Taking the above into account, the question should be asked: why is personal data so important, especially for modern businesses still in the startup phase? One obvious answer concerns the potential penalties that may be imposed by a specially appointed authority, the President of the Data Protection Office. A natural consequence of accepting this status quo is the need for a so-called “GDPR (RODO) implementation”. While this is true, it should be pointed out that addressing personal data protection early enough not only spares the entrepreneur the need to modify an existing model of data processing in the business, but, if approached consciously, also (surprisingly!) makes it possible to improve the functioning of the business and to introduce mechanisms that play an important role in other areas as well, such as cyber security. But let us start from the beginning…
In order to understand the importance of personal data protection in the startup community (and not only there), it is necessary to begin by explaining the term “personal data”. According to Article 4(1) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter “GDPR/RODO”), “personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Although this definition is not very complicated, the catalogue of information that could potentially constitute personal data is very broad. A common problem that entrepreneurs face is the need to determine whether the information they hold is in fact personal data. To simplify the matter, a working assumption can be adopted: if there is doubt whether a particular piece of information or a set of information constitutes personal data, it is safer to assume that it does. Of course, a caveat is needed here: such an assumption will not be justified, let alone beneficial for the entrepreneur, in every case. Nevertheless, in most cases this assumption is correct.
The second key issue related to the protection of personal data is the term Controller of Personal Data (hereinafter the “Controller”). According to Article 4(7) of GDPR/RODO, “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by EU law or Member State law, the Controller may also be nominated by EU law or Member State law, or the specific criteria for its designation may be provided for by such law. In practice, this will usually be the entity that collects personal data and then uses it for its own purposes, such as business purposes, marketing, etc.
CAN I PROCESS ANY CATEGORY OF PERSONAL DATA?
Entrepreneurs have to remember that while the processing of personal data is a common and unavoidable process in the era of progressive digitisation, the processing of certain data is subject to significant limitations under the GDPR/RODO. Pursuant to Article 9 section 1 of the GDPR/RODO, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning health, sex life or sexual orientation of that person, is prohibited. Exceptions to this principle are provided for in Article 9 sections 2 and 3 of the GDPR/RODO. One example is the case where the processing of personal data is necessary to protect the vital interests of the data subject or of another natural person, and the data subject is physically or legally incapable of giving consent (e.g. the processing of personal data of an unconscious patient for whom an ambulance has been called). In addition, it is important to note that the processing of personal data relating to criminal offences and criminal convictions or related security measures on the basis of Article 6 section 1 of the GDPR/RODO may only be carried out under the supervision of public authorities or if the processing is permitted by EU law or Member State law providing appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the supervision of public authorities (Article 10 GDPR/RODO).
PRINCIPLES AND OBLIGATIONS OF ECONOMIC OPERATORS WITH REGARD TO THE PROCESSING OF PERSONAL DATA
The key provision here is Article 24 section 1 of the GDPR/RODO, which states that, taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and seriousness for the rights and freedoms of natural persons, the Controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is carried out in accordance with this GDPR/RODO. These measures shall be reviewed and updated where necessary. As follows from the above, the main obligation of the Controller is, on the one hand, to ensure that personal data are processed in compliance with the GDPR/RODO and, on the other hand, to be able to demonstrate such compliance. It should be remembered that this issue of accountability is crucial from the point of view of the entrepreneur’s interests in the event of a data protection incident or an inspection by the Office for Data Protection.
In order to ensure the compliance of personal data processing with the GDPR/RODO, entrepreneurs are obliged to comply with the principles of personal data processing indicated in Article 5 of the GDPR/RODO. Personal data must be:
- processed lawfully, fairly and in a manner transparent to the data subject (“lawfulness, fairness and transparency”);
- collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; further processing for archiving purposes in the public interest, for scientific or historical research purposes or for statistical purposes shall not be considered under Article 89 section 1 as incompatible with the original purposes (“purpose limitation”);
- adequate, relevant and limited to what is necessary for the purposes for which they are processed (“data minimisation”);
- accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data which are inaccurate in the light of the purposes for which they are processed are immediately erased or rectified (“accuracy”);
- kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed; personal data may be kept for longer periods insofar as the data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes pursuant to Article 89 section 1, provided that appropriate technical and organisational measures required by this GDPR/RODO to protect the rights and freedoms of data subjects are implemented (“storage limitation”);
- processed in a manner which ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, by means of appropriate technical or organisational measures (“integrity and confidentiality”).
As mentioned above, the legal regulations impose numerous obligations on entrepreneurs that are meant to ensure that data are handled in accordance with the aforementioned principles. Basically, the Controller’s duties related to personal data protection can be divided into three main categories: duties to ensure personal data security, duties towards the data subjects, and duties towards the competent supervisory authority.
The fulfilment of duties related to personal data security consists mainly in:
- developing documentation ensuring personal data protection, including the security of its processing (procedures, policies, etc.);
- analysing and verifying personal data processing processes;
- implementing appropriate technical and organisational solutions in the company;
- concluding personal data processing entrustment agreements (data processing agreements) in justified cases;
- granting authorisations to process personal data, and keeping the list of persons authorised to process personal data up to date;
- periodic training for employees and co-workers.
The security of personal data processing is regulated separately in Article 32 section 1 of the GDPR/RODO, according to which, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and seriousness for the rights and freedoms of natural persons, the Controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, among others and where appropriate:
- pseudonymisation and encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services;
- the ability to rapidly restore availability of and access to personal data in the event of a physical or technical incident;
- regular testing, measuring and evaluating of the effectiveness of the technical and organisational measures to ensure security of processing.
It should be noted that the measures listed above form an open catalogue. In order to properly determine whether the enterprise maintains an adequate level of security of personal data processing, appropriate verification activities are necessary, including a risk analysis, which will be the subject of a separate article in this series.
Entrepreneurs should also remember that their duties include proper documentation of personal data breaches and, in certain cases, notification of such a breach to the President of the Office for Personal Data Protection.
It should be remembered that pursuant to Article 1 section 2 of the GDPR/RODO, this regulation protects the fundamental rights and freedoms of natural persons, and in particular their right to the protection of personal data. Therefore, there is no doubt that the key issue in fulfilling the obligations imposed on entrepreneurs by the particular provisions of the GDPR/RODO is proper compliance with their obligations towards the natural persons whose data are processed. Simplifying once again, the most important obligations of entrepreneurs in this respect include:
- proper fulfilment of the information obligations referred to in Articles 13 and 14 of the GDPR/RODO;
- giving effect to the rights of natural persons guaranteed by law, including:
  - the right to rectification of personal data,
  - the right to erasure of personal data,
  - the right to restriction of processing of personal data,
  - the right to personal data portability;
- taking appropriate action following notification of withdrawal of consent by the data subject;
- notification of a personal data breach to the data subject (if the prerequisites set out in the GDPR/RODO are met);
- analysis and fair consideration of an objection raised by the data subject and, where the prerequisites specified in the GDPR/RODO for further processing of that data subject’s personal data are not met, erasure of the personal data.
As the above shows, numerous obligations have been imposed on entrepreneurs under generally binding law. It is worth bearing in mind that failure to implement a proper procedure for processing personal data and to comply with the aforementioned principle of accountability may result in far-reaching negative consequences for the entrepreneur, including financial ones. Pursuant to Article 101 of the Act of 10 May 2018 on personal data protection (consolidated text: Dz. U. z 2019 r., poz. 1781), the President of the Office may, by way of a decision, impose an administrative fine on an entity obliged to comply with the provisions of Regulation 2016/679, other than: 1) a unit of the public finance sector, 2) a research institute, 3) the National Bank of Poland, on the basis and under the conditions set out in Article 83 of Regulation 2016/679. These fines may reach up to EUR 20,000,000 or 4% of the entity’s total annual worldwide turnover from the previous financial year. Therefore, from the point of view of legal and economic security alone, it is already worthwhile to ensure the correct processing of personal data in an enterprise.
Many entrepreneurs also wonder why, when creating a modern business, it is worth thinking about the so-called GDPR/RODO implementation, arguing that it will only be reasonable to take care of these issues once the business has developed. It is impossible to agree with such a conclusion. First of all, it should be noted that as soon as an entrepreneur obtains, collects and further processes personal data, he or she should meet the requirements of the GDPR/RODO. Apart from the legal requirements, it should be emphasised that in the event of a potential data leak, an entrepreneur who lacks adequate procedures, policies and methods of data processing loses the opportunity to enter into a discussion with the Office for the Protection of Personal Data regarding sanctions. On the other hand, it is much easier (and most probably also cheaper) to design personal data protection solutions at the stage of creating an enterprise, developing applications or designing new functionalities for existing tools. Such action is in line with the principle of privacy by design set out in Article 25 section 1 of the GDPR/RODO, which states that, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and seriousness for the rights and freedoms of natural persons posed by the processing, the Controller shall, both at the time of the determination of the means of processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, designed to implement the data protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
It also seems that adopting the above approach avoids many additional complications that usually arise at a later stage of an enterprise’s operation. It is easier, at an early stage, to assess the impact of planned personal data processing operations or to introduce a register of personal data processing activities than to prepare these documents at the moment when the enterprise already carries out hundreds or thousands of personal data processing operations.
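The two technical measures the GDPR/RODO itself names, pseudonymisation (Article 32 section 1 and Article 25 section 1) and data minimisation (Article 5 section 1 and Article 25 section 1), are easiest to build in at the design stage, exactly as the paragraphs above argue. The following Python example is added here as an illustration and is not part of the original article or of any particular product: it shows a sign-up record being reduced to the fields a hypothetical newsletter-statistics purpose needs, with the e-mail address replaced by a keyed HMAC token so that events from the same person can still be counted together without a direct identifier reaching the analytics store. The record, the field names and the purpose are constructed for the example; the key-handling comments state the assumption that the key is stored separately from the pseudonymised data.

```python
import hashlib
import hmac
import secrets

# Constructed sample record, as a sign-up form might collect it (not real data).
SAMPLE_RECORD = {
    "email": "Anna.Kowalska@Example.com",
    "full_name": "Anna Kowalska",
    "date_of_birth": "1990-04-12",
    "newsletter_opt_in": True,
    "signup_ts": "2024-01-15T10:23:00Z",
    "favourite_colour": "blue",
}

# Fields that the hypothetical purpose (newsletter cohort statistics) actually needs.
# Everything else is dropped at ingestion: data minimisation (Article 5 section 1).
ANALYTICS_FIELDS = frozenset({"newsletter_opt_in", "signup_ts"})


def generate_pseudonymisation_key() -> bytes:
    """256-bit random key. Assumption: it is kept separately from the
    pseudonymised data set (e.g. in a secrets manager), because whoever
    holds it can link tokens back to identifiers by recomputing them."""
    return secrets.token_bytes(32)


def pseudonymise_identifier(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 of a normalised identifier.

    Normalisation (trim + lowercase) makes 'a@x.com' and ' A@X.com' map to the
    same token so statistics stay consistent. A keyed MAC is used rather than a
    plain hash because an unkeyed hash of an e-mail address can be matched by
    hashing candidate addresses; without the key, the token cannot be reversed."""
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise_record(record: dict, key: bytes,
                        identifier_field: str = "email",
                        allowed_fields: frozenset = ANALYTICS_FIELDS) -> dict:
    """Return a record containing only the allowed fields plus a subject token.

    Direct identifiers (e-mail, name, date of birth) never reach the analytics
    store; the token lets events from the same person be counted together."""
    minimised = {k: v for k, v in record.items() if k in allowed_fields}
    minimised["subject_token"] = pseudonymise_identifier(record[identifier_field], key)
    return minimised


def contains_direct_identifiers(record: dict,
                                identifier_fields=("email", "full_name", "date_of_birth")) -> bool:
    """Guard usable as a unit test or an ingestion check: does a record that is
    about to be written to the analytics store still carry a direct identifier?"""
    return any(field in record for field in identifier_fields)


if __name__ == "__main__":
    key = generate_pseudonymisation_key()
    out = pseudonymise_record(SAMPLE_RECORD, key)
    print(out)
    print("direct identifiers left:", contains_direct_identifiers(out))
```

Two design points follow from the regulation rather than from the code: the key, not the algorithm, is what makes the data pseudonymous, so it must be protected and rotated under the same accountability regime as the rest of the processing; and the allowed-field set documents the purpose limitation in a form that can be reviewed and shown to an auditor, which is the kind of demonstrable measure Article 24 requires.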
Compliance of an enterprise with data protection regulations requires not only taking appropriate measures, but also (or especially) changing its mindset towards personal data protection. While at the beginning it may seem like an abstraction, proper implementation of the GDPR/RODO in a business allows, in the long run, better business management and control over significant personal data processing processes, which is something every modern entrepreneur should care about.