Poland's first fine under the GDPR
On 15 March 2019, the Polish Data Protection Authority (the “DPA”) imposed its first administrative fine under the GDPR, in the amount of EUR 220,000.00. The fine was imposed on an information brokering company (the “Company”) which collects data from publicly available registers of entrepreneurs and subsequently, based on such data, offers commercial reports to its clients. According to the DPA, the Company did not comply with the requirements of Article 14 section 1-3 of the GDPR. The Company duly fulfilled the information obligation under the GDPR only towards 682,439 data subjects, by sending the respective information via e-mail. With respect to the remaining data subjects, comprising over 6 million data records in total, the information clause was published on the Company’s website, which the DPA found insufficient. Although the Company was not in possession of the e-mail addresses of all data subjects, in the view of the DPA the respective information could still have been provided via traditional mail.
The Company claimed that Article 14(5)(b) of the GDPR, constituting an exemption from the information obligation towards data subjects, applies in the case at hand. In the Company’s view, complying with such an obligation towards an extremely high number of data subjects would involve a disproportionate effort for the Company. By “disproportionate effort”, the Company means all the organisational and financial measures which would need to be undertaken, in particular employees dedicated to this purpose, material resources, and the considerable expense of sending millions of information clauses by traditional mail. The Company argued that sending information via traditional mail to over 6 million data subjects would generate costs in excess of approx. PLN 34 million (approx. EUR 8 million). The Company’s revenue for the financial year 2018 amounted to approx. PLN 35 million (approx. EUR 8,180,000.00). Hence, due to the potentially high costs of the mailing campaign compared with the Company’s revenues, the Company decided not to send traditional mail to all data subjects.
The DPA did not support the arguments put forward by the Company. In the view of the DPA, in the case at hand, the financial expenditure cannot constitute a waiver from the obligation to provide data subjects with all information required under Article 14 of the GDPR. Firstly, the Company’s core business operations are based on a longstanding practice of collecting data from publicly available registers and processing such data. Secondly, acceptance of the applicability of the exemption stemming from Article 14(5)(b) of the GDPR in this case would interfere with data subjects’ rights and freedoms. The DPA highlighted that the information rights constitute one of the core rights of data subjects under the GDPR.
The DPA’s decision is considered very controversial among data protection lawyers in Poland. Although the DPA listed the reasons for imposing this administrative fine, it did not provide detailed reasoning justifying the exact amount of the fine imposed. It is not clear how the fine of EUR 220,000.00 was calculated.
The DPA also refrained from clarifying when the data controller might benefit from the exemption under Article 14(5)(b) of the GDPR. In our opinion, this is a missed chance to present an interpretation clarifying the scope of the term “disproportionate effort”. As per Recital 62 of the GDPR, the number of data subjects, the age of the data and any appropriate safeguards adopted should be taken into consideration. We believe that the number of data subjects should be interpreted in connection with the potential financial expenditure of complying with the information obligation. The Company will most probably appeal the DPA’s decision to the administrative court. In such a case, the administrative court could possibly refer this question to the CJEU for a preliminary ruling.
It should also be pointed out that the actual costs for the Company arising from the DPA’s decision are considerably higher than the imposed fine itself. In addition to the fine, the Company will have to cover the costs of sending the information to data subjects by traditional mail. Although the DPA indicated that it is not necessary to use registered mail, this does not significantly reduce the financial effort required of the Company. On the contrary, it leads to further concerns. It is disputable whether sending information by regular, non-registered mail complies with the principle of accountability under the GDPR.
Last but not least, the consequences of the DPA’s decision might potentially be far-reaching not only for companies collecting publicly available data (especially data brokers), but also for all their clients. The information obligations under the GDPR apply to all data controllers.