Two GDPR fines (220,000 Euro and 13,000 Euro) were issued by the Polish Data Protection Authority (DPA). The first fine concerned a business information bureau’s failure to inform self-employed entrepreneurs about the processing of their data; the second concerned the disclosure of personal identification numbers and home addresses of sports referees.
The first fine – relatively high by Polish standards – raised controversy among lawyers and practitioners. The company operated as a business information bureau: it gathered data on self-employed entrepreneurs that was publicly available in state-run records and created databases allowing other entrepreneurs to verify the credibility of their potential business partners. There is no doubt that the data of self-employed persons constitutes personal data, and therefore all GDPR obligations must be met, including the obligation to inform data subjects about the processing of their data. The company fulfilled that obligation in relation to entrepreneurs who had provided their e-mail addresses by messaging them directly. In relation to people whose contact data included only a postal address, the company concluded that sending a letter to each and every one of them would constitute ‘disproportionate effort’ and decided to rely on Article 14 par. 5 b, which allows the controller not to fulfil the information obligation in such a case. Instead, the company posted general information about data protection on its website.
The Polish DPA came to the conclusion that the company failed to appropriately inform data subjects about the processing of their data and that it cannot rely on the exemption provided for in Article 14. As a result, the DPA fined the company 220,000 Euros, which amounts to almost 1 million Polish zlotys. The DPA’s interpretation of disproportionate effort sparked a debate among lawyers and companies about how data controllers should fulfill information obligations.
What’s important in this case is that the Polish DPA did not question the use of the personal data as such (business information bureaus may use publicly available data on the basis of their legitimate interests). The DPA emphasised, however, the importance of the right to be informed. Indeed, knowing that our data is processed is a precondition to exercising all the other rights under the GDPR. When it comes to the amount of the fine, the Polish DPA said during a press conference that fines should be proportionate and effective in a particular case, and that they should be such as to make it impossible for companies to factor them into the costs of running a business.
The second fine issued by the Polish DPA concerned a disclosure of personal data. A sports federation published the personal identification numbers (unique numbers assigned by the state to all citizens) and home addresses of referees. By doing so, the federation exposed the referees to the risk of abuse of their data, such as using it to steal their identity and take out loans on their behalf. The data breach was notified to the DPA by the federation itself. Despite this, and despite the federation’s good will in cooperating with the DPA, the supervisory body decided to fine the federation 13,000 Euros, also taking into account the duration of the infringement and the number of people it concerned (585).
Punishing careless handling of citizens’ personal data is certainly correct in itself. One can, however, wonder what message this case sends to companies: will it not discourage them from notifying data breaches?