On March 26, 2019, the Polish Data Protection regulator (Urząd Ochrony Danych Osobowych – UODO) announced the first administrative fine imposed on a Warsaw-based company for failure to meet the informational obligation toward the data subjects whose data it processed, in violation of article 14 of the General Data Protection Regulation (GDPR).

The fined company – which considers itself a European leader in the provision of data and analytics – uses advanced analysis and scoring models to predict clients’ behaviour and to assist companies in making business decisions. It processes public information on more than six million entrepreneurs (both active and inactive), which it obtains from various publicly available registers. The company’s database allows the verification of those entities’ credibility and is often used, in particular, by banks to verify the creditworthiness of the data subjects.

However, in violation of article 14 of the GDPR, the company failed to provide those data subjects with the necessary information (i.e. their data, the source of their data, the purpose and the period of the planned data processing, as well as the data subjects’ rights under the GDPR, most importantly, the right to object). Out of the six million data subjects, only 90,000 had been notified by the company via e-mail (12,000 of whom exercised the right to object). With respect to the remaining 5.9 million data subjects (whose e-mails were unknown), the company resorted only to publishing a general statement on its website. In doing so, the company relied on the vague exception provided in article 14.5.b) of the GDPR, which states that the controller is not required to comply with the obligation to inform the data subjects if the provision of such information proves impossible or would involve a disproportionate effort. The company claimed that sending out the notifications by registered mail (in light of the fact that e-mail addresses were unavailable) would cause exorbitant costs on its part. The Polish supervisory authority found this explanation insufficient, since the company has never effectively met the informational obligation towards the data subjects, even though it has been in operation for 25 years. The regulator emphasised that the company could have called the data subjects (since contact numbers were available) or sent notifications by regular mail (which would have decreased the expense).

As a consequence, the regulator imposed on the company a rather gargantuan administrative fine of PLN 943,000 (€219,000). The President of the UODO explained in the announcement that the company did not take any measures to mitigate the consequences of its behaviour, nor did it – at any point – declare such intent; therefore, the fine is appropriately high.

It remains to be seen whether the company will appeal the decision to the administrative court (i.e. Voivodship Administrative Court). If it so decides, the case might ultimately be referred to the Court of Justice of the European Union (by way of request for preliminary ruling), since the term “disproportionate effort” is rather vague and may give rise to interpretational difficulties. One way or the other, if appealed, the matter will surely not be decided in an expeditious manner and the fine imposed will be a wake-up call for those controllers who had hoped for the regulator’s continued leniency.