Poland’s Personal Data Protection Office (UODO) has issued its first GDPR (General Data Protection Regulation) fine, penalizing an unnamed firm over PLN 943,000 ($245,950) for processing the personally identifiable information of over six million Polish citizens.
According to UODO, the company collected and processed this personal data from the country’s Central Electronic Register and Information on Economic Activity, which is a publicly available source.
The company informed 90,000 people via email that their personal data was being processed, and 12,000 of these people objected to this processing. The company also placed a notice about this data processing on its website. However, it failed to directly inform over six million other people of this data processing because of “high operational costs.”
GDPR requires companies to handle data in a way that respects people’s privacy. Some of the main requirements for companies under GDPR are to:
- Tell people how their personal data will be used
- Gain consent for this usage before processing the personal data
- Be able to demonstrate that this consent was given by each person
- Allow people to opt out of personal data processing and have their personal data deleted at any time
In its statement about the fine, UODO said that since the unnamed company had both postal addresses and telephone numbers for the people whose data it was processing, placing a notice on its website was insufficient. UODO added that the company should have used this contact data to directly notify people about:
- The data it was using
- How it obtained this data
- The purpose and the period of the planned data processing
- Their rights under GDPR
UODO also said that the infringement of GDPR was intentional because the company was aware of its obligations to provide relevant information about personal data processing and to directly inform users about any personal data being processed. Despite this awareness, the company didn’t attempt to end the infringement or indicate any intention to do so.
This is the latest in a series of fines and complaints that have been issued since the introduction of GDPR in 2018. In total:
- 59,000 data breaches have been reported to GDPR regulators
- 91 fines have been issued, with Google receiving the largest fine at €50 million ($57 million) for violating the GDPR in France