GDPR in the company – the most important rules
The GDPR, the EU General Data Protection Regulation, has reshaped the principles of personal data protection in many respects and has at the same time become synonymous with a set of formalities that every entrepreneur processing personal data must satisfy. Failing to comply with them, or implementing them incorrectly, carries far-reaching sanctions, primarily financial ones.
What is ‘data processing’?
It is impossible to apply the GDPR correctly, together with the Polish Act on Personal Data Protection that supplements it, without understanding what "processing of personal data" means.
Unfortunately, in practice the term is often misunderstood. One reason is that in everyday language "to process" data suggests actively doing something with data that has already been collected.
The legal meaning, as defined by the EU and Polish legislator, is much broader. Processing covers the collection of data itself, as well as its recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (Art. 4(2) GDPR).
In a word: practically any operation performed on personal data, i.e. on information relating to an identified or identifiable natural person.
Who is the controller and who is the processor?
Responsibility for processing personal data correctly always rests primarily with two entities: the controller and the processor.
The controller is the natural or legal person, an organisational unit which has legal capacity but no legal personality, a public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
The processor, by contrast, is the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
It is worth emphasising that correctly determining the relationship between the controller and the processor may be decisive for who is liable for any neglect of the obligations in this area.
That relationship should therefore be set out in writing, for example in a data processing agreement; the GDPR in fact requires that processing by a processor be governed by a contract or other legal act binding the processor to the controller (Art. 28(3) GDPR).
GDPR: what must not be forgotten?
From the perspective of applying the GDPR properly in a company, the key issue is ensuring the security of the data being processed, i.e. putting in place appropriate technical and organisational measures (Art. 32 GDPR).
In practice this primarily means:
- securing personal data properly against access by unauthorised persons, and in particular against theft;
- using the data only for the purposes to which the data subject has consented or for which another legal basis exists;
- allowing the data subject to exercise his or her rights, including the rights of access and rectification and the right to withdraw consent to processing.
Given the serious sanctions that may be imposed on entrepreneurs for violating the rules on processing personal data, the matter should be approached with great care, scrupulously fulfilling the obligations arising from the GDPR and from the Polish Act on Personal Data Protection.
It is therefore worth implementing dedicated procedures in the company and monitoring compliance with them on an ongoing basis. Bear in mind that the higher the risk to the persons whose data is processed, the more effort must go into reducing it.
Appropriate data protection measures must not be neglected when the business grows either, since growth very often means obtaining, and thus processing, the personal data of new customers.
This frequently requires adapting the procedures adopted in the company to the growing volume of data.
In every case, appropriate training of employees must not be forgotten, with particular emphasis on those who directly handle personal data.