On March 26, 2019, the Polish Supervisory Authority (“SA”) issued a fine of around €220,000 against a company that processed contact data obtained from publicly available sources without informing the individuals concerned (decision in Polish here and English summary here). Article 14 of the GDPR requires data controllers who do not obtain personal data directly from the individuals concerned to provide these individuals with information about how their data is processed within a reasonable time after obtaining the data (max. 1 month).
The company scraped contact data from public registries, such as the Polish Central Electronic Register and Information on Economic Activity, to prepare trade reports, contact lists and “to provide other business and management consulting services” to its clients. The company’s systems contained around 7.6 million records with personal data of natural persons (including sole traders and persons engaged in an economic activity).
In April 2018, the company sent an email to all the individuals whose email address it held (around 680 thousand individuals) with information about how it processes their personal data. The company also published on its website a data protection policy containing similar information. However, the company did not provide information by SMS or physical post to those individuals for whom it had only a phone number or postal address, respectively (about 6.5 million individuals).
In its defense the company asserted that: (i) the data constitutes publicly available information; (ii) the processing only involved very limited data (only contact details); (iii) the risk to the rights and freedoms of the individuals was low; (iv) the company employs high security standards to protect the personal data; and (v) providing information by post to the individuals for whom it does not have an email address would have a serious impact on the company’s business. According to the company, just the cost of sending the registered mail would amount to more than €7.8 million, not considering the human resource costs and other costs (e.g., of printing, preparing for shipment and dispatch, paper, toner, envelopes, stamps, handling returns, etc.). On this basis, the company indicated that providing the information by post would constitute a “disproportionate effort”, triggering the derogation in Article 14(5)(b) of the GDPR.
In this case, the SA decided that the mere provision of the information through a website privacy policy did not suffice, as it was neither “impossible” nor a “disproportionate effort” for the company to contact the individuals whose telephone number or postal address it had. However, the SA recognized that, where the company lacked the contact details of the individuals and would have to search for this data in other sources, this would constitute a “disproportionate effort” for the company.
The company was found to have intentionally violated Article 14 GDPR, motivated by a desire to avoid additional costs associated with informing the individuals about the processing of their data. In addition to the fine, the company was also ordered to inform, within 3 months of the decision, the individuals whose contact data it held.