Article 14 of the GDPR obliges data controllers to inform the persons whose personal data they intend to process when the information in question was not obtained from the data subject. When data has been extracted from diverse sources as the internet, this information procedure is also always mandatory. Data subjects must also be informed about their right to complain to object to the use of their data.
This information must also include the identity and contact details of the controller and the purposes of the processing operation for which the personal data are intended as well as the legal basis of the processing operation.
A few months ago, the Polish DPA (the data protection agency) imposed its first fine in the application of the European General Data Protection Regulation (GDPR). The Polish UODO, the national data protection office, had observed that the Swedish-based digital marketing company “Bisnode” had failed to comply with the obligations regarding data subjects’ rights set out in Article 14 of the GDPR. The Polish DPA then imposed a fine of EUR 220 000 on the company.
The authorities also asked Bisnode to contact almost six million people who had not yet fulfilled their obligations to notify information under Article 14. The DPA gave Bisnode three months to comply with its requirements.