The Polish Office for the Protection of Personal Data imposed the first financial penalty in the amount of PLN 943,470 (approx 219 674 euros) for not fulfilling the obligation resulting from the provisions of the general regulation on data protection – GDPR.
The financial penalty was imposed on a company which processed in its database personal data from public registers – CEIDG and KRS – and did not fulfil the disclosure obligations. In accordance with the GDPR, anyone, who collects personal data other than from the data subject, should inform them particularly regarding the following:
- their identity and contact details,
- the aim for processing,
- the data retention period;
- their rights,
- the source of the data.
The entity that was audited had 7,594,636 personal data records in its database. Approximately 3.59 million records consisted of data on individuals currently running a sole proprietorship, on individuals who suspended their business and approximately 2.33 million individuals running a sole proprietorship in the past. The company fulfilled the information obligation in relation to 682,439 persons whose email addresses it had.
The controlled entity estimated that the cost of notifying all persons by letter would amount to approximately PLN 33.7 million (7, 84 million euros) and invoked the exemption from the obligation to provide information pursuant to Article 14(5)(b) of the GDPR. In accordance with that Article, to the extent that the provision of such information proves impossible or would involve a disproportionate effort, the obligation to provide information shall not apply.
The fact that a fine was imposed on a controlled entity due to failure to comply with disclosure requirements is controversial, as the company made a statement of net sales revenues and equivalent revenues for 2018 in the amount of approximately PLN 34.7 million (8 million euros), and the company’s financial statements for the financial year from 1 January to 31 December 2017. It shows that the amount of net sales revenues and equivalent revenues is over PLN 29 million (6.75 million euros). Therefore, when imposing the penalty, the UODO considered that the cost of fulfilling the information obligation, consuming the company’s annual revenue, is not a “disproportionate effort” for the company.
The general nature of the provisions gives rise to different interpretations. We may assume that the controlled entity will appeal against the decision described above and that the court may refer the question to the Court of Justice of the European Union about the interpretation of Article 14(5)(b) of the GDPR and the notion of ‘disproportionate effort’.
The UODO did not address the fact that the controlled entity had 181,142 persons in its database, to whom it had only mobile phone numbers, and for whom it also failed to comply with its information obligations, although this did not require a financial burden such as the sending of registered mail. However, the part of the justification by the UODO is very important:
“The resignation from direct contact only because of the costs associated with it should be assessed negatively, especially as operations on personal data are the subject of the basic, purely commercial, professional, long-term activity of the Company. The Company, as a professional in this type of activity, should be required to shape the business side of its activity in such a way that takes into account all the costs necessary to ensure its compliance with the law (in this case with the provisions on personal data protection).”
The Authority has thus taken the view that the economic operator should include all costs related to the performance of its legal obligations in the price of its services. Therefore, it can be concluded that the excessive costs in the economic operator’s view will not be sufficient for UODO to justify not complying with the provisions of the GDPR.
Apart from the obligation to pay an administrative fine in the amount of PLN 943,470 (219 734.4 Euros), the UODO ordered the controlled company to fulfil the obligation to provide information to individuals whose personal data it processes and set the deadline of three months for its implementation.
The decision of the UODO was published on the website of the Authority.