Bisnode to cough up eight million euros on postage due to GDPR breach – which is 36 times more than the fine!
220,000 euro fine for the Danish company Bisnode due to violations of the GDPR rules in Poland.
Apart from being the first fine of its kind in Poland, it is not in itself particularly startling. What is remarkable is that the company is required to inform the six million people whose data was affected, with an old-fashioned letter in the post, according to TechCrunch.
According to the company, the request, made by the Polish Data Protection Authority, will incur an expense of eight million euros for postage alone. Not to mention the other costs involved in sending out the many letters.
The crime committed by Bisnode in Poland is that they collected data from publicly available sources without informing the people to whom this data belongs, an action that is contrary to Article 14 of the European Personal Data Regulation. The company has been given three months to inform the people affected.
According to TechCrunch, which refers to Polish media, Bisnode is to take the decision to court: first to the Polish judicial system and, if necessary, all the way to the top of the European Court of Justice. They will challenge Article 14 on exactly how much can reasonably be imposed on companies in the duty to provide information. Article 14 has exceptions that speak of proportionality or impossibility. The question is whether those exceptions can come into play here.
“The decision is seen as very radical, as it interprets Article 14 very literally,” IT security expert Lukasz Olejnik told TechCrunch. According to him, the Polish Data Protection Authority has taken a very principled decision in this case:
“They argue that the business model is based on data harvesting and that the company has made an active decision. They also argue that the company was aware of the obligation, since they did contact some of the individuals involved.”
It is not illegal to collect data from publicly available sources. However, you have a duty to inform people about the purpose for its use, among other things. In this case, Bisnode has collected data on entrepreneurs and business owners. They only had email addresses for a very small number of them.
The majority – 5.7 million people – never heard a word
Bisnode has commented on the Polish website that they consider it unrealistic to have to contact 5.7 million people by mail or telephone. They also believe that a general publication of the information, for example a newspaper ad, would be preferable for both the sender and the recipient.
In addition to informing roughly 90,000 people that Bisnode had deleted their data, Bisnode made a post on their website. The Polish Data Protection Authority has clearly rejected this public post, saying it is insufficient. Their reasoning is that not all people would find it.
In addition, of the 90,000 informed, 12,000 chose to say no. TechCrunch has attempted to get a comment from Bisnode on the matter.
For HR-Skyen (now HR-ON), GDPR cases are always relevant. When it comes to recruitment, companies cannot get around GDPR. Job applications contain a wide range of personal information that falls under the rules.
By using the system provided by HR-ON, companies can ensure that the information is always processed in accordance with the GDPR rules. This means, among other things, that companies will always be able to document how data is processed.