Poland’s data protection authority (UODO) issued its first GDPR fine against the digital marketing company Bisnode for failing to fulfill its data subject rights obligations under Article 14. The financial penalty amounts to EUR 220,000 (PLN 943,000) and the company has been given three months to reach out to 6 million people in order to meet its Article 14 information notification requirements.
So what was the actual issue? Apparently, Bisnode aggregated personal data from publicly available registers (like the Central Register and Information on Economic Activity (CEIDG) and the National Court Register (KRS)) and reused it for commercial purposes without notifying the data subjects. The company is said to have aggregated personally identifiable information on over six million Polish data subjects, of whom only 90,000 were informed because they were the only ones for whom an email address was available. Of these 90,000, 12,000 have objected to having their data used.
“The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because — as it was established during the proceedings — the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons,” the UODO said in a notice.
“While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so.”
The company may now appeal the decision in court, suspending the execution of the decision until a final judgment by the court.
The UODO is said to be preparing another two decisions imposing penalties but no further details have been disclosed.