Data protection

RODO (Rozporządzenie o Ochronie Danych Osobowych), known in English as the General Data Protection Regulation (GDPR), is a regulation adopted by the European Union on the protection of natural persons with regard to the processing of personal data and on the free movement of such data. It was published in the Official Journal of the European Union L 119 on 4 May 2016 and has applied since 25 May 2018. It applies to all entities operating within the EU, from sole traders and small businesses to large multinational corporations. 

What are the penalties for non-compliance with RODO? 

The maximum administrative fine for the most serious infringements is €20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher (Article 83(5) RODO). 

General principles of data processing: 

  • Lawfulness, fairness and transparency; 
  • Purpose limitation; 
  • Accuracy and data minimisation; 
  • Storage limitation; 
  • Integrity and confidentiality; 
  • Accountability. 

Step-by-step training plan: 

     1. Learning the following concepts: 

  • profiling, 
  • personal data and biometric data, 
  • pseudonymisation; 

     2. Introducing RODO into the organisation: 

  • how to get started? 
  • what to focus on? 
  • task priorities, 
  • procedures required; 

     3. Basic tasks of the controller and the processor: 

  • legislation and principles, 
  • privacy by design and by default, 
  • the register of processing activities and of categories of processing, 
  • information duties towards data subjects; 

     4. The role of the Data Protection Officer: 

  • what qualifications the officer must have, 
  • the officer's position in the company; 

     5. The rights of individuals in relation to their data: 

  • access, erasure (the "right to be forgotten") and others, 
  • what does a personal data breach look like, and to whom must it be reported? 

How has RODO changed domestic regulation? 

  • A new Data Protection Act of 10 May 2018 (effective from 25 May 2018) came into force; 
  • The Information Security Administrator (ABI) has been replaced by the Data Protection Officer (DPO); 
  • The office of the Inspector General for Personal Data Protection (GIODO) has been abolished in favour of the President of the Personal Data Protection Office (PUODO). 

Who is affected by data protection? 

All entrepreneurs (including sole proprietorships), without distinction by number of employees, size or scope of activity (Articles 2 and 3 of the RODO). Excluded are activities that fall outside the scope of European Union law and processing carried out by a natural person in the course of a purely personal or household activity. 

What information counts as personal data? 

  • name and surname; 
  • residential address (location data); 
  • PESEL (the Polish national identification number) or another identifying number; 
  • email address; 
  • factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of an individual. 

What data is subject to special protection? 

Processing of the special categories of personal data is prohibited unless one of the exceptions in Article 9(2) applies. They include: 

  • racial or ethnic origin; 
  • health data; 
  • sexual orientation; 
  • biometric data used to uniquely identify a person. 

Basic processing operations (Article 4(2) RODO): 

  • collection; 
  • recording; 
  • consultation (viewing); 
  • adaptation or alteration; 
  • use; 
  • disclosure by transmission; 
  • dissemination; 
  • otherwise making available; 
  • alignment; 
  • combination (linking); 
  • destruction; 
  • restriction; 
  • erasure. 

Article 6 of the RODO lists the circumstances (lawful bases) under which personal data may be processed. 

Consent of the data subject is one such basis; another is that the processing is necessary for the performance of a contract to which the data subject is party. The trader must be able to show which basis applies before processing begins. 

The data controller may be a legal or natural person who: 

  • determines the purposes and means of collecting and processing the data; 
  • defines the scope of the processing; 
  • implements security procedures; 
  • performs the legal acts required of the controller; 
  • ensures the security of the data; 
  • assesses the risk of a data breach; 
  • takes into account the cost of implementing security measures. 

The Regulation states that safeguards may be organisational or technical. They should be appropriate to the scope, nature, context and purposes of the processing, and should take into account the risk to the rights and freedoms of the persons whose data is processed. 

In the Regulation (Article 32) we find the following measures that the controller should apply as appropriate to the circumstances: 

  • Ongoing confidentiality, integrity, availability and resilience of processing systems and services, at a level of security appropriate to the risk. 
  • Data backup: the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident. 
  • Encryption and pseudonymisation: processing personal data in such a way that it can no longer be attributed to a specific person without the use of additional information, which is kept separately. 
  • Regular testing, assessing and evaluating the effectiveness of the organisational and technical measures that ensure secure processing. Safeguarding is an ongoing process, constantly subject to analysis and improvement. 
  • Examples of measures: 

            organisational: 

  • a data protection manual (security policy); 
  • granting access only to authorised employees; 
  • written confidentiality undertakings from staff; 
  • clean screen and clean desk practice; 
  • issuing keys only to authorised persons; 
  • keeping a record of processing activities (businesses with fewer than 250 employees are exempt only in the cases described below); 

            technical: 

  • data encryption; 
  • protection against malware; 
  • computer network security; 
  • an authentication system requiring at least a user login and password; 
  • locked cabinets or rooms for storing information in physical form. 

It is important to remember that the exemption from keeping a record of processing activities for businesses with fewer than 250 employees does not apply when the processing is likely to result in a risk to the rights and freedoms of data subjects, when it is not occasional, or when it includes special categories of data or data relating to criminal convictions and offences (Article 30(5) RODO). 
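The pseudonymisation measure listed above is often implemented badly: replacing an identifier with a plain hash is not pseudonymisation, because a structured identifier such as a PESEL can be enumerated and the hash reversed. The example below is added here and is not part of the original page; it uses invented, constructed records (the PESEL values and names are not real people) and shows a keyed pseudonym (HMAC-SHA256) whose key is the "additional information" held separately, beside the unkeyed hash an attacker who knows only the birth date can reverse in seconds.

```python
import hashlib
import hmac
import secrets

# PESEL control-digit weights for the first ten digits (public format).
PESEL_WEIGHTS = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)


def pesel_check_digit(first_ten: str) -> str:
    """Compute the PESEL control digit for its first ten digits."""
    total = sum(int(d) * w for d, w in zip(first_ten, PESEL_WEIGHTS))
    return str((10 - total % 10) % 10)


def pesel_candidates(yymmdd: str):
    """Every syntactically valid PESEL for one birth date (10,000 serials).
    This is the whole search space an attacker needs if the birth date is
    known or guessed."""
    out = []
    for serial in range(10_000):
        head = f"{yymmdd}{serial:04d}"
        out.append(head + pesel_check_digit(head))
    return out


def unkeyed_token(pesel: str) -> str:
    """Naive 'anonymisation': plain SHA-256 of the identifier. Reversible."""
    return hashlib.sha256(pesel.encode()).hexdigest()


def keyed_token(pesel: str, key: bytes) -> str:
    """Pseudonym as HMAC-SHA256. The key is the additional information that
    must be stored separately from the pseudonymised records."""
    return hmac.new(key, pesel.encode(), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Replace the direct identifier with a keyed pseudonym and keep only the
    attributes the processing purpose needs (data minimisation)."""
    return [{"pseudonym": keyed_token(r["pesel"], key), "city": r["city"]}
            for r in records]


def crack(token: str, candidates, key=None):
    """Try every candidate PESEL against a token. Without the key this models
    an attacker; with the key it models the controller re-identifying a record."""
    for pesel in candidates:
        guess = keyed_token(pesel, key) if key is not None else unkeyed_token(pesel)
        if hmac.compare_digest(guess, token):
            return pesel
    return None


# Constructed sample data: invented identifier, not a real person. The control
# digit is recomputed so the value is a syntactically valid PESEL.
SAMPLE_PESEL = "9001011234"
SAMPLE_PESEL += pesel_check_digit(SAMPLE_PESEL)
RECORDS = [{"pesel": SAMPLE_PESEL, "name": "Anna Kowalska", "city": "Poznań"}]


def demo():
    """Run both approaches and report what each side can recover."""
    key = secrets.token_bytes(32)                   # lives in a separate key store
    pseudonymised = pseudonymise(RECORDS, key)      # what the analytics team sees
    candidates = pesel_candidates(SAMPLE_PESEL[:6])  # attacker knows the birth date
    return {
        "unkeyed_recovered": crack(unkeyed_token(SAMPLE_PESEL), candidates),
        "keyed_without_key": crack(pseudonymised[0]["pseudonym"], candidates),
        "keyed_with_key": crack(pseudonymised[0]["pseudonym"], candidates, key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The unkeyed hash is recovered from 10,000 guesses, the keyed pseudonym is not, and only the key holder can link the pseudonym back to the person. Keeping the key out of the pseudonymised dataset (a separate key store, separate access rights) is what makes this pseudonymisation rather than a relabelling.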

Who is the Data Protection Officer and when must one be appointed? 

The Data Protection Officer supports the organisation in complying with the regulations, informs the controller or processor of their obligations under the RODO, and cooperates with the PUODO. Appointing an officer is mandatory in the situations set out in Article 37 RODO, namely when: 

"the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10."