Notifying data subjects of processing under the GDPR
What are proportional measures to take when meeting the informational obligation imposed on data controllers?
On 26 March 2019, the President of the Polish Data Protection Regulator (UODO) announced its first administrative fine for a company which had failed to meet the information obligations imposed on data controllers under Article 14(1-3).
The company, which processes data to assist its clients’ behaviours and decision-making, took the data of sole traders and members of companies’ bodies from publicly available sources. However, the company did not provide the vast majority of the data subjects with the information required by the GDPR, such as the collected data, the data source, the purposes for which the personal data was intended, the data subject’s rights and, crucially, the data subject’s right to object. The importance of informing the data subjects of the right to object was shown by the fact that, of the 90,000 of the 6,000,000 data subjects who were in fact informed, 12,000 decided to object to the processing.
As the company did not have email addresses for the remaining data subjects, and only had addresses and telephone numbers for some, they resorted to publishing a notice on their own website. The company claimed under Article 14(5)(b) of the GDPR that to comply with the obligation was impossible or would involve a disproportionate effort as sending out letters to all of the remaining data subjects would financially debilitate them.
The UODO found that the company’s explanation for not notifying the data subjects was unsatisfactory. The UODO explained that the company could have contacted the data subjects either by telephone or by a standard letter sent to their address. This option would have reduced the expense which the company argued was disproportionate. In addition, the UODO stated that the company should have taken into account the cost of notifying the data subjects in its business model, implying that it would not have processed the data of that number of data subjects had it known it was going to be expensive to notify them. Therefore, the UODO found that the company could have complied with its obligations under Article 14 of the GDPR.
Furthermore, in reaching the decision (and the large fine of €219,000), the UODO found that the company’s actions were intentional as the company was indeed conscious of the fact that it had to provide the information to the data subjects and had neither attempted to contact the data subjects nor had it announced its intentions to do so.
However, the UODO did state that notification was not necessary for the members of the companies’ bodies, as the source contained no contact data for these members and the company would therefore have had to find more data regarding them, which would be classified as disproportionate.
Why is this important?
This ruling highlights the importance of notifying data subjects of your processing in accordance with Article 14 of the GDPR and the harshness of the penalties if you do not comply. It also portrays the court’s attitude towards the balance of costs and efforts of the data controller informing data subjects and the business’ capacity to trade.
Any practical tips?
Remember the obligation to notify under Article 14! If you are processing the data of a large number of data subjects (for whom the only contact details you have are their addresses), it might be possible to notify them by means of a standard letter, which would significantly reduce the cost. In addition, the ruling suggests that processing information does not have to be given to members of companies’ bodies if their data was taken from publicly available sources.