Poland Imposes Fines for Web-Scraping of Personal Data When Notification to Individuals Did Not Occur
Poland’s data protection agency issued its first fine under the EU’s General Data Protection Regulation (GDPR), imposing a 220,000 euro fine to Bisnode, a European digital marketing company headquartered in Sweden. The Poland Personal Data Protection Office (UODO) determined that the company had failed to inform individuals that it was processing their data after scraping that data from websites. Notification is required under Article 14. In addition to the fine, UODO required Bisnode to contact the nearly six million people it had not already contacted as required by the GDPR and gave the company three months to comply with the order.
Article 14 obligates data controllers to inform people whose personal data they intend to process when the information in question has not been obtained directly from the individual. Bisnode’s business model centers on processing data obtained from public databases and registers found on the Internet in order to create verification services and reports.
The data set under scrutiny by UODO contained approximately 7.6 million records of personal data. Bisnode was able to provide the correct privacy notification to roughly 700,000 individuals where records included email addresses. Bisnode only had mobile numbers and postal addresses for the remaining individuals in the data set. Bisnode displayed a notice on its website for those individuals who did not receive a privacy notice by email.
UODO argued that the company business model is based on processing scraped data, and that the company was aware of its obligations under Article 14. It further stated that the mere inclusion of information on the company’s website could not be considered sufficient fulfillment of Article 14 requirements.
The Polish case follows actions taken by data protection authorities in 2018 in Italy, the UK and France in which warnings were issued but no fines imposed. Actions were also taken in which fines were imposed in countries that include Belgium, Austria, Cyprus, Germany, Denmark and Spain.
ACHIEVED COMPLIANCE – HELPING YOU NAVIGATE THE COMPLEX WORLD OF DATA COMPLIANCE.
Through its software guided review and remediation process, education tools and representation services, Achieved Compliance makes it possible for companies to take all the steps needed for meaningful compliance that meets regulators’ expectations.
For more information as to how we can help your organization be GDPR compliant please contact firstname.lastname@example.org.