According to media reports, the Polish data protection supervisory authority has fined a controller the equivalent of around EUR 220,000. The controller apparently obtained information from public registers and used it for a commercial product. The processing affected around 6 million data subjects.
However, the controller actively informed only the approximately 90,000 people whose e-mail address it knew. For reasons of cost, the controller refrained from individually informing the remaining data subjects (e.g. by letter to their postal address or by telephone call), and the privacy policy on its website was judged to be insufficient. In particular, according to the authority, the controller would not have been required to send a privacy statement by registered mail, as the controller had claimed.
The following factors apparently played a role in the assessment of the fine:
- the intent of the controller, who was aware of the duty to inform;
- the seriousness of the violation, because a violation of the transparency obligation (Art. 14 GDPR) results in the data subjects not being able to exercise their rights;
- the fact that of the 90,000 people informed, around 12,000 objected to the processing, which shows the poor acceptance of the processing;
- the fact that the controller did not cease the non-transparent processing during the investigation and apparently did not declare its intention to cease the violation.
It remains open whether a privacy statement on the website would have been sufficient had the controller not had the addresses of the data subjects.