Who is affected by the GDPR, i.e. the new provisions on the protection of personal data?


By now there is hardly anyone who has not come across the term GDPR. But does everyone know what it really is, from when it applies, what obligations it imposes and whom it applies to?

What is GDPR?

The GDPR is a regulation on the protection of personal data. It is an EU regulation, so it is binding in every member state.

The GDPR clarifies some issues, sometimes introduces new concepts and, above all, replaces the provisions of the Polish Act on the Protection of Personal Data of 1997 that have applied in Poland so far.

The GDPR contains general guidelines on how personal data should be protected. It says that controllers and processors must apply appropriate technical and organisational safeguards, but it does not name specific safeguards - choosing them is the responsibility of each controller and processor. It would make no sense for the regulation to prescribe specific security measures, because very different entities are subject to it - from small sole proprietorships to large corporations. What works in a small company will be of no use at all in a large one, and vice versa.

Who is affected by the GDPR?

The GDPR applies to every business, both sole proprietorships and companies, that operates in the European Union and processes personal data. The nationality of the persons whose data is processed, where the processing takes place and where the servers are located do not matter.

Examples of entities covered by the GDPR:

  • an entrepreneur with its headquarters outside the EU but carrying out activities on EU territory,

  • entities that offer their services to clients outside the Union but have their headquarters in the territory of the Union,

  • companies processing data in the cloud - it does not matter where the servers are located,

  • an entrepreneur running an accounting office whose activity consists of doing the accounts of other companies,

  • an entrepreneur who has no establishment in the EU but offers goods or services to people in the EU (e.g. an online store).

The GDPR does not apply to people who process personal data for purely personal or household purposes, e.g. sending Christmas cards to private recipients.
An entrepreneur is therefore obliged to comply with the GDPR in relation to his clients and contractors, but does not have to apply it when sending Christmas cards to people from his private contact list.

What activities are subject to the GDPR?

The processing of personal data is subject to the GDPR. To say what the processing of personal data is, it should first be explained what personal data is.

Personal data is information that can be used to identify a specific person. Sometimes one piece of information is enough to identify someone (e.g. "the tallest person in the team"), sometimes several pieces have to be combined (e.g. first name, surname and date of birth). The same piece of data can identify a specific person in one context (e.g. a PESEL number in a commune office, where it can be matched to a record) and mean nothing in another (e.g. a PESEL number written on a loose piece of paper, with nothing to link it to).

Personal data can be divided into ordinary data - basic, "hard" facts such as first name, surname or PESEL number - and special categories of data (sensitive data), such as religious beliefs, ethnic origin, health or sexual orientation. Personal data relates to a person, not to a company: "ABC company" is not personal data, but "Marek Nowicki from ABC company" already is. Processing personal data means performing any operation on such data, e.g. collecting, recording, organising, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating, erasing or destroying it.

Who can process personal data?

Personal data may be processed by an entrepreneur either as a data controller or as a processor.

The data controller (in Polish: administrator danych osobowych, ADO) is the entity that, alone or jointly with others, determines the purposes and means of processing personal data. The controller is the business or organisation as such (a company, a sole trader, an association), not the individual employee who happens to handle the data.

Examples when the entrepreneur is the administrator of personal data:

  • employer in relation to employees,

  • the owner of the online store in relation to the customers,

  • the owner of the website in relation to people subscribed to the newsletter.

The processor is an entity that processes personal data on behalf of the controller, on the basis of a contract concluded with the controller. The controller still decides about the purposes and means of processing, but entrusts certain operations on the data to a separate entity. The processor can be a natural person or another company. Examples of processors:

  • an accounting office processing personal data that its clients have provided to it for this purpose,

  • an entity that professionally destroys personal data (e.g. shredding documents) on behalf of its clients,

  • a person carrying out recruitment on behalf of an employer.

The controller and the processor should conclude an appropriate contract, the so-called entrustment agreement (a data processing agreement), which sets out the rules for processing the data. In a given organisation, personal data is actually handled by specific natural persons - employees or associates of the controller or the processor. Such persons should hold an authorisation to process personal data and act only on the instructions of the controller or processor they work for.

When can personal data be processed?

Personal data may be processed only when there is a so-called legal basis for the processing. For entrepreneurs, the typical bases for processing ordinary data are:

  • consent of the data subject,

  • the processing is necessary to perform a contract with the data subject (e.g. an online store fulfilling orders),

  • the processing is necessary to fulfil a legal obligation of the controller (e.g. keeping accounting books),

  • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (e.g. preventing fraud, or answering a letter from the prosecutor's office).

In the case of special categories of data, the typical bases for processing are:

  • explicit consent of the data subject,

  • the processing is necessary to carry out obligations in the field of employment law and social security (e.g. employee social insurance),

  • the processing is necessary for the purposes of preventive or occupational medicine, e.g. to assess an employee's fitness for work,

  • the processing is necessary to establish, exercise or defend legal claims in court.

It is always the controller who must be able to demonstrate that it has an appropriate basis for the processing. This is a legal obligation arising from the so-called principle of accountability.

The stages of GDPR implementation in the company

The GDPR places particular emphasis on properly protecting personal data while it is being processed. Implementing the GDPR in practice means applying security measures so that data is not processed unlawfully and unauthorised persons do not gain access to it.

In other words, implementing the GDPR means putting in place measures that ensure proper protection of personal data and reduce the risk of incidents (events that expose the company to, for example, a leak of information).

To reduce this risk, the following steps are recommended:

  1. First, take an inventory of the data processed so far, i.e. look at every process in the company, every department, every computer, filing cabinet and any other place where data is kept. Such an inventory gathers all the data processed in the company in one place and establishes the purpose of processing each set. If the purpose for processing particular data has already lapsed, that personal data should be deleted or destroyed.

  2. Then, on the basis of this inventory, carry out a risk analysis: consider who has access to the data and who could gain access, and what events could lead to a data leak (threat identification).

  3. Next, assess each identified risk: how likely is the threat to materialise, and how severe would the consequences be?

  4. The final step is to identify solutions that reduce or prevent the risk from materialising - this is the definition of security measures. The GDPR does not prescribe specific protection measures; this is an individual matter for each organisation - different solutions will work in a small company than in a school. What matters is that they are effective.

By thinking about the risks well in advance, we can prevent them, because the risk analysis has already identified preventive measures. And when a given risk does materialise, we will know exactly how to respond. Planning such actions ahead of time makes our response more deliberate and more effective.

It should be borne in mind, however, that the risk-based approach requires continuous monitoring of the level of risk related to the processing of personal data. It is therefore not enough to assess the risk of a given process once and apply security measures; the level of risk should be monitored continuously as the processing continues.


When will the GDPR come into effect?

The GDPR was adopted in the European Union in April 2016 and entered into force in May 2016, so it has formally been in force since then. The regulation gave Member States and businesses a two-year transition period: its provisions apply from 25 May 2018.

25 May 2018 is the date from which the GDPR applies in full. If companies want to implement the provisions of the GDPR before that date, nothing stands in the way.

An EU regulation is similar to a Polish statute in that it is binding as written: it is binding in all Member States and directly applicable, so it does not require implementation into national law.

Unlike directives, the provisions of the GDPR do not need to be transposed into Polish law. The GDPR takes precedence over national law and is directly applicable and directly effective. Individual countries are allowed to adopt provisions that specify certain matters in more detail, so such provisions will of course also be created in Poland, but they must comply with the overriding rules, i.e. the GDPR.