Protection of personal data when accounting for subsidies


Polish law defines strict rules of conduct when processing personal data, i.e. performing any operations on this data (such as collecting, recording, storing, processing, changing, sharing and deleting them). And what does the protection of personal data look like when accounting for subsidies, when a necessary element in the application for EU or Polish funding is to provide your personal data?

What are personal data and sensitive data?

The definition of personal data can be found in art. 6 of the Act on the Protection of Personal Data (which will soon be adapted and replaced by the EU Regulation on the Protection of Personal Data - GDPR).

Article 6 of the Personal Data Protection Act (UODO)

1. Within the meaning of the Act, personal data shall be any information relating to an identified or identifiable natural person.

2. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social characteristics.

3. Information shall not be considered as making it possible to identify a person if it would require excessive costs, time or activities.

Based on the above article, we can see that the personal data includes such data as, for example, PESEL, fingerprints, DNA, date of birth, e-mail (if it specifies a given person) - that is, information or a set of information that uniquely identifies and recognizes a specific person (entity). Not always a single piece of information is personal data (e.g. surname), but in combination with others (e.g. with the date of birth) - it is protected as personal data.

Sensitive data - this is information about your personal life. They are listed in Art. 27 uodo, which says that: "It is forbidden to process data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or union affiliation, as well as data on health, genetic code, addictions or sexual life, and data regarding convictions, sentences and penal fines (...) ", and the GDPR (in Article 9) will extend this catalog with philosophical beliefs and biometric data.

Processing of personal data by designers

Pursuant to Art. 7 of the Personal Data Protection Act, the processing of personal data means "any operations performed on personal data, such as collecting, recording, storing, developing, changing, sharing and deleting, especially those performed in IT systems".

When filling in the application for funding, it is necessary to provide your personal data - it is necessary for the purposes of project implementation, granting funding. These data are automatically collected and stored by the entity that grants the grant - it is the data controller, because it decides about the purposes and means of data processing. In addition to the data controller, their recipient (sometimes called the processor), i.e. the entity to whom the data has been made available, should also be distinguished. The processor is most often the project coordinator or an intermediary body.

Example 1.

When the voivodeship marshal grants co-financing to companies from EU funds, the voivodeship is the recipient of the data and the EU body is the administrator.

In order for the project initiator to collect and process personal data in accordance with the law, the consent of the data subject is necessary for their processing. Such a clause, i.e. consent, should be included in the grant application. Other legal bases that allow to legally collect and process personal data are:

  • a relevant provision in the Personal Data Protection Act,

  • the need to provide data in connection with the concluded contract,

  • public good,

  • legally justified purpose of the administrator.

In most EU projects, the data controller is the entity distributing the funds, and the beneficiary (the entity implementing financial projects from the EU budget under a grant agreement) acts as a processor. The processor (e.g. project manager) may process data at the request of the administrator on the basis of an entrustment agreement, therefore it is the processor's duty to ensure that contracts for entrusting the processing of personal data are signed and that the entities applying for co-financing consent to the processing of personal data for the purposes necessary for the implementation project.

Start a free 30-day trial period with no strings attached!

Information obligation

The coordinator of the project under which the grant is granted is obliged to inform the applicant participants about who the data controller is, provide its address, the purpose of data processing and indicate the entities to which the data may be made available. The information should also contain content about the possibility of accessing your data and correcting it.

The interested persons have the right to obtain information on the processing of their personal data also on the basis of the submitted question or request. They may ask to what extent personal data are processed and where they come from. The response for which the processor (e.g. project coordinator) has 30 days should be provided in an easily understandable form. If the questioner does not receive an answer in due time - a complaint may be submitted to GIODO.

Data security, i.e. proper protection of personal data

Adequate protection of personal data is the most important responsibility of the project manager. There are three types of security:

  • physical,

  • technical,

  • organizational.

Physical security is limiting access to data, e.g. by using armored cabinets, window bars or alarms.

Technical security is security in information systems, ranging from computers to appropriate programs in the clouds.

Organizational safeguards include appropriate documentation, i.e. information security policy and instructions for managing IT systems used for data processing.

Detailed guidelines regarding data security are included in the regulation on personal data processing documentation and technical and organizational conditions to be met by devices and IT systems used to process personal data.

In addition to adequate data protection, the staff and the team should also be trained in the field of personal data protection in order to ensure comprehensive and lawful protection of personal data.