Swedish-owned digital marketing company Bisnode has been fined €220K for failing to keep consent logs for up to 6 million people whose personal data it scraped from the internet and used for marketing purposes. The company is thereby in violation of Article 14 of the GDPR, and the decision may have huge consequences for its business model.
Last week, the Polish Data Protection Authority, Urząd Ochrony Danych Osobowych (UODO), issued its first fine under the General Data Protection Regulation (GDPR). The fine of €220.000 was handed to the Swedish-headquartered digital marketing bureau Bisnode and its Polish offices for failing to comply with Article 14 of the GDPR.
Along with the fine came an order to contact close to 6 million people to inform them of the use of their personal data and to acquire their consent. The decision suggests that data protection enforcement under the GDPR is more than an economic warning sign: it can also change how businesses collect and process people’s personal data.
The case – scraping personal data without getting consent
Bisnode acquired a variety of personal data from public registers and other public databases pertaining to millions of business owners, including their names, national ID numbers and any legal measures related to their business activity. However, in the process of scraping these registers, Bisnode failed to obtain consent to collect and use the data from up to 90% of the people. For the most part, Bisnode was only able to procure postal addresses and phone numbers.
Bisnode scraped public registers and databases to obtain information about millions of business owners for marketing purposes.
Email addresses were only obtained for a small subset of the individuals. Bisnode subsequently sent emails to those people — fulfilling its Article 14 information obligation. The UODO therefore argues that Bisnode was aware of the obligation, since it did contact some people in the dataset by email, but willingly chose not to contact the majority of the contacts because it was simply too costly.
The UODO now requires Bisnode to contact, in some way or another, the remaining 6 million contacts in their dataset and inform them about the use of their personal data.
The right to be informed
According to Article 14 of the GDPR, data controllers like Bisnode must inform people whose personal data are obtained indirectly, e.g. scraped from the public internet, that their data are being processed and used for marketing purposes. Furthermore, the controller must collect consent for these purposes from each and every individual.
GDPR – Article 14
The protection afforded by this Regulation should apply to natural persons, whatever their nationality or place of residence, in relation to the processing of their personal data. This Regulation does not cover the processing of personal data which concerns legal persons and in particular undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.
In the case of Bisnode, all individuals in the dataset must be informed of:
- who has their data (and who their data are shared with).
- the types of data obtained.
- what the data are used for.
- the right to decline the processing of their data.
Similar to Bisnode’s inadequate attempt to inform people of its scraping and processing of personal data, other stories about a rogue approach to collecting consent (as free and informed) prior to data processing have been plentiful.
The risk and cost of (mis-)handling personal data
Less than one year into the GDPR, major enforcement actions are still waiting to see the light of day. However, that does not mean data harvesters like Bisnode can bypass the GDPR’s requirements concerning the collection of consent for the processing of personal data.
Data Protection Authorities around Europe are beginning to direct their attention to companies’ collection and handling of personal data, and in 2019 the first real economic warnings came from national DPAs.
In January 2019, the French data protection authority CNIL fined Google €50 million for lack of valid consent concerning personalization of ads; in February, the Bavarian (Germany) DPA investigated 40 German companies and found that none of them fully complied with the GDPR regarding the collection of consent on their websites. In March, the Danish DPA Datatilsynet recommended that a national taxi company be fined €160.000 for storing customers’ personal information without their explicit consent.
Although the €220k fine issued by UODO to Bisnode may be rather small, Bisnode estimates it would cost €8 million to contact all individuals on its lists by traditional mail, a cost far too great compared with simply deleting the data. This decision could end up changing the way Bisnode, and other companies, collect and handle personal data in the future. Bisnode intends to challenge the UODO’s decision in the Polish courts.
Is GDPR compliance too complicated and too costly?
Measures surely have to be taken to comply with the European General Data Protection Regulation. Is it complicated and too costly? It does not have to be.
If your company also has mobile apps that need to be compliant, we also provide Mobile App Audits to secure your app service.
For a full list of our services, see which solution fits your company’s website so you can become fully GDPR and ePrivacy compliant today.