Last week the Personal Data Protection Office (“UODO”) in Poland issued a €220,000 fine to a digital marketing company for breaching its obligations under Article 14 of the GDPR (i.e. to provide a privacy notice to individuals). The decision has some important practical implications for organisations, including that:
- the collection of publicly-available information from the internet does not relieve you of your obligations under the GDPR;
- a significant cost (in this case €8 million) involved with providing privacy notices to individuals is not sufficient to be able to rely on the ‘disproportionate effort’ exemption under Article 14; and
- the GDPR is not prescriptive about how individuals must be provided with privacy information but the ‘passive’ posting of a notice on a website is unlikely to be sufficient where the individuals are unaware of the collection of their data.
What does Article 14 say?
Article 14 of the GDPR requires data controllers who have obtained personal data other than directly from the data subject to provide the data subject with certain information (i.e. effectively to provide them with a privacy notice).
The data controller must provide this information within a reasonable period after obtaining the personal data and in any event within one month (Article 14 (3)(a)). This obligation will not apply to the extent that the provision of such information is ‘impossible or would involve a disproportionate effort’ (Article 14 (5)(b)).
What did the company do?
The company scraped publicly-available data from the internet in respect of over 6 million individuals, and proceeded to use the data for commercial purposes.
Of those 6 million individuals, the company had obtained email addresses for at least 90,000. The company contacted these 90,000 data subjects by email to inform them that it was processing their data (and over 12,000 of these data subjects objected).
However, the company made no attempt to contact or inform any of the other individuals, even where it had obtained their postal addresses or telephone numbers. This was a conscious decision: the company, aware of its obligations under Article 14 of the GDPR, had assessed that it would cost around €8 million in registered postal charges to write to the data subjects for whom it held physical addresses (leaving aside any administrative costs or telephone bills). Consequently, the company decided instead to post a notice on its website stating that it had emailed the data subjects whose email addresses it had obtained, that it believed informing the remaining data subjects by post or telephone would be disproportionate, and that it therefore considered its Article 14 obligations fulfilled.
What did the UODO say?
In short, the UODO considered that the company’s intentional failure to contact the data subjects for whom it had obtained postal addresses or telephone numbers was a breach of Article 14.
The UODO acknowledged the calculated cost of registered post, but pointed out that the GDPR does not specify a method of communication, and that unregistered post, hand-delivered mail, or SMS messages, for example, would have been satisfactory, and that therefore the company was unable to rely on the Article 14 (3)(a) exemption.
The UODO also criticised the ‘passive’ approach, noting that data subjects who were unaware that their data was being processed by the company would be unlikely to look for the notice that the company had posted on its website.
In addition to the €220,000 fine which was levied on the company, the UODO requires the company to remedy its breach of Article 14 by contacting the remaining data subjects within 3 months.