GDPR compendium - DOIT.BIZ Sp. z o.o.

GDPR compendium

What is the GDPR?

It is the acronym for the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation). It defines the rules for the processing of personal data in the European Economic Area, including Poland.

What are personal data?

The term can be used to describe all information relating to a specific (identified or identifiable) person. This includes your first and last name, address, e-mail address, telephone number, PESEL [Personal Identification Number], NIP [Tax Identification Number], IP address of your computer, fingerprint, etc.

What is the difference between “common” and “sensitive” data?

Common personal data are not called “common” because they are unimportant. You can, for example, break into someone’s bank account based on a set of such data. This classification is due to the fact that these data are typically used to identify a person. Quite often, acquiring a single piece of such personal data does not require a lot of time or money either. Therefore, the processing of such data is permissible – under certain conditions, of course.

Sensitive personal data, on the other hand, refer to the more “intimate” spheres of our privacy. Their disclosure might expose an individual to particularly unpleasant consequences such as discrimination or ridicule. It is primarily such information that our right to privacy applies to. This set will include information concerning, for example, political views, religious or philosophical beliefs, opinions on political parties, sex life, racial or ethnic data, genetic code, etc. The processing of such data is therefore implicitly prohibited, unless special circumstances require it.

What does document anonymisation mean?

The purpose of this process is to transform information about an individual in such a way as to make it impossible to attribute specific personal or material data that would allow for the identification of this individual.

Can personal data be permanently deleted?

Yes. Final and permanent disposal requires the destruction of any media in a way that makes them irretrievable. Mechanical means (shredders) and IT means (computer programmes) are used for this purpose.

What is a personal data set?

It is one of the forms in which personal data are stored. It is permissible to store them in the form of individual pieces of information or in sets, which are collections of personal data (accessible based on specific criteria) structured in a particular way.

Who is the Personal Data Controller (PDC)?

It is a person that makes decisions on the purposes and manner of the processing of personal data. The function may be exercised both by legal and natural persons.

Can one person perform both the function of the Personal Data Controller (PDC) and the Data Protection Officer (DPO)?

It is possible. If the PDC chooses not to appoint a DPO, they will be obliged to fulfil the statutory obligations that apply to the DPO. In such cases, they have to take on most of the tasks. However, due to the broad scope of responsibilities, the PDC may appoint a DPO who will be responsible for compliance with data protection rules. The main duties of the DPO are to ensure compliance with personal data protection legislation, to maintain relevant documentation, and to cooperate with the President of the Personal Data Protection Office.

Who else can have access to personal data?

Such access can be obtained by any person who is authorised by the PDC and has undergone appropriate training in the processing of personal data. It is good practice to provide data protection training to all employees who may come into contact with the processing of such information. The training should include key definitions and information on basic legal regulations. In addition, it should address topics such as the permissibility of data processing, the rights of and obligations towards persons who give their consent to the processing of such information, responsibility for data processing, dealing with security breaches, ensuring adequate security of IT systems, etc.

Does the Data Protection Officer (DPO) need to be notified to the Personal Data Protection Office?

Yes. The designation of the Data Protection Officer entails the necessity to notify it to the President of the Personal Data Protection Office (PUODO) within 14 days of the designation. The only correct and effective way of notifying the designation, dismissal or change of details of the DPO is to submit the notification in an electronic form, with a qualified electronic signature or a signature confirmed via an ePUAP trusted profile (pursuant to Article 10(6) of the Personal Data Protection Act). The notification should be sent using one of the services available on the biznes.gov.pl website. The execution of the tasks of the Data Protection Officer can be entrusted to an external company.

What is PUODO and what do they do?

PUODO stands for the President of the Personal Data Protection Office. This institution is in charge of verifying the compliance of data processing with personal data protection legislation. It also issues administrative decisions and handles complaints related to failures by various entities to properly fulfil their legal obligations with regard to the processing of personal data. The PUODO undertakes a number of activities aimed at ensuring lawfulness of the processing of personal data by businesses and institutions.

What is personal data processing?

It is a series of activities in which personal data are used, i.e., collecting, recording, storing, archiving, altering, and deleting. All these processes are only possible and lawful if there is a so-called basis for data processing.

What can be the basis for data processing?

Personal data may be processed if one or more of the following conditions set out in Article 6(1) of the GDPR are met:

  • the person has given consent to the processing of their personal data for one or more specific purposes,
  • processing is necessary for the performance of a contract to which the person is party or in order to take steps at their request prior to entering into a contract,
  • processing is necessary for compliance with a legal obligation to which the controller is subject,
  • processing is necessary in order to protect the vital interests of the person,
  • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller,
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party.

In addition, the basis for the processing of sensitive personal data is set out in Article 9(2) of the GDPR.

UODO inspection vs. personal data protection audit

The main objective of an inspection of the Personal Data Protection Office is to determine the actual state of compliance with the law on the processing of personal data in a given institution or enterprise. It is carried out by a team of inspectors and the inspection activities are carried out on site – at the premises of the entity. The purpose of the audit is, on the one hand, to verify the correctness and functioning of the procedures adopted for the processing of personal data and, on the other hand, to adequately prepare for an inspection.