As we approach the GDPR’s one-year anniversary, we are starting to see more enforcement activity by the EU Data Protection Authorities (DPAs) as they complete their initial investigations into data breaches. This blog looks at two recent fines issued by the Polish and Danish DPAs, which demonstrate the type of conduct likely to lead to enforcement activity.
Polish DPA issues first fine for failure to fulfil information obligation
The Polish DPA recently imposed its first fine of €220,000 on a company which aggregates personal data from official publicly available registers for commercial purposes. The DPA concluded that the company had failed to inform data subjects about how it processes their personal data, as required under Article 14 of the GDPR.
The company fulfilled its obligation under Article 14 of the GDPR in respect of those data subjects whose email addresses it had at its disposal. However, the company failed to comply insofar as it did not contact the remaining 6 million people, whose email addresses it did not have. Even though the company had the postal addresses, and in some cases telephone numbers, of those remaining data subjects, the company argued that sending information by registered post would have involved a disproportionate effort, as the cost of mailing letters would be over PLN 30 million (€6.9 million), which was more than the company’s annual turnover. Instead, the company displayed a notice about the processing on its website, in an effort to comply with Article 14.
In the DPA’s opinion, displaying the information on the company’s website was insufficient where the company had the data subjects’ contact information, enabling it to inform them directly. In addition, the DPA noted that Article 14 does not impose an obligation to provide the necessary information by registered post (or other specific medium), so the expense of doing so was not a valid excuse. The DPA concluded that the infringement was intentional, as the company was aware of its duty to directly inform the data subjects, and had made a conscious decision not to inform them on costs grounds. The DPA seems to have taken the view that the company, in conducting its business, should have taken into account the costs necessary to comply with its legal obligations. The company is reportedly challenging the DPA’s decision in the Polish courts.
The DPA’s decision has been criticised as being unduly harsh, as Article 14(5)(b) provides an exemption to a controller’s information obligation to the extent that the provision of such information would involve a “disproportionate effort”. In such cases the controller is required to take appropriate measures to protect the data subjects rights, including making the information publicly available. We await further clarification from the EU DPAs, EDPB and/or courts on the scope of the “disproportionate effort” exemption, and how much effort a data controller is expected to expend to inform data subjects that it is processing their data. In the meantime, companies carrying out data-scraping for commercial purposes should carefully consider how to do so in compliance with Article 14, and factor in the cost implications of such compliance.
Danish DPA issues first fine for failure to delete customer phone numbers
Denmark’s DPA has also recommended its first fine of DKK 1.2 million (approximately €160,754) on a taxi company. The DPA found the taxi company retained customer data (namely customer telephone numbers) relating to approximately 9 million taxi rides, for longer than necessary, in breach of the GDPR’s data minimisation obligation. The DPA recommended the fine after it discovered the taxi company deleted only the name of data subjects after a two-year retention period, but continued to hold onto individuals’ phone numbers for a further three years. The DPA dismissed the taxi company’s argument that telephone numbers were an essential part of its IT database and could not be deleted within a shorter time span. The DPA also found that the taxi company was unable to demonstrate (beyond a manually updated deletion log) how and when personal data is deleted in its systems and backup recovery files. It remains to be seen whether the Danish Court will approve and impose the fine recommended by the DPA.
The fine serves as a reminder to companies of the importance of having a comprehensive data retention policy in place, being able to justify relevant retention periods, and deleting data when it is no longer needed for the purpose for which it was collected.
Other enforcement activity
Earlier this year, the European Commission published an infograph (discussed here) highlighting GDPR fines issued by the German, Austrian and French DPAs, respectively, for failure to secure users’ data (€20,000 fine), unlawful video surveillance (€5,280 fine) and lack of consent for Ads (€50m fine). Other enforcement activities are set out on the EDPB’s website.
The Irish DPC has not yet issued any GDPR fines, as the 16 statutory inquiries it is conducting (as lead supervisory authority) into multinational technology companies are ongoing. Those investigations are apparently at an advanced stage, but are subject to the consistency and cooperation process which will take some time to conclude.