On March 26, 2019, Urzędu Ochrony Danych Osobowych (UODO), the Polish Data Protection Agency (DPA) imposed a fine of around $250,000 on a company for failure to fulfill its information obligation as a controller.
The UODO explained that the controller did not meet the information obligation (Art. 14 (1) – (3), GDPR) in relation to over 6 million people. The company fulfilled the information obligation by providing the required information to the individuals whose e-mail addresses it had on file but not to other millions of data subjects, whose data it was processing and for which the company did not have the email address. For those data subjects, the company provided information only on its website.
The company alleges that the lack of information was due to high operational costs necessary to inform data subjects for which it did not have an email contact. Basically, the controller alleges that the exception to the duty to inform of Article 14.5(b) applies (“the provision of such information proves impossible or would involve a disproportionate effort”).
However, according to the UODO, the company had mail address and/or telephone number for those data subjects and could and should therefore have complied with the obligation to provide information to the persons whose data are being processed.
ZSPR.421.3.2018 is available (in Polish) at https://uodo.gov.pl/pl/324/787