Fine against Bisnode Polska
Bisnode is an economic database. As part of the duty to inform, the company has informed only a fraction of the persons affected.
All those, where Bisnode did not knew the e-mail address, were only informed via the website because, according to the company, everything else would have been too much effort. The Polish data protection authority did not share this opinion and imposed a fine because the company deliberately violated the GDPR. Among other things, the explanatory statement stated that of the 90,000 affected persons who were informed about 12,000 had objected to the further processing of their personal data.
Conclusion
The GDPR has strict rules for informing people about processing their data. easyGDPR helps you to know which data processing is lawful and which is not. Before the GDPR entered into force in May 2018, many companies asked for a confirmation, that they are allowed to process personal data. If their customers have not send an additional confirmation, they deleted the personal data of them.
easyGDPR customers knew that a additional confirmation was not necessary, if the customers has already agreed to data processing before. Therefore, our customers could save their client base.
Decision data:
26.03.2019
Country:
Poland
Type of Issue:
violated duty to inform
Number of involved data records:
5 700 000
Special category of data involved:
No
Fine:
€ 220,000,-
Violation of GDPR Paragraph:
12. Transparent information, communication and modalities for the exercise of the rights of the data subject
13. Information to be provided where personal data are collected from the data subject
14. Information to be provided where personal data have not been obtained from the data subject
21. Right to object
25. Data protection by design and by default
5. Principles relating to personal data processing
6. Lawfulness of processing
7. Conditions for consent
83. General conditions for imposing administrative fines
Reference: