processes is different: public registers (in particular the National Court Register) do not contain their address or telephone data, so the Company would have to search for these in other sources, which could amount to "a disproportionate effort" for the Company.
In the letter of […] February 2019 the Company presented a calculation of the cost of dispatching the information referred to in Art. 14(1)-(2) of Regulation 2016/679 by regular mail, as a registered letter (2nd class mail), to the natural persons whose data it processes: more than PLN 33 749 175 (making up […] of the Company's 2018 turnover).
Meanwhile, the established facts of the case show that the Company has been conducting its business on the Polish market for more than 25 years and that, as of […] February 2019, it holds in its database more than 7 594 636 records containing personal data of entrepreneurs and of partners or members of the bodies of companies, foundations or associations. The Company's clarifications also show that, as of the date of their submission, the Company had not met the individual information obligation towards 6 671 368 persons in total. For 181 142 persons the Company holds only mobile telephone numbers, which means that it is able to fulfil the information obligation through that means of communication. As regards the 6 490 226 persons whose only contact details held by the Company are correspondence addresses, attention should be paid to Art. 12(1) of Regulation 2016/679. This provision requires the controller to take appropriate measures to provide any information referred to in (inter alia) Art. 14 of Regulation 2016/679. In the assessment of the President of UODO it does not follow from this provision that the legislator obliged the controller to send this information by registered mail; what matters is that the controller is able to demonstrate, by appropriate means, that the information obligation has been fulfilled towards the persons whose personal data it processes. The essence of fulfilling this obligation is a functional, proactive action by the controller to deliver the information defined in Regulation 2016/679 to the data subject.
The proactive nature of the information obligation is emphasised by the Article 29 Working Party in its Guidelines on transparency under Regulation 2016/679, adopted on 29 November 2017 (as last revised and adopted on 11 April 2018). Independently of the methods of fulfilling the information obligation mentioned above, in the assessment of the President of UODO the Company is able to fulfil this obligation by any means it chooses; and, in the context of Recital 171 of Regulation 2016/679, in which the EU legislator stated that processing already under way on the date of application of the Regulation should be brought into conformity with it within the period of two years after its entry into force, it is the deadline for fulfilling the obligation that is decisive.
The personal data processed by the Company were gathered from sources available to the general public. The scope of data processed by the Company for commercial purposes comprises, for all natural persons whose data it processes, inter alia: first name, surname and PESEL number (personal identification number) (obtained from the National Court Register), and for natural persons conducting business activity additionally, inter alia, the following data obtained from the Central Register and Information on Economic Activity and the REGON (National Business Registry) database of the Central Statistical Office: first name, surname, company name, registered address and other addresses, PKD (Polish Economic Activity Classification) activity code, telephone number (optional), e-mail address (optional), website address (optional), bans/powers/restrictions/licences to conduct a given kind of business activity, and legal events concerning the entity (according to the scope of data set out in Appendix No. 63, Case file No. 464).
The President of UODO therefore finds that the Company's case is not analogous to the one examined by the Supreme Administrative Court of Poland (NSA) in its judgment of 24 January 2013 (File Ref. No. I OSK 1827/11), neither in terms of the scope of data obtained by the Company from publicly available sources nor in terms of fulfilling the information obligation. In that case the NSA stated: "From the findings made by the authority it emerges that the complainant company, as part of its commercial activities of providing information services, is processing data related to legal persons and organisational units without legal personality, whose data are disclosed in the National Court Register (the Court and Commercial Gazette). These data files also contain natural persons' personal data in the scope of: first name, surname, PESEL number, assigned responsibility, year of birth. The Court and Commercial Gazette does not include data on the addresses of natural persons. In this situation the complainant company had legitimately called into question the imposition of the information obligation by the authority without any recommendation on how and by which means the controller should obtain these data." In contrast, in the present case the Company has at its disposal a significantly broader scope of personal data, including correspondence addresses and telephone numbers of natural persons, which means that it was able to fulfil the information obligation under Art. 14(1)-(2) of Regulation 2016/679 towards the natural persons whose data it processes.
