The Personal Data Protection Office (UODO) in Poland issued its first administrative fine on March 26 under the General Data Protection Regulation (GDPR). A fine of approximately €220,000 (approximately $247,000) was imposed on the unnamed company for failure to fulfil its information obligations under the transparency requirements in Article 14 of the GDPR when it collected and processed personal data from publicly available registers.
Under the GDPR, individuals have the right to be informed about the collection and use of their personal data. Articles 13 and 14 of the GDPR further specify what individuals have the right to be informed about. Different information requirements apply depending on whether companies collect information directly from the data subject (Article 13) or otherwise (Article 14).
The UODO found that the company had failed to inform more than six million data subjects whose data it processed, and had therefore deprived those data subjects of their rights to object to processing and to request rectification or erasure. The UODO considered this a significant breach because it infringed the fundamental rights and freedoms of data subjects.
The company had fulfilled the information obligation by providing the information required under Article 14(1)–(3) of the GDPR in respect of 90,000 individuals whose e-mail addresses it had readily available. For the remaining individuals, the company had postal addresses and telephone numbers that would have enabled it to comply with the information requirements under Article 14, but it failed to do so due to the “high operational costs” of contacting data subjects by telephone and post.
The UODO held that the company was aware of the obligation to provide certain information and to inform data subjects directly. Accordingly, the UODO found the infringement to be intentional. This was further evident from the continuing infringement and the controller’s failure to remedy it.
The significant fine (of almost PLN 1 million) imposed by the UODO demonstrates the regulator’s approach to companies that purposefully do not comply with the GDPR.
This was originally posted here: https://www.jdsupra.com/legalnews/poland-s-personal-data-protection-48932/