Personal Data and GDPR

FAQ

GDPR – Basic Terms
What is “personal data”?

Personal data is information relating to an identified or identifiable natural person, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. This definition is derived from Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation or GDPR).

Does a legal person have “personal data”?

No. Personal data concerns only living natural persons, so the GDPR does not cover the processing of data relating to entrepreneurs that are legal persons, including their business names, legal forms and contact data. In the case of a natural person conducting a business activity, his or her particulars are considered protected personal data.

What is “data processing”?

Data processing means any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

In practice:

Gathering personal data, for example in archived e-mail, is considered personal data processing.

Who is a “data controller”?

A data controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

What is the difference between a “data controller” and a “processor”?

A controller is an entity that determines the purposes and means of personal data processing. A processor processes personal data on behalf of the controller under an agreement signed with the controller and on the terms set out in that agreement. The GDPR specifies the basic elements that a data processing agreement must contain.

Is it necessary to register data filing systems?

Under the provisions currently in force, it is no longer necessary to register data filing systems.

What are data pseudonymization and anonymization, and what are the differences between them?

Pseudonymization means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separate and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person.

Anonymization means processing data in such a way that the controller can no longer use it to identify a natural person. Anonymization is an irreversible process (unlike pseudonymization), and if it is carried out effectively, the anonymized data is no longer personal data and can no longer be processed as such.

What are “special categories of data” (sensitive data)?

Special categories of data (sensitive data) include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning a natural person's health, sex life or sexual orientation.

What is “profiling” and when must consent to profiling be obtained?

Profiling means any form of automated processing of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements. No consent is necessary for profiling alone, but consent is necessary where automated decisions are made on the basis of profiling results.

What does the “right to be forgotten” mean?

The right to be forgotten means that a data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and that the controller has the obligation to erase such personal data without undue delay and to take steps to have it erased by the entities to which the controller disclosed it.

Principles of Personal Data Processing
When may special categories of data be processed?

Special categories of data may be processed in the following cases:

  • The data subject has given explicit consent;
  • Processing is necessary for carrying out the controller's obligations in the field of employment and social security and social protection law;
  • Processing is necessary to protect the vital interests of the data subject (e.g. to provide medical aid);
  • Processing is carried out in the course of legitimate activities by a foundation, association or any other not-for-profit body and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it;
  • Processing relates to personal data which has been made public by the data subject;
  • Processing is necessary for the establishment, exercise or defense of legal claims or whenever courts are acting in their judicial capacity;
  • Processing is necessary for reasons of substantial public interest;
  • Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;
  • Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

What body is currently the personal data supervisory authority?

In accordance with the 10 May 2018 Data Protection Act, the supervisory body with respect to personal data is the Personal Data Protection Office.

Is it legal to collect data from the internet? On what conditions?

Yes, it is permissible to collect data from publicly available sources, e.g. from the internet or public registers (e.g. the National Court Register). Data so collected may be processed, but only for the purposes arising from the circumstances in connection with which the data has been made public.

For example, the contact data of a company's spokesperson may be processed to contact her regarding issues related to the company, but not to send her information related to her private life.

Data Controllers’ Obligations
How is the legal basis for data processing determined?

Each instance of data processing must have a legal basis, which is determined by identifying the circumstance or activity that makes the processing lawful.

In accordance with Article 6 of the GDPR, data processing is lawful when:

  • The data subject has given consent to processing;
  • Processing is necessary for the performance of a contract to which the data subject is a party or to take steps prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation;
  • Processing is necessary in order to protect the vital interests of a data subject;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • Processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party.

What are the fundamental features of a correct consent?

A statement expressing consent must be unambiguous and clearly distinguishable from other statements. In addition, consent must be informed and voluntary, and must precisely specify the purpose of the data processing and the scope of data to which it relates. It is inadmissible to collect blanket consents or implied consents (e.g. consent inferred from inaction).

Can a consent be granted by default?

A consent may not be granted automatically or by default. To be valid, a consent must be granted by taking an appropriate action that expresses consent, e.g. by ticking an appropriate box.

From what age and when can children grant consent on their own?

Under Polish law, a minor aged 13 or over may grant consent to personal data processing in the case of information society services addressed directly to children (e.g. social media). For children below 13 years of age, a parent or guardian may grant consent on their behalf.

How long may personal data be stored?

Personal data may be stored only for a period necessary to achieve the objectives for which such data has been collected. After that period the data must be erased.

When may an offer or marketing materials be sent without having to ask for consent?

No consent is necessary for a data controller that processes data in performance of a contract to send offers as part of marketing its own services. For any other marketing activity (e.g. marketing of the controller's affiliates), consent must be obtained.

