GDPR Article 14 – beware of the leopard

If you’re collecting personal data from third parties rather than directly from data subjects themselves, a fine of around €220,000 recently imposed by UODO (the Polish personal data protection authority) should give you pause for thought. Brought to my attention by the Outlaw.com web site, the case centred on the expected level of effort to inform data subjects under Article 14 of the GDPR. The offending business collected publicly available information about entrepreneurs and, where they had found electronic contact details, informed them as required by Article 14 by email. However, in respect of numerous data subjects for whom only postal contact details were available, the business assumed that its online privacy notice was sufficient to fulfil its obligation, relying on the ‘disproportionate effort’ exemption of Article 14.5(b), arguing that the potential cost of mailing notifications to all these data subjects would be excessive. Unfortunately the Polish data protection authority disagreed.

The commentary at outlaw.com suggests that this decision could lead to a ‘two-tier standard of disclosure’ depending on whether contact details are available to the data controller. Now I’m not a lawyer, but I don’t think this should be allowed to happen. Remembering that this whole issue only concerns personal data obtained indirectly (not from the data subject themselves), a very basic principle applies. The data subjects are almost certainly unaware that you’re intending to process their personal data, and the only reliable way they’ll find out is if you inform them. So unless contact details you’re prepared to make use of are immediately available for a potential data subject, you shouldn’t start processing their data for your own purposes. You should first look harder for usable contact details. If you can find them, use them. If not, you shouldn’t be processing their data other than in very exceptional circumstances (certainly not just because you think you have a ‘legitimate interest’). Processing without informing data subjects effectively denies them the freedom to exercise all their rights – not just their specific data-related rights under the GDPR but also their relevant human rights under the European Convention. It’s thus very much a ‘no-no’ in the ordinary course of business. Cases demonstrating this are surfacing in increasing numbers and penalties are escalating.

The fundamental issue in this case was whether posting a privacy notice on your web site is sufficient to reliably inform people you have no relationship with (and who thus would not know unless informed) that you are processing their personal data. You should be ruthlessly realistic about the likelihood that anything posted on your web site is going to be found by a total stranger who knows nothing about your business. The supposition that they will read your privacy notice without being prompted is pure fantasy, as there are many millions of active web sites out there, of which yours is just one. This isn’t an esoteric or novel concept. Long before the web existed, Douglas Adams postulated a public document ‘made available’ by putting it in a locked filing cabinet in a disused lavatory behind a door labelled “beware of the leopard”. The scale of the web now conceals the existence of any individual site just as effectively unless attention is specifically drawn to it. Consequently, posting your privacy notice online should not be relied on as a primary means of communicating it to anyone unless you’re certain that they’re already aware of both your business and your web site, and you’re confident they already know you process their personal data. Whether online or not, your privacy notice should serve to advise data subjects in detail of what you’re doing and on what basis, not as a first alert of intention to process. Article 14.3 doesn’t say ‘assume the data subject has stumbled on your privacy notice’ – it requires you to ensure you have provided the information.

A two-tier standard might indeed emerge if we were to aim for doing the minimum we can get away with (although clearly this business didn’t get away with it). Ideally though, the intent should really be to protect the rights and freedoms of the people whose personal data we wish to process (which is what the GDPR, for all its faults, was enacted for). This principle is embodied in the requirement for data protection by design and by default. As Recital 78 states: “In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data [...] transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing [...]”. So your obligations expressly include informing your data subjects, and compliance should not be a ritual performed to a budget – it should mean actually doing what’s required. That could involve a little extra effort to legitimise your processing or even the necessity to deny yourselves some processing you would like to perform. But that’s the way the cookie crumbles – the alternative could quite easily be a fine of up to multiple millions.

Mike Barwise
Director, BiR
05/04/2019