Bisnode, a Swedish data analytics company with a base in Poland, has been hit with a €220,000 (PLN 944,470) fine from Poland’s data protection authority, UODO.
The fine was issued after Bisnode failed to inform millions of people that it was processing their data, denying them the opportunity to object to the processing, and the right to rectification or erasure of their details, as noted in Article 14 of the GDPR (General Data Protection Regulation).
UODO president Edyta Bielak-Jomaa said: “The controller was aware of its obligation to provide information. Hence the decision to impose a fine of this amount on this entity.”
Piotr Drobek, director of UODO’s analysis and strategy department, noted that Bisnode failed to meet its information obligation with regard to approximately 6 million people.
The organisation informed only about 90,000 people that their data was being processed, of whom more than 12,000 objected.
The cost of non-compliance
Bisnode admitted that it failed to comply with proceedings due to the high operational costs it would incur. The organisation previously estimated that it would cost €8 million to contact the remaining people by phone or email.
According to local press reports, instead of contacting the persons as outlined by UODO, Bisnode will delete the sanctioned records from its database.
It also intends to challenge UODO’s decision, which could lead to UODO clarifying the results of the fine given to Bisnode or setting stricter rules for collecting personal data.