There was a decision a couple of months ago about data scraping in the EU (see link).
The data scraper had collected personal information from a variety of public sources. Under the GDPR, if a business collects personal information from sources other than the person, the business should provide notice to the person (GDPR Art 14 (3) and (4)). In this case, the business reached out to a 700,000 people it had email addresses for, but not the other 5.7 million records for which it only had mailing addresses. The business argued that to reach the other 5.7 million people would require a "disproportionate effort" under GDPR Art 14(5)(b) and that it complied with the GDPR by posting a notice of such collection on its website, and thus it was not required to notify those people.
The Polish Data Protection Authority (DPA) disagreed. Given the purpose of GDPR Art 14, to provide people with notice of who had their personal information, the Polish DPA ordered the business to contact each person for which it collected personal information.
The business has said it would instead delete the sanctioned records and appeal the decision.
Image by Balasoiu on Freepik.