President of the Polish Personal Data Protection Office has slapped the first fine for breach of the GDPR

by Jarosław Kamiński and Michał Liszka

15 April 2019

First fine for breach of GDPR

Nearly 10 months after the effective date of the General Data Protection Regulation (GDPR), the President of the Polish Personal Data Protection Office (PDPO) has imposed the very first fine for unlawful data processing. The fine has been imposed on a company which processes publicly available data from e.g. the Polish Central Registry and Information on Businesses. The company uses the above data for analysis using the scoring models.

Unfulfilled information obligation

The President of the PDPO has explained that the fine of more than PLN 943 thousand has been levied for the failure to fulfil the information obligation towards more than 6 million people. Those people were not informed about the processing of their personal data and thus were deprived of their right prescribed by the GDPR such as the right to rectify data or the right to be forgotten. The company fulfilled that obligation only towards people who had disclosed their e-mail addresses (about 90 thousand, of which 12 thousand objected to the processing). However, they failed to inform the people whose other contact details, such as phone numbers or correspondence addresses, were in their possession). The company argued that the costs of such an operation would be excessive.

The amount of the fine has been greatly affected by the PDPO President's assumption that the company acted intentionally because it took no steps to remove the breach despite being aware of the obligation.

The fine and the costs of fulfilling the obligation

The fined company issued a press release questioning the well-foundedness of the fine and the PDPO's arguments. Article 14(5)(b) of the GDPR is the most controversial. It says that the information obligation may be waived if it proves impossible or would involve a disproportionate effort. The company invoked that article claiming that the costs of fulfilling the information obligation met that criterion. However, the interpretation of that provision is very difficult and many lawyers believe that a request for a preliminary ruling from the court considering the company's appeal to the Court of Justice of the European Union to clarify the doubts could be crucial here. Most certainly the case is going to be followed and commented on broadly because an unfavourable court ruling could trigger a series of fines for other entities.

Whatever the ruling, the PDOP President's decision gives a clear signal that after almost a year of the Regulation's lifetime, the time for the businesses to adapt to the new regulations is over. Further inspections by the President of PDPO announced in the media may bring more sanctions (including financial ones). Therefore, it is important now more than ever to conduct an audit of personal data processing in your company to check if you operate in compliance with the applicable laws and you store information in a secure way.