RODO after 2 years: still a challenge for factoring

Monday, May 25, 2020 marked two years since the entry into force of the RODO Regulation. During this period, the President of the DPA imposed administrative fines on violators of the RODO in amounts ranging from PLN 20,000 to almost PLN 3 million. It is also worth mentioning that one of the inspections of RODO compliance ended with a suspicion that a crime under Article 108(1) of the Personal Data Protection Act had been committed. The District Prosecutor's Office in Katowice has already filed an indictment in this case with the court against the president of the inspected company.

When RODO came into force, it was expected that the entities facing sanctions first would be those that had taken no steps at all to comply with the new regulations. Meanwhile, penalties are also reaching entities that have implemented RODO incorrectly, or that are committing violations and negligence - examples include the proceedings against two limited liability companies in the online sales industry and a business intelligence firm. Interestingly, one of the first fines involved an entity that cooperated with a number of companies in the factoring industry.

What potential oversights are factoring companies making when applying RODO regulations? I have taken the liberty of listing a few subjective insights.

1. Information obligation

According to Article 12(1), second sentence, of the RODO, the default form of providing information to data subjects is in writing. However, the RODO also provides for the use of other, unspecified means - including electronic means. Undoubtedly, the information obligation under Articles 13-14 of the RODO is one of the most important RODO obligations for factoring companies, and a number of oversights can be found in this area. Which ones?

Non-transparent and hard-to-reach messages

The information provided to the person whose data is being processed must first and foremost be readily available to him or her. This means that where and how to access the information should be intuitive, without having to comb through the entire website. Quite a number of factoring companies do not separate information on data protection from the privacy policy. A "wall of text" is then created, in which it is not easy to find the information relating to the processing of personal data. Entities that choose this approach should clearly mark the point at which the information relating to the protection of personal data begins, for example by bolding it and increasing the font size.

Use of ambiguous wording

Data protection information should not only be easily accessible to the data subject but also clear, understandable and formulated in simple language - overly legalistic, specialized or technical language, as seen in the practice of some companies, should not be used. According to the Article 29 Working Party's guidelines on transparency under Regulation 2016/679, the use of ambiguous words should be limited in the first place. If data controllers choose to use more ambiguous wording, the accountability principle requires that they be able to demonstrate why the use of such wording could not be avoided and that it does not affect the fairness of the processing.

Lack of categorization of information at the level of different entities

Looking at the practice of factoring companies in providing information on personal data protection, it can be noted that many of them provide information addressed to unspecified entities - there is no indication of which group of persons in contact with the factoring service the information relates to. Meanwhile, a factoring transaction may involve the processing of personal data not only of the factor (assignor) but also of its representatives and employees, of the factoring recipient (counterparty) and its employees designated as contact persons for balance confirmation, and even of guarantors, spouses of factors, etc. There is no way to "stuff" all of this into one message without indicating the differences (both in the purposes of processing and in the means of obtaining the data). It is advisable to develop several separate information notices.

Of course, one can argue about how much of this should be on the factor's website; this issue is debatable. However, it is unquestionably crucial to ensure that a generic notice is available to each category of data subject. So if, for example, a promissory note guarantor's declaration carries on its reverse information about the processing of the guarantor's personal data, then fine. However, one can always ask - can anything more be done? It seems that, in order to maintain a safety buffer (there is always a risk that somewhere you forgot to attach information about the processing of personal data), it would be better to make all categories of notices available on the factor's home page in a dedicated tab devoted to the processing of personal data. In my opinion, such a solution is not only safe and transparent but also convenient - because in the event of a change (update) to the content of a notice, the data subjects' access to the current content will always be guaranteed. Therefore, it is worth stating in each notice that its current content is always available in a dedicated tab on the website, and keeping the current content of the notices there.

Omission of Article 14 of the RODO

Some entities overlook the differences between the provisions of Articles 13 and 14 of the RODO and neglect the obligation under Article 14 of the RODO, in particular forgetting the situation in which personal data are obtained from third parties (e.g., an intermediary). The above is also evident at the level of the RCP.

2. Overlooking changes in regulations and guidelines

RODO and then nothing for a long time? Not necessarily. After RODO came into force, legislative activity did not end. A new Law on Personal Data Protection was passed, amended by the Law of 21.02.2019. A number of guidelines, clarifications and positions were issued. Many of them clarified issues unknown on 25.05.2020, including in the field of notices, websites and data processing in certain segments. Moreover, new legal solutions have also emerged as a method / source of ongoing data processing - e.g. the White List of VAT taxpayers, the Central Register of Beneficial Owners, etc. Documentation and procedures should reflect the current state of knowledge, not just the state as of 25.05.2018.

