DLP Insights

GDPR: Polish authority fines a company for collecting data from third parties

Categories: DLP Insights, Practice | Tag: GDPR, Notice

02 May 2019

An announcement published on the website of the European Data Protection Board (EDPB) confirms that, in March 2019, the Polish data protection authority (UODO) imposed its first fine on a Swedish company pursuant to the personal data protection Regulation (EU) 2016/679 (“GDPR”), ordering it to pay a penalty of 220,000 euro. The Swedish company had processed the personal data of a number of people without their knowledge and without giving them appropriate information on the processing of their data, in flagrant breach of art. 14 of the GDPR.


Reference Regulations

Where personal data have not been obtained directly from the data subject, art. 14 of the GDPR requires the controller to provide the data subject with the following information:

  1. the identity and the contact details of the controller and, where applicable, of the controller’s representative;
  2. the contact details of the data protection officer, where applicable;
  3. the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
  4. the categories of personal data concerned;
  5. the recipients or categories of recipients of the personal data, if any;
  6. where applicable, that the controller intends to transfer personal data to a third country outside the European Union;
  7. the period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  8. the legitimate interests pursued by the controller or by a third party;
  9. the existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing and to object to processing as well as the right to data portability;
  10. where processing is based on consent given, the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
  11. the right to lodge a complaint with the supervisory authority;
  12. the source from which the personal data originate and, if applicable, whether they came from publicly accessible sources;
  13. the existence of automated decision-making, including profiling, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences for the data subject.


The controller must provide said information within a reasonable period, at the latest within one month from the date of collection or at the time of the first communication to that data subject or to third parties.


The facts

In the case examined, the fined company – which supplies decision-making support in the form of digital business, marketing and credit information – had processed the personal data of a large number of natural persons (entrepreneurs) without their knowledge.


The data subjects were not informed that their personal data were being processed and were thus deprived of the possibility to exercise their rights under the GDPR. Nor were they able to object to further processing or request the rectification or erasure of the personal data.


Specifically, the company provided the information set out in art. 14 of the GDPR only to those persons for whom it had an email address. For the other persons, it did not satisfy the information requirement because of (on its own admission) the “significant operating costs” involved in sending the notice to the data subjects by recorded delivery, and therefore limited its action solely to publishing the privacy notice on its website.


According to the President of the UODO, since the company had the postal addresses and telephone numbers of such persons, it should have satisfied the information requirement using that information. In fact, the GDPR does not require the controller to send notices by “recorded delivery”.


The President of the UODO thus held that the breach was intentional, since – as established during the procedure – the company was aware of the requirement to provide appropriate information and of the need to inform the data subjects directly.


In imposing the fine, the UODO also considered that the company had failed to take any action to remedy the breach, or to declare its intention to do so.


To conclude, the UODO considered the breach to be very serious as “it affects the fundamental rights and freedoms of the persons whose personal data the company has processed, and refers to the basic issue of: the information to be provided to data subjects regarding the processing of personal data concerning them. The fine must be imposed since the controller has not complied with the law”.


Comments

The decision is important insofar as (i) the fine arises from the breach not of a national law but of a European law (applicable also in the Italian legal system) on the protection of personal data, and (ii) it highlights an error in terms of corporate compliance. Indeed, by failing to notify the data subjects that data concerning them were being processed, the company failed to satisfy its legal obligation.
