GDPR, or the General Data Protection Regulation, is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. The Regulation is applicable throughout the European Union as of May 25, 2018 and binds everyone who processes personal data in connection with their business activities.
Who is subject to the GDPR?
The provisions of the General Data Protection Regulation apply to any business that collects and then uses data of individuals. Importantly, the provisions of the GDPR also apply to companies that are not based in an EU state, but offer their services to people living there. The regulations are therefore binding for large corporations with global reach as well as small businesses operating locally.
The impact of GDPR on your business
How GDPR affects the activities of a given company depends largely on its structure and the specifics of its operations. It is worth remembering that not only the personal data of customers who are natural persons are protected, but also, for example, data of persons applying for employment.
With the entry into force of the General Data Protection Regulation, new obligations have also arisen for Personal Data Administrators, who are now obliged to keep appropriate records and report any incidents involving a breach of security of personal data, defined by the GDPR as those that “lead to the accidental or unlawful destruction, loss, modification, unauthorised disclosure of or unauthorised access to personal data”. A controller has 72 hours from discovering such an incident to report its occurrence to the GIODO (The Polish Inspector General for the Protection of Personal Data). The regulation also introduces many new rights for data subjects, among them an enhanced right of access to and review of their data, and the ability to request transfer or deletion of data (“right to be forgotten”). The GDPR also introduces new procedures, among which are privacy by design and privacy by default. These changes force controllers to implement privacy by design, and privacy by default should be a fundamental component of any project involving the processing of personal data.
Warsaw: GDPR Office
Our Firm specializes in advising on and handling proceedings involving personal data processing. Responding to the needs of business clients, we advise on implementing and maintaining compliance with GDPR and provide individual counselling as part of specialist advice on GDPR. We also provide outsourcing of DPO functions.
We perform compliance audits and GDPR implementations across all market sectors, including:
1. comprehensive GDPR compliance audits;
2. partial audits (GDPR documentation audit, audit of DPO activities, audit of specific areas/sectors, website and mobile application audits);
3. implementing the changes indicated in the audit results – developing appropriate internal procedures related to personal data protection.
We prepare GDPR documentation, including but not limited to:
2. personal data protection policy;
3. retention policy for personal data depending on the legal basis for processing;
4. the procedure for handling data subjects’ requests;
5. data processing entrustment agreement, register of personal data breaches, register of personal data processing activities, register of categories of processing activities, information clauses, consent clauses.
If you are interested in legal advisory regarding the processing of personal data or in handling proceedings that result from incorrect or unlawful processing of personal data, please contact us. We will be happy to answer all your questions and help you implement effective legal solutions in this area. We operate not only in Warsaw – we welcome clients from all over Poland.