By Ewa Kurowska-Tober and Magdalena Koniarska
On 25 March 2019, the Polish data protection authority (DPA) (referred to in Polish as “PUODO”) announced the imposition of the first GDPR-related fine in Poland. A data controller was fined approximately PLN 1 million (approx. EUR 230,415) for a failure to comply with the information obligation set forth in Article 14 of the GDPR.
The proceedings – basic information
Although the regulator decided not to disclose the name of the entity on which the fine was imposed, the description of the factual background was sufficient to quickly identify the company. Based on all the circumstances, it was almost certain that the entity subject to the fine was Bisnode, a Polish company providing entity verification services. Moreover, Bisnode quickly published an official statement on its website in response to PUODO’s decision, while an interview with its CEO appeared in one of the biggest Polish newspapers just two days later.
Bisnode is a company that aggregates personal and other data from publicly available documents and registers, such as the Central Register and Information on Economic Activity (CEIDG) and the National Court Register (KRS). It then uses the data it collected in order to prepare reports, summaries, etc., which it offers to clients as part of providing company-verification services. The personal data referred to in PUODO’s decision was the data of people conducting business as sole traders, including those who are currently active and those who have conducted business activity in the past or have suspended it, as well as the personal data of people who are shareholders or members of the boards of companies, foundations and associations.
Background of the case
Bisnode holds a total of more than 7.5 million records of data relating to natural persons. The company fulfilled the individual information obligation in relation to 682,439 people, where it had their e-mail addresses as part of the database record, by sending an e-mail. However, with reference to almost 200,000 people, Bisnode only had their mobile telephone numbers, and in relation to almost 6.5 million people, it only had their postal correspondence addresses (of which almost 3 million records related to inactive businesses). The company decided not to fulfill the information obligation stemming from Article 14 of the GDPR towards these data subjects on the basis that doing so would constitute a “disproportionate effort” as specified in Art. 14(5)(b) of the GDPR.
However, it should be noted that Bisnode also took action to fulfill its information obligation by posting a statement on its website, in a tab entitled “Data and privacy” / “Information on the processing of personal data”. The information in this tab was compliant with the requirements of Art. 14 par. 1 and par. 2 of the GDPR.
According to Bisnode’s explanations, if it were to fulfill the information obligation laid down in Article 14 par. 1-2 of the GDPR individually, by traditional mail, with respect to all natural persons whose data was the subject of the proceedings before PUODO, the cost of doing so would be almost PLN 34 million (approx. EUR 33,999,996). This amount was calculated by multiplying the number of data subjects to whom an information notice was not sent by e-mail by the cost of sending a standard registered letter via Polish Post, without additional administrative costs. The cost would be more than the company’s turnover for 2018 (according to its CEO).
In the course of the proceedings, Bisnode therefore claimed that fulfilling the information obligation in its basic form (i.e. individual contact with each data subject) would result in a “disproportionate effort” on its part, as referred to in Art. 14 par. 5 letter b of the GDPR. Bisnode argued that this would constitute an organizational burden, i.e. the need to delegate employees and material resources (computers and office equipment) specifically and exclusively to perform only this task, as well as a financial challenge, i.e. the cost of printing, preparing for shipment and dispatching the information notices (including paper, toner, envelopes, and postage stamps); the cost of handling the returned correspondence; and the possible remuneration of entities to which the company could outsource this task. Bisnode claimed that this would seriously disrupt its functioning, to the extent that it might involve the need to cease operating in Poland.
DPA’s argumentation. The notion of “disproportionate effort”
In the justification of its decision, PUODO presented the following reasoning: first and foremost, it claimed that the mere inclusion of information required under Art. 14 par. 1 and par. 2 of the GDPR on the company’s website, in the situation where the company had the address data (and sometimes also the telephone numbers) of natural persons operating as sole traders (currently or in the past), enabling the traditional mailing of correspondence containing information required by this provision (or communicating it by telephone), cannot be considered as sufficient fulfillment by the company of the obligation referred to in Art. 14 par. 1-3 of GDPR.
Further, PUODO disagreed with Bisnode’s understanding of the notion of “disproportionate effort” and rejected it as a valid reason for the company’s not fulfilling the information obligation towards some of the data subjects. Namely, PUODO stated that sending the information referred to in Art. 14 of the GDPR by post, to the address of a natural person running a business, or by telephone, is not an “impossible” activity and does not require a “disproportionately large effort” in the situation in which the company had a database in its IT system containing the address data of natural persons acting as sole traders (currently or in the past), and also – in relation to some of these people – their telephone numbers as well.