3. Omission of the data protection impact assessment (DPIA)

The RODO requires controllers to conduct a data protection impact assessment (DPIA) when the type of processing in question "may cause a high risk of violation of the rights or freedoms of individuals". The purpose of the DPIA is to systematically analyze new situations that could lead to a high risk to individuals' rights and freedoms. A significant number of factoring companies did not perform any DPIA; some performed one as part of the implementation of RODO. The banking sector, which as a heavily regulated sector assessed these issues comprehensively, looks better here.

On 8.07.2019, the PUODO Announcement of 17.06.2019 on the list of types of personal data processing operations requiring an assessment of the effects of processing on their protection was published. We wrote about it on this blog. This list allows factoring companies to assess which of their personal data processing activities require such an analysis.

Factoring companies should look at the following activities in terms of DPIA analysis:

  • performing automatic assessment of a customer's financial capacity, using artificial intelligence and so-called scoring machines, and requesting disclosure of data not directly related to the assessment of financial capacity;
  • conditioning the decision to finance / grant a factoring limit on information contained in debtor databases or similar databases;
  • customer profiling - in particular on the basis of aspects relating to the economic situation, reliability or behavior, location or movement of the data subject; this also applies to indirect profiling, which involves evaluating a person/customer on the basis of membership in a certain group and therefore offering such a person more favorable terms;
  • operation of whistleblowing systems - especially where employee data is processed, particularly on a large scale and electronically;
  • collecting data on pages viewed, banking operations performed and purchases made in online stores, and then analyzing them to create a profile of the person;
  • monitoring the working time of employees and the flow of information in the tools they use (e-mail, Internet);
  • monitoring employee location, particularly in the context of working from home and working remotely;
  • processing of biometric data for the sole purpose of identifying an individual or for access control purposes, e.g., facial recognition systems, workplace identity verification for access control, device/application identity verification (including voice, fingerprint, facial recognition);
  • the use of applications with communication functions and software to exchange information with the immediate environment and remotely through the telecommunications network - i.e., among other things, the use of devices with different types of interfaces (speaker, microphone, camera) and software and communication systems enabling the transmission of data over telecommunications networks.

Each company should therefore assess whether it uses any of the above solutions and whether it should subject them to a DPIA.

4. Implementing RODO and... doing nothing

Some entities have done nothing more after 25.05.2018, stopping at the efforts made before the regulations came into force. Some companies do not even update the RCP. Meanwhile, the measures put in place by the entity to ensure the security of processing should be regularly checked for effectiveness and updated, as follows from Article 24(1) of the RODO, which clearly indicates that the technical and organizational measures implemented should be reviewed and updated as necessary.

At a minimum, companies - especially those that process data on a large scale - should update their processes, procedures and templates in line with the changes and guidelines discussed above, update documents (including the RCP), conduct training, conduct periodic audits and reviews, apply new measures and solutions in compliance with the RODO, and conduct DPIAs.

In order to avoid mistakes that may result in the imposition of a fine by the President of the DPA on the data processor, it is worthwhile to conduct a RODO compliance audit showing how and what personal data is processed by the entity. It is particularly beneficial to carry out audits and reviews every 1-2 years, which helps catch errors, correct them and ensure compliance with RODO, as a reliable compliance system should. An important, although not obligatory, element of the RODO audit is the mapping of data processing processes, through which the entity obtains, among other things, information on the legal basis on which personal data is processed and to whom it is entrusted. This contributes to a more efficient preparation of the RCP, which the controller is obliged to maintain under Article 30 of the RODO and for which it is responsible.

5. Summary

The huge scope of regulatory changes for the factoring industry in recent years should not be an excuse for factoring companies' failure to evaluate, update and improve their personal data processing systems. A reliable compliance system (the creation of which has been forced by the changes of recent years) requires that the processing of personal data be managed proactively, and that any errors identified be rectified promptly. The first two years of RODO have brought some of these errors to light, so this is a good time to audit and review the processes and documents in use, which we encourage you to do, also with the help of external parties. In this case, knowledge of the specifics of the factoring industry is important, because the processing of personal data in the factoring process requires taking into account the special characteristics of such a transaction related to the assignment and to the participation of various entities at different stages.

The text purposely omits the still highly debatable issue of the processing of personal data of participants in factoring transactions in silent factoring.

The above assessment is subjective in nature and is based on the text author's own assessment of the RODO solutions from the perspective of the factoring industry.


Bartosz Nadra

Attorney | Managing Partner

#timefactoring

Poland's first blog on the legal aspects of factoring
