Key information on RODO

What is RODO (GDPR)?

RODO is the Polish acronym for the General Data Protection Regulation (GDPR), an EU regulation that sets out the rules protecting our personal data from unauthorised disclosure. It was adopted on 27 April 2016 and came into force on 25 May 2018, so it has had to be complied with from that date onwards.

Why does RODO exist? What is its purpose?  


The main objective of the regulation is harmonisation: one set of data protection rules for the whole European Union, so that personal data can flow freely across its internal borders. As a result, EU residents gain greater control over their own data. A further benefit is less bureaucracy and, in consequence, greater customer confidence.

On 10 May 2018, the Sejm passed the Personal Data Protection Act, which ensures that Poland complies with the EU regulation and, in addition, creates a new body responsible for supervising this process: the President of the Personal Data Protection Office. The Act came into force on 25 May 2018.

Who is the President of the Personal Data Protection Office?

This office replaced the Polish Inspector General for the Protection of Personal Data, and its responsibilities are defined solely by the Personal Data Protection Act. The position was created on the day the Act came into force. The President took over the duties of the predecessor office and, in addition:

  • may request the creation of new or the amendment of existing provisions that concern the protection of personal data;  
  • may impose financial penalties whenever a breach is found.

What does the new law provide for?

  • Easier access to one's own data, more information about how it is processed, and greater transparency.
  • A new right to data portability, making it easier to transfer data between service providers.
  • The right to be forgotten, which allows us to have our data deleted quickly.
  • The right to be informed in the event of a data breach, such as a hacking attack.
  • Safeguards such as pseudonymisation (reducing the ability to identify an individual from the data) and encryption.

What are the principles of personal data processing?  

There are seven main principles for the processing of personal data, on which the detailed provisions build:

  1. Principle of lawfulness, fairness and transparency.
  2. Principle of purpose limitation.
  3. Principle of data minimisation.
  4. Principle of accuracy.
  5. Principle of storage limitation.
  6. Principle of integrity and confidentiality.
  7. Principle of accountability.

Can penalties be expected for non-compliance with RODO rules? 

The regulation itself sets out what happens when the RODO rules are broken: the main sanction is a fine. Two ranges of penalties for data controllers can be distinguished:

  • Up to €10 million for breaches related to data controllers failing to meet their obligations, such as:
    - failure to meet the information obligation;
    - failure to implement data protection by design and data protection by default;
    - an incorrectly maintained register of processing activities, or no register at all;
    - inadequate security of IT systems;
    - failure to carry out a data protection impact assessment;
    - failure to appoint a Data Protection Officer where there was an obligation to do so.
  • Up to €20 million in the case of:
    - violation by data controllers of the basic principles of personal data processing, including failure to comply with the conditions for obtaining consent;
    - violations of data subjects' rights;
    - improper transfers of personal data to recipients in third countries or international organisations.

Importantly, any person who has suffered damage as a result of a data controller's failure has the right to claim compensation. The controller is not automatically liable, however: if it proves that it was not responsible for the failure, it will not be obliged to pay compensation.

What is consent to the processing of personal data?

Under RODO it is the company's responsibility to inform the customer about the processing of their data and to ask for their consent. Keep in mind that consent must be:

  • voluntary: no one can force us to give consent, it is entirely up to us;
  • concrete and specific: consent is valid only if it is given for a specific use of the data;
  • informed, and therefore transparent;
  • easy to withdraw.

What are the minimum requirements for consent?  

  • Identity of the data controller: there must always be information about who is asking us for this consent and who will use our data.
  • The purposes of each processing operation must be clearly defined.
  • What data will be collected and how it will be used, and the possibility of withdrawing consent.
  • Information on decisions that may be taken automatically.
  • Information on the possibility of transferring data to third countries.

Given how much there is to know about RODO, it is worth taking a course to put this knowledge in order. The training courses are designed mainly for people who deal with the processing of personal data on a daily basis or at work, but anyone else is welcome to attend. It is important to be aware of what we are signing, what to expect and what our rights are. RODO training provides answers to many questions we are interested in, and to some we may not even have realised matter for our security. Each course ends with a certificate confirming participation and the knowledge gained.

REGISTRATION: +48 504 477 077