Considering the above findings, the President of UODO, drawing upon his power as defined in the Art. 58(2)(d) of the Regulation 2016/679, orders the Company – within three months from the date of receipt of this decision – to fulfil the obligation to provide information mentioned in the Art. 14(1)-(2) of the Regulation 2016/679 to these natural persons conducting business activity whose personal data it is processing, and to whom this information was not provided.
According to Art. 58 (2)(i) of the Regulation 2016/679, each supervisory authority shall have the right to impose an administrative fine pursuant to Article 83, in addition to, or instead of, other corrective measures referred to in Article 58 (2) of this Regulation, depending on the circumstances of each individual case. The President of UODO hereby states that the conditions justifying the imposition of a fine on the Company have been met in the present case. Pursuant to Art. 83 (2) of the Regulation 2016/679, administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Art. 58 (2). When deciding whether to impose the fine and assessing its amount, the President of UODO, pursuant to Art. 83 (2)(a) to (k) of the Regulation 2016/679, has taken into account the following factors:
1. The Company failed to comply with the obligation to provide the information specified in Art. 14 (1) to (3) of the Regulation 2016/679 to natural persons who are currently conducting one-man business activity or conducted such activity in the past (which applies both to entities that are currently active or have suspended their business activity and to those that have ceased their business activity); this state of affairs continues to the present date, which proves that it is not a one-off event limited in time, and it affects a total of 6.671.368 data subjects – according to the Company’s explanation dated […] February 2019 (the nature, gravity and duration of the infringement);
2. The infringement identified in the present case is severe, as it relates to the fundamental rights and freedoms of the persons whose data are being processed by the Company, and it violates the fundamental principle of fairness and transparency with regard to personal data processing (Article 5 (1) (a) of the Regulation 2016/679). The Company did not meet the requirement to provide basic information regarding the processing and the rights of the data subjects related to such operations (referred to in Art. 15 to 21 of the Regulation 2016/679), which entails, inter alia, the risk of depriving these data subjects of the possibility to exercise their rights. The gravity of the breach is also increased by the fact that the Company, which processes personal data in a professional manner, as part of its core business activity, for profit and on a very large scale (the number of data subjects affected by the violation is a total of 6 671 368), is burdened with a higher degree of responsibility and requirements than an entity which processes personal data as part of its side activity, incidentally or on a small scale. Moreover, the infringement is ongoing, which constitutes an aggravating circumstance in this case (the nature, gravity and duration of the infringement);
3. The Company made an informed decision, motivated by the desire to avoid any additional financial outlays, not to fulfill the obligation laid down in Art. 14 (1) to (3) of the Regulation 2016/679 towards natural persons who are currently conducting one-man business activity (including entrepreneurs who are currently active or have suspended their business) or were conducting such activity in the past, ‘due to millions in costs’ ([...]), which only confirms that the Company breached the above-mentioned provisions intentionally (intentional or negligent nature of the infringement);
4. No damage to data subjects as a result of the breach identified was established in the course of the proceedings; however, further processing of personal data without the awareness of the data subjects affected certainly prevents or restricts them from exercising their rights, e.g. the right to obtain the erasure of data, the right to the rectification of data or the right to object to the processing of personal data (12 630 data subjects have exercised this right as per [...] September 2018 - [...]). As a consequence, non-fulfillment of the obligation to provide information leads to the Company's privileged position in exercising its rights in relation to the rights of data subjects, whose data constitute a significant part of the Company's business activity. Reference should be made to the standpoint of the Supreme Administrative Court presented in its judgment of 16 December 2004 (file ref. no. OSK 829/04), in which the Court expressed the view that the protection of one’s interests cannot be ensured at the expense of violating the rights of others, which can be directly or indirectly inferred from many provisions of the Constitution of the Republic of Poland, e.g. from Art. 2, Art. 32 (1) and Art. 83 (actions taken to mitigate the damage suffered by data subjects);
5. The identified infringement is related neither to the implementation nor to the quality of the organisational and technical measures applied by the Company – pursuant to Art. 25 and 32 of the Regulation 2016/679 – therefore, there is no need to determine the degree of the Company's responsibility in this context (the degree of responsibility of the controller taking into account organisational and technical measures);
6. No previous violations of the provisions of the Regulation 2016/679 committed by the Company were identified which would be relevant for the proceedings;
