
RE first example, read the linked official report[0]. Some choice quotes:

"the company did not meet the information obligation in relation to over 6 million people. Out of about 90,000 people who were informed about the processing by the company, more than 12,000 objected to the processing of their data."

"In the relevant case, the entity had postal addresses and telephone numbers and could therefore comply with the obligation to provide information to the persons whose data are being processed. Therefore, this case should be distinguished from another case decided by the Polish DPA a few years ago, when another company did not have such addresses at its disposal."

"The President of the Personal Data Protection Office found that the infringement of the controller was intentional, because - as it was established during the proceedings - the company was aware of the obligation to provide relevant information, as well as the need to directly inform persons."

"While imposing the fine, the authority also took into account the fact that the controller did not take any action to put an end to the infringement, nor did it declare its intention to do so."

This is precisely the kind of crap GDPR was meant to address, and I very much like the decision made here.

EDIT: If I'm Googling correctly and found the correct company, then here's an extra irony: they actually offered services and advice to companies in preparing for GDPR coming into force. It's safe to say they were fully aware of the obligations under law when they performed data mining on government databases of entrepreneurs.

--

[0] - https://uodo.gov.pl/en/553/1009



