Bisnode – €220,000 Fine (Poland, 2019)

The decision of the UODO’s President concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. In total, the company has 7'594'636 records of data concerning natural persons, and the company fulfilled the information obligation in relation to only 682'439 persons in relation to whom it has email addresses within the database record. The company raised the ground that the communication by registered letter would cost its turnover for the year 2018, which would constitute a "disproportionate effort" and would critically disturb the functioning of the company. 1) What is the applicable provision? 2) Does the company fulfill its obligation of information towards all data subjects? 3) Is it sufficient to place a privacy notice on the company's website to fulfill the information obligation towards natural persons who were not informed by email? 4) Is the information obligation impossible or disproportionate pursuant to Art. 14 par. 5 lit. b GDPR? The President of UODO found that: 1) The applicable provision is the Art. 14 GDPR sin