Poland’s Personal Data Protection Office Issues First GDPR Fine

Morgan Lewis

The Personal Data Protection Office (UODO) in Poland issued its first administrative fine under the General Data Protection Regulation (GDPR) on March 26. A fine of approximately €220,000 (approximately $247,000) was imposed on an unnamed company for failing to fulfil its information obligations under the transparency requirements in Article 14 of the GDPR when it collected and processed personal data from publicly available registers.

Under the GDPR, individuals have the right to be informed about the collection and use of their personal data. Articles 13 and 14 of the GDPR further specify what individuals have the right to be informed about. Different information requirements apply depending on whether companies collect information directly from the data subject (Article 13) or otherwise (Article 14).

The UODO found that the company had failed to inform more than six million data subjects whose data it processed and had therefore deprived those data subjects of their rights to object to processing and to request rectification or erasure. The UODO considered this a significant breach because it infringed the fundamental rights and freedoms of data subjects.

The company had fulfilled the information obligation by providing the information required under Article 14(1)–(3) of the GDPR in respect of 90,000 individuals whose e-mail addresses it had readily available. For the remaining individuals, the company had postal addresses and telephone numbers that would have enabled it to comply with the information requirements under Article 14; however, it failed to do so due to the “high operational costs” of contacting data subjects by telephone and post.

The UODO held that the company was aware of its obligation to provide certain information and to inform data subjects directly. Accordingly, the UODO found the infringement to be intentional. This was further evident from the continuing infringement and the controller’s failure to remedy it.

The significant fine (of almost PLN 1 million) imposed by the UODO demonstrates the regulator’s approach to companies that purposefully do not comply with the GDPR.

The UODO notice of the infringement is set out on the European Data Protection Board website.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morgan Lewis | Attorney Advertising
