VGS corporate lawyers


General Data Protection Regulation Fines and Penalties – Poland

  • by VGS' Editorial Board
  • 3 May 2019

One year after the GDPR entered into force, the first penalties and fines imposed by various Data Protection Authorities on several undertakings can be observed. This brief analysis offers insights and clarifications on possible misapplications of the GDPR and their consequences.

Country: Poland | Industry: Software | Company: Bisnode | Non-Compliance: Lack of communication with data subjects 

A first and radical decision issued by the Polish Data Protection Authority (“UODO”) concerns the common practice of obtaining personal data other than directly from the data subject. The €220.000 fine was imposed on a Sweden-headquartered digital marketing company with an office in Poland after it failed to comply with Article 14 of the GDPR.

Art. 14 of the GDPR sets out the information to be provided where personal data have not been obtained directly from the data subject. In that case, the data controller shall provide data subjects with relevant information such as: the identity of the controller and Data Protection Officer, the categories of data processed, the purpose of processing, the recipients of personal data, the period for which the personal data will be stored, the right to lodge a complaint with a supervisory authority, et cetera.

The Polish Data Protection Authority also requires Bisnode to contact all data subjects in order to fulfil its Article 14 obligations. However, the number of data subjects involved is close to six million. The decision is radical because of its interpretation of “disproportionate efforts” in relation to the obligation to provide information. In fact, Recital 62 clearly states that it is not necessary to impose the obligation to provide information where doing so is not possible or would involve a disproportionate effort.

However, as stated by the UODO, whoever is involved in collecting personal data from public registers and other online sources should be required to shape its business around such activities. Furthermore, the UODO stated that Bisnode did not fulfil its obligations under Art. 14 by publishing on its website a statement declaring that it has complied with the GDPR. In fact, fulfilling the communication obligation requires an active approach. A passive notification under a tab on a website, as Bisnode provided, cannot be regarded as an active approach. Moreover, the active notification approach was affirmed by the Article 29 Working Party in its Transparency Guidelines adopted on 29 November 2017.
