Tutorial

What should an entrepreneur know about RODO?

February 25, 2022
7 minutes reading time

RODO has been with us for almost four years now. What is personal data? What obligations does the law impose? A reminder of what a sole proprietor should know about data protection.


RODO is the Polish acronym for the EU General Data Protection Regulation (GDPR), i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. It has applied since 25 May 2018. Entrepreneurs, regardless of company size and including sole proprietors, have had to comply with its requirements; it applies to every market participant that processes personal data. Administrative fines can reach €20 million or 4% of the company's total worldwide annual turnover for the preceding financial year, whichever is higher.

As a sole proprietor you are a natural person, so your own data is protected on a par with any other individual's. Compliance has several dimensions: legal, procedural, technological and human. The last one is special, because whether personal data is processed properly depends mainly on the people who handle it.

Did you know that you deal with personal data on a daily basis?

Under the data protection regulations, personal data means any information relating to an identified or identifiable natural person. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier, or to one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity. Data from which a natural person cannot be identified by means reasonably likely to be used, because the cost, time or effort required would be disproportionate, is not personal data.

EXAMPLE

Does an e-mail address constitute personal data?

piotr.nowak@banqup.com

This e-mail address contains personal information: a first name, a surname and a place of work.

It therefore constitutes personal data, because it allows a specific person to be identified.

Misiek56@gmail.com

This e-mail address contains no name or employer.

On its own it does not identify a person, so in isolation it is not treated as personal data. Note, however, that as soon as you hold it together with other information that ties it to a specific person (an account record, an order, a signature under a contract), it becomes personal data in your systems and must be handled as such.

In what situations in your company might you encounter personal data processing?

Here are some examples:

- you sign contracts with external partners

- you are building a web portal or application with registration capabilities

- you use external databases

- you make a phone call

- you process contracts and payments

- you create reports that collect personal data

- you create access accounts

- you enter supplier data into your systems

- you collect the data of the participants of the workshops you conduct

- you send invoices and receipts to the accounting office

What does processing of personal data mean?

Any operation or set of operations performed on personal data, whether or not by automated means, such as:

- collection

- recording

- organisation

- structuring

- storage

- adaptation or alteration

- retrieval

- consultation

- use

- disclosure by transmission

- dissemination or otherwise making available

- alignment or combination

- restriction, erasure or destruction

Basic obligations of the entrepreneur

It is up to you, as an entrepreneur, to decide how and to what extent you implement your privacy policy. However, the regulation also imposes mandatory measures, first and foremost:

- you must appoint a Data Protection Officer (DPO) if your core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale, or of large-scale processing of special categories of data (e.g. health data) or data relating to criminal convictions

- in the event of a personal data breach, every controller must notify the supervisory authority (in Poland, the President of the Personal Data Protection Office, UODO) without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; when the breach is likely to result in a high risk to the persons concerned, you must also inform those persons without undue delay

- you must document your processing of personal data, i.e. keep a record of processing activities that includes the categories of data processed, the purposes of processing, the recipients, the planned retention periods, a general description of the security measures and the details of the controller; small companies with fewer than 250 employees are exempt from this record only if their processing is occasional, does not involve special categories of data and is unlikely to result in a risk to individuals, which in practice rarely applies to a business that keeps customer or employee data.

Who is a personal data controller (administrator) and what does it do?

The controller (in Polish terminology, the data administrator) is a natural person, legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data. The controller takes the decisions about the processing. Its tasks are: to demonstrate the lawfulness of processing; to maintain a record of processing activities; to assess the impact of planned processing operations before they begin where they are likely to involve a high risk; to report personal data breaches to the supervisory authority and inform the data subjects where required; to appoint a data protection officer where required; to minimise the data processed and limit how long it is stored; to fulfil the information obligations; and to respect the rights of data subjects (access, rectification, erasure, objection and the others set out in the regulation).

In a one-person company, you are the controller yourself. When you hire employees, you are obliged to train them and give them the information they need on personal data protection. Employee data is normally processed on the basis of the employment contract and the legal obligations of an employer, not on the basis of consent (consent given by an employee to an employer is rarely considered freely given); you must inform employees how their data is processed and what rights they have, and any employees who handle personal data on your behalf should receive a written authorisation and know how you administer your personal databases.

Information obligation

Informing individuals about the processing of their personal data is one of the basic duties of a controller. Only a person who has been effectively informed is able to make informed decisions about the processing of his or her personal data and to respond effectively to any irregularities. The duty to inform arises in three situations:

- when data is collected directly from the data subject

- when data is obtained from a source other than the data subject

- throughout the whole period of processing (in connection with the data subject's right of access).

Threats

The primary data security risks include:

- employees' failure to comply with data protection rules (e.g. not applying the clean desk/clear screen rule, sharing or reusing passwords, sending data to the wrong recipient)

- inadequate physical security of premises, equipment and documents

- inadequate security of IT hardware or software (unpatched systems, no encryption of laptops and backups, no access control), leading to leakage or loss of personal data.

The right to control your data

Individuals have, among others, the following rights with regard to control of the personal data they have provided to the entrepreneur:

- the right of access: on request you must confirm whether you process a person's data and, if so, provide a copy of it together with information on the purposes, recipients, retention period and source of the data; the reply is due without undue delay and at the latest within one month

- the right to data portability: an individual may receive the data they provided to you in a structured, commonly used, machine-readable format and have it transferred to another controller, where the processing is based on consent or a contract and is carried out by automated means

- the right to rectification: every individual has the right to have inaccurate data concerning them corrected and incomplete data completed

- the right to erasure (the right to be forgotten): a person can request deletion of information concerning them, for example when the data is no longer needed for the purpose it was collected for or when they withdraw consent; the request must be refused where you are legally obliged to keep the data, e.g. invoices retained for tax purposes.

Mandatory documentation

Your data protection documentation must be written in language that anyone who needs to read it can understand. The regulation explicitly requires only some documents (above all the record of processing activities, documentation of breaches, the information clauses and, where applicable, a data protection impact assessment); the rest follow from the accountability principle, under which you must be able to demonstrate compliance. Here are the documents typically maintained by an entrepreneur:

  • personal data security policy
  • inventory of information assets
  • register of concluded data processing (entrustment) agreements
  • key policy
  • record of processing activities
  • list of personal data sets processed
  • list of processing areas
  • documentation of information clauses
  • risk assessment record for paper and electronic documents
  • personal data breach handling procedure
  • documentation of the basic principles of data security and breach reporting.

The documents you need depend on the type of business, so it is worth checking which ones apply to yours. You can prepare them yourself using ready-made templates, or have them prepared by a law firm.

Start using Banqup