On March 26, 2019, the Polish Supervisory Authority (“SA”) issued a fine of around €220,000 against a company that processed contact data obtained from publicly available sources without informing the individuals concerned (decision in Polish here and English summary here). Article 14 of the GDPR requires data controllers that do not obtain personal data directly from the individuals concerned to provide these individuals with information about how their data is processed within a reasonable time after obtaining the data (max. 1 month).

The company scraped contact data from public registries, such as the Polish Central Electronic Register and Information on Economic Activity, to prepare trade reports, contact lists and “to provide other business and management consulting services” to its clients. The company’s systems contained around 7.6 million records with personal data of natural persons (including sole traders and persons engaged in an economic activity).

In April 2018, the company sent an email to all the individuals whose email address it possessed (around 680 thousand individuals) with information about how it processes their personal data. The company also published on its website a data protection policy containing similar information. However, the company did not provide information by SMS or physical post to those individuals for whom it only had a phone number or postal address respectively (about 6.5 million individuals).

In its defense, the company asserted that: (i) the data constitutes publicly available information; (ii) the processing only involved very limited data (only contact details); (iii) the risk to the rights and freedoms of the individuals was low; (iv) the company employs high security standards to protect the personal data; and (v) providing information by post to the individuals for whom it does not have an email address would have a serious impact on the company’s business. According to the company, just the cost of sending the registered mail would amount to more than €7.8 million, not considering the human resource costs and other costs (e.g., of printing, preparing for shipment and dispatch, paper, toner, envelopes, stamps, handling returns, etc.). On this basis, the company indicated that providing the information by post would constitute a “disproportionate effort”, triggering the derogation in Article 14(5)(b) of the GDPR.

In this case, the SA decided that the mere provision of the information through a website privacy policy did not suffice, as it was neither “impossible” nor a “disproportionate effort” for the company to contact the individuals whose telephone number or postal address it had. However, the SA recognized that, where the company lacked the contact details of the individuals and would have to search for this data in other sources, this would constitute a “disproportionate effort” for the company.

The company was found to have intentionally violated Article 14 GDPR, motivated by a desire to avoid additional costs associated with informing the individuals about the processing of their data. In addition to the fine, the company was also ordered to inform, within 3 months of the decision, the individuals whose contact data it held.

Kristof Van Quathem

Kristof Van Quathem advises clients on data protection, data security and cybercrime matters in various sectors, and in particular in the pharmaceutical and information technology sector. Kristof has been specializing in this area for over fifteen years and covers the entire spectrum of advising clients on government affairs strategies concerning the lawmaking, to compliance advice on the adopted laws, regulations and guidelines, and the representation of clients in non-contentious and contentious matters before data protection authorities.

Anna Oberschelp de Meneses

Anna Sophia Oberschelp de Meneses is an associate in the Data Privacy and Cybersecurity Practice Group. Anna is a qualified Portuguese lawyer, but is both a native Portuguese and German speaker. Anna advises companies on European data protection law and helps clients coordinate international data protection law projects. She has obtained a certificate for “corporate data protection officer” by the German Association for Data Protection and Data Security (“Gesellschaft für Datenschutz und Datensicherheit e.V.”). She is also a Certified Information Privacy Professional Europe (CIPPE/EU) by the International Association of Privacy Professionals (IAPP). Anna also advises companies in the field of EU consumer law and has been closely tracking the developments in this area. Her extensive language skills allow her to monitor developments and help clients tackle EU Data Privacy, Cybersecurity and Consumer Law issues in various EU and ROW jurisdictions.