In connection with implementing the requirements of the new General Data Protection Regulation, and as part of raising awareness of the GDPR, we would like to present the topic in a few points.
What is the GDPR?
It is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. The new national laws on the protection of personal data only clarify certain concepts used in the Regulation, based on the law in force in each country, and introduce changes to other national regulations to bring them into line with the Regulation (e.g. through amendments to the Labour Code).
The primary purpose of the GDPR is to ensure effective protection of individuals with regard to their personal data. It is necessary to analyze the effects of all personal data processing operations and to take appropriate measures to prevent risks, in proportion to how we assess them. This is a continuous process based on assessing the current situation, aimed at minimizing the potential negative consequences of incorrect processing of personal data.
The Regulation only sets a certain framework within which we can operate, by imposing duties related to this.
Since when has the GDPR applied?
The Regulation entered into force on May 17, 2016 and has applied directly in national legal orders since May 25, 2018. The Regulation binds everyone who processes personal data in connection with business activity.
What are «personal data»?
«Personal data means information about an identified or identifiable individual («the data subject»); an identifiable person is one who can be identified, directly or indirectly.»
So personal data are data that allow an individual to be identified (according to the interpretation of the European Commission, this also includes sole proprietorships and civil partnerships). Examples include: first name, surname, email address, telephone number, mailing address, IP address (Internet identifier), identification number (e.g. PESEL), NIP. Personal data also include data on health status and special factors defining a person's identity (sex, religion, beliefs), etc.; these are so-called sensitive personal data, which are subject to increased protection. The owner of the data is the person they concern.
The nationality of the person whose data are protected is irrelevant to the application of the GDPR. What matters is that the person is in the European Economic Area (i.e. the European Union, Iceland, Norway and Liechtenstein). The administrator may have its headquarters or servers outside the EU, and the GDPR will still apply to such persons.
What is processing?
The Regulation defines processing as an operation or set of operations performed on personal data or sets of personal data, whether by automated means or not, such as collecting, recording, organizing, storing, adapting or modifying, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing or destroying.
So it is practically any action on personal data in any form: paper, electronic or other; regardless of whether it is an organized collection of many people's personal data (e.g. a file) or the personal data of a single person (e.g. a personal form).
Administrator or processor?
Administrator: the one who obtains the data and is responsible for the purpose and manner of processing, how long the data are stored and to whom they are transferred. Of course, this must be done lawfully, which means acquiring and processing the data only to the extent permitted by law.
Data processor: the one who receives data from the Administrator in order to perform a specific action. The processor is responsible for the security of the data and for ensuring that they are used only for the purpose for which they were entrusted.
What does this mean?
For example, by signing a contract with a client, our company becomes the administrator of the client's personal data on the basis of legal provisions that allow us to process the data necessary to perform the contract (both to the extent resulting from the provisions of the contract itself and to the extent resulting from legal regulations related to such activity, e.g. the Accounting Act). If we pass all or part of these data to the accounting office that keeps our books, that office becomes the processor.
Co-administrators: who are they?
In the case of our companies Timex Card and UTA Polska, the concept of co-administrators introduced by the GDPR applies. Because they perform identical tasks and the entire GDPR policy is carried out on the same principles, we fulfil the condition described in the Regulation: «if at least two administrators jointly determine the purposes and means of processing, they are co-administrators.»
This does not affect the scope of duties or the application of the provisions of the GDPR; it only simplifies matters, e.g. informing clients about their rights does not have to be done twice. As you know, under the contract concluded with customers, UTA Polska already entrusts the performance of all activities to Timex Card.
The most important changes resulting from the GDPR
Direct liability of the data processor: as an organization that processes entrusted personal data, we are directly liable for breaches of the provisions of the GDPR.
Any person whose data are processed may also claim compensation from us for damage resulting from a violation of their personal data.
