Poland’s data protection regulator made an interesting decision affecting a Swedish-based digital marketing company named Bisnode.
Poland’s regulator, the national Personal Data Protection Office (UODO in Polish), fined Bisnode 220,000 Euros for failing to comply with Article 14 of GDPR.
Article 14 requires a data controller to inform a person when it collects data about that person from another source. In addition, you have to tell them the purpose that you are collecting the data for and give them the option to object.
Bisnode’s business model is to collect data from public records of various types and then, we assume, sell that data.
Bisnode apparently understood that obligation to notify people because, of the 6 million records they scraped, they sent out notices to the people for whom they had email addresses. That represented about 90,000 businesses. Of those 90,000, about 12,000 or 13% responded saying that the company did not have their permission to use this data for the purpose stated.
For the rest of the people, even those for whom they had a phone number, Bisnode opted not to notify them at all.
Instead, they put a notice on their website. Of course, those 6 million people had no reason to look at the company’s website and besides, I am guessing that they did not include a list of 6 million names on the website, but maybe they did.
Bisnode objected to having to notify people because they said it would be too expensive to send everyone a registered letter. Of course, an email is not equivalent to registered mail; it is actually closer to a postcard, and they could have sent 6 million postcards for a whole lot less than the cost of 6 million registered letters.
There is a lot more information in the source article linked below, but for now the point is that businesses that depend on scraping other people’s data and selling it should be wary about their business model.
At a bare minimum, they need to consider the notification requirements and understand that each distinct purpose the data is being used for requires its own notification (if you know now that it will be used for, say, 3 purposes, you can include all three purposes in one notice, but if you decide next month that you have a new purpose, you have to renotify). And the notice cannot be generic in nature, like “we are going to sell your information to folks who are going to do stuff with it, like spam you”.
The Polish DPA also required them to notify the 5.9+ million people that they didn’t notify. Bisnode is thinking about deleting the data instead, but even if they do, will that relieve them of their notification obligation?
Assuming Bisnode does appeal, hopefully the appeal decision will improve the clarity of the rules under GDPR, but given what I have seen in the past, Bisnode is unlikely to get a free pass in this situation.
So for businesses that depend on the ability to take data from third parties and use it in a way that the consumer did not anticipate, anticipate that you could be on the wrong side of a DPA decision and then you will need to decide if you can afford to fight. Not being able to use that data freely may make the business not viable, so either way, those businesses have a problem.