Out-Law / Your Daily Need-To-Know

Case sets GDPR standard for publicising privacy notices

Out-Law News | 02 Apr 2019 | 10:44 am

In light of recent enforcement action, businesses that do not collect personal data directly from consumers may have to use any contact details they do gather about those consumers to notify them of how they intend to use their data, a data protection law expert has said.

Rif Kapadi of Pinsent Masons, the law firm behind Out-Law.com, said action taken by Poland's data protection authority highlighted the standards of transparency businesses must meet under the General Data Protection Regulation (GDPR).

Businesses processing personal data are obliged to provide people to whom the data relates with information about that data processing. Specific information requirements are set out in Article 14 of the GDPR for cases where the personal data organisations gather has not been obtained from the data subject, such as where it has been collected from public sources of information.

The Personal Data Protection Office (UODO) in Poland recently imposed a fine of approximately €220,000 on a business over what it deemed to be an intentional failure to take sufficient steps to notify six million people about the processing of their data. The case was publicised by the European Data Protection Board (EDPB).

"Many people whose data were processed by the company were not aware of this," the EDPB's summary of the case said. "The controller did not inform them about the processing and thus deprived them of the possibility to exercise their rights under the General Data Protection Regulation. Therefore, they had no possibility to object to further processing of their data, to request their rectification or erasure."

"The president of the Personal Data Protection Office considered the breach to be serious, since it concerns the fundamental rights and freedoms of persons, whose data are processed by the company and relates to the basic issue – the information on the processing of data. Imposing the fine is necessary, because the controller does not comply with the law," it said.

The company fined in the Polish case gathered data about entrepreneurs past and present from publicly available sources. The business shared its privacy notice directly with some of those people, via email, but it did not hold email addresses for many of the other data subjects. In a bid to meet the Article 14 information requirements in respect of those people, the company posted its privacy notice on its website. However, the UODO said this move did not go far enough.

The UODO considered that the company held postal address details for some of the data subjects. It said the company should have posted its privacy notice to those data subjects, rejecting the company's argument that it would have had to have used registered mail and that the cost of this justified it not posting the information.

"While having the contact data to particular persons, the controller should have fulfilled the information obligation in relation to them," the UODO concluded, according to the EDPB's statement.

"In the relevant case, the entity had postal addresses and telephone numbers and could therefore comply with the obligation to provide information to the persons whose data are being processed," it said.

Rif Kapadi of Pinsent Masons said the case holds lessons for other businesses.

"As ever, the case facts were somewhat unique to the controller's business and in particular, it seems from the EDPB press release that the fact data subjects may not have been aware of the processing at all, was probably an important aggravating factor, but the ruling by Poland's regulator confirms the high standards of transparency that organisations processing personal data are now subject to under the GDPR. So many businesses just rely on a website notification and do not budget for bespoke postal notice," Kapadi said.

"The case arguably creates an anomalous two-tier standard of disclosure that depends on whether and what contact details businesses hold about data subjects – on the one hand businesses cannot rely on simply publishing their privacy notice on their website to meet the information requirements of the GDPR in cases where they have no direct relationship with data subjects but have collected contact details for those individuals. The UODO case suggests that businesses should make use of the contact details they hold to meet their obligations on transparency about their data processing in such circumstances," he said.

"On the other hand, the situation will be different where businesses do not gather contact details for data subjects – in such cases posting privacy notices via public communication channels such as websites and on social media is likely to be sufficient to comply," Kapadi said.

"The costs of posting, other means of notice and the environmental impact should also be carefully balanced in practice. However, the UODO case shows that regulators are likely to apply a high threshold to the application of the proportionality concept that exists to the information requirements under Article 14 of the GDPR. GDPR contains an exemption where 'the provision of such information proves impossible or would involve a disproportionate effort' – the UODO case shows that the cost of posting privacy notices through ordinary mail to six million people was not sufficient to trigger the exemption," Kapadi said.

"I can also see this proportionality approach being applied in the data breach scenario, when controllers are deciding whether to reach out to data subjects directly or go for a public announcement, the standards and burdens on controllers are potentially quite high," he said.