What are additional requirements for lawful direct marketing?

If a controller's own services are marketed by means of electronic communications, consent to receiving such messages must be obtained (Article 10 Section 2 of the 18 July 2002 Electronic Services Act). Marketing without such consent may be treated as sending unsolicited commercial information.

When terminal telecommunication equipment and automated calling systems are used for direct marketing, consent must be obtained to send such information via those means (Article 172 Section 1 of the 16 July 2004 Telecommunications Law).

What is a “privacy policy” and when must it be implemented?

The GDPR does not directly introduce an obligation to implement a document called a "privacy policy", but it does require certain information to be provided to data subjects, which is most conveniently done in a privacy policy. A privacy policy (a document addressed to data subjects) is different from a security policy, which is an internal document that each data controller must have.

A privacy policy must contain information that each data controller is obligated to deliver to persons whose data the controller processes, such as information about the purposes and duration of data processing and the rights of data subjects. The document should also include information about cookies (if a privacy policy concerns a website using such files).

When is it necessary to designate a data protection officer?

A data protection officer must be appointed in the following cases:

  • Processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • Core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or,
  • Core activities of the controller or the processor consist of processing of special categories of data (sensitive data) on a large scale.

May a third party be a data protection officer?

Yes. A data protection officer may be the controller’s employee or may function pursuant to a service contract. It is important that he or she has suitable qualifications, and in particular has the knowledge of law and data protection practices, and is capable of performing the tasks imposed on him or her by the GDPR.

When must a record of processing activities be maintained?

Generally, all controllers must maintain a record of processing activities. Controllers who employ fewer than 250 persons are exempt from this duty, unless the processing they carry out:

  • Is likely to result in a risk to the rights and freedoms of data subjects;
  • Is not occasional; or
  • Includes special categories of data or personal data relating to criminal convictions and offences.

What does the “duty to assess data processing risk” mean?

If a controller's processing of personal data is highly likely to result in a high risk to the rights or freedoms of natural persons, the controller must, before starting such processing, assess the impact of the planned processing operations. If a high risk is established, the controller must consult the supervisory authority (the President of the Personal Data Protection Office) before starting to process the data, and the authority may issue appropriate recommendations.

When must incidents of a personal data breach be reported?

The controller must report a personal data breach without undue delay and not later than 72 hours after becoming aware of it. A breach need not be reported unless it is likely to result in a risk to the rights and freedoms of natural persons.

What are the fines for a breach of the GDPR provisions?

The GDPR sets out very high administrative fines for breaching personal data protection provisions.
A fine of up to EUR 10,000,000 and, in the case of a company, up to 2% of its worldwide annual turnover of the preceding financial year is provided for, among other things:

  • Failure to apply the privacy by design and privacy by default mechanisms;
  • Non-compliance with duties related to outsourcing of personal data processing;
  • Failure to apply adequate security measures.

A fine of up to EUR 20,000,000 and up to 4% of worldwide annual turnover may be imposed for (for instance):

  • Failure to comply with the fundamental rules for data processing;
  • A breach of data subjects' rights.

What other liability may be borne by a personal data controller?

Apart from high financial penalties, unlawful data processing may involve criminal liability in the form of a fine, restriction of liberty or imprisonment for a period of up to two years.

In addition, each data controller may bear direct liability for damages towards persons whose personal details are processed by that controller, on the general terms provided in the Civil Code.

Are previously given consents to data processing still valid? On what conditions?

Consents given before the GDPR entered into force remain valid if they meet all the requirements for consent set out by the GDPR. This means that a controller may process data on the basis of consents that were voluntary and informed, provided that the controller is able to prove this.

Can consent be obtained over the telephone?

Yes, as long as it is possible to prove that such consent was given in line with the accountability principle.

In practice:

Obtaining consents over the telephone is possible when telephone calls are recorded.

Sharing and Transfer of Personal Data
On what terms may personal data be transferred out of the European Union?

Personal data may be transferred outside the EU only when the controller, the processor or the organization in the third country ensures an adequate level of data protection.

When data is transferred to the US, the data recipient should be a certified entity under the Privacy Shield agreement or an entity that abides by the binding corporate rules or standard data protection clauses that ensure an adequate level of protection.

Rights of Data Subjects
What is an obligation to inform and who must comply?

A controller must provide the following information:

  • The controller's identity and contact details;
  • The data protection officer’s contact data;
  • Personal data processing purposes and the legal basis for processing;
  • Information about recipients or categories of recipients of personal data;
  • Information about an intention to provide personal data to a third country;
  • The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period;
  • Information about the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, the right to object to processing, and the right to data portability;
  • Information about the right to withdraw consent at any time;
  • Information about the right to lodge a complaint with a supervisory authority;
  • Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data;
  • The existence of automated decision-making, including profiling.

