Poland’s data protection agency, the national Personal Data Protection Office (UODO) has issued its first fine for non-compliance with the General Data Protection Regulation (GDPR). The target was Bisnode, a Swedish-headquartered digital marketing agency which has an office in Poland. Bisnode was fined, a sum of approximately €220,000 for a failure to provide individuals with a privacy notice as required by Article 14 of the GDPR.
More significantly, in addition to the €220,000 fine, Bisnode was ordered to contact close to six million individuals who had not previously been provided with a privacy notice. Bisnode has estimated that this exercise will cost them in the excess of €8million in registered postage alone, let alone the cost of administration.
The case has raised alarm bells in data privacy circles beyond just Poland as Bisnode had considered that it was disproportionate for it to contact those in its database by post – it only needed to do so when it had e-mail addresses.
Bisnode appears to have obtained personal data by data scraping from various sources such as public registers and other databases relating to entrepreneurs and other business owners. Whilst some of the data it scraped was already in the public domain, such as company registered offices on the Polish version of Companies House, the vast majority wasn’t publicly available.
Where Bisnode obtained an individual’s email address, it would contact them by email. However, it did not have email addresses for the vast majority of individuals, totaling approximately 5.7 million. Bisnode had made a conscious decision not to contact these individuals directly due to the administrative burden and the cost of doing so, which Bisnode considered disproportionate. There is an exception to the requirement to provide a privacy notice where doing so would be impossible or involve disproportionate effort. As an alternative, Bisnode posted the privacy information on its website and believed that this satisfied its obligations under Article 14 of the GDPR.
The UODO disagreed that Bisnode had satisfied its obligations under Article 14 of the GDPR by placing a privacy notice on its website. The UODO found that Bisnode had made a conscious commercial decision not to contact the individuals, and that Bisnode should have factored in the cost of contacting individuals as part of the cost of the data.
The UODO stated that Bisnode should have complied with its obligations under Article 14 in an active manner. It was not good enough to merely place a privacy notice on its website and expecting the data subject to take pro-active steps to find it. On that basis, the UODO considered placing a notice on a website was too passive to comply with the Article 14 obligations.
This decision is potentially significant for all organisations which have been relying on the ‘disproportionate effort’ exception to avoid sending privacy notices direct to individuals, particularly those which have relied on their websites to communicate privacy information.
However, UK businesses should note that Bisnode has already confirmed that it will appeal the decision through the local courts, and is prepared to fight all the way to the Court of Justice of the European Union if necessary. Therefore it is entirely possible that this decision will be overruled. In addition, this is a Polish decision and is not binding in the UK. The ICO has not yet addressed this issue and may well take a different view to the UODO on the scope of the ‘disproportionate effort’ exception.
The GDPR is still less than a year old, and so there remains very little case law. Whilst the strict approach taken by the UODO in this case could well be a sign of things to come, UK businesses should avoid placing too much reliance on what is a single decision made by the Polish regulator which is not binding in the UK.
We will be watching carefully to see how both any appeal progresses and whether similar interpretations of the GDPR are adopted elsewhere.