In a recent decision issued by the President of the Personal Data Protection Office (UODO), a company was fined just over PLN 943,000 (EUR 220,058). What is more, it was ordered to fulfill its obligation to provide information on processing personal data to several million people.

The company in question processed data subjects’ information accessible from publicly available sources, including the Central Registry and Information on Business Activity (CEIDG), register of entrepreneurs of the National Court Register (KRS) and the REGON database of the Central Statistical Office. The company sold the data described as part of its business activity.

It failed to directly inform the data subjects for whom it did not have an email address about processing their personal data, citing the high operational cost of doing so. Instead it provided information on processing personal data on its website. Over 6 million individuals were not directly informed processing their personal data. Of the 90,000 who were informed, over 12,000 objected to processing their personal data.

The UODO held that the website notice was insufficient to meet the company’s GDPR obligations. In view of this decision, the following specific issues must be taken into consideration:

• Placing information on a website while being in possession of email addresses and telephone numbers is not sufficient to fulfil the information disclosure requirements in Art. 14.1-2 of the GDPR.
• Fulfilling the obligation to provide data subjects with information on processing their personal data by the controller in situation where processed personal data is obtained from a source other than directly from the data subject (in this case, from publicly accessible data) requires active work on the part of the data controller, meaning that an appropriate notification must be sent.
• The potential costs of traditional mail or text messages, which could reach millions does not justify a failure to fulfill the information disclosure requirements, given that in this case the data controller’s main business activity was to make available personal data obtained from public sources to its clients for a fee.
• Cooperation with the data protection authority during the audit, in the form of timely responses to inquiries, did not result in leniency (fine reduction), because the company did stop the infringement found, or even declare an intention of doing so.

Recommendations

We absolutely recommend that organisations revise procedures for providing data subjects with information on processing personal data. It is vital for the data controller to be able to prove during an audit that the disclosure requirement has indeed been fulfilled.

We recommend utmost care in the case of large-scale data processing involving the creation of databases of job candidates towards whom information disclosure requirements have not been fulfilled.

Should you be contacted by the UODO, it is necessary not only to cooperate with the data protection authority by responding to inquiries immediately, but when the supervisory authority investigates an area where there is a risk of fines, remedial action must also be taken immediately to address all issues that were noted.