As of 2018, Poland is bound by RODO, a regulation that imposes certain restrictions on anyone who processes, uses or stores personal data in any way. However, it is still surrounded by a lot of speculation and uncertainty. We therefore explain the most important issues related to RODO.
Since 25 May 2018, the Personal Data Protection Regulation, commonly known by its acronym RODO, has been in force in Poland. It is a piece of EU legislation that is binding on all EU member states. Its purpose is to protect the personal data of individuals in relation to its processing, use and storage by businesses, companies and all institutions.
What is covered by the term personal data?
Personal data is defined as any information that could in any way contribute to the identification of an individual. The Data Protection Regulation states that protected data includes:
- name,
- location data,
- web ID,
- factors determining genetic identity.
Sensitive data relating to an individual's ethnic or racial origin, political, religious or philosophical views, religious, party or trade union affiliation, information on health status, genetic code, as well as any data on judicial or administrative proceedings are also specifically protected.
RODO - who is affected?
The requirements set out in RODO apply to all companies whose activities involve, to any extent, the collection and subsequent use of personal data. All companies (whether large corporations, sole proprietorships or online shops) holding data about their customers and employees must therefore comply.
The RODO obligations do not apply to:
- the processing of data by individuals in an activity which is not connected with a professional or commercial activity,
- processing of data in the framework of activities outside the scope of EU law,
- data processing by EU and diplomatic institutions,
- the processing of data by authorities whose purpose is the prevention of crime or the enforcement of penalties.
Wider data protection law
As the name suggests, RODO is primarily associated with increased protection of personal data. With its entry into force, it has brought new powers to individuals to control the flow of data:
- the right to be forgotten - this involves the complete deletion of personal data,
- the right to request data portability - this means that any individual can request that his or her data be transferred to the designated controller,
- the right to access and inspect your data - an individual can access his or her data at any time.
The broader right to personal data protection is also directly connected with new rules concerning all forms of data processing, i.e. copying, storing or saving. This is a very important point for entrepreneurs, as the provisions of the regulation refer mainly to obtaining consent from an individual in order to carry out legitimate data processing.
According to RODO, such consent must be:
- voluntarily expressed by an individual,
- expressed to a specific entity,
- formulated in a clear and comprehensible manner,
- clear in describing the purpose and the place for which it is given, as well as its duration.
Every trader, company or institution is also obliged to inform the individual who processes his or her data, as well as about the possibility of withdrawing the consent given.
RODO - what does it mean for the entrepreneur?
All entrepreneurs who process personal data in their business are obliged to adequately secure the data from being seen by third parties, as well as from possible leakage. However, there is no precise provision in the Data Protection Regulation as to how this must be done.
Businesses are therefore obliged to ensure the security of the stored data on their own. In addition, specific obligations are imposed on each data controller:
- to obtain consent each time data is to be used and to keep the documentation relating to its acquisition,
- to provide individuals with information about the processing of their data and the possibility to inspect the data,
- to document all their processing operations (during an inspection, the supervisory authority may request to see the documentation to confirm that the law is being complied with),
- to put in place appropriate measures (technical and organisational) to allow the data to be used only for specific operational purposes,
- to report any breaches of data security to the supervisory authority.
