Today (January 28) we are celebrating the 15th European Data Protection Day. Undoubtedly, this is a good occasion to recall some of the key information on who should protect personal data, on what basis, and how.

What legal act regulates the matter of personal data protection in Poland?

The General Data Protection Regulation of the European Parliament and of the Council (hereinafter: GDPR) has been in force for over two years. It unified the rules for the protection of personal data throughout the European Union.

To fully implement it, the Act on the Protection of Personal Data (of May 10, 2018) was adopted in Poland. Under this Act, certain entities bear data protection obligations, and penalties may be imposed for non-compliance.

Who checks the compliance of procedures with the GDPR in Poland?

Along with the GDPR, a new office was established – the Personal Data Protection Office. Its competences include checking the compliance of all processing activities with the GDPR and Polish law, indicating defective elements of such processes, and imposing penalties for non-compliance.

What are the penalties for violating the GDPR?

The Head of the Personal Data Protection Office may impose a financial penalty of up to EUR 20 million or 4% of turnover in the case of the most serious violations (including data processing rules, the rights of data subjects, or non-compliance with the orders of the supervisory authority).

For the remaining, less serious violations, the fine can reach up to EUR 10 million or 2% of turnover (whichever is higher).

In addition to fines, the Head of the Personal Data Protection Office may issue orders to restore compliance with the GDPR, and even order the processing of data to be limited only to their storage, which may undoubtedly inhibit the company’s development and be more severe than any financial penalty.

Among the most famous penalties imposed by the Personal Data Protection Office, it is worth mentioning the penalty imposed on Morele.net sp. z o.o., which, due to a leak of customer data and failure to inform about this event on time, was fined almost PLN 3 million, and the penalty of almost PLN 2 million imposed on Virgin Mobile Polska sp. z o.o., where an inspection following a data leak found violations of numerous provisions of the GDPR, including in the area of appropriate safeguards and the regular verification of their effectiveness.

Who is required to apply the GDPR?

The EU rules on the protection of personal data apply to almost all entities that have any connection with activities in the territory of the EU Member States. GDPR must be applied by:

  • companies or entities that process personal data as part of the activities of their establishment based in the EU, regardless of where the data processing itself takes place, or
  • enterprises based outside the EU, if they offer goods or services (paid or free of charge) to, or monitor the behavior of, citizens of the European Union.

Which entrepreneurs do not have to apply the GDPR?

If an entrepreneur has its headquarters (main establishment) outside the EU and does not target its offer specifically at EU citizens, it is not subject to the regulations contained in the GDPR. However, if either of these elements exists (an establishment in the EU, or an offer addressed to EU citizens), then it is obliged to apply the EU rules on the protection of personal data.

It is not an offer to EU citizens when the entrepreneur’s customers from outside the EU merely use its services while in the EU (example: an Argentine citizen uses mobile services provided by an Argentine entity, e.g. a mobile operator, while in the EU; in this case there is no obligation to apply the GDPR).

Does the information on the processing of personal data (the information obligation) have to be translated?

The provisions of the GDPR do not introduce an obligation to translate the page containing the “information obligation” into foreign languages (including the languages of the EU countries from which potential buyers may come).

However, we need to pay attention to Recital 39 of the Regulation and its Article 12(1). According to them, the data controller (most often: an entrepreneur) should provide the person whose data is processed with information about the processing in a form that is concise, transparent, intelligible and easily accessible, using clear and plain language.

If such a page is not translated and the person to whom the offer is addressed does not speak the language used, they may be unable to read the information, which would mean that the information obligation has not been fulfilled.

Taken literally, this reasoning could mean that information obligations should be translated into every language in the world (given the global reach of the Internet). This has two major drawbacks. First – it would be a solution so expensive that only the largest entities could afford it. Second, it would mean hundreds of thousands of additional pages with a questionable number of views. So how do you get out of it?

It is generally accepted that this problem is solved in a fairly simple way: the information obligation should be translated into as many languages as the main website is available in. For example – if the website has English and German versions, the privacy policy should also be translated into these languages.

This is based on the (quite reasonable) assumption that when deciding to use a website in a specific language, the user does so responsibly, i.e. knowing and taking into account his or her own language skills. And since they can use a website in a specific language, they should also be able to read the information obligation in that language.

It is worth adding that the information obligation should be translated professionally, ensuring internal consistency, linguistic correctness, an appropriate language style and alignment with the GDPR’s terminology.

Personal data leak – what next?

Regardless of the security measures taken, there may be situations in which personal data falls into the hands of unauthorized persons. What must the entrepreneur then do? What can the affected person do?

In the event of a personal data breach, the controller (administrator) must notify the Head of the Personal Data Protection Office without undue delay, and no later than 72 hours after becoming aware of the breach (the notification can be submitted at https://www.biznes.gov.pl/en/e-uslugi/00_0889_00). In addition, if the incident carries a high risk to the rights and freedoms of the persons whose data is processed (e.g. identity theft), those persons should also be informed, together with information on what they can do in this situation.

At the same time, the persons whose data is processed, once informed about the leak, have the opportunity to take appropriate action as soon as possible – for example, change their passwords on various portals (including e-mail and online banking), or block their payment cards or ID cards (to avoid identity theft and the possible incurring of obligations from which they would later have to free themselves).

In summary, the provisions of the GDPR are meant to protect personal data that is not publicly available and whose leakage could expose individuals to serious consequences. Even when such data leaks, a quick response by the data controller and prompt information to customers can prevent its negative consequences. This is why failure to report a personal data breach is penalized much more severely than the mere fact that the leak occurred.
