1. What is RODO?
RODO, the Personal Data Protection Regulation, also known as the General Data Protection Regulation (GDPR), is Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC. It is a set of rules that tell businesses and consumers what they are entitled to regarding private information and how it should be handled.
2. What is RODO for?
Data regulations are there to protect your privacy. You have the right to use your own data in any way you want. Likewise, other people's data that you do not use for business or professional purposes is not covered by the regulations. RODO only starts to apply when data is processed for professional, business, commercial or official purposes. RODO is a Regulation of the European Parliament and of the Council, a legal act of the European Union which is directly applicable in every EU country. This means that in Poland it applies just like any national law. RODO replaced the old Polish Data Protection Act of 1997. RODO spells out rules for handling data, the rights and obligations of controllers and processors, and even rules for imposing financial penalties for violations of the law. Only some issues may now be decided by national legislators in their own laws. That is why a new Law on Personal Data Protection (dated May 10, 2018) was passed in Poland. However, our rights and obligations, and the knowledge of how to organize data processing, are not found there; all of this is already defined by RODO. As a result, all EU countries must apply the same principles and measures to protect personal data.
3. What is personal data?
Personal data (Article 4(1) RODO) means information about an identified or identifiable natural person ("data subject"). An identifiable natural person is one who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person. Personal data is all data that pertains to a specific individual - from name and surname, PESEL number included in an identity document, through an e-mail address to the data on a business card. Personal data can also be a fingerprint, IP address, login to an online portal or phone number.
4. What are special categories of personal data?
Special categories of personal data are a group of sensitive data that are subject to special processing and protection rules. These are data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, and data concerning health, sex life or sexual orientation. Processing of special categories of personal data is prohibited unless, among other things: the data subject has given explicit consent to the processing of such personal data; the processing is necessary for fulfilling obligations and exercising specific rights of the controller under labor, social security and social protection law; the processing is necessary for the establishment, exercise or defense of legal claims or in the administration of justice; or the processing is necessary for archival purposes in the public interest, for scientific or historical research or for statistical purposes.
5. What is personal data processing?
Processing personal data is any activity that we perform with personal data, an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, structuring, storing, adapting or modifying, retrieving, viewing, using, disclosing by transmission, dissemination or otherwise making available, matching or linking, limiting, deleting or destroying.
6. Who is a Personal Data Controller (ADO)?
The Administrator of Personal Data is an individual or legal person, public authority, entity or any other entity that alone or jointly with others determines the purposes and means of processing personal data. The Administrator of Personal Data processed by TruckSystems.pl Sp. z o.o. with its headquarters in Rzeszow 35-317, Zakątkowa 10 Street is Tomasz Kaminski phone: 667 687 573 e-mail: service@etrucksystems.com.
7. What is lawful processing of personal data?
Lawful processing of personal data means processing personal data in compliance with the law. For the processing of personal data to be lawful, one of the following prerequisites should be met:
- the data subject has consented to the processing of his/her personal data;
- processing is necessary for the performance of a contract or for pre-contractual activity;
- processing is necessary for the fulfillment of a legal obligation incumbent on the controller;
- processing is necessary to protect the vital interests of the data subject or of another natural person.
8. What is an information obligation?
Compliance with the information obligation is a fundamental obligation under the RODO (Articles 13 and 14 of the RODO). The fulfillment of this obligation ensures transparency in the processing of personal data by the controller, and the possibility for the personal data subject to exercise control over the scope of the data provided to the controller and verify that it is processed in accordance with the requirements of the law.
9. What do the information clauses contain?
Information clauses must be prepared in an understandable, concise and clear form. There is a need to provide all information before the processing of data begins (in the case of data obtained indirectly, such person must be informed within a reasonable period of time, depending on the circumstances). Basic elements of the information clause:
- information about the identity of the data controller,
- contact details of the data protection officer,
- indication of the legal basis for data processing,
- purpose of data processing,
- the period for which the data will be stored (a specific date or, where a specific date is not possible, the criteria for determining it),
- information about the subject's rights (Articles 13-21 RODO),
- information about the right to lodge a complaint with a supervisory authority,
- information about automated decision-making, including profiling,
- information about the intention to transfer personal data to a third country or international organization (if such a transfer will take place).
10. What rights do people have when they share their personal data?
The data subject has the right to:
- request access to his/her data (Article 15 RODO),
- rectify his/her personal data (Article 16 RODO),
- to erase or restrict the processing of his/her personal data (Article 17 RODO and Article 18 RODO),
- object to processing (art. 21 RODO)
- data portability (Article 20 RODO),
- express/revoke consent to the processing of personal data (Article 7 RODO).
The Personal Data Controller (ADO) is obliged to address the aforementioned requests of the data subject; in practice the ADO will consider them in the context of legal provisions (e.g., the labor code or study regulations) or other legal grounds for processing such data.
11. What is consent for the processing of personal data?
Consent to the processing of personal data is a voluntary, specific, informed and unambiguous indication of will by which the data subject, in the form of a statement or a clear affirmative action, consents to the processing of personal data concerning him/her (Article 1(11) of the RODO). Consent can take the form of a statement of intent, expressed in writing or electronically, e.g., a consent clause attached to a paper personal questionnaire, with the purpose for which the data is being obtained and will be used clearly stated. The data subject has the right to withdraw consent at any time. The withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal. The data subject must be informed of this before giving consent. Withdrawing consent must be as easy as giving it.
12. What is an authorization to process personal data?
An authorization to process personal data serves to fulfill the accountability obligation under the RODO, i.e. TruckSystems.pl Sp. z o.o. must demonstrate that only authorized persons have been allowed to process personal data. Authorization is also a document that limits access to data resources by unauthorized persons.
13. What is the right to be forgotten?
The RODO grants data subjects the right to erasure of personal data and to be forgotten. In the event of a legitimate request for erasure, the controller must immediately take appropriate steps to do so. If the data in question has been transferred to other entities, it is also the controller's responsibility to inform joint controllers and processors of the erasure request as well. The administrator's obligation to delete personal data is required in the following cases:
- the personal data are no longer necessary for the purposes for which they were collected;
- the data subject has withdrawn consent and there is no other legal basis for processing the data;
- the data subject has objected to further processing and there are no overriding legitimate grounds for processing;
- the personal data have been processed unlawfully;
- the personal data must be erased in order to comply with a legal obligation under EU or national legislation (e.g., legislation on the destruction of medical records);
- the data were collected in connection with the offer of online services to a child.
14. What is a data breach?
A data breach is a single event or series of events, related to data security, that threatens the confidentiality, availability or integrity of data. Not only the disclosure of personal data is an incident; the modification of personal data and the unavailability of personal data are incidents as well. It should be added that an incident concerns not only personal data but broadly defined information system resources, such as people, services, software, data, hardware and other elements that affect the security of processed data. Examples of a breach include the disclosure of data to an unauthorized person, or publication on websites, without a legal basis, of information containing personal data such as a name, PESEL number, index number, telephone number or exam grade. Violations of data protection can also be: sending e-mail addresses to other addressees, putting documents in the trash instead of the shredder, or insufficient data security on workstations (lack of access passwords, anti-virus protection, etc.). Violations of personal data protection also apply broadly to information system resources and other elements that affect the security of processed personal data.
15. Who is obliged to report personal data protection violations?
The obligation to report data protection violations rests with the personal data controller, who must report the incident within 72 hours of its discovery. It is permissible to deviate from this rule when the breach is unlikely to result in a risk to the rights or freedoms of individuals.
16. What do we mean by the "minimization principle" and "adequacy principle"?
The principle of minimization of personal data indicates the need to limit the processing of data only to those that are necessary to achieve the intended purpose of processing.
The principle of adequacy means that the controller should process only such data without which it would be impossible to achieve the intended purpose, with the scope of such data to be established at the latest at the time of collection.
17. What is data anonymization and pseudonymization?
Anonymization is the act of removing the link between data and the data subject. Anonymized data is therefore not personal data, as it does not involve an identified or identifiable natural person. Accordingly, the RODO does not apply to the processing of such anonymized information.
Pseudonymization means the processing of personal data in such a way that they can no longer be attributed to a specific person to whom the data pertains, without the use of additional information, provided that such additional information is stored separately and is covered by technical and organizational measures preventing its attribution to an identified or identifiable natural person (Article 1(5) RODO).
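As an added example (not code from the original FAQ or from TruckSystems.pl), the Python below contrasts the two notions on constructed records: pseudonymization keeps a keyed link that can be reversed only with separately stored additional information, while anonymization keeps no per-person rows at all. The key, the sample records and the grade bands are assumptions made for the example.

```python
"""Pseudonymization versus anonymization of constructed personnel records.

Added example, not part of the original FAQ. It follows the definition in
Q17: the pseudonymized data set can be re-linked to a person only with
'additional information' (here a secret key and a lookup table) that is
kept separately, while anonymized output retains no link at all.
"""
import hashlib
import hmac

# Constructed sample records: names, PESEL numbers and e-mails are made up.
SAMPLE_RECORDS = [
    {"name": "Jan Kowalski", "pesel": "90010112345", "email": "jan@example.com", "grade": 4.5},
    {"name": "Anna Nowak", "pesel": "85050554321", "email": "anna@example.com", "grade": 3.0},
]


def pseudonymize_record(record: dict, key: bytes) -> dict:
    """Replace the direct identifiers with a keyed pseudonym.

    HMAC-SHA256 under a secret key: the same subject always yields the same
    pseudonym (records stay linkable), but without the key the pseudonym can
    neither be reversed nor recomputed from a guessed PESEL. An unkeyed hash
    would not do here: an 11-digit PESEL is easily enumerated and hashed.
    """
    pseudonym = hmac.new(key, record["pesel"].encode(), hashlib.sha256).hexdigest()[:16]
    return {"subject_id": pseudonym, "grade": record["grade"]}


def build_pseudonymized_dataset(records: list, key: bytes) -> tuple:
    """Return (pseudonymized data set, lookup table).

    The lookup table (together with the key) is the additional information
    that Q17 requires to be stored separately, under its own technical and
    organizational measures, from the pseudonymized data set.
    """
    dataset, lookup = [], {}
    for rec in records:
        pseudo = pseudonymize_record(rec, key)
        dataset.append(pseudo)
        lookup[pseudo["subject_id"]] = {k: rec[k] for k in ("name", "pesel", "email")}
    return dataset, lookup


def reidentify(row: dict, lookup: dict) -> dict:
    """Re-link a pseudonymized row to the person; possible only with the lookup table."""
    return lookup[row["subject_id"]]


def grade_band(grade: float) -> str:
    """Generalize an exact grade to a band such as '4.0-4.9'."""
    lo = int(grade)
    return f"{lo}.0-{lo}.9"


def anonymize_dataset(records: list, min_count: int = 1) -> dict:
    """Aggregate to counts per grade band and keep no per-person rows.

    No key or lookup table is retained, so the link to the data subject is
    removed rather than hidden. Bands with fewer than min_count people are
    suppressed: a count of 1 in a small group could still single out an
    individual, which would make the output personal data again.
    """
    counts: dict = {}
    for rec in records:
        band = grade_band(rec["grade"])
        counts[band] = counts.get(band, 0) + 1
    return {band: n for band, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    # Constructed demo key; in practice it lives in a separate, access-controlled store.
    key = b"constructed-demo-key-keep-separately"
    dataset, lookup = build_pseudonymized_dataset(SAMPLE_RECORDS, key)
    print("pseudonymized:", dataset)
    print("re-identified first row:", reidentify(dataset[0], lookup))
    print("anonymized:", anonymize_dataset(SAMPLE_RECORDS, min_count=1))
```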
18. What does "privacy by design" mean?
The principle of "privacy by design" specifies the need to consider the protection of personal data at the stage of identifying the processing activities of a project. According to this approach, the protection of personal data should be an indispensable part of any new project, with appropriate technical and organizational measures. Ensuring the security of personal data must be taken into account and guaranteed when designing a new specialty, implementing an IT system, reorganizing a dean's office, etc.
19. What is "privacy by default"?
"Privacy by default" defines the default inclusion of adequate privacy safeguards in the initial settings of any personal data processing system. According to this rule, only data that is necessary to achieve the purpose for which it was collected can be processed.
20. What is a personal data protection impact assessment?
A personal data protection impact assessment is a process to describe the processing of personal data, to assess the necessity and proportionality of the processing, and to help manage the risk of violation of the rights or freedoms of individuals arising from the processing of personal data. A personal data protection impact assessment allows for the adoption of appropriate technical and organizational measures to safeguard personal data, and indicates what actions should be taken to minimize the risks of processing personal data.
21. What is a register of processing activities?
The register of processing activities is a document that shows in which processes the Personal Data Controller processes personal data. The register takes into account, among other things, the purpose of data processing, the basis for data processing, the category and scope of data processed, and how the data are secured. The register of processing activities may be kept in paper or electronic form. It should be noted that the concept of personal data processing activities is not precisely described in the RODO, which may cause difficulties in identifying personal data processing activities. A processing activity can be identified by categories of data subjects or purposes of processing, e.g. college recruitment.
22. What is entrustment of personal data processing?
Entrustment of personal data processing is the processing of a specific range of personal data on behalf of the Personal Data Controller. Entrustment of personal data processing is carried out on the basis of a personal data processing entrustment agreement or other legal instrument that binds the Personal Data Controller and the entity that processes the data on behalf of the ADO.
The entrustment of personal data processing should regulate, among other things:
- the purpose and nature of the entrustment;
- the subject matter of the entrustment (type of data, category of data subjects);
- the duration of the entrustment;
- the ADO's duties and rights;
- under-entrustment (sub-processing) of processing;
- the obligation of authorized persons to maintain confidentiality;
- the application of appropriate safeguards;
- assistance in the exercise of data subjects' rights;
- deletion or return of data upon termination of the entrustment;
- assistance to the ADO in fulfilling its obligations to the supervisory authority;
- consent to inspection of personal data processing by the ADO.
23. Why enter into a processing entrustment agreement?
Sometimes neither the data controller nor its employees perform all the operations on the data in use by themselves. If the data controller wants someone else to perform certain operations on personal data for it and on its behalf, it enters into a processing entrustment agreement with that party. The controller selects an entity that provides adequate security for personal data and specifies the terms under which it will entrust such data. The minimum scope of such an agreement is specified in Article 28 of the RODO. The entity that accepts the data processing entrusted to it is called a "processor" or "sub-processor." It performs certain activities for the controller and has no purposes of its own in processing the data entrusted to it. However, the processor is jointly and severally liable with the controller for the data processing and the damages associated with it. It must also cooperate with the controller, submit to certain obligations, document that it processes data correctly, and respond promptly to incidents. Entrustment of processing almost always occurs in connection with some specific cause. Outsourcing HR or accounting services to a company usually requires processing of data by that company, and the data is then entrusted for processing. The same is true of IT support: there are usually personal data in the systems and computers, and the system provider's employees need access to them for maintenance activities. Ordering the translation of documents and files containing personal data, arranging travel and visas, outsourcing debt collection, or ordering mailings to solicit applicants for conferences will almost always require entrustment of processing.
Even a contract for the destruction of personal records and computer media will involve entrustment of personal data processing. On the other hand, the services of an occupational health clinic, a legal counselor or an attorney running his own law firm do not necessarily require a processing entrustment agreement. These are entities that have their own purposes (and even obligations under the law) in processing personal data in connection with the services they provide. Nor does an ordinary contract for the supply of products justify concluding a processing entrustment agreement: although the data of contact persons appear in it, those contacts are handled using the business addresses and telephone numbers of employees employed, among other things, precisely to handle such contacts.
24. What are technical and organizational data protection measures?
Technical and organizational data protection measures are measures that must be applied to ensure the security of personal data adequate to the risks of personal data processing. Organizational measures are e.g. implementation of personal data protection policies, appointment of a DPO, KOD, ASI, LADO, personal data protection training for employees, issuance of authorizations to process personal data. Technical measures are, for example, the use of anti-virus software on workstations, ensuring access to the system using a login and password, the use of a firewall or UPS, recording information about user activities performed on the IT system. Technical and organizational measures can also include physical security measures such as locked doors and cabinets, burglar-proof roller blinds, bars on windows, safes and armored cash registers, security guards or an alarm system.
25. What are the differences between a processing activity register and a processing category register?
The register of processing activities is maintained by the personal data controller and is a document that includes a list of all the organization's processes in which personal data is processed. According to Article 30(1) of the RODO, the register of processing activities should include such information as:
- the name and contact details of the controller and any joint controllers,
- the purposes of the processing,
- a description of the categories of data subjects and the categories of personal data,
- the categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries or international organizations,
- where applicable, transfers of personal data to a third country or international organization, including the name of that third country or international organization,
- where possible, the planned deadlines for deletion of particular categories of data,
- where possible, a general description of technical and organizational security measures.
The processing category register, on the other hand, is a list of activities maintained by each processor to whom the controller has entrusted data processing. It contains the following information:
- the name and contact details of the processor(s) and of each controller on whose behalf the processor acts,
- the categories of processing performed on behalf of each controller (e.g., purpose and scope of the service, entrustment agreements),
- where applicable, transfers of personal data to a third country,
- where applicable, a general description of technical and organizational security measures.
Thus, this is a list of entities that have contracted a contractor for some service (e.g., IT support) and for this purpose entrusted certain data for processing - Article 30(2) of the RODO.
26. Is it legal to share information containing personal information over the phone?
NO. If we are not sure about the person we are talking to, sharing information containing personal information is prohibited.
27. What should I do if I temporarily leave my workstation?
If you leave a personal data processing area while it remains unattended by authorized persons, you should lock the room. Room keys should remain under the supervision of authorized persons. When temporarily leaving the workstation, log out of the system or run a password-protected screen saver. Do not leave documents containing personal information in plain sight. After finishing work, log out of all systems used during work, lock documents containing personal data or other legally protected secrets in cabinets.
28. How long should a password for an information system be?
It is recommended to use passwords of at least 8 characters, consisting of upper and lower case letters, numbers and special characters. Passwords of at least 15 characters are welcome. Do not use passwords consisting of first and last names or dates of birth, or default passwords such as admin, password, etc. When you need to change your password, do not simply make a trivial modification to the old one.
29. Am I required to have a business email address?
YES, any person performing tasks of a business nature should use an email address established by the Administrator. The use of private email addresses for business purposes is prohibited.
What should I do when sending an email containing documents with personal data?
When sending emails containing files with personal information, the file should at least be secured with a password, which should be communicated to the recipient in another form, such as by phone or text message.
30. I store personal data in the cloud; what should I do?
Files stored in what is known as cloud computing, if they contain personal data or other information that requires protection, should be encrypted, and only those people who need access to the data to perform their job duties should have access to the cloud.
31. How to handle personal data processed on paper?
- documents and printouts containing personal data should be kept in premises physically secured against unauthorized access;
- users are required to apply a "clean desk policy": securing documents containing personal data in cabinets, desks or locked rooms, and limiting access by unauthorized persons;
- documents should be carried in a way that prevents their theft, loss or misplacement;
- documents and temporary printouts should be destroyed in shredders as soon as the purpose of their processing ceases.
32. How to handle electronic storage media for personal data?
- data is stored on portable media only where necessary, and only for the time needed to fulfill the purpose for which it was stored on the media; after the storage period expires, the contents of the data carrier are deleted;
- personal data in a computer system are stored for the time required to fulfill the purpose for which they are processed; once that purpose ends, the data are archived, deleted or anonymized;
- portable electronic data storage media shall be stored by users in a manner that minimizes the risk of damage or destruction, in particular in locked cabinets and office furniture;
- if it is necessary to take data carriers outside the organizational unit, the user is obliged to be particularly careful and to secure the carrier, and cryptographic protection measures (data encryption) must be used;
- when using electronic mobile devices (including smartphones and tablets), the following security measures are required: screen lock (PIN, password or graphic pattern), encryption of the device memory and memory card, antivirus, disabling unused services (e.g. wi-fi, bluetooth, NFC), installing software only from trusted sources, and using encryption or a VPN when using public hotspots;
- when using mobile computers outside the data processing area of the organizational unit, use them in a way that prevents unauthorized reading of data from the screen, and use cryptographic protection measures;
- the security of portable computers, mobile devices and data carriers is the responsibility of their users. It is forbidden to leave data carriers unattended by an authorized person.
33. What are the penalties for violating RODO?
Formal answer:
A data controller who violates the RODO is subject to administrative liability (decisions by the President of the DPA may include fines, as well as various types of orders aimed at ensuring compliance with the RODO) and civil liability (the data subject is entitled to compensation for material or non-material damage resulting from a violation of the RODO). In addition, any person who unlawfully processes personal data or obstructs an inspection of compliance with data protection regulations is subject to criminal liability under the Data Protection Law. The last type of liability is the disciplinary liability of an employee who violates data protection rules. An employee who commits this type of violation is subject to admonition, reprimand or even dismissal through the employee's own fault.
34. Practical answer:
The President of the DPA can impose a fine of up to EUR 20 million or 4% of turnover, whichever is higher, for the most serious violations, including violations of the processing rules or data subjects' rights and failure to comply with supervisory authority orders, and up to EUR 10 million or 2% of turnover, whichever is higher, for other violations. In addition to fines, the President of the DPA can issue orders to restore compliance with the RODO, and even order the restriction of processing to storage only, which can paralyze a business process and be more severe than a fine.
In addition, an employee who violates RODO also faces liability for damages in the event of a lawsuit, criminal liability in the event of a notice to the public prosecutor's office, and disciplinary liability in the event of failure to comply with internal policies and procedures.