On Dec. 11, 2019, the Polish Regional Administrative Court in Warsaw overturned the decision of the Polish data protection authority, Urząd Ochrony Danych Osobowych, with regard to the first financial penalty imposed on a company under the EU General Data Protection Regulation. The case will need to be reconsidered once again by the UODO regarding the imposition of the fine.
The UODO imposed a fine of approximately 221,000 euros on a data analytics company, accusing the company of infringing its information obligations under Article 14 of the GDPR in connection with sole traders who were or still are active in carrying out their business activities. The company collected data from publicly available sources, such as public registers, and processed it, creating reports and summaries on a variety of industries. More than 6 million people were affected, of whom 682,000 were informed that their data would be processed, and more than 12,000 objected.
The DPA argued that the provision relied upon by the company (GDPR Article 14.5(b)) to justify its failure to fulfill the GDPR’s information obligations was inapplicable to this case.
The court’s judgment
In its December 2019 ruling, the court partially overruled the DPA’s decision. As a result, the company is not, at the moment, required to pay the initially imposed fine of 221,000 euros. Notably, the court rejected the company’s argument that compliance with the information obligations would impose a disproportionate effort or financial burden on it.
The court further stated that, by merely publishing the information obligations required by the GDPR on its website, the company had not sufficiently complied with the obligation arising from Article 14. It held that the company was perfectly capable of informing individuals that it was processing their data, as it was required to do pursuant to Article 14, because it possessed all the contact information that would enable it to do so.
The court upheld the DPA’s decision regarding the need to comply with the information obligations created by Article 14 in relation to sole traders who conduct business activities and those who have temporarily suspended them.
According to the court’s ruling, the DPA is now required to repeat the administrative proceedings regarding the imposition of the fine. This is because the court overruled the authority’s decision concerning the infringement of information obligations in connection with sole traders who conducted business activity in the past; hence, the number of individuals whose rights were potentially infringed by the company changed. This, again, is material as it constituted the basis for calculating the fine.
Court defines ‘disproportionate effort’
The court’s ruling stated the concept of disproportionate effort cannot be translated as a financial or organizational cost. According to the court, such a definition would oppose the very foundation of personal data protection, as the processing and storage of personal data invariably generates certain costs. Neither organizational nor financial costs can be allowed to outweigh the right to have one’s data protected, even if the source of the data is publicly available registers.
The court stated: “When referring to disproportionate effort — this concerns a situation where providing the information referred to in Art. 14 par. 1 and 2 of the GDPR is objectively possible, but extremely difficult (bordering on an inability to provide such information).” In other words, the disproportionate effort rule may only be relied upon when gathering contact information and contacting entities is, in practice, impossible or virtually impossible.
Implications of the ruling
The court’s ruling is in some respects controversial given the fact that the main participants of the procedure were sole traders and not consumers. The decision to grant the same GDPR protection to both groups could have far-reaching consequences for other areas of business activity.
Moreover, the ruling defines and interprets the concept of “disproportionate effort” for the first time, but it is highly likely that this will represent merely the beginning of a long line of jurisprudence on the same issue.
It is important to note that the court strongly opposed the company’s contentions based on its use of publicly accessible registers. The court was very clear that using public registers did not justify the company's failure to comply with its information obligations. There is a substantial difference between publishing data in a public register for administrative reasons and using this data for further processing by a commercial actor seeking to derive an economic benefit.
The ruling is not necessarily final. The company said it is bringing an appeal to the Supreme Administrative Court of Poland.