This is the first fine imposed by the Polish DPA under the GDPR and Poland’s Act on Personal Data Protection of 10 May 2018 implementing the GDPR. The decision provides some limited insights into the interpretation of the term “disproportionate effort” within the meaning of Article 14(5)(b) of the GDPR.
The company subject to the fine is a provider of digital business, marketing, and credit information. The company collects the data of business entities from publicly available sources including public records such as the Central Register and Information on Economic Activity (CEIDG), and the Official Business Register (REGON). In the course of its activities, it processed personal data such as the names, surnames, contact details, and PESEL numbers (Polish national identification numbers) of over seven million people, including independent traders, and people who are partners or members of companies, foundations, and association bodies. According to the president of the company, its data processing activities have been inspected by authorities in two other countries besides Poland and no irregularities had been found.
The company fulfilled the information obligation towards nearly 700,000 people whose e-mail addresses were stored in its databases. In relation to those people whose personal data was only limited to their mailing address or telephone numbers, the company decided not to fulfil the information obligation through a personalised message since this would have entailed excessively high costs amounting to over PLN 33 million (approximately EUR 7,676 million; approximately USD 8,603 million). Instead, the company decided to publish the information concerning the data processing on its website.
The Polish DPA did not agree with the company’s line of defence which was based on Article 14(5)(b) of the GDPR, under which the information obligation is excluded if the provision of information involves a disproportionate effort.
In its decision, the Polish DPA ordered the company to fulfil the information obligation towards the remaining people within three months following the receipt of this decision. When imposing the fine, the Polish DPA took into account: the revenues of the company, the fact that the breach of GDPR Article 14 was committed intentionally, and that the company did not take any steps to cease the infringement during the DPA’s inspection. In addition, the Polish DPA pointed out that the breach concerned a significant amount of data subjects and that, as a consequence of the breach, the data subjects could not exercise their fundamental rights over their personal data.
The Polish DPA’s decision has received a great deal of attention in Poland and has been widely discussed by Polish academics and lawyers. The element of the decision that concerns the academics and lawyers the most is that it lacks a clear interpretation of the term “disproportionate effort” in the context of the information obligation, or an explanation as to how to fulfil the information obligation towards such an enormous group of data subjects without suffering excessively high costs.
The company can now appeal against the decision to the Voivodship Administrative Court in Warsaw within 30 days following its receipt of the decision.
Authored by Ewa Kacperek and Weronika Wolosiuk