Pol­and: GDPR fine of EUR 220,000 (breach of transparency).

Accor­ding to media reports, the Polish data pro­tec­tion super­vi­so­ry aut­ho­ri­ty has fined a respon­si­ble par­ty the equi­va­lent of around EUR 220,000 in pen­al­ties. The per­son respon­si­ble appar­ent­ly obtai­ned infor­ma­ti­on from public regi­sters and used it for a com­mer­cial pro­duct. The pro­ce­s­sing affec­ted around 6 mil­li­on data subjects.

Howe­ver, the per­son respon­si­ble only actively infor­med the appro­xi­m­ate­ly 90,000 peo­p­le who­se e‑mail address he knew. For rea­sons of cost, the per­son respon­si­ble refrai­ned from indi­vi­du­al­ly informing the remai­ning per­sons con­cer­ned – e.g. by let­ter to their postal address or by tele­pho­ne call, and the pri­va­cy poli­cy on its web­site was jud­ged to be insuf­fi­ci­ent. In par­ti­cu­lar, accor­ding to the aut­ho­ri­ty, the con­trol­ler would not have been requi­red to send a pri­va­cy state­ment by regi­stered mail, which the con­trol­ler had claimed.

The fol­lo­wing fac­tors appar­ent­ly play­ed a role in the assess­ment of the fines:

• The intent of the per­son respon­si­ble, who was awa­re of his duty to inform;
• the serious­ness of the vio­la­ti­on, becau­se a vio­la­ti­on of the trans­pa­ren­cy obli­ga­ti­on (Art. 14 GDPR) results in the data sub­jects not being able to exer­cise their rights;
• the fact that of the 90,000 peo­p­le infor­med, around 12,000 objec­ted to the pro­ce­s­sing, which shows the poor accep­tance of the processing;
• that the con­trol­ler did not cea­se the non-trans­pa­rent pro­ce­s­sing during the inve­sti­ga­ti­on and appar­ent­ly did not decla­re its inten­ti­on to cea­se the violation.

It remains open whe­ther a pri­va­cy state­ment on the web­site would have been suf­fi­ci­ent had the con­trol­ler not had the addres­ses of the data subjects.