by closeparen 2556 days ago
Two of these are much more intense than I would have guessed:

>The fine concerned the proceedings related to the activity of a company which processed the data subjects’ data obtained from publicly available sources, inter alia from the Central Electronic Register and Information on Economic Activity, and processed the data for commercial purposes. The authority verified incompliance with the information obligation in relation to natural persons conducting business activity – entrepreneurs who are currently conducting such activity or have suspended it, as well as entrepreneurs who conducted such activity in the past. The controller fulfilled the information obligation by providing the information required under Art. 14 (1) – (3) of the GDPR only in relation to the persons whose e-mail addresses it had at its disposal. In case of the remaining persons the controller failed to comply with the information obligation – as it explained in the course of the proceedings – due to high operational costs. Therefore, it presented the information clause only on its website. According to the UODO this is not sufficient.

So, basically, only use open source datasets that come with contact information for every subject.

and

>The fine was imposed in relation to a data subject's request for data correction and erasure. NAIH levied a fine against an unnamed financial institution for unlawfully rejecting a customer’s request to have his phone number erased after arguing that it was in the company's legitimate interest to process this data in order to enforce a debt claim against the customer. In its decision, the NAIH emphasised that the customer’s phone number is not necessary for the purpose of debt collection because the creditor can also communicate with the debtor by post. Consequently, keeping the phone number of the debtor was against the principles of data minimisation and purpose limitation. As per the law, the assessed fine was based on 0.025% of the company's annual net revenue.

You can't just retain the database rows pertaining to accounts with current or likely litigation, but must choose the specific fields relevant to the nature of the dispute. Even the companies that successfully implemented propagation of deletion across their systems are probably going to get spanked for this one when some column in some backwater warehouse backup isn't strictly necessary for the precise claims in that account's lawsuit. Wow.

I hope this puts to bed suggestions that others were "overreacting" to GDPR, that there would be anything other than the meanest, most aggressive, most literal application to every case. Maybe this is a good thing! Maybe everyone needs the fear of God put into them. But I hope GDPR boosters who went around minimizing the threat to good-faith actors admit that they were wrong.

2 comments

RE first example, read the linked official report[0]. Some choice quotes:

"the company did not meet the information obligation in relation to over 6 million people. Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data."

"In the relevant case, the entity had postal addresses and telephone numbers and could therefore comply with the obligation to provide information to the persons whose data are being processed. Therefore, this case should be distinguished from another case decided by the Polish DPA a few years ago, when another company did not have such addresses at its disposal."

"The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because - as it was established during the proceedings - the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons."

"While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so."

This is precisely the kind of crap GDPR was meant to address, and I very much like the decision made here.

EDIT: If I'm Googling correctly and found the correct company, then here's an extra irony: they actually offered services and advice to companies in preparing for GDPR coming into force. It's safe to say they were fully aware of the obligations under law when they performed data mining on government databases of entrepreneurs.

--

[0] - https://uodo.gov.pl/en/553/1009

> But I hope GDPR boosters who went around minimizing the threat to good-faith actors admit that they were wrong.

What? No. Your first example talks about "open source datasets" -- no such thing exists for my personal data. If you've gathered my data you need to tell me why you gathered it. Dumping it into a dataset for other people to use is clearly not ok.

You misdescribe your second example. Notice the company weren't fined just because they had the phone number. They were fined because they had the phone number, they were asked to delete it, and they declined to delete it. The company were not claiming they couldn't erase the phone number because it would be too hard. They were trying to say that they wouldn't erase it because they needed it for debt collection. The regulator disagreed.

Neither of these are good faith actors and these are exactly the kinds of data misuse I wanted GDPR to handle.