New rules for the protection of personal data - worth knowing


New rules for the protection of personal data. How will the obligations of personal data administrators change?

In May 2018, the EU General Data Protection Regulation No. 2016/679 will enter into force and will replace the Polish Personal Data Protection Act of 1997. The General Data Protection Regulation marks a revolution in the protection and processing of personal data. In addition to expanding the catalog of rights of persons whose personal data are processed, the General Regulation will also introduce significant requirements for personal data administrators, and failure to meet them may result in financial penalties of up to EUR 20,000,000.

Personal data administrator, i.e. who?

The administrator of personal data is the entity that decides on the purposes, methods and scope of personal data processing. Thus, personal data administrators may be sole proprietors, companies or state offices. Schools and foundations are also administrators of personal data. It is important that a given entity becomes the administrator of personal data already when it processes personal data of at least one person. It should also be remembered that the fact of processing personal data for non-profit purposes does not mean that a given entity will not be considered the administrator of personal data.

Personal data, or what?

According to the General Regulation, personal data is any information relating to an identified or identifiable natural person. This means that personal data is such information as names and surnames, PESEL numbers, data about the place of residence or an image (photo) of a person. It is important that only a person can have personal data. Companies, offices or associations do not have personal data, but can be their controllers.

Responsibilities of the personal data administrator in the General Regulation

General The Regulation introduces a revolution in the obligations of personal data controllers. One of the most important changes introduced by the General Data Protection Regulation is the imposition on the controller of an assessment of the risk of violating the rights and freedoms of persons whose personal data is processed. In this aspect, the personal data controller will have to take into account the nature, scope, context and purposes of the processing of personal data in order to be able to implement appropriate technical measures to ensure the security of personal data and its lawful processing. The administrator will be able to develop appropriate personal data protection policies. Unfortunately, the currently applied security policies cannot be used because they do not take into account the premises set out in Art. 24 of the General Regulation, which include the assessment of the risk of violation of the rights and freedoms of data subjects, the scope of data processing and the context of processing. It is worth emphasizing that in a situation where the personal data administrator is a large entity (employs no less than 250 people) or processes sensitive personal data, such as data on health or political views, it will be required to keep a register of personal data processing activities.

Regardless of the detailed requirements, each personal data controller will have to process personal data fairly, lawfully and in a transparent manner for the data subject.

Quality marks - a new way for the personal data controller to demonstrate the lawfulness of data processing

The General Data Protection Regulation introduces new solutions, thanks to which data controllers will be able to demonstrate that they process personal data in accordance with the law. This solution is quality marks and personal data certificates. Independent certifying bodies, after auditing the administrator, will be able to issue the administrator with an appropriate quality label.

General Regulation a challenge for administrators

The entry into force of the General Data Protection Regulation will be a challenge for all personal data administrators. Changes to the rules for the processing of personal data will require the adaptation of procedures and systems at each personal data administrator. This is especially important as the General Regulation introduces pecuniary sanctions for unlawful processing of personal data, which can be very severe, as their upper limit is EUR 20,000,000.


Łukasz Łyczkowski

Lawyer dealing with the protection of personal data