
The success of GWW in the area of financial adjustments in EU projects. The Wroclaw University School of Physical Education is not required to repay funds from the subsidy.

The Dolnośląskie Voivodship Board awarded the Wroclaw University School of Physical Education an EU subsidy for the project called: Construction of a set of sports fields for open games complete with teaching and scientific facilities located on Pola Marsowe within the premises of the Olympic Stadium in Wroclaw. It was here that, among other events, The World Games (the Olympics of non-Olympic sports) took place in Wroclaw in 2017.

During an inspection, employees of the Marshal's Office of the Dolnośląskie Voivodship found that the provisions of the Public Procurement Law had been infringed in the course of execution of the project, which resulted in a financial correction and a request to return part of the EU subsidy.

The Voivodship Administrative Court in Wroclaw, in its judgment of 19 April 2017, case file No. III SA/Wr 117/17, found that the request to return the funds was not justified and that there had been no irregularities on the University's part in the course of execution of the investment. The Dolnośląskie Voivodship Board lodged a cassation appeal against the judgment of the first-instance court, but it was dismissed by the Supreme Administrative Court in its decision of 27 October 2017, case file No. II GSK 2813/17. Finally, by a decision of 8 May, the Dolnośląskie Voivodship Board, bound by the legal opinion expressed in the decisions of the administrative courts, discontinued the administrative proceedings concerning the decision determining the amount to be repaid.

Our Associate, Grzegorz Karwatowicz, provided the expert input when drafting the reversal of the financial correction and the argumentation on grounds of public procurement law, while our Attorney-at-Law, Joanna Sebzda-Załuska, represented the University before the administrative courts of both instances.


GWW has joined TELFA

GWW has joined the TELFA (Trans-European Law Firm Alliance) network, an organization that brings together independent European and American law firms.

TELFA was founded in 1989 and nowadays has more than 1000 member lawyers.

Membership in TELFA increases a firm's recognition on the European market (TELFA recommends its member lawyers to those seeking a contact in a given jurisdiction) and allows members to share knowledge and good practices with lawyers from other countries.

GWW is the only Polish member of TELFA.

To find out more about TELFA please visit: http://www.telfa.law/ 


Fines resulting from GDPR

As the GDPR enters into force, entrepreneurs should expect intensified inspections by the supervisory authority inspectors. They will verify to what extent the new regulations have been implemented and there will be extensive fines for cases of violation. What exactly are they exposed to for violating the requirements set by the GDPR?

Currently, pursuant to national regulations, entrepreneurs face criminal, administrative and civil liability for infringement of the provisions on personal data protection.

As of 25 May, when GDPR enters into force, very high fines – even up to several million euros – will also be introduced. They are to be effective, proportionate and dissuasive. In each case, several factors will be taken into consideration, including:

  • the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing in question, the number of affected data subjects and the extent of the damage suffered;
  • intentional or unintentional nature of the infringement;
  • actions taken by the administrator or the processing entity in order to minimize the damage to data subjects;
  • degree of responsibility of the administrator or the processing entity, taking into account the technical and organizational measures implemented by them;
  • any previous infringements by the administrator or the processing entity;
  • the degree of cooperation with the supervisory authority to remove the infringement and mitigate its possible negative effects;
  • the category of personal data affected by the infringement.

The following entities are among those subject to a fine of up to 10 million Euro or, in the case of an enterprise, up to 2% of its annual global turnover generated in the previous financial year (whichever is greater):

  • the administrator and the processing entity, in the case of infringement of, among others, the obligation to obtain a child's consent for processing of personal data or violation of the principles of personal data protection by design;
  • the certification body, in the event of a breach of the certification rules.

An administrative fine of up to 20 million Euro or, in the case of an enterprise, up to 4% of the annual global turnover generated in the previous financial year, whichever is greater, can be imposed for the following infringements:

  • infringement of the basic processing principles, including the conditions for consent;
  • violation of the data subjects' rights, e.g. the right to data transfer, the right to be forgotten, the right to information or the right of access;
  • unlawful transfer of personal data to a recipient in a third country or an international organization;
  • infringement of any obligations resulting from Member State law;
  • failure to comply with an order, a temporary or definitive limitation on processing, or the suspension of data flows imposed by the supervisory authority.

As one can see, the upper limit of the fines is set very high. It does not seem, however, that the penalties, especially those imposed at the beginning of the GDPR's applicability, will reach the upper limits.

According to the statistics provided by the Inspector General for Personal Data Protection (PL: GIODO), 192 inspections were carried out in 2016, and 199 inspections in 2017. According to the GIODO report, only 1% of reviewed IT systems failed to comply with the obligation to have personal data processing documentation. The study of IT systems in the years 2013-2016 with respect to technical and organizational requirements proved that almost all requirements were fulfilled with 100% effectiveness.

*Author: Katarzyna Blachowicz, Attorney-at-Law, Junior Partner at GWW


Principles of personal data processing

The General Data Protection Regulation shall be applied directly, thus entrepreneurs processing data will be directly obliged to follow all the rules concerning the protection of privacy. Entrepreneur! Prepare for evolution in personal data protection now.

What is “personal data processing”? According to the GDPR, processing means “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction” (Article 4(2) of the GDPR).

This list is however only of exemplary nature – the catalogue of processing activities remains open, since it is impossible to determine in advance what activities can be potentially included in the processing. What’s important – and non-intuitive – collecting personal data as such is considered its processing.

The list of issues to be managed by any administrator is provided below:

1. Transparency, fairness and lawfulness (compliance with law) principles

Transparency

The principle of transparency is strictly associated with the disclosure requirements imposed on the administrator. Compliance with this principle means that the data subject concerned will be informed about his/her rights in a concise, transparent, intelligible and easily accessible form.

Fairness

The requirement of fairness means the obligation to process data in compliance with the principles of social co-existence (i.e. following the principles underlying the legal order).

Lawfulness

One of the most common prerequisites for data processing is the consent expressed by the data subject. In view of this principle, it is of course necessary to follow all the provisions concerning personal data processing during processing (unlawfulness of processing means that the administrator processes data without legal basis).

2. Principle of purpose limitation


Personal data should be processed in line with specific, explicit and legitimate purpose. When specifying the purpose, general or vague descriptions of the processing purposes should be avoided.

This principle is linked to the disclosure requirement i.e. the administrator’s obligation to communicate the purpose of personal data processing to the data subject concerned.

3. Principle of data minimisation


Pursuant to this principle, the scope of processed data should be adequate, relevant and limited to what is necessary in relation to purposes, for which it is processed.

In practice, it means processing of only such data, which will be necessary to achieve the given purpose. Concluding a distance sales agreement serves as a good example here. Data necessary to execute such agreement includes:

  • name and surname,
  • residence address,
  • phone number (in certain cases).

This data will in most cases be sufficient to execute such an agreement. In the case discussed, requiring the prospective customer to provide e.g. age, education or forms of leisure activities seems unnecessary.

4. Principle of accuracy


This principle is linked with the obligation to ensure accuracy of data and updating it, if it was found inaccurate or incomplete as well as with the obligation to rectify data upon request of the data subject.

Personal data should be accurate, true and up-to-date.

5. Principle of storage limitation


Pursuant to this principle, personal data should be kept for no longer than is necessary for purposes, for which it is processed.

Keeping a bank account is a good example. Upon achieving the purpose (closing of the bank account) processing data of the bank account holder should be considered illegal.

6. Principle of integrity and confidentiality (data security)

The personal data controller is obliged to process data in a way that ensures appropriate security.

This includes primarily protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Data protection should be ensured using appropriate technical or organisational measures.

7. Principle of accountability


This is a new principle implemented by the GDPR. The administrator shall be responsible for compliance with all the aforementioned principles and, what’s crucial, must be able to demonstrate compliance with them. This principle imposes the obligation of recording and storing information enabling demonstration of legal compliance of the activities undertaken by the administrator.  


*Author: Katarzyna Blachowicz, Attorney-at-Law, Junior Partner at GWW.


RODO – what it’s all about

On the 25th of May 2018, the GDPR shall become applicable to all entrepreneurs who process data. This is the most comprehensive amendment to the provisions on personal data protection in 20 years and a complete new approach to data processing. The essential amendments are presented below.

What are the penalties for invasion of privacy?


The fines will reach up to EUR 20 million or 4% of the total worldwide annual turnover of an undertaking, and their amount will be determined depending on the circumstances of each individual case. When imposing a fine, the competent authority (in Poland it will be the so-called PIPDP (PL: PIODO), the Polish Inspector for Personal Data Protection) shall take into account, among others:

  • the nature, gravity and duration of the infringement,
  • the intentional or negligent nature of the infringement, any action taken by the administrator or processor to mitigate the damage suffered by data subjects,
  • the categories of personal data affected by the infringement.

How does the GDPR extend the rights of data subjects?


GDPR introduces:

  • the "right to be forgotten", that is the right to have personal data processed by a given entity permanently erased,
  • the right to request data transfer, that is the ability to move personal data to another entity when changing the agreement,
  • the extended right to information on the type of data processed, the purpose of processing and the processor,
  • the right of access to one's own personal data,
  • the extended right to object to data processing.

GDPR and personal data of children


The GDPR pays particular attention to the protection of children's privacy. Any information and communication relating to the personal data of children should be made in clear and plain language to ensure that it can be easily understood by a child.

If a child is under 16, processing of the child's personal data shall be lawful only if and to the extent that consent is given or authorised by the child's parental custodian.

What is amended by virtue of GDPR?


Record of processing activities

Since May this year, practically all administrators shall maintain a record of the personal data processing activities under their responsibility. What's important, the obligation to maintain the record of processing activities shall not apply to an enterprise or an organisation employing fewer than 250 persons, unless the processing:

  • is likely to result in a risk to the rights and freedoms of data subjects,
  • is not occasional, or
  • includes special categories of personal data or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.

Data Protection Officer

GDPR provides for obligatory designation of the Data Protection Officer, where:

  • the processing is carried out by a public authority or entity,
  • core activities of the administrator or the processor consist in processing operations which, due to their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale,
  • core activities of the administrator or the processor consist in processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.

For example: The Data Protection Officer needs to be appointed by a hosting company, a company providing call centre services, by a pharmacy and a hospital.

Pseudonymization

This is a brand new term in personal data protection. Pseudonymization is a measure that increases the security of personal data and helps administrators and processors meet their data protection obligations. The pseudonymization process consists in processing personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information.

Profiling


This is the first time that an EU law has introduced a definition of profiling. Profiling means any form of automated processing of personal data consisting in the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance (e.g. interests, preferences). These types of data operations are commonly used in the banking and finance sectors.

Notification of personal data breach to the supervisory authority

In the case of a personal data breach, the administrator shall without undue delay – not later than 72 hours after having become aware of it – notify the personal data breach to the supervisory authority. In addition, when the personal data breach is likely to result in high risk of violating the rights and liberties of natural persons, the administrator shall notify the data subject of such breach without undue delay.


* Katarzyna Blachowicz, Attorney-at-Law, Junior Partner at GWW.



Anonymization and pseudonymization of data

The Personal Data Protection Regulation requires that each entity processing personal data adapt its security measures to the level of risk of a data protection breach. In this respect, the Regulation introduces two important concepts: anonymisation and pseudonymisation. So how should the security of personal data be increased?

Pseudonymization is a process, applied when data is stored, that transforms personal data in such a way that the resulting data cannot be attributed to a specific data subject without the use of additional information. It is imperative, however, that this additional information is not stored in the same place as the pseudonymized data.

An example is the use of an identification number (instead of a full name and surname) and a limited data file.

When using pseudonymization, the administrator must ensure an appropriate division of tasks among those involved in this process. First of all, the administrator must designate a person responsible for assigning an identification number and a person who will have data enabling backward identification.

In addition to assigning roles, the administrator must also determine on what terms and in what cases backward identification of pseudonymized data is possible.

In Article 32(1)(a) of the GDPR, pseudonymization is mentioned as one of the technical and organizational measures that an administrator can use to improve data security.

Data anonymization is defined neither in the Personal Data Protection Act nor in the GDPR. It is mentioned only in recital 26 of the GDPR.

According to this recital, the principles of personal data protection should not apply to anonymised data, because anonymization is irreversible. It is therefore not possible to re-identify the persons to whom the data belonged, because the data has ceased to be personal. An example of data anonymization is the removal of so-called identifiers, e.g. name, surname or address of residence.

The basic feature that differentiates pseudonymization from anonymization is reversibility. Anonymization is an irreversible process, while pseudonymization, by contrast, is reversible. More importantly, pseudonymized data is still subject to the regulations on the protection of personal data, whereas anonymised data no longer falls into this category. However, the explicit mention of pseudonymization in the GDPR does not exclude other data protection measures.
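The two processes described in this post, as an added example that is not part of the original text or the firm's own material: pseudonymization replaces the direct identifiers with an identification number and keeps the backward-identification table separately, while anonymization drops the identifiers with no table at all. The record fields and the sample data are constructed for illustration.

```python
"""Pseudonymization vs anonymization of customer records (added example)."""
import secrets

# Direct identifiers the post names: name, surname and address of residence.
DIRECT_IDENTIFIERS = ("name", "surname", "address")

# Constructed sample records; not real data.
SAMPLE_RECORDS = [
    {"name": "Anna", "surname": "Kowalska", "address": "ul. Przykładowa 1, Wrocław",
     "product": "savings account", "balance": 1200},
    {"name": "Jan", "surname": "Nowak", "address": "ul. Testowa 7, Poznań",
     "product": "credit card", "balance": -340},
]


def pseudonymize(records):
    """Replace direct identifiers with a random identification number.

    Returns (pseudonymized_records, lookup_table). The lookup table is the
    'additional information' of the GDPR definition: it must be stored apart
    from the records and handled only by the person designated for backward
    identification, on the terms the administrator has defined.
    """
    pseudonymized, lookup = [], {}
    for rec in records:
        # A random token rather than a sequential number, so the pseudonym
        # itself reveals nothing about the order or count of data subjects.
        pid = secrets.token_hex(8)
        lookup[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        out = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        out["pseudonym_id"] = pid
        pseudonymized.append(out)
    return pseudonymized, lookup


def reidentify(pseudonymized_records, lookup):
    """Backward identification, possible only with the separately held table."""
    restored = []
    for rec in pseudonymized_records:
        pid = rec["pseudonym_id"]
        if pid not in lookup:
            raise KeyError(f"no lookup entry for {pid}: re-identification impossible")
        merged = {k: v for k, v in rec.items() if k != "pseudonym_id"}
        merged.update(lookup[pid])
        restored.append(merged)
    return restored


def anonymize(records):
    """Irreversibly remove direct identifiers; no lookup table is produced.

    Note (assumption of this example, consistent with recital 26): the fields
    that remain must not allow re-identification in combination, so only
    coarse, non-identifying attributes are kept here.
    """
    return [{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
            for rec in records]


if __name__ == "__main__":
    pseud, table = pseudonymize(SAMPLE_RECORDS)
    print("pseudonymized:", pseud)        # no names, only pseudonym_id
    print("restored:", reidentify(pseud, table) == SAMPLE_RECORDS)
    print("anonymized:", anonymize(SAMPLE_RECORDS))
```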

*Author: Katarzyna Blachowicz, Attorney-at-Law, Junior Partner at GWW


What are the rights of persons providing their data?

RODO simultaneously extends consumer rights and obligations of entities processing their personal data. The new rules introduce five key rights that every data controller must comply with.

1. Extended right to information


Persons whose data is processed must be informed about details of such process. In accordance with the personal data protection regulation, personal data administrator must:

  • Inform that their data is collected, used, reviewed or otherwise processed.
  • Inform about the extent, to which data is or will be processed.
  • Inform about the risks associated with operations related to personal data.
  • Inform data subjects about their rights: the right to access personal data, rectify, delete or limit its processing, the right to object to the processing, as well as the right to transfer data.
  • Inform about the company's automated decision-making process based on data collected, including profiling (see item 5).
  • Inform about whether the provision of personal data is statutory, contractual, or if it is a condition for the conclusion of an agreement.
  • Inform about the obligation to keep data and the possible consequences of its non-disclosure.

2. Right of access


The right to information is strictly connected with the right to access data. Everyone has the right to request confirmation that his/her personal data is processed by the administrator. An affirmative answer may be the basis for further demand for information about:

  • the purpose of processing;
  • categories of relevant personal data;
  • recipients or categories of recipients to whom the data has been or will be disclosed;
  • the planned period of data storage (or the criteria for determining this period);
  • the right to require the controller to rectify, delete or limit the processing of personal data relating to the data subject, as well as to object to such processing (see items 3 and 4);
  • the right to lodge a complaint with the supervisory authority;
  • the source of data – if it has not been collected from the data subject;
  • automated decision-making, including profiling referred to in Article 22(1) and (4) of the GDPR;
  • the principles for making these decisions, as well as of the significance and anticipated consequences of such processing for the data subject.

3. The right to rectify and delete data

At the request of the person concerned, the administrator is obliged to immediately rectify the incorrect personal data and supplement it, if incomplete. Rectification of data must take place each time the data subject points out any inconsistencies.

In addition, if personal data is no longer necessary to achieve purposes, for which it was originally collected, the data subject has the right to request the administrator to delete the data. The same shall apply should the data subject file an objection or withdraw the consent to process his/her data.

4. The right to object


The person whose data is being processed may, at any time, lodge an objection with the data administrator, who then must stop processing the data.

In addition, an objection may be filed in the following situations:

  • to the processing of personal data for direct marketing purposes, or
  • to the processing of personal data for scientific or historical research, or statistical purposes pursuant to Article 89(1) of the GDPR, for reasons related to the specific situation of the data subject.

Once an objection has been filed, the administrator can no longer process the personal data unless there are grounds strictly indicated in the GDPR.

The GDPR does not impose any specific requirements as to the form of objection – it can be made over the phone, by e-mail or by fax.

5. The right to be informed about profiling


Profiling is a form of automated processing of personal data that serves to assess personal factors of a natural person. Those who are affected by this process must be informed of this fact and its consequences. Profiling can be used to assess the economic situation, interests or preferences of people. The process of monitoring behaviour when using cookie files can serve as an example of profiling.

*Author: Katarzyna Blachowicz, Attorney-at-Law, Junior Partner at GWW


Control as the basis of trust: how to monitor employees

The requirements imposed by the GDPR affect not only entrepreneurs but also employees. The amendments to the Labour Code will allow employers to decide on the introduction of special supervision over the workplace or the area around it, in the form of video recording. So how will the situation of employees change? And will the entrepreneur be able to apply employee monitoring without restrictions?

Current regulations do not specify whether (and if so, when) it is possible to use employee monitoring.

Opinions about the admissibility of its use differ. Recently, more and more employers have started to use employee monitoring, and this practice has to some extent shaped the scope of its application:

  • firstly, it is crucial for the employer to inform employees about the use of cameras, for example by including an appropriate provision in the work regulations;
  • secondly, it is necessary for the monitoring to serve an important purpose. This purpose must be justified, e.g. workplace safety.

The popularity of employee monitoring has made it necessary to regulate this issue directly in law. The GDPR, which will enter into force on 25 May 2018, provided an opportunity to adopt regulations in this area.

GDPR vs monitoring of persons


The issue of protection of employees' personal rights is stipulated in Article 88 of the GDPR. The European Union has authorized Member States to include more detailed provisions in national legislation. These are to ensure the protection of rights and freedoms in the processing of personal data. At the same time, however, it was pointed out that such provisions must include appropriate and specific measures to ensure that the data subject is treated with respect for his/her dignity, legitimate interests and fundamental rights, including for instance in the use of monitoring systems at the workplace.

In Poland, works are currently underway to introduce a new law on the protection of personal data, which will also amend the Labour Code.

The draft Personal Data Protection Act of 12 September 2017 contains provisions regulating the issue of monitoring. According to the provisions of this draft, a new article (Article 224) regulating the issue of workplace monitoring will be added to the Labour Code.

According to the proposed regulation, the employer may introduce special supervision over the workplace or the area around the premises in the form of monitoring:

  • if the employer deems it necessary;
  • in order to ensure the safety of employees, the protection of property, or the confidentiality of information whose disclosure could expose the employer to harm.

Moreover:

  • the monitoring shall not constitute means of controlling work performance;
  • it shall not cover sanitary rooms, cloakrooms, canteens, or smoking lounges;
  • the employer will be obliged to inform employees about the implementation of monitoring no later than 14 days prior to its launch;
  • the employer shall process personal data obtained as a result of monitoring solely for purposes, for which it was collected, and shall store data only for the period necessary to achieve these objectives.

Even though the final wording of the amended laws is not yet known and the provisions related to monitoring may change, the general rules of the GDPR will require the national legislator to implement mechanisms whose application will in turn require employers to define the purpose and principles of employee monitoring.

*Author: Katarzyna Blachowicz, Attorney-at-Law, Junior Partner at GWW.