7. Both during the inspection and in the course of the administrative proceedings, the Company cooperated with the President of UODO – within the specified time limit it sent written explanations, replied to the letter of the President of UODO and submitted relevant documents to confirm its explanations. However, this cooperation was solely aimed at ensuring the proper conduct of the proceedings, as the Company did not intend to remedy the infringement identified during the inspection or mitigate its adverse effects (the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement);
8. Personal data of natural persons conducting business activity (currently or in the past), which are being processed by the Company, come from publicly available sources of information and include: name, surname, company name, registered address and other addresses, PKD activity code, telephone number (optional), e-mail address (optional), website address (optional), interdicts/powers/restrictions/licenses to conduct a certain kind of business activity, legal events in relation to the entity (according to the scope of data outlined in Appendix No. 63 – Case file No. 464). The Company indicated that it also has at its disposal: e-mail addresses, personal correspondence addresses and telephone numbers of natural persons (the categories of personal data affected by the infringement). The breach established in this case does not concern special categories of personal data referred to in Art. 9 of the Regulation 2016/679 (the Company does not process such data);
9. The President of UODO obtained the information on the Company’s failure to fulfill the obligation laid down in Art. 14 (1) and (2) of the Regulation 2016/679 during an ex officio inspection carried out at the Company’s headquarters (the manner in which the infringement became known to the supervisory authority);
10. Measures referred to in Art. 58 (2) of the Regulation 2016/679 have not previously been ordered against the Company with regard to the same subject-matter (compliance with such measures imposed on the controller in the same subject-matter);
11. The Company does not adhere to approved codes of conduct pursuant to Art. 40 of the Regulation 2016/679 or to an approved certification mechanism pursuant to Art. 42 of the Regulation 2016/679 (adherence to approved codes of conduct or certification mechanisms);
12. The fact that the Company justified the non-fulfillment of the obligation resulting from Art. 14 (1) - (3) of the Regulation 2016/679 with possible high costs, and even tried to shift the responsibility – in case of the fulfillment of this obligation – for a possible decrease of its competitiveness on the market, the loss of financial liquidity and even the need to terminate its business activity, has to be recognized as an aggravating factor. It should be emphasized that although the Company obtains personal data from public sources and such data are the subject of its long-term commercial activity, the data subjects lack the information regarding the processing of their personal data by the Company. In the assessment of the President of UODO, the liability towards these data subjects lies with the Company, in particular with regard to the fulfillment of the obligation referred to in Art. 14 (1) to (3) of the Regulation 2016/679. Failure to fulfill the above-mentioned obligation, due to the financial expenses claimed by the Company, indicates that the rights of the data subjects whose personal data are being processed by the Company are valued lower than the Company's finances – which cannot be considered a valid argument in the light of the requirements of the Regulation 2016/679. It should also be pointed out that the Company gains financial resources within its business activity, the object of which is providing personal data of natural persons to its clients (i.e. inter alia business entities, including persons conducting one-man business activity, or public bodies), perceived as separate controllers with regard to the products offered by the Company. In the “N [...] system”, the Company also stores data of persons who no longer conduct business activity because, as follows from the inspection findings, "(...), the Company's clients ask if there are entities, who have ceased their business activity, among their suppliers. The information on inactive clients is a part of the Company's product that consists in providing business information." ([...]). In the assessment of the President of UODO, an additional aggravating factor in this case is the motivation that drove the Company when it decided that publishing the information referred to in Art. 14 (1) and (2) of the Regulation 2016/679 on its website was a sufficient form of providing it to entrepreneurs whose e-mail addresses the Company did not have. The Company does not conceal the fact that this choice was motivated by a constant calculation of the financial outlays related to direct ways of reaching the persons whose data the Company was processing, and thus by the desire to avoid additional costs. Yet the Company is fully aware that the appropriate form of providing data subjects with the required information, guaranteeing an adequate level of protection of their rights and freedoms, is direct contact initiated by the Company. The above is confirmed by the fact that such contact was chosen first with regard to entrepreneurs whose e-mail addresses the Company had at its disposal (in this case, however, direct contact did not involve any real financial costs). Forgoing direct contact due to financial expenses should be assessed negatively, especially as operations on personal data are the object of the Company’s core, purely commercial, professional, long-term activity. The Company, as a professional entity performing this type of operations, should be required to shape the business side of its activity in a manner that takes into account all the costs necessary to ensure the compliance of its activities with the law (in this case, the provisions on the protection of personal data).
