Polish DPA slams Swedish marketing bureau for failing to keep consent logs

Polish DPA slams Swedish marketing bureau for failing to keep consent logs

Swedish owned digital marketing company, Bisnode, is fined €220K for failing to keep logs for up to 6 million people whose personal data they have scraped from the internet and used for marketing purposes. The company is thereby in violation with Article 14 of the GDPR and it may end up having huge consequences for their business model.

Last week, Polish Data Protection Authority, Urzad Ochrony Danyach Osobowych (UODO) issued its first fine under the General Data Protection Regulation (GDPR). The fine of €220.000 was handed to Swedish-headquartered digital marketing bureau Bisnode and its Polish offices for failing to comply with Article 14 of the GDPR.

Along with the fine also came a request to contact close to 6 million people to inform them of the use of their personal data and to acquire their consent. The act suggests that the strength of the data protection enforcement under the GDPR is more than just an economical sign of warning, the act can also change how businesses collect and process peoples’ personal data.

The case – scraping personal data without getting consent

Bisnode has acquired a variety of personal data from public registers and other public databases pertaining to millions of business owners – including their names, national ID numbers and any legal measures related to their business activity. However, in the process of scraping these registers, Bisnode has failed to obtain the consent to collect and use the data from up to 90% of the people. For most parts, Bisnode was only able to procure postal addresses and phone numbers.

Bisnode have scraped public registers and data bases to obtain information about millions of business owners for marketing purposes

Bisnode have scraped public registers and databases to obtain information about millions of business owners for marketing purposes

Email addresses were only obtained for a small subset of the individuals. Bisnode subsequently sent emails to those people — fulfilling its Article 14 information obligation. Thus, the UODO argues that Bisnode was aware of the obligation – as it did contact some people in the dataset by email – but that they willingly chose not to contact the majority of the contacts as it was simply too costly.

The UODO now requires Bisnode to contact, in some way or another, the remaining 6 million contacts in their dataset and inform them about the use of their personal data.

The right to be informed

According to Article 14 of the GDPR, data controllers, like Bisnode, must inform people, whose personal data are obtained indirectly, e.g. scraped off the public internet, that their data are processed and used for marketing purposes. Furthermore, the controller must collect a consent for these purposes from each and every user.

GDPR –Article 14

The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.

In the case of Bisnode, all individuals in the dataset must be informed of:

  • who has their data (and who their data are shared with).
  • the types of data obtained.
  • what the data are used for.
  • the right to decline the processing of their data.

Similar to Bisnode’s inadequate attempt to inform people of their scraping and processing of personal data, other stories about the rogue approach to collecting consent (as free and informed) prior to data processing have flourished vividly.

The risk and cost of (mis-)handling personal data

Less than one year into the GDPR, major enforcements are still waiting to see the light of day. However, that does not mean data-harvesters like Bisnode can bypass the requirements in the GDPR concerning collection of consent for the processing of personal data.

Data Protection Authorities around Europe are beginning to direct their attention to companies’ collection and handling of personal data. And in 2019 the first real economical warnings came from national DPA’s.

In januar 2019, the French data protection authority CNIL fined Google €50 million for lack of valid consent concerning personalization of ads; and in February, the Bavarian (Germany) DPA investigated 40 German companies and found none of them fully complied with the GDPR regarding the collection of consent on their websites. In March, the Danish DPA Datatilsynet recommended a national Taxi company to be fined €160.000 for storing customers’ personal information without their explicit consent.

Link: French DPA, CNIL, fines Google €50 million for lack of valid consent concerning personalization of ads

Although the fine of €220k issued by UODO to Bisnode may be rather small, Bisnode estimates it would cost €8 million euros to contact all individuals on their lists by traditional mail. A cost far too great in respect to just deleting the data. This decision could end up changing the way Bisnode – and other companies – collect and handle personal data in the future. Bisnode intends to challenge the UODO’s decision in polish courts.

Is GDPR compliance too complicated and too costly?

Well, measures surely have to be taken to comply with the European General Data Protection Regulation. Is it complicated and too costly? It does not have to be.

Start by achieving full compliance on your most prominent channel of communication: your company website. Inform your website’s visitors which third-party cookies you use (cookie policy), which data they collect and process about your visitors. Obtain a valid consent for the collection and processing of your website visitors’ personal information. It is fairly easy.

With Cookie Information’s Consent Solution your company’s website automatically collects users’ consent for setting cookies through a cookie pop-up banner on your site. The users are given the option to decline certain types of cookies with privacy controls.   Furthermore, you will get a detailed cookie policy and a list of cookies on your site, and(!) Cookie Information will store each and every users’ consent on a secure Microsoft Azure Platform Solution should you be subject to inspection by your national Data Protection Authority.  

Does your company also have mobile apps which need to be compliant, we also provide Mobile App Audits to secure your app service.

Link: Cookie Information’s Mobile App GDPR Audit

For a full list of our services – see which solution fits your company’s website so you can become fully GDPR and ePrivacy Compliant today.

About Cookie Information

Cookie Information is a Privacy Tech Company specialized in developing software that helps you and your company ensure that your websites and mobile apps are GDPR & ePrivacy compliant. Cookie Information provides solutions globally, and we help more than 1.000 companies and handle more than 6 billion consents each year.
Visit Cookie Information