The first GDPR fine was imposed in Poland on the Polish subsidiary of Bisnode AB, a joint-stock company operating throughout the EU. This fine triggered many controversies, with expert opinions and press reports diverging widely.
The Polish data protection supervisory authority has imposed a fine of approx. 220,000 euros on Bisnode Polska – a large provider of digital business information, credit checks, credit information and company databases containing company and personal information – for non-compliance with information obligations under Art. 14 GDPR.
The company had processed more than 7 million data records from public sources, such as the Polish Commercial Register or the Central Register of Economic Activities. The data collected was recorded in a database and used for commercial purposes.
As the indication of the e-mail address in the relevant register was voluntary, the company had only exercised its obligation to provide information under Art. 14 GDPR to a small number of persons who had indicated their e-mail address. The company refrained from informing other persons by post or telephone and instead published an information clause on the company website. As a result, many data subjects were unaware of the commercial processing of their data by the company. This constituted a breach of the information obligations imposed by the Polish Data Protection Authority.
The provision of information on the company’s website was considered insufficient as the data subjects were not aware of the company’s processing of their data. In addition, a deliberate violation was alleged, as the company was fully aware of its information obligations, as well as insufficient cooperation with the data protection supervisory authorities.
Disproportionate effort vs. rights of data subjects?
From the company’s point of view, the active provision of information by post represents a disproportionate cost due to the excessive costs involved. In fact, Art. 14 (5) (b) GDPR provides an exception to the information rights in cases where the provision of information proves impossible or would require a disproportionate effort.
The supervisory authority, on the other hand, considered it reasonable for a company processing personal data for commercial purposes to provide information by simple letter. Since the majority of the data subjects had no opportunity to object to the commercial processing of their data or to demand rectification or deletion, this constitutes a serious breach of the information rights, according to the authority.
The authority’s decision has triggered controversial discussions
The restrictive decision and the amount of the fine are strongly criticised. Furthermore, the fine is questioned as the first symbolic GDPR fine in Poland.
In contrast, many experts are of the opinion that the provision of information by simple letter does not represent a disproportionate effort. A company that has been processing personal data for commercial purposes for years and thus generates profits should be in a position to bear the costs of fulfilling its information responsibilities under the GDPR.
Bisnode Polska would like to take legal action against this decision. Should the legal dispute reach the European Court of Justice, the decision will have European-wide significance.