RODO (Data Protection Regulation, or General Data Protection Regulation, GDPR) is a set of rules adopted by the European Union on the protection of natural persons. It concerns the processing of personal data and its free movement. It was published in the Official Journal of the European Union L 119 on 4 May 2016 and entered into force from 25 May 2018. It applies to all entities operating within the EU, from small businesses to large multinational corporations.

What are the penalties for non-compliance with RODO?

The maximum penalty is €20,000,000. Dishonest companies are to pay up to 4% of their total annual worldwide turnover for the previous year (Article 83(5)(a) RODO).

Employees learn the new regulation

General principles of data processing:

  • Legality, transparency and integrity
  • Purpose limitation of processing
  • Correctness and minimisation
  • Storage restrictions
  • Confidentiality and integrity
  • Accountability

Step-by-step training plan:

1. Learning the following concepts:

  • profiling
  • personal and biometric data
  • pseudonymisation

2. Introducing RODO into the organisation:

  • how to get started?
  • what to focus on?
  • priorities of tasks
  • procedures required

3. Basic tasks of the controller and data processor:

  • legal provisions and principles
  • privacy by design and by default
  • register of processing activities and categories
  • obligations to provide information

4. The role of the Data Protection Officer:

  • what qualifications he/she has
  • position in the company

5. Rights of individuals in relation to their data:

  • access, forgetting and others
  • what does a data breach look like? To whom do you report violations?

How has RODO changed domestic regulation?

  • The new Data Protection Act of 10 May 2018 came into force (effective from 25 May 2018)
  • The Information Security Administrator (ABI) has been replaced by the Inspector of Personal Data Protection (IODO)
  • The institution of the Inspector General for Personal Data Protection has been abolished in favour of the President of the Office for Personal Data Protection (PUODO)

Who is affected by data protection?

All entrepreneurs (including sole proprietorships), without distinction by number of employees, size or scope of work (Article 2 and Article 3 of the RODO). Excluded are activities not covered by European Union law and individuals performing domestic or personal activities.

What information are they linked to?

  • name
  • residential address (location)
  • PESEL or other identifying number
  • email address
  • factors defining the physiological, physical, genetic, mental, economic, social or cultural identity of an individual.

What data must not be processed?

Specially protected data, such as:

  • racial origin
  • health
  • sexual orientation
  • biometric data

The inspector checks compliance with procedures

Basic operations:

  • collection
  • recording
  • preview
  • modification
  • use
  • disclosure
  • dissemination
  • sharing
  • alignment
  • linking
  • destruction
  • limiting
  • removal

Article 6 of the RODO lists a number of circumstances authorising the processing of personal data.

The trader is obliged to obtain the data subject's consent to the processing, or may process the data when this is needed for the performance of a contract.

The data controller may be a legal or natural person who:

  • implements security procedures
  • determines the manner and purpose of acquisition and processing
  • defines the scope of
  • implements legal acts
  • provides security
  • assesses the risk of a data breach
  • takes into account the cost of security features

The Regulation states that safeguards can be organisational or technical. They should be related to the scope, nature, context and purpose of the processing, and should also take into account the risk of infringement of the freedoms and rights of the persons who provided the data.

In the DPA, we find the following guidelines that can be used by the controller in appropriate circumstances:

  • Continuously ensure integrity, confidentiality, availability, resilience of processing systems and services - the level of security should be the same.
  • Data backup. Ability to restore the availability of personal data also in the event of a technical or physical incident.
  • Encryption and pseudonymisation - processing personal information so that it cannot be identified and attributed to a person, without access to other information.
  • Conducting regular tests, checking and measuring the effectiveness of organisational or technical measures that ensure secure processing. Safeguarding is an ongoing process, constantly undergoing analysis and improvement.
  • Safe measures:

    • protection instructions
    • allowing only authorised personnel and a commitment to confidentiality
    • clean screen and desk practice
    • issuing keys to authorised persons
    • recording of processing activities, except for businesses employing fewer than 250 persons

    • data encryption
    • protection against malware
    • computer network security
    • authentication system with the need to enter a user login and password
    • cabinets or rooms for storing information in physical form
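
The pseudonymisation measure from the list above, shown as an added example that is not part of the original page: direct identifiers are dropped and replaced with a keyed HMAC-SHA256 token, so a record cannot be attributed to a person without the separately stored key. The field names, the helper functions and the sample records are assumptions made for illustration, and all sample values are constructed.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Direct identifiers listed on this page (hypothetical field names).
DIRECT_IDENTIFIERS = ("name", "address", "pesel", "email")


def make_key() -> bytes:
    """Create the pseudonymisation key; keep it apart from the data set."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, pesel: str) -> str:
    """Keyed token for one identifier.

    A plain hash is not enough here: an 11-digit number can be enumerated,
    so the secret key is the 'other information' needed to link a record."""
    return hmac.new(key, pesel.strip().encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Return a copy with direct identifiers replaced by a single token."""
    if not record.get("pesel"):
        raise ValueError("record has no identifier to derive a pseudonym from")
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
    out["subject_id"] = pseudonym(key, record["pesel"])
    return out


def reidentify(row: dict, key: bytes, register: list) -> Optional[dict]:
    """Key holder only: find the source record behind a pseudonym."""
    for original in register:
        if hmac.compare_digest(pseudonym(key, original["pesel"]), row["subject_id"]):
            return original
    return None


# Constructed sample records (not real persons; identifiers are made up).
REGISTER = [
    {"name": "Jan Example", "pesel": "00000000001", "email": "jan@example.com",
     "address": "Example St 1", "order_total": 120},
    {"name": "Anna Sample", "pesel": "00000000002", "email": "anna@example.com",
     "address": "Sample St 2", "order_total": 75},
]

if __name__ == "__main__":
    key = make_key()
    for source_row in REGISTER:
        print(pseudonymise(source_row, key))
```

The same person always maps to the same `subject_id` under one key, so the pseudonymised rows can still be joined and analysed, while re-linking them to a person requires both the key and the original register.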

It is important to remember that the generation of data involves a risk of violation of freedoms or rights. It is not sporadic, and includes sensitive data or data relating to legal violations and convictions.

Who is the Data Protection Officer and when is he or she appointed?

The Data Protection Officer supports companies in complying with the regulations, provides information on the obligations related to RODO to the processor or controller and, in addition, cooperates with PUODO. The obligation to appoint an inspector arises in certain situations under Article 37 RODO, when:

  • "processing shall be carried out by a public authority or body, with the exception of the courts in the exercise of their judicial functions;
  • the core activities of the controller or processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or processor consist in the processing on a large scale of special categories of personal data referred to in Article 9(1) and of personal data relating to criminal convictions and offences as referred to in Article 10.".