On 26 March, the President of the Personal Data Protection Office in Poland (UODO) announced the first administrative fine under the GDPR in the amount of approx. PLN 1 million (approx. EUR 230,000). The fine was imposed on a data broker for not providing approx. 6.6 million sole traders with its privacy notice.
The data broker (data controller) gathered information about sole traders and companies, including the names of members of the companies' bodies from public registries. The data broker provided the privacy notice in accordance with art. 14 (1 and 2) of the GDPR to those sole traders whose email address was available in the public database (around 650, 000 records). But the company decided not to provide the notice to sole traders without an email address claiming that the cost of sending registered letters was significant – approximately PLN 33.5 million (almost EUR 8 million), which is 97% of the company's turnover. Instead they published the notice on their website.
The data broker tried to rely on the exemption under art. 14(5) of the GDPR, claiming that providing the notice to sole traders without an email address would cause disproportional effort due to the costs of providing notices.
However, the authority did not agree with this reasoning. UODO stated that the company has postal addresses in their data bases and in some case telephone numbers. Thus, the data broker is able to notify sole traders. They could do it in the form of a standard letter without confirmation, which may reduce the cost. UODO emphasised that the rights of individuals (sole traders) prevail here, and the data broker should have taken into account the cost of notifying sole traders in their business model. The data broker has 90 days to notify the sole traders.
More UODO reasoning could be mentioned at European Data Protection Board website here.
UODO also stated that members of the companies' bodies do not have to be notified as there is no contact data for those individuals in the public registries, and the data broker would have to find more data only to provide the information notice which would be a disproportional effort.
The decision is subject to appeal before the administrative court. And we would expect that the company will appeal.
1. However, there is some good news for businessess streaming from this decision:
a. UODO did not question the legal basis of processing, which I assume is legitimate interest (but it may also be that was not subject to the proceedings so we may take it for granted).
b. Data controllers do not have to provide notice to members of the companies' bodies whose data were taken from the public registries. This will be soon explicitly stated in the amended in the Reuse Act.
c. Data controllers can send ordinary letters with notices by post (and not registered letters) which reduces the cost, however they need to follow the accountability principle.
2. The decision will impact data brokers, data aggregators, banks (for KYC purposes), recruitment agencies (short/long list services, market research services), and their clients and any other data controllers that collect data from public sources. They may decide to change their business model to shape the service to be a processor more than a controller. However, their clients that use the data broker service, if they are considered as data controller, should also consider notifying sole traders. As a result, we will have more privacy notices in our mail boxes and in our SMS boxes.
3. We believe that there are strong arguments to say that spending so much money to send the information notice should be considered as disproportional effort. There should be a balance between the cost of sending a notice and the ability to conduct business. We should keep in mind that the information is about sole traders and consumers, and sole traders should expect that if their data is publicly available their data may be re-used somehow for business legitimate purpose. The privacy sphere of sole traders should not be so broad as private persons. Another factor relevant to this case is that the gathered data was not publicly published but kept in the data brokers database.