Information obligation in the GDPR - what changes will the new regulations introduce?


On May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC (General Data Protection Regulation) (hereinafter: "GDPR"). The information obligation in the GDPR changes the approach to dealing with personal data in a revolutionary way. By imposing, among others on personal data administrators (hereinafter: "ADO") a number of new obligations, not provided for by the previously applicable Personal Data Protection Act of August 29, 1997 (i.e. Journal of Laws of 2016, item 922, as amended) ( hereinafter: "UODO"), including the information obligation.

Informing data subjects about their processing is one of the basic obligations of PDC. But what is this obligation and why do the new regulations introduce a previously unknown approach to the issue of personal data? The answer to such questions will be given below.

What is personal data?

Before we take a closer look at the information obligation under the GDPR, we should first answer the question, what are personal data and what data identifying a person does the GDPR qualify as personal data?

In the preamble to the GDPR, we read that economic progress, as well as the development of new technologies, especially information technology, have increased the threats to the privacy zone of a person, which is his personal data, which had to result in extending the scope of the concept of personal data.

GDPR indicates that personal data includes: name and surname, identification number (i.e. NIP, PESEL or ID card number), location data, internet identifier (e.g. IP number, e-mail address) or one or several specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of a natural person, including DNA and RNA, i.e. data on the inherited or acquired genetic characteristics of a natural person.

Who does the information obligation under the GDPR apply to?

The entrepreneur, in the field of business activity, under the GDPR, will act as the administrator of personal data. The mere collection by an entrepreneur of the personal data of his clients, employees or co-workers makes it incumbent on him to ensure the security of the administration of such data, and, consequently, to apply the provisions set out in the GDPR.

The entry into force of the GDPR has the effects of, inter alia, for entrepreneurs running online stores, including those who sell goods via shopping platforms, provide electronic services, provide newsletters or sell tickets for various types of events. It can be seen at first glance that the subjective scope of application of the new regulations is very wide.

Pursuant to Art. 4 point 7 of the GDPR, PDC means both a natural person, a legal person, and another entity that independently or jointly with others determines the purposes and methods of personal data processing. Therefore, the information obligation under the GDPR rests on both entrepreneurs running a sole proprietorship and commercial law companies - both those with legal personality and limited liability companies. or S.A., as well as personal ones, i.e. general partnership, limited partnership, limited partnership and limited joint-stock partnership. It should be noted that persons performing managerial functions, i.e. members of the management board or other management personnel, do not obtain the ADO status. Only the company as such obtains the ADO status.

Information obligation - scope of information

The information obligation under the GDPR is the obligation to provide the data subject with comprehensive information on the processing of personal data.

This obligation is updated already at the stage of obtaining personal data, as well as at the stage of making a decision on their further processing. In addition, the PDC is obliged to provide information regarding the processing of personal data also at every stage of their processing, if the data subject requests the information (Article 15 of the GDPR).

The basic information obligation of PDC is specified in Art. 13 and 14 GDPR. These provisions can be used to create the following list of information that PDC is required to provide to the person whose personal data is processed:

Articles 13, 14 of the GDPR

Art. 24-25 and art. 32 UODO

1. his identity and contact details and, where applicable, the identity and contact details of his representative;

repetition with the Personal Data Protection Office


2.where applicable, the contact details of the data protection officer;

new (not in the Personal Data Protection Office)

3. purposes of personal data processing and the legal basis for processing;

as regards providing the legal basis - new (not included in the Personal Data Protection Office)

4.if processing is necessary for the purposes of the legitimate interests pursued by the administrator or by a third party - legitimate interests pursued by the administrator or by a third party;

new (not in the Personal Data Protection Office)

5.information about the recipients of personal data or categories of recipients, if any;

repetition with the Personal Data Protection Office

6. where applicable, information on the intention to transfer personal data to a third country or international organization and on the determination or failure to establish an adequate level of protection by the Commission, or in the case of transfer;

new (not in the Personal Data Protection Office)

7.the period for which personal data will be stored, and if this is not possible, the criteria for determining this period;

new (not in the Personal Data Protection Office)

8.information about the right to request the administrator to access personal data relating to the data subject, rectify it, delete or limit processing or the right to object to the processing, as well as the right to transfer data;

Restriction of processing, the right to transfer data - new (not included in the Personal Data Protection Office)

9.if the processing is based on art. 6 sec. 1 lit. a) or Art. 9 sec. 2 lit. a) - information on the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal;

new (not in the Personal Data Protection Office)

10. information on the right to lodge a complaint with the supervisory authority;

new (not in the Personal Data Protection Office)

11.information whether providing personal data is a statutory or contractual requirement or a condition for concluding a contract and whether the data subject is obliged to provide it and what are the possible consequences of not providing data;

new (not in the Personal Data Protection Office)

12.information about automated decision making, including profiling referred to in art. 22 sec. 1 and 4, and - at least in these cases - relevant information about the rules for their taking, as well as the significance and envisaged consequences of such processing for the data subject.

new (not in the Personal Data Protection Office)

In order to fulfill the above-described information obligation specified in the GDPR, the entrepreneur should carefully verify the documentation and regulations in the field of personal data processing.

The principle of transparency - in what form should the information obligation be fulfilled and by what deadline?

Art. 12 sec. 1 GDPR specifies that the information provided in relation to the processing of personal data must comply with the principle of transparency, which requires that any communication addressed to the data subject should be easily accessible and understandable, and drafted in clear and simple language. Moreover, the EU legislator assumes that the information provided with the use of graphic symbols may turn out to be more understandable and transparent for the recipient. For this reason, Art. 12 sec. 7 GDPR, it is indicated that: Information that is provided to data subjects pursuant to Art. 13 and 14, can be provided with standard graphic signs that will visibly, understandably and legibly represent the meaning of the intended processing.

The information referred to in the GDPR is provided in writing and, where applicable, in electronic form. If the data subject so requests, the information may be provided orally, provided the identity of the data subject is confirmed by other means.

Undoubtedly, the information obligation can be fulfilled already when obtaining consent to the processing of personal data. The easiest form will be to provide all the necessary information regarding the GDPR in the regulations for the provision of services or the online store. Nevertheless, the GDPR provides for a one-month period for the fulfillment of the information obligation from the moment of obtaining personal data or the moment of receiving a request for relevant information from the data subject.

Responsibility for breach of the information obligation

Although the PDC may commission the performance of obligations in the field of personal data administration, it is he who is responsible for the proper protection of personal data resulting from the provisions of law. Meanwhile, severe sanctions were provided for the failure to properly fulfill the information obligation.

Particularly noteworthy in this respect is Art. 83 of the GDPR, which specifies that breaches of the provisions on disclosure obligations are subject to an administrative fine of up to EUR 20,000,000, and in the case of a company - up to 4% of its total annual worldwide turnover from the previous financial year. It should be recognized that this is a grossly high penalty. Moreover, irrespective of this fact, GIODO will apply national regulations on sanctions for improper performance of disclosure obligations.

Considering the fact that the sanction for breach of information obligations is the risk of imposing a very high fine, it is necessary to carefully approach the newly defined obligations and prepare documentation related to the protection of personal data with the utmost diligence.