Polish Data Protection Regulator Issues First GDPR Fines
Poland’s Personal Data Protection Office (UODO) has issued its first fines post-implementation of the European General Data Protection Regulation (GDPR). The data protection agency fined Bisnode, a digital marketing company, €220,000 for failing to comply with GDPR. The move signals that more regulatory agencies are comfortable issuing GDPR-related fines.
UODO determined Bisnode failed to comply with Article 14 of GDPR, which pertains to data subject rights obligations. Bisnode is headquartered in Sweden but has offices throughout Europe, including in Poland.
Bisnode scraped personally identifiable information on more than six million Polish citizens from Poland’s Central Electronic Register and Information on Economic Activity. Bisnode failed to notify all of the people whose data it took of the purpose and time period of the data processing.
Article 14 requires data controllers to notify people when the data they plan to process was not obtained from those people directly. In this case, it was Bisnode’s responsibility as the data controller to notify users that data they made available elsewhere would now be used by Bisnode, and to explain the purpose. Using private data without notifying users can result in up to €20 million in fines or 4 percent of global revenue.
Bisnode notified only the 90,000 users who had emails listed. According to regulations, Bisnode is supposed to notify users by telephone or letter, not email. Bisnode claims high operational costs (an estimated €8 million) prevented it from contacting the millions affected. The agency’s decision requires Bisnode to contact all six million people impacted to fulfill its Article 14 obligation within three months.
Bisnode’s business model relies on scraped data to help companies make data-driven business decisions. UODO argues that because Bisnode did notify some users about the data usage, it understood its obligations under GDPR. Of the 90,000 users Bisnode contacted, 12,000 objected to having their data used.
Rather than spend money notifying the millions of Polish citizens affected, Bisnode will delete the records. Bisnode also plans to challenge the ruling in Polish courts, testing language in Article 14 regarding how much effort a data controller needs to make to inform users their data is being processed.
If Bisnode challenges the decision in Polish courts, and if the case eventually heads to the Court of Justice of the European Union (CJEU), it would strengthen legal definitions around Article 14 and covert data scraping practices. Cases like this one are an opportunity to test GDPR more broadly after its recent implementation.
GDPR passed in April 2016 and went into effect in May 2018. It establishes a strong framework for protecting user data. It impacts both organizations within the European Union and organizations outside the EU that might handle data for EU citizens.
To date, the largest fine issued for GDPR was €50 million: France’s Commission nationale de l'informatique et des libertés (CNIL) fined Google for failing to notify users how their data is used for personalized Google Ads. As of February 2019, more than 59,000 breaches have been reported to GDPR regulators.
At IDMI.Net, we put a premium on user data privacy. We’ll help you build a website that keeps your business in compliance with legal regulations and retains your customers’ trust. Find out more by contacting us today.