Day May 25, 2018 A new EU Regulation on the protection of personal data (the so-called "Data Protection Regulation") will come into force in Poland this year. RODO). So there is very little time left to prepare your company for the changes resulting from RODO.
The regulation introduces a revolution in personal data protection. Significantly fines for failing to comply with RODO obligations can range from Up to EUR 20,000,000 or 4 % annual turnover entrepreneurs.
Contrary to first associations, the acquisition and processing of personal data takes place in each company - With respect to employees, customers, contractors, as long as they are natural persons. This applies both to the processing of personal data by automated means (e.g., data from forms) and by other means (e.g., data from orders, invoices, emails, contracts, HR, including employment contracts).
The significant scale of the changes envisaged by the RODO makes it necessary to existing data protection procedures become outdated and require re-examination and implementation of changes, or preparation from scratch. In their absence, it is necessary to develop and implement them. Procedures must take into account the specifics of the company and the scope of its activities. Using someone else's procedure will not constitute compliance with the obligation under the RODO.
The most important, in our opinion, legal aspects of the new regulation (in brief):
- It will be permitted to obtain data only to the extent that is necessary to achieve the stated purpose;
- The RODO formulates new rules for obtaining consent for the processing of personal data (e.g., prohibition of fine print clauses, understandable language, informing about the possibility of withdrawing consent), which will result in the need to Adaptation of procedures and forms for obtaining such consents to the new regulations under penalty of declaring the consent invalid and risking a fine;
- It has been made mandatory to record the consents obtained;
- It will be necessary to implement security, monitoring and response measures on personal data (including the introduction of user access controls to data, security rules, data leakage response measures, etc.).;
- All communications to individuals must be formulated in an understandable manner. It will become necessary to review the content of communications regarding personal data for compliance with the Ordinance;
- The RODO requires that the entrustment of the processing of personal data shall be carried out only to entities that provide technical and organizational measures to guarantee the processing of data in accordance with the requirements of the Regulation;
- The requirements for the content of contracts under which personal data processing is entrusted to an external company will also change. Therefore, it becomes necessary to review the content of data processing agreements for mandatory provisions and possibly annex them;
- The RODO abolishes the requirement to register personal data sets replacing it with an obligation to keep a register of internal personal data processing operations for certain companies;
- The Data Protection Supervisor will take the place of the ABI.
Given the enormous scope of changes resulting from the RODO and the potential sanctions for non-compliance with the obligations under the Regulation, we offer you support in preparing to perform your obligations under the RODO.
