WSA Warsaw - II SA/Wa 1030/19

From GDPRhub
WSA Warsaw - II SA/Wa 1030/19
Courts logo1.png
Court: WSA Warsaw (Poland)
Jurisdiction: Poland
Relevant Law: Article 14(1) GDPR
Article 14(2) GDPR
Article 14(5)(b) GDPR
Decided: 11.12.2019
Parties: Bisnode
National Case Number/Name: II SA/Wa 1030/19
European Case Law Identifier:
Appeal from: UODO (Poland)
Appeal to:
Original Language(s): Polish
Original Source: Orzeczenia NSA (in Polish)
Initial Contributor: n/a

The Provincial Administrative Court for Warsaw (Wojewódzki Sąd Administracyjny w Warszawie) decided that a controller collecting entrepreneurs’ personal data from open records for the purpose of providing commercial services is obliged to fulfill the information obligation directly in relation to those persons.

English Summary[edit | edit source]

Facts[edit | edit source]

"The entrepreneur conducting business activity consisting in obtaining information, including personal data of persons conducting business activity, from publicly available public registers [e.g. the National Court Register (KRS), the Central Registration and Information on Business (CEIDG), the Registry of National Economy (REGON)] and in analysing, interpreting and subsequently making this information available to interested customers, must comply with the information obligation in relation to those persons referred to in Article 14 of the General Data Protection Regulation (GDPR) by providing information directly to the data subject, as is apparent from the judgment of the Voivodeship Administrative Court in Warsaw of 11 December 2019 (ref. no.: II SA/Wa 1030/19). Moreover, according to the Voivodeship Administrative Court, the possible high cost of sending this information by post does not constitute a basis for the exemption from the information obligation.

This concerns a case in which the President of the Personal Data Protection Office ordered by way of an administrative decision to fulfill the information obligation and imposed on the company an administrative fine in the amount of more than PLN 943 000 (for more information on this issue see:

Let us recall that the company was penalised in connection with a breach of the information obligation (Article 14 (1-3) of the General Data Protection Regulation), consisting in failure to provide the information contained in Article 14(1) GDPR and Article 14(2) GDPR to all natural persons whose personal data are processed by the company who are currently or were in the past sole traders, as well as to natural persons who have suspended their activity as sole traders.

The company appealed to the Voivodeship Administrative Court against that decision. It argued, inter alia, that it was not under the information obligation resulting from Article 14 of the GDPR. The entity considered that it was exempted from this obligation under Article 14(5)(b) GDPR. According to the company, providing such information would involve a disproportionate effort, given the high cost of implementing this obligation by sending this information by post."[1]

Dispute[edit | edit source]

Holding[edit | edit source]

"That argumentation was not accepted by the Voivodeship Administrative Court. The Court considered that the high cost of sending such information by post cannot prejudge the existence of a ‘disproportionate effort’.

In its judgment, the Court dismissed the action in the scope concerning the order to fulfill the information obligation in relation to natural persons who are currently conducting business activity and natural persons who have suspended such business activity, and to whom that information has not yet been provided.

At the same time, in view of the procedural deficiencies which have been identified, the Court annulled the decision of the President of UODO in the part concerning the order to fulfill the information obligation in relation to natural persons who conducted business activity in the past.

In that regard, the President of UODO is to carry out the administrative proceedings again in accordance with the instructions of the Court. Dismissal of the action only in the part relating to persons who are currently conducting or have suspended business activity and the annulment of the decision in the part concerning the persons conducting such activity in the past, means that the number of data subjects affected by the breach has changed. This number was relevant for the imposition of the fine and the determination of its amount. For that reason, in accordance with the judgment of the Voivodeship Administrative Court, the President of UODO will have to re-examine those issues during the administrative proceedings. This judgment is not final."[2]

Comment[edit | edit source]

Share your comment here!

Further Resources[edit | edit source]

Z. Gulczynska, “Scraping personal data from internet pages - a comparative analysis of the Polish Bisnode decision and the US hiQ Labs v LinkedIn Corp judgment”, European Law Review, vol. 45, no. 6, pp. 857–869, 2020.

English Machine Translation of the Decision[edit | edit source]

There is no machine translated decision available. Please refer to the Polish original decision for details.