Since 2018, the regulation on the protection of personal data in processing, commonly known as RODO, has been formally in force in Poland. Its provisions apply equally to large, medium and small businesses. What should those running a micro-enterprise be aware of?
The acronym RODO stands for Regulation of the European Parliament and of the EU Council concerning the protection of individuals with regard to the processing of personal data. It has formally been in force since 25 May 2018.
All companies must comply with the provisions of RODO, regardless of the number of staff they employ or the number of clients using their services. As soon as a company holds any personally identifiable information, it must put in place measures for the protection of personal data.
What data is protected under the RODO?
Any information that could in any way contribute to the identification of an individual is subject to the protection of the RODO. Typical data include:
- name of individual,
- address,
- PESEL number,
- identity card number,
- e-mail address.
In the case of a company, personal data includes: the name of a specific person, a list of company employees, as well as e-mail addresses containing personal data in the name. Non-personal data, on the other hand, includes the company's contact information or its financial data.
Implementing RODO - key principles
Currently, there is no specific instruction on how to implement RODO in a company's operations. Typically, the entrepreneur is obliged to secure the personal data flowing through his or her business on his or her own. The steps taken are largely determined by the type and specifics of the business conducted.
When implementing RODO, it is worth bearing in mind a number of obligations that a business must fulfil:
- Obligation to inform individuals about the data processing and the owner of the data (Articles 13 and 14 of the RODO),
- Obligations concerning the exercise of the person's rights, such as providing him/her with information on how and for what purpose the data was obtained (Articles 15-22 RODO),
- Obligation to authorise persons who have access to the data and its processing (Article 29 RODO),
- Obligation to register activities related to the processing of personal data. The register should include details of whose data the company holds, whether it is detailed, who has access to it, where it has been transferred and how it is secured (Article 30 RODO),
- Obligation to apply appropriate security measures, which must be subject to an assessment of effectiveness (Article 32 RODO),
- Obligation to report all breaches and irregularities involving leakage of personal data (Article 33 RODO),
- The obligation to appoint a Data Protection Officer to help implement the RODO, to supervise the company's activities, and to act as an intermediary between the company and the Data Protection Authority. The inspector is appointed by the business owner - i.e. the personal data controller (Article 37 RODO).
RODO in a small company - implementation
In companies which have several employees, it is worth starting the implementation of RODO with an audit. The audit will provide the owner of the company with information on what data the company is processing, for what purpose, and whether the customers whose data are in the company's database have been properly informed. In addition, the audit will indicate which data the employees have access to.
Every small business should keep records of all data it holds and processes, both employee and customer data. Documents containing such data should be adequately protected from third parties, as well as from possible theft or destruction. Only persons with specific written authorisation should have access to the data.
The control of personal data is usually handled by an inspector appointed by the owner. However, it must be remembered that data protection is the responsibility of the data controller, i.e. the business owner. The task of the inspector is solely to assist in the implementation of the RODO.
Facilitation for small businesses
The need to apply RODO to a company entails a number of new obligations. This places the greatest burden on small business owners. Therefore, the Act provides for certain simplifications that micro-entrepreneurs can benefit from. These concern the way in which personal data protection is communicated.
In order to comply with the information obligation, it is sufficient that there is a notice on the company's premises or website referring to the privacy policy. This facilitation applies to entrepreneurs who meet a number of conditions, including having fewer than 10 employees and a net income not exceeding EUR 2 million (PLN equivalent).
The simplifications do not apply where the recipient of the service has no way of knowing the administrator's information. This implies the impossibility of concluding a contract in person or via the Internet. The simplifications also do not extend to controllers processing confidential data and those making it available to other entities.

