Poland and Denmark Issue First GDPR Fines (covering Transparency and Data Minimization)
Poland and Denmark announced their first fines under the European Union General Data Protection Regulation (GDPR) as Data Protection Authorities are starting to exercise their new regulatory power in data protection. Although these fines don’t compare in size to the EUR 50 million fine of Google by France, they do signal that forced consent, the lawful basis of processing and the large tech companies are not the only areas of the new privacy law that the DPAs are investigating.
The Poland Article 14 Fine
Poland issued its first penalty under GDPR to a Polish data controller that was aggregating publicly available personal information without the required disclosures under Article 14. The company was issued a fine of EUR 220,000, though the company may appeal the decision and this would suspend execution of it until a final judgment.
GDPR Article 14 requires the controller to make disclosures to the data subject when they obtain personal data from a place other than the data subject. The required disclosures include, among other things, the identity and the contact details of the controller, the categories of personal data concerned, the purposes of the processing, and the legal basis for the processing.
The press release by the Polish Personal Data Protection Office indicated that the company informed some people of the processing of their personal data by email. However, they did not inform more than 6 million others.
The company defended its conduct by claiming that there was a high operational cost to notifying individuals whose email addresses the company did not possess. Instead, the company provided an information clause on its website. According to a news report, its defense relied on Paragraph 5 of Article 14; this likely refers to subsection (b), which waives the notification obligation if providing the information “would involve a disproportionate effort ….”
The Polish DPA rejected this defense because the company had access to the data subjects’ postal addresses and telephone numbers. The press release indicates that the decision was distinguishable from a prior case a few years ago in which the company did not have any contact information.
The DPA also said that the violation was intentional because the company was aware of its duty to inform the data subjects and this resulted in the decision to impose a higher fine. The company was ordered to provide the data subjects with an Article 14 notification within three months of the decision.
The Denmark Data Minimization Fine
Denmark has recommended a fine of $180,000 against a company for violating the data minimization principle of GDPR. The company deleted the name and address of its customers after two years but maintained other personal data, such as their telephone number, in its records. Danish law does not permit the DPA to issue administrative fines, but the national courts can impose the fine as a criminal penalty.
Data minimization falls within the scope of Article 5 and Article 25. Article 5 of the GDPR sets forth the principles relating to processing of personal data. It says that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).” The data protection by design requirements of Article 25 require the controller to “implement appropriate technical and organisational measures … which are designed to implement data-protection principles, such as data minimisation, in an effective manner ….”
The company’s deletion of customer names appears to be an attempt at anonymization of the records after two years, though it was found insufficient because the phone number was retained for an additional three years. The company claimed that the phone numbers were integral to the database. However, the DPA rejected this defense and found that a large amount of personal data was stored without a factual purpose.
The recommended fine was around 2.8% of the company’s annual revenue. The Danish DPA has turned the case over to the Copenhagen police, who can pursue the fine through the court system should they choose to do so.