What is RODO?
On May 25, 2018, the legislation on the protection of personal data in Poland came into force. Individuals have the right to have their personal data removed from any source, and firms and government institutions must make a number of changes. Failure to comply with the requirements of the law is punishable by a large monetary fine, ranging from hundreds of thousands of zlotys to millions of euros.
RODO - Rozporządzenie o Ochronie Danych Osobowych (GDPR - General Data Protection Regulation) is data protection legislation that applies in all EU countries.
This legislation applies to absolutely all companies and government organizations in Poland that collect and use the personal data of individuals. All firms that hold personal data or personal information about individuals must inform those individuals about the storage and use of this information. At the request of an individual, all of that information can be deleted from a specific organization.
This legislation has only advantages, since there should no longer be unexplained calls from various organizations, for example those that want to advertise their products or services. Each individual has the right to demand information about where a given company obtained his or her personal data.
10 important changes related to RODO
1. Financial penalties
RODO introduces financial penalties for the failure to implement and comply with the new laws on the protection of personal data.
Firms can receive fines ranging from 10 to 20 million euros or from 2% to 4% of the company's total turnover.
For state organizations, a fine of PLN 100,000 is provided.
Fines are applied proportionally to the violations committed.
2. Responsibility of the organization
The head of the company is responsible for violations of the legislation on the protection of personal data. This responsibility is direct: appointing a data protection officer in the company, or transferring this function to a third party, does not exempt the head of the company from it. The head of the enterprise is answerable both to the supervisory authority and to the courts of the relevant instances. This responsibility cannot be transferred to any of the enterprise's employees.
3. Data Protection Inspector (IOD) - New Function
The Data Protection Officer (IOD) is a new role for the person in charge in the organization, who not only deals with personal data issues but is also responsible for reporting violations to the supervisory authorities. The previously existing concept of the personal data administrator (ABI) ceases to exist.
Appointing an IOD is mandatory for legal entities that, in the course of their activities, process types of personal data whose inadequate security may lead to a violation of the rights and freedoms of individuals, for example children.
It is mandatory to appoint an IOD for:
- public state organizations: schools, state administration and municipal offices, social assistance organizations, utilities, etc.,
- firms that regularly process and store the personal data of individuals, for example telecommunications firms, advertising firms, firms that conduct various kinds of surveys, insurance companies, etc.,
- others specified by the RODO legislation.
The IOD must have knowledge of how personal data is stored in order to properly manage the storage policy of the enterprise.
4. Notice of violations within 72 hours
The IOD (Personal Data Inspector) has an obligation to notify the regulatory authorities about a breach of the security of personal data at the enterprise within 72 hours from the moment the violation occurred.
In some cases, the individuals directly affected by the incident (leak) must also be notified.
5. Register of violations
One of the changes that RODO imposes is a new obligation for the personal data inspector at the enterprise: keeping a log (register) of violations. According to the legislation, the IOD must document every violation of personal data security, the nature of the violation itself, and the actions that were taken in response.
Keeping records in this way should enable the regulatory authorities to check whether the company has complied with the RODO rules on maintaining such records, and whether the regulatory authority was notified of such violations.
6. Risk analysis
Risk analysis will be mandatory for organizations that store "high-risk" personal data. Such data includes: data relating to health (physical, mental, use of medical services), data about children, and confidential data.
7. New procedures and regulations
Developing and implementing procedures and mechanisms that ensure the security of personal data processing, and testing and assessing their effectiveness, is the responsibility of the RODO personal data inspector.
These new duties mean increased responsibility for the personal data inspector, given the lack of ready-made solutions in this area. RODO does not directly indicate which documents, procedures and policies need to be implemented. In general terms, it states that firms themselves must exercise caution and diligence in securing these processes so that no violation occurs during the processing of personal data.
8. The obligation to take inventory of information containing personal data
RODO does not require the registration of data sets that contain personal data. However, it introduces an obligation to maintain an internal register of the processing of such data, which should include the following information: the reason for processing specific personal data, a description of the categories of personal data, the register of violations, and the details of the persons responsible for processing a specific data set at the enterprise.
9. Right to delete personal data and the right to view the history of stored personal data
RODO recognizes the right of an individual to demand that organizations storing his or her personal data delete it; such a request cannot be refused.
A few details:
- “The right to be forgotten” or the right to delete personal data about oneself; this applies to information: in digital form, on paper, as well as information in backup copies,
- extended right of an individual to view his personal information, for example: the right to receive a copy of stored personal data.
10. Processing of personal data of children
The data administrator must ensure that parents can express their consent to the storage of personal data of children (this primarily applies to services on the Internet).
Documents that govern RODO issues
- European Parliament Regulation 2016/679 of 27 April 2016 concerning the protection of personal data
- An addition to the European GDPR regulations is the draft law of 13 September 2017 on the protection of personal data.