According to Art. 83 (1) of the Regulation 2016/679 – setting out the general conditions for the imposition of administrative fines – each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of the infringements of this Regulation referred to in paragraphs 4, 5 and 6 of the above Article shall in each individual case be effective, proportionate and dissuasive. When deciding whether to impose an administrative fine, as well as when determining its amount, the President of UODO considered the intentional nature of the violation, i.e. the Company’s conscious decision not to comply with the obligation to provide information, to be the most important aggravating factor. It is also absolutely crucial that the Company’s decision has affected and still affects a large number of data subjects towards whom the information obligation was not fulfilled. The following consequences of the failure to fulfill this obligation are also significant: the lack of awareness of data subjects, whose personal data are being processed, regarding the processing operations, and their lack of possibility to exercise the rights guaranteed to them by the provisions of the Regulation 2016/679. The duration of the infringement should also be assessed negatively, especially taking into account the date of entry into force of the Regulation 2016/679, as well as the date of the beginning of its application. What also matters in this particular case is the fact that the breach – in accordance with Art. 83 (5) (b) of Regulation 2016/679 – pertains to one of the fundamental rights of natural persons, to which the higher maximum amount of the administrative fine applies.
In the assessment of the President of UODO, the imposed administrative fine, taking into account the established facts of this case, achieves its objectives referred to in Art. 83 (1) of the Regulation 2016/679, i.e. it is effective, proportionate and dissuasive in this particular case. The fine should be considered effective if its imposition leads the Company to adapt its data processing operations to full compliance with legal standards. The amount of the fine should be sufficiently high that the Company, as the punished entity, is not able to simply absorb it as a business expense. Moreover, the effectiveness of such a measure needs to be connected with a financial burden for the Company as a data controller, which would be indisputable for a purely commercial entity, the activities of which (including those related to the established infringement) are driven purely by the will to increase its profits or to avoid additional costs (redundant in its opinion) or financial outlays. The imposition of an administrative fine in the present case is necessary, considering that the Company, being aware of the breach, did not undertake, or even declare the will to take, any actions to remedy this infringement. In the assessment of the President of UODO, the fine imposed on the Company is proportionate to the breach established in this case, in particular considering the gravity of the breach, the number of data subjects affected and the duration of the infringement. The above is indicated by the President of UODO as a result of a thorough and detailed consideration of all the criteria referred to in Art. 83 (2) of the Regulation 2016/679. The dissuasive character of the fine entails the prevention of infringements by penalizing their perpetration. The purpose of the fine is to deter the Company as well as any other entities from similar infringements.