This does not absolve employees of their liability: employees are fully responsible for compliance with procedures and regulations. If the administrator proves that the damage was not its fault but resulted, for example, from negligence or non-compliance with procedures, the liability falls on the specific person.
For this purpose, the GDPR imposes an obligation of transparency, which in practice means the need to monitor all operations on data and to keep logs of who performed those operations. We did a large part of this in the past; now we will do it across the whole range of data. The access policy, the assignment of passwords and the assignment of access levels will also be tightened.
Reporting of breaches: as a data administrator, we are obliged to report within 72 hours all kinds of breaches that may result in a risk to the rights and freedoms of the persons whose data have been affected.
Failure to notify may result in a high financial penalty being imposed on us. You will be trained on what situations constitute a breach, and on how and whom to inform about them.
New extended citizens’ rights
The Regulation gives the owner of personal data the right to:
- correct their data,
- delete their data,
- limit processing (if the owner decides that part of the data is being processed unnecessarily or incorrectly),
- transfer their data (this consists of the possibility of submitting a request to transfer all personal data processed by the administrator to another administrator, e.g. from one bank to another),
- limit automated profiling (the right not to be subject to a decision based solely on automated processing, so that the final decision is made by a human),
- object to data processing (in the case of direct marketing, you can request that processing be stopped).
Appointment of a Data Protection Inspector: because we do not meet the criteria set out in the Regulation for companies that must designate a DPI, we will not currently designate one. However, we will have a designated person who will oversee matters related to the GDPR.
Consent: the GDPR introduces new rules for obtaining valid and verifiable consent for the processing of personal data from data subjects. If we are going to process someone's personal data on the basis of their consent rather than on another basis (e.g. a contract), we must obtain that consent. Such consent must be «voluntary, specific and conscious». An unambiguous indication of the person's wishes may take the form of a statement or an explicit action confirming consent to the processing of personal data (on the one hand, this means, for example, a ban on pre-ticked consent boxes on forms; on the other hand, it allows such consent to be expressed in another form, e.g. a request). If such consent is necessary in our business, you will be informed and provided with the appropriate forms.
It should be remembered that some consents, for example to correspondence by email, result from other regulations that are not changed or replaced by the provisions of the GDPR.
Extension of the information obligation: the provisions of the GDPR indicate what information should be provided to the owner of personal data:
- who the Administrator of Personal Data is,
- the basis for processing,
- the intention to transfer data to a third country (if applicable),
- the period for which the personal data will be stored, or the criteria used to determine that period,
- information on the right to lodge a complaint with the supervisory authority (in Poland, the President of UODO),
- an indication of the possible consequences of not providing data, e.g. when concluding a contract, not providing information about one's financial situation will result in a higher security being required,
- information about the rights of the data subject described above.
The relevant information clauses have already been provided to you.
How to act in accordance with the GDPR?
The easiest way is to act in accordance with the information given to the data owner; that is why you should familiarize yourselves with the information clause ("Duty to notify clients") that was sent out to the clients:
- We process data in accordance with the stated purpose, and we process only the necessary data (the data minimization principle, which roughly means not storing excess data). You should also check whether we collect some excess data just because that is how it has always been done. Of course, in due time we will introduce appropriate procedures, but your valid remarks and suggestions will be of great help.
- We process data on a lawful basis, e.g. do not call a prospective client who has already withdrawn their consent. The GDPR grants the right to withdraw consent and the right to be forgotten (right to erasure).
- We process data only for the period specified at the time of collection (data retention);
- Inform the client about their rights: during the first contact the so-called information obligation must be fulfilled. You have already received information about the appropriate procedures; now you only have to remember them.
- Delete data that do not comply with the above rules: if you save personal data in any form, e.g. for a makeshift or interim need (e.g. a list of prospective clients you want to visit, containing information beyond their name and surname), delete those data as soon as you have used them, and keep doing so. Do not create unnecessary copies, reports or other files or documents unless it is really necessary for completing your duties.