GDPR fine under Article 14

The Polish Data Protection Regulator imposes €220,000 fine under GDPR – Its first monetary penalty in March 2019 

The company breached the regulations by collating and sourcing it from publicly available sources and using it for verification purposes.

In greater detail; The company who are a classed as the data controller accessed personal data of business owners / entrepreneurs from public registers about business activities, sole proprietorship, active businesses, suspended business activities including business history, which is very similar to the data on UK’s companies house about directors.

The Polish regulator has imposed the penalty for breach of Article 14 GDPR advising that the company failed to notify the data subjects that they were collecting data about them from other sources in addition to the data subjects themselves.

The investigation found that 900,000 data subjects were affected out of 7,000,000.


The company challenged the regulator, advising that they did not have email addresses for all of the data subjects and that sending the notification to the data subjects by mail would have been disproportionate due to the high cost and drain on resources the same argument was stated about SMS notification also. Then then said that that it had all the necessary information about the data processing on its website.

The Polish regulator advised that having the information on the website is no enough, the company should have informed the data subjects individually. It is not reasonable to expect data subjects to visit the website for this information as it should have been provided to them and it is not reasonable to expect the data subject should be looking for the information.

  • What should the company have done to prevent this;
  • Data subjects should have been informed about the use of their personal data,
  • Data controller identity
  • Retention period
  • Purpose of processing
  • Rights under GDPR
  • Data sources

Further into the investigation,

it revealed that out of 900,000 persons that were properly informed about the processing, 12,000 decided to object.

Following these findings, the data protection authority advised that the breach was intentional, the company was aware of their duties under the regulations and this was not a one off mistake. The company had removed the data subjects’ rights under the GDPR therefore in view of the findings the regulator imposed the large fine on the company. The regulator also ordered the company to comply with Article 14 of the GDPR within 3 months following the investigation.


·      Individuals have the right to be informed about the collection and use of their personal data. This is a key transparency requirement under the GDPR.

·      You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. We call this ‘privacy information’.

·      You must provide privacy information to individuals at the time you collect their personal data from them.

·      If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.

·      There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.

·      The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

·      It is often most effective to provide privacy information to people using a combination of different techniques including layering, dashboards, and just-in-time notices.

·      User testing is a good way to get feedback on how effective the delivery of your privacy information is.

·      You must regularly review, and where necessary, update your privacy information. You must bring any new uses of an individual’s personal data to their attention before you start the processing.

·      Getting the right to be informed correct can help you to comply with other aspects of the GDPR and build trust with people but getting it wrong can leave you open to fines and lead to reputational damage.

This decision shows that the Polish regulator has adopted a strict approach and is taking data protection and the rights of data subjects very seriously. In its decision the authority stressed that data subjects who are unaware of the processing of their data cannot in fact exercise their fundamental rights under the GDPR. It is worth noting that the data subjects in question were not consumers, but sole entrepreneurs / sole traders which fall in scope of the regulations.

This is a GDPR fine and the same law applies to UK, if you require more guidance about what data is classified as personal data or how you can start complying please speak to us…. We’re here to help protect you.