6 most frequently asked questions about the GDPR and brief answers


Although the General Data Protection Regulation, in short, GDPR, entered into force on May 25, 2018, new questions related to it still arise. What is still a problem for entrepreneurs? What questions are most frequently asked? Read our article in which we answer the 6 most frequently asked questions about the GDPR!

1. What is the GDPR and when is it effective?

The GDPR is the General Data Protection Regulation, applied in all European Union member states. The legal basis for the introduction of the GDPR is Art. 16 sec. 2 of the Treaty on the Functioning of the European Union. The GDPR was adopted by the European Parliament and the Council of the European Union in April 2016.
The regulation lays down detailed rules for the processing, use and storage of personal data and imposes many new obligations on entities that process data of natural persons in any way.

Legal regulations related to the GDPR must be implemented from May 25, 2018.

2. What is personal data and what does processing mean?

To begin with, let's explain what exactly we can consider personal data and their processing.

Definition 1.
Personal data means information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, location data, internet identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person.

In order to decide whether we are dealing with personal data, it is therefore necessary to analyze whether the information we use makes it possible to identify the natural person in an easy and quick way (e.g. using the Internet), without incurring significant costs.

Examples of personal data are:

  • first name and last name,

  • PESEL,

  • ID number,

  • address,

  • e-mail address,

  • phone number.

Definition 2.
Processing means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, structuring, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, disseminating or otherwise sharing, matching or combining, limiting, deleting or destroying.

3. Who is affected by the new legal regulations?

The provisions related to the GDPR apply to all entities collecting and processing data of natural persons.

Definition 3.
The personal data controller is a natural or legal person, public authority, agency or other body that independently or jointly with others determines the purposes and means of processing personal data.

The personal data controller (also called the personal data administrator) is therefore responsible for the selection and practical application of appropriate organizational and technical solutions ensuring the protection of natural persons' data within the meaning of the new regulation.

In the case of sole proprietorships, the personal data controllers are the entrepreneurs themselves.

Definition 4.
The processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.

As we can see, the controller and the processor can also be an entrepreneur running a sole proprietorship, as long as he processes the data of his clients or employees.

4. How to secure data in the context of GDPR?

The new legal regulations do not define specific activities that should be applied by entrepreneurs; they only define a set of rules that should be followed. Personal data should be processed in a manner ensuring appropriate security and confidentiality, including protection against unauthorized access to the data and to the equipment used for processing it, and against unauthorized use of that data and equipment.

The implementation of the GDPR for each company is an individual matter, because many aspects related to the processing of personal data must be taken into account. The specificity of the business has a significant impact on the way the GDPR is applied to a specific organization. Therefore, each entrepreneur should select appropriate organizational and technical solutions that guarantee adequate protection of personal data.

Guidelines ensuring the protection of personal data include:

  • pseudonymization and encryption of personal data,

  • the ability to continuously ensure the confidentiality, integrity, availability and resilience of processing systems and services,

  • the ability to quickly restore the availability of personal data and access to them in the event of a physical or technical incident,

  • regularly testing, measuring and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

5. What is the purpose of the introduced changes and what rights do natural persons gain?

The main purpose of the GDPR is to unify the regulations related to the protection of personal data in force in the European Union and to confirm the position that the protection of personal data is the overriding right of every citizen.

The natural person whose data is processed gains, inter alia, the following rights:

  • the right to access data,

  • the right to rectify or supplement data,

  • the right to object to data processing,

  • the right to transfer data,

  • the right to be forgotten,

  • the right to claim compensation.

6. What are the sanctions for non-compliance with the GDPR?

The new legal regulations provide for severe penalties, so every entrepreneur collecting and processing data of natural persons should carefully analyze the General Data Protection Regulation.

Breaking the provisions may result in criminal, administrative and civil liability. The foreseen financial penalties amount to EUR 10 million or 2 percent of the company's annual global turnover achieved in the previous financial year and, in the event of a specific breach of regulations, up to EUR 20 million or 4% of turnover.