Poland Imposes Fines for Web-Scraping of Personal Data When Notification to Individuals Did Not Occur

Poland’s data protection agency issued its first fine under the EU’s General Data Protection Regulation (GDPR), imposing a 220,000 euro fine to Bisnode, a European digital marketing company headquartered in Sweden. The Poland Personal Data Protection Office (UODO) determined that the company had failed to inform individuals that it was processing their data after scraping that data from websites. Notification is required under Article 14. In addition to the fine, UODO required Bisnode to contact the nearly six million people it had not already contacted as required by the GDPR and gave the company three months to comply with the order. Article 14 obligates data controllers to inform…

READ MORE

Article 29 Working Party Provides Important Guidance about Data Protection Impact Assessments

Data Protection Impact Assessments (DPIAs) are critical to companies’ successful compliance with the General Data Protection Regulation (GDPR), and to their efforts to establish responsible, effective data governance within their organizations. Article 35 of the GDPR requires companies to conduct a DPIA when processing is likely to raise “high risk” to individuals. On August 6, we blogged about the advice of the Belgian data protection authority on this aspect of the GDPR. But the Belgian DPA did not issue its recommendations in isolation. The Article 29 Working Party (the “Working Party”) late last year adopted Guidelines on data protection impact assessments and determining whether processing is “likely to result…

READ MORE