The Polish Data Protection Authority (UODO) imposed its first fine for a violation of the General Data Protection Regulation 2016/679 (GDPR). Bisnode, a data aggregation company headquartered in Sweden, was fined just under PLN 1 million (around EUR 220,000). The decision found that Bisnode had failed in its duties to inform data subjects how it processes their personal data under GDPR article 14.
GDPR article 14
GDPR article 14 requires companies to explain to individuals how they process their personal data if the companies did not obtain it directly from the individuals. A typical example is companies gleaning information from open sources, such as social media profiles. GDPR article 14 requires controllers to explain to affected individuals what personal data is processed, how it is processed, how long it will be retained, and so on.
GDPR article 14(5) contains exemptions from this obligation. Controllers are released from their obligation to inform affected individuals where “the provision of such information proves impossible or would involve a disproportionate effort” or where the obligation “is likely to render impossible or seriously impair the achievement of the objectives of that processing”.
Bisnode obtained personal data from public databases and registers in order to provide verification services and reports. The personal data focused on current and past entrepreneurs and business owners.
The data set under scrutiny by UODO contained approximately 7.6 million records of personal data. Bisnode was able to provide the correct privacy information to roughly 700,000 individuals where records included email addresses. Bisnode only had mobile numbers and postal addresses for the remaining individuals in the data set. Bisnode displayed a notice on its website for those individuals who did not receive a privacy notice by email.
Bisnode reasoned that the cost of sending privacy information to these individuals by post and/or SMS would have been disproportionate. The postage cost alone was estimated to be around PLN 33 million (around EUR 7.7 million). Bisnode explained to UODO that this cost would have been greater than its turnover in the previous year. Further, the additional burden placed on the company to allocate staff and resources to prepare, send and manage responses posed a significant strain on resources. Bisnode claimed this could threaten its continued operations in Poland.
Despite this, UODO found that Bisnode had failed to discharge its GDPR article 14 obligation to inform data subjects how their personal data was processed. In its decision, UODO stated that contacting affected individuals would not be impossible or involve a disproportionately large effort. UODO further found that Bisnode’s knowledge of its GDPR obligations as a controller and its continued processing were aggravating factors. Even though no damage to data subjects was established, UODO did not consider this to be a mitigating argument. Of those data subjects informed by Bisnode, around 12,000 objected to the use of their data. The decision states that the fine was set at a high level to deter companies from accounting for such fines as an operational cost.
Interestingly, UODO chose not to publish the identity of Bisnode in the decision. Bisnode later published an online statement revealing its involvement. This decision raises more questions than it answers and illustrates the need for clarity and consistency among EU regulators.
UODO’s decision sets a high bar for the use of GDPR article 14(5) exemptions. It is now unclear when these exemptions may reasonably be relied on. The tension between practices such as data scraping and the rights of data subjects is difficult to resolve. Currently, the UK Data Protection Authority advises that if privacy information cannot be provided, a data protection impact assessment must be carried out. This would not seem to be in line with UODO’s approach.
The main takeaway is for companies that process personal data gathered from public sources to tread carefully. Be mindful of your GDPR article 14 notification obligations. Be sure you document your processing decisions, particularly if you decide not to inform affected individuals how you process their personal data. And most importantly, be prepared for regulatory scrutiny and engagement.