Is a collection of business cards regulated by the GDPR?

Generally, no. It is hard to imagine a business meeting without exchanging business cards. A person who gives us their business card may be assumed to consent to the processing of their personal data for the purpose of maintaining contact. If, however, a structured filing system is built from such business cards, e.g. to send commercial information, the question of whether that processing conforms with the GDPR will arise.

When is it not necessary to inform about data processing?

When acquiring personal data, whether from the data subject or from third parties, the controller must comply with the duty to inform data subjects about the processing.

This duty does not arise if the data subject already has the information. In addition, when the data is not acquired from the data subject, the duty to inform does not apply where doing so is impossible or would require a disproportionate effort, where the data must remain confidential, or where the acquisition or disclosure is expressly laid down by EU law or the law of a Member State.

Data Processing Contracts
What is order data processing?

Order data processing occurs when a data controller engages a different entity to process personal data. That entity (the processor) processes personal data on behalf of and at the request of the data controller.

What is necessary to contract out data processing correctly?

The basic requirement for a data controller is to sign an agreement with the processor. The scope of such an agreement is set out in detail in Article 28(3) of the GDPR.

When must a data processing agreement be executed?

A data processing agreement must be executed when a controller transfers data to another entity (e.g. as part of service outsourcing) and such data is to be processed on the controller’s behalf. Typically, a data processing agreement must be executed when HR and payroll services are outsourced to a third party.

Do I need to execute a data processing agreement with the Polish Post Office or a courier company?

No, it is not necessary to execute such an agreement, because the Polish Post Office and courier companies provide their services under the laws in force and decide on the methods of data processing themselves. An agreement will be needed when such entities are assigned special tasks, e.g. dispatching contracts to be signed by clients.

Do I need to execute a data processing agreement with a law firm?

No. A law firm is a personal data controller and not a processor acting on a client's request. Law firms set the purposes and methods of data processing on their own and do not act on any third party's request.

Advocates and legal advisors have special duties of professional secrecy needed for them to practice their professions. To a certain extent, an advocate and a legal advisor must be independent of their client as to the purposes and methods of processing the personal data provided to them or collected by them while providing legal services.

Documentation and Data Protection
What basic internal documents must be prepared and kept by a personal data controller?

A data controller must implement a data protection policy with such elements as a form of acknowledgement of the personal data protection rules and a form of authorization to process personal data. In addition to such documents, the controller must, subject to certain conditions set out by the GDPR, keep a register of processing activities. Such a register may be kept in electronic form.

When must an authorization be granted?

Each data controller who permits natural persons to process data must grant an appropriate authorization to them. The GDPR does not specify the form of such authorization but a written form is recommended for evidentiary purposes.

Protection of Personal Data of Employees
What is the legal basis to process employees’ personal data?

The legal basis to process an employee's personal data is Article 22¹ Section 1 of the Labor Code, which contains a list of the data that employers may request job candidates to provide. As regards other personal data (such as an image), its processing may generally be based on the employee's consent, but it must always be checked whether the consent is genuinely voluntary.

Do employers have an obligation to inform employees?

Pursuant to Article 13(4) of the GDPR, information on the data controller, the purposes and period of data processing and the rights of data subjects (among other things) may be omitted if the data subject already has this information. It may be assumed that this will generally be true in the case of employees, because when providing data for the purposes of employment they know to whom and for what purpose they provided it.

Employers should make sure that employees receive information about their rights as data subjects, but this information may be provided in a personal data protection policy which each employee must read before starting employment.

Use of the Employee’s Image
On what terms may an employee’s/contractor’s image be used?

Generally, an employee's personal data is processed on the basis of Article 22¹ of the Labor Code, which lists the personal data that employers may request. This provision does not list an employee's image, so the employer generally needs to obtain the employee's consent to use it.

This requirement does not apply when the image is necessary for purposes connected, for example, with securing access to the establishment or publishing the image on the intranet. In such a situation the employer may invoke the controller's legitimate interest.

In practice:

It is recommended that the employee’s or contractor’s consent is granted in writing and expressly indicates the purpose and period during which the employer will use that image.

CDZ Legal Advisors owns and maintains CDZ LEGAL CARE

Information or templates contained in CDZ Legal Care do not constitute legal advice.
CDZ Legal Advisors is not responsible for the consequences of using this site without prior analysis of a specific case.

CHAJEC, DON-SIEMION I PARTNERZY sp. k. with its registered office in Warsaw
Registry Court: District Court for the Capital City of Warsaw in Warsaw, 12th Commercial Division of the National Court Register
KRS: 0000184058, NIP: 526-27-40-114