The Polish data protection authority (UODO) has fined a company PLN943k (about £188k) for failure to inform data subjects about how they came to have their data and how they were planning on processing it (Article 14 of the GDPR).
Article 14 is part of the GDPR’s “right to be informed” provisions that require you to tell data subjects within one month of receiving their data from a third-party how you came to have their data and what you plan on doing with it (along with all the other right to be informed requirements (that you usually see in a privacy policies)).
Because the company had not informed the individuals that they had their data, there was no possibility for them to object to the processing or exercise their other rights under GDPR. So with this in mind UODO considered the breach as “serious”. Furthermore it was found that of 90,000 people the company had alerted, 12,000 of them have objected to the processing, thus indicating that of the 6 million data subjects data they had there was a good chance a large number would have objected, had they been informed.
The 90,000 they had contacted were data subjects they had email addresses for. Everyone else, they only had postal addresses and whilst the expectation is that they should have written to them the company opted not to, thus also indicating they understood the requirements of Article 14 but chose to ignore them for all data subjects they couldn’t easily email.
A little more detail about the case can be read on the EDPB website.