RODO – what it’s all about
On the 25th of May 2018, the GDPR shall become applicable to all entrepreneurs who process personal data. This is the most comprehensive amendment to the provisions on personal data protection in 20 years and a completely new approach to data processing. The essential amendments are presented below.
What are the penalties for invasion of privacy?
The fines may reach up to EUR 20 million or 4% of the total worldwide annual turnover of an undertaking, and their amount will be determined depending on the circumstances of each individual case. When imposing a fine, the competent authority (in Poland it will be the so-called PIPDP (PL: PIODO) – the Polish Inspector for Personal Data Protection) shall take into account, among others:
- the nature, gravity and duration of the infringement,
- the intentional or negligent nature of the infringement, any action taken by the administrator or processor to mitigate the damage suffered by data subjects,
- the categories of personal data affected by the infringement.
How does the GDPR extend the rights of data subjects?
GDPR introduces:
- the “right to be forgotten” – that is, the right to have personal data processed by a given entity erased on a permanent basis,
- the right to request data transfer – that is, the ability to move personal data to another entity when amending the agreement,
- the extended right to information on the type of data processed, the purpose of processing and the processor,
- the right of a data subject to access their personal data,
- the extended right to object to data processing.
GDPR and personal data of children
GDPR pays particular attention to the protection of children’s privacy. Any information and communication relating to the personal data of children should be provided in clear and plain language, so that it can be easily understood by a child.
If a child is under 16, such processing shall be legal only if and to the extent that consent is given or authorised by the child’s parental custodian.
What is amended by virtue of GDPR?
Record of processing activities
Since May this year, practically all administrators shall maintain a record of the personal data processing activities under their responsibility. Importantly, the obligation to maintain the record of processing activities shall not apply to an enterprise or an organisation employing fewer than 250 persons, unless the processing of data:
- could cause a risk of infringement of the rights and liberties of data subjects,
- is not occasional,
- includes special categories of personal data or personal data relating to criminal convictions and offences, referred to in Article 10 of the GDPR.
Data Protection Officer
GDPR provides for obligatory designation of the Data Protection Officer, where:
- the processing is carried out by a public authority or entity,
- core activities of the administrator or the processor consist in processing operations which, due to their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale,
- core activities of the administrator or the processor consist in processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
For example: The Data Protection Officer needs to be appointed by a hosting company, a company providing call centre services, by a pharmacy and a hospital.
Pseudonymization
This is a brand new term in personal data protection. Pseudonymization is a measure that increases the security of personal data and helps administrators and processors meet their data-protection obligations. The pseudonymization process consists in processing personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, which is kept separately.
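To make the definition concrete, here is an added illustration in Python (not part of the original article, and not any particular product’s implementation): direct identifiers are replaced by a keyed pseudonym, and the secret key and link table are the “additional information” that must be stored separately. The sample records and the PESEL-style numbers are constructed.

```python
import hmac
import hashlib

# Constructed sample records (fictitious people, fictitious PESEL numbers).
PATIENTS = [
    {"pesel": "90010112345", "name": "Jan Kowalski", "diagnosis": "J45"},
    {"pesel": "85050554321", "name": "Anna Nowak", "diagnosis": "E11"},
    {"pesel": "90010112345", "name": "Jan Kowalski", "diagnosis": "I10"},
]

# Fields that directly identify a person and must not stay in the working dataset.
DIRECT_IDENTIFIERS = ("pesel", "name")


def pseudonym(key: bytes, subject_id: str) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the direct identifier, truncated.

    Whoever lacks `key` cannot attribute the output back to the subject,
    which is the property the GDPR definition asks for. An unkeyed hash of a
    guessable identifier (such as a PESEL) would not give that property.
    """
    return hmac.new(key, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key: bytes):
    """Return (dataset, link_table).

    `dataset` keeps the usable data with identifiers replaced by a pseudonym,
    so records of the same person can still be analysed together.
    `link_table` maps pseudonym -> identifiers; together with `key` it is the
    'additional information' and belongs in a separate, access-controlled store.
    """
    dataset, link_table = [], {}
    for rec in records:
        pid = pseudonym(key, rec["pesel"])
        link_table[pid] = {k: rec[k] for k in DIRECT_IDENTIFIERS}
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        dataset.append({"subject": pid, **payload})
    return dataset, link_table


def reidentify(row, link_table):
    """Re-identification is possible only for whoever holds the link table."""
    return link_table[row["subject"]]
```

Rotating or destroying the key and link table turns the same dataset into one that can no longer be re-identified by the administrator either.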
Profiling
This is the very first time that any EU law has introduced a definition of profiling. Profiling means any form of automated processing of personal data consisting in the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person (e.g. interests, preferences). These types of data operations are commonly used in the banking and finance sectors.
Notification of personal data breach to the supervisory authority
In the case of a personal data breach, the administrator shall, without undue delay and not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority. In addition, when the personal data breach is likely to result in a high risk of violating the rights and liberties of natural persons, the administrator shall notify the data subject of such breach without undue delay.
* Katarzyna Blachowicz, Attorney-at-Law, Junior Partner at GWW.