2 months to RODO

On May 25, 2018, a new EU Regulation on the protection of personal data (the so-called "Data Protection Regulation", RODO) will come into force in Poland. There is therefore little time left to prepare your company for the changes resulting from RODO. Contrary to first associations, the acquisition and processing of personal data takes place in every company, with respect to employees, customers and contractors, as long as they are natural persons. This applies both to the processing of personal data by automated means (e.g., data from forms) and by other means (e.g., data from orders, invoices, emails, contracts, HR, including employment contracts). The obligations of RODO therefore apply to any company, and even to entities that are not formally entrepreneurs (e.g., an individual renting several premises).

Importantly, fines for failing to comply with RODO obligations can reach up to EUR 20,000,000 or 4% of the entrepreneur's annual turnover. But this is not the only motivation for compliance. Efficient implementation of the new regulations is also an expression of competitiveness and of being better than others in the market. Undoubtedly, efficient preparation for RODO is also motivated by the potential liability of managers for non-compliance and the risk of non-compliance being used for blackmail by 'pseudo-companies' (do you remember the famous cases of prohibited clauses in the regulations of online stores?).

Given the significant scale of the changes envisaged by the RODO, existing data protection procedures become outdated and require re-examination and implementation of changes, or preparation from scratch. Where no procedures exist, it is necessary to develop and implement them. Procedures must take into account the specifics of the company and the scope of its activities. Using someone else's procedure will not constitute compliance with the obligation under the RODO.

The most important, in our opinion, legal aspects of the new regulation (in brief):

  • It will be permitted to obtain data only to the extent that is necessary to achieve the stated purpose;
  • The RODO formulates new rules for obtaining consent for the processing of personal data (e.g., prohibition of fine print clauses, understandable language, informing about the possibility of withdrawing consent), which will result in the need to adapt procedures and forms for obtaining such consents to the new regulations, under penalty of the consent being declared invalid and the risk of a fine;
  • The information obligations that must occur when obtaining personal data (e.g., providing an email address) have been greatly expanded;
  • It has been made mandatory to record the consents obtained;
  • It will be necessary to implement security, monitoring and response measures on personal data (including the introduction of user access controls to data, security rules, data leakage response measures, etc.);
  • All communications to individuals must be formulated in an understandable manner. It will become necessary to review the content of communications regarding personal data for compliance with the Regulation;
  • The RODO requires that the processing of personal data be entrusted only to entities that provide technical and organizational measures guaranteeing the processing of data in accordance with the requirements of the Regulation;
  • The requirements for the content of contracts under which personal data processing is entrusted to an external company will also change. Therefore, it becomes necessary to review the content of data processing agreements for mandatory provisions and possibly annex them;
  • The RODO abolishes the requirement to register personal data sets, replacing it with an obligation to keep a register of internal personal data processing operations for certain companies;
  • A Data Protection Officer will take the place of the ABI. Whether to appoint a DPO must be decided by the entrepreneur himself, following the guidelines in the RODO.

Bearing in mind the huge scope of changes resulting from RODO and potential sanctions for non-compliance with the obligations under the Regulation, we offer you support in preparing to comply with the obligations under RODO - in particular, in developing a procedure for the protection of personal data and its implementation, as well as training employees and managers in the application of the new regulations.