Moreover, when imposing the administrative fine, the President of UODO has taken into consideration both of its aspects: firstly – the repressive nature of the sanction, given the fact that the Company has violated the legal provisions, and secondly – its preventive nature, given the fact that the Company, as well as other controllers, would be effectively discouraged from violating personal data protection law in the future. The objective of the fine imposed in this case is to lead the Company to fulfill the obligation resulting from Art. 14 (1) - (3) of the Regulation 2016/679 and, as a consequence, to bring its processing operations into compliance with the provisions on the protection of personal data. In the established facts of this case, i.e. the established breach of the obligation referred to in Art. 14 (1) - (3) of the Regulation 2016/679, Art. 83 (5)(b) of the Regulation 2016/679 will apply, according to which infringements of the provisions on the rights of data subjects (including the right to obtain information referred to in Art. 14 (1) and (2) of that Regulation) shall be subject to an administrative fine of up to EUR 20 000 000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. With regard to Art. 103 of the Act, the equivalent of amounts expressed in Euro as referred to in Art. 83 of the Regulation 2016/679 shall be calculated in Polish Zlotys and converted at the average Euro exchange rate published by the National Bank of Poland in the exchange rate chart taking effect on 28 January of each year, and if in the given year the National Bank of Poland does not announce the average Euro exchange rate on 28 January – at the average Euro exchange rate published by the National Bank of Poland in the next exchange rate chart following that date.
The President of UODO, pursuant to Art. 83 (5) (b) of the Regulation 2016/679, in connection with Art. 103 of the Act, imposes on the Company, for the infringement described in the operative part of this decision, an administrative fine in the amount of PLN 944 470 (equivalent to EUR 220 000) – using the average Euro exchange rate of 28 January 2019 (EUR 1 = PLN 4.885). In the assessment of the President of UODO, the imposed fine, taking into account the established facts of the case, meets the prerequisites referred to in Art. 83 (1) of the Regulation 2016/679, considering the gravity of the infringement identified in the context of the basic requirements and principles of the Regulation 2016/679 – fairness, transparency and the right to information. Referring to the principle of transparency – established in Art. 5 (1) (a) of the Regulation 2016/679, according to which data must be processed lawfully, fairly and in a transparent manner in relation to the data subject – it should be pointed out that this particular principle is crucial to the fairness of personal data processing, especially in the context of the significant extension (by virtue of the provisions of the Regulation 2016/679) of the obligations to provide data subjects with information regarding data processing and to enable data subjects to exercise their rights. One of the aspects of the information obligations arising from the principle of transparency is the formal aspect of fulfilling the information obligation (including the one mentioned in Art. 14 of the Regulation 2016/679), as well as fulfilling it in appropriate time and form. The fulfillment of the information obligation pursuant to the principle of transparency is aimed at making data subjects aware of the risks, rules, safeguards and rights related to the processing of personal data, as well as of the methods of exercising these rights.
Given the above, the President of the Personal Data Protection Office ruled as stated in the operative part of this decision.
The decision is final. The party has the right to lodge a complaint with the Voivodeship Administrative Court (Wojewódzki Sąd Administracyjny) in Warsaw within 30 days from the receipt of this decision, via the President of UODO (address: Urząd Ochrony Danych Osobowych, ul. Stawki 2, 00-193 Warsaw). A proportional filing fee, referred to in Art. 231 in relation to Art. 233 of the Act of 30 August 2002 on Proceedings before Administrative Courts (Journal of Laws of 2018, item 1302, consolidated text published on 5 July 2018), needs to be paid with the complaint. The party has the right to apply for the right to receive help, which includes court cost exemption and the appointment of an attorney, legal counsel, tax counsellor or patent attorney. The right to receive help may be awarded at the party’s request, lodged before the start of the proceedings or while the proceedings are underway. The request is free of court fees.
According to Art. 105 (1) of the Act of 10 May 2018 on the Protection of Personal Data (Journal of Laws of 2018, item 1000, with amendments) the administrative financial fine shall be paid within 14 days of the lapse of the deadline for lodging a complaint to the Voivodeship Administrative Court or of the day on which the ruling of the administrative court becomes final, into the UODO’s bank account at the NBP (the National Bank of Poland) O/O Warszawa (Warsaw branch) No. 28 1010 1010 0028 8622 3100 0000.