A data processor in Poland has been hit by a PLN 943,000 (€220,000, £187,000, US$247,000) GDPR fine. The fine was imposed by the President of the Personal Data Protection Office (UODO). The unnamed company failed to contact data subjects to tell them that it held their data and what it was using it for. The UODO described this as “its failure to fulfil the information obligation.”
Dr Edyta Bielak-Jomaa, President of UODO, commented: “The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity.”
What did the data processor do?
The data processor in question had scraped the Internet for data on individuals from publicly available sources, in this case the Central Electronic Register and Information on Economic Activity. It gathered data on over 6 million individuals and then used that data to provide commercial services.
The issue for the UODO was how the data processor contacted those data subjects and what information it provided. The data processor made contact only where a record had an associated email address. The UODO says that, in those cases, it did meet the requirements of Article 14(1)–(3).
Where there was no email address but there was a telephone number or postal address, the company decided not to make contact and seek consent. It argued that there was no provision in the GDPR requiring it to send registered email to individuals seeking consent to use their data. While the UODO accepted this argument, it ruled that it did not give the company sufficient grounds to make no attempt at all to contact those individuals.
The press release claims that of 90,000 people contacted, over 12,000 objected to the use of their data. It is unclear whether this was a sample set or whether only 90,000 of the 6 million records contained an email address. If the latter, then this breach affected over 5.9 million people.
A conscious decision to ignore the GDPR
This is not a case of an accidental breach by a data processor. The company actively sought out and acquired the data. It also decided to contact only those individuals whose email addresses it had gathered. In the final ruling, the President of the Personal Data Protection Office found that:
- The infringement of the controller was intentional.
- The company was aware of the obligation to provide relevant information, as well as the need to directly inform persons.
- The company took no action to prevent the infringement, to stop it once it had happened, or to declare that it would cease infringing the GDPR.
Enterprise Times: What does this mean?
Scraping data from the Internet to create mailing and marketing lists is not new. Barely a day goes by without ET being offered lists of people who use a specific product or technology. That data will have been gathered from a variety of sources, much as the data processor above did. While some list sellers provide unsubscribe options, they often use these to verify email addresses and then sell the details on to other data list owners.
This ruling by the UODO could have a significant impact on the data processing industry if it is properly enforced. One of the challenges will be tracking down the companies involved, which operate across national borders. Reporting such companies under the GDPR was supposed to be simple. The reality is that working out where a company is located and then getting a data protection regulator such as the ICO to take action is difficult.
Will this stop the harvesting of data? No. As the UODO discovered, even when the company knew it was in breach of the GDPR, it simply carried on. It is not clear whether the UODO has forced the company to change or improve its monitoring and reporting capabilities. Without that, the fine simply becomes a cost of doing business.