The General Data Protection Regulation (GDPR, RODO) was established by the Regulation of the European Parliament and of the Council of April 27, 2016. This EU legislation contains provisions on the protection of individuals with regard to the processing of personal data and the free movement of such information. The purpose of the Regulation is to harmonize the process of personal data transfer across the EU. After a two-year transitional period, the Regulation will become effective in the Member States from May 25, 2018. The new regulations will be applied directly without the need for their implementation.

What is GDPR?

The text of the Regulation is divided into 11 chapters. Some of them are further subdivided into smaller units, which the GDPR calls Sections. The full list of chapters is given below:

Chapter I - General provisions
Chapter II - Principles
Chapter III - Rights of the data subject
Chapter IV - Administrator and processor
Chapter V - Transfers of personal data to third countries or international organizations
Chapter VI - Independent supervisory authorities
Chapter VII - Cooperation and consistency
Chapter VIII - Remedies, liability and penalties
Chapter IX - Provisions relating to specific processing situations
Chapter X - Delegated acts and implementing acts
Chapter XI - Final provisions

Each of the chapters outlined above regulates a separate area; in other words, each serves a different purpose. The preamble to the EU Regulation consists of 173 recitals. They are very important for understanding the specific legal requirements described in GDPR. Without knowing them, the meaning and purpose of many requirements of the Regulation can be misunderstood, which can lead to numerous errors in applying specific provisions.

Most frequently discussed issues

One of the pillars of RODO is its emphasis on general principles. Placing the general principles for processing personal data in the initial part of the act - Art. 5 (Chapter II) - shows that the European legislator intended to strengthen the role of the rules for the processing of personal data under the provisions of the Regulation. RODO formulates 7 principles of personal data processing. They are:

  1. Principle of legality, reliability and transparency.
  2. Principle of limiting the purpose of data processing.
  3. Principle of data minimization.
  4. Principle of data regularity.
  5. Principle of limiting the storage of data.
  6. Principle of integrity and confidentiality of data.
  7. Principle of accountability.

A very important element of GDPR is the set of responsibilities it places on the Data Administrator. Basically, four chapters of the Regulation (Chapters II, III, IV and V) set out the specific requirements which the Data Administrator must fulfill. These obligations are primarily related to knowledge of the basic principles of processing personal data (Chapter II). Awareness of the rights of individuals regarding the processing of their personal data by specific Data Administrators is regulated by Chapter III. Chapter IV regulates the requirements within the internal sphere of a particular Administrator's organization and the relationships that arise in contacts with external entities. Chapter V of the Regulation contains requirements for the transfer of personal data to third countries or international organizations.

There are significant changes concerning compensation and high administrative penalties for data processing entities in case of non-compliance. All regulations in this regard are contained in Chapter VIII of RODO. A very controversial matter is the upper limit of sanctions for breaches of personal data protection. Article 83 of the abovementioned Chapter, depending on the gravity of the infringement, introduces a fine of EUR 10 000 000 or 2% of the total global turnover of the entity for lighter infringements. More serious infringements will involve penalties of EUR 20 000 000 or 4% of the total global turnover. The administrative character of the penalties forces the authority to abandon any investigation of the fault and the extent of the breach, only acknowledging the fact of the breach of the personal data protection law