PUODO explained that Bisnode’s argument concerning disproportionate effort could apply to the personal data of people who are shareholders or members of company bodies and other legal persons, since there are no contact details of these people in public registers (in particular in the National Court Register), and therefore the company would have to search for this data in other places. According to PUODO, only this could be classified as a disproportionately large effort for the company; however, this argument was not valid in relation to other data subjects.
PUODO concluded that the company made an informed decision (motivated by the desire to avoid an additional financial burden) about the non-performance of the information obligation referred to in Art. 14 par. 1-3 of the GDPR towards natural persons that currently conduct business activity as a sole trader, or that have done so in the past, “due to costs running into the millions of zlotys”. According to PUODO, this should be considered as an intentional violation of the indicated provisions of law, serving as an aggravating factor in the process of issuing the fine.
Although it was not established in the course of the proceedings that any damage had been suffered by the data subjects, PUODO did not treat this as a mitigating argument. It emphasized that the further processing of personal data without the data subjects’ knowledge undoubtedly hinders or restricts them in exercising their rights, e.g. the right to delete data, to rectify it or to oppose its processing. Consequently, PUODO explained that the failure to comply with the information obligation led to the company’s privileged position in exercising its rights in relation to the rights of data subjects and constituted an important element of the company’s business.
PUODO also noted that both in the course of the audit and during the proceedings, Bisnode willingly cooperated, e.g. by sending explanations and replying to PUODO’s letters. However, this cooperation “was only aimed at ensuring the proper conduct of the proceedings, and not at removing the violation found during the inspection, or removing its consequences.”
Although, as explained above, PUODO limited its argumentation and explanations of the notion of “disproportionate effort” in a rather disappointing manner, its decision did include some important statements which may be relevant for future cases.
Firstly, PUODO explained that if the information obligation is to be fulfilled by traditional post, it is not obligatory to send letters by registered mail. This obviously has a significant impact on the cost of such an operation. PUODO pointed out that Article 14 of the GDPR does not imply that the information notice must be sent by registered mail, as long as the data controller is able to prove that it was delivered to the persons whose personal data is processed. “The essence of fulfilling the obligation is that the controller acts in an active manner, active towards the data subject, by providing this person with information specified in the provisions of Regulation 2016/679.”
Moreover, PUODO did not question the legality of Bisnode’s operations as such, nor the legal basis for gathering data from public sources and compiling them into reports and summaries. This is an important confirmation for other providers of such services. Finally, when explaining the size of the fine, PUODO stated that it would be effective if it led to the company’s bringing its data processing activities into line with the law, and also that it should deter the company from calculating it as a part of the costs of its activity. PUODO emphasized that it was also necessary to impose an administrative fine because the company, while being aware of the existence of the infringement, did not take, or even promise to take, any actions to remove it.
PUODO’s justification of the decision has been widely criticized due to its lack of in-depth analysis of the situation and, in particular, of the notion of “disproportionate effort”, which is of great interest and concern to many players on the market (in particular, to entities that process large amounts of personal data as the core part of their business activity).
PUODO did not explain its reasoning in detail or comment on the very high cost (as calculated and presented by Bisnode in its explanations) of fulfilling the information obligation and the impact of bearing such costs on a company’s business. Moreover, as the argument of “disproportionate effort” was disregarded, PUODO also provided almost no examples of actions which could be considered as “disproportionate effort” as referred to in Art. 14(5)(b) of the GDPR.
It is also disappointing that the decision said very little about the actual meaning of the information obligation, its importance, and the real effect that its absence may have on a data subject’s rights. Argumentation in this regard was limited and rather theoretical, which led many observers to consider the fine as excessive. This reaction is understandable because the justification of the decision does not contain sufficient explanations concerning the possible consequences of Bisnode’s misconduct.
It is clear that the first GDPR-related fine in Poland has caused a lot of controversy and interest. However, it is a great pity that the content of the decision is so limited. This is particularly worrying in the light of the fact that this first decision will be the first building block for future practice in this field. We are now eagerly awaiting Bisnode’s appeal to the administrative court and the court’s judgment, hoping that the proceedings will provide a forum for a more satisfactory legal analysis and higher quality conclusions.