The European Data Protection Officer (UODO), imposed the first administrative fine to a Polish based company for lack of performance of the obligation to inform data subjects of the processing which was occurring.
As per the elements reported by the authority, the company only informed the data subjects for which they have an email address (mostly given the cost of informing other data subjects) and via their website.
The UODO confirmed that such practise is not acceptable and entails a violation of the obligation of information.
In the opinion of the UODO President, this method of communication is insufficient.
In addition, was mentioned that such information must contain: i) which data, ii) the source of their data, iii) the purpose of the processing, iv) the retention period and v) the applicable rights.
Cost cannot be an argument to limit the rights of the data subjects, and more in specific cannot limit the obligation of information according to the UODO decision.
The 220.000€ fine imposed for not having informed data subjects directly (excepted those data subjects for which an email address was present), set a rule for future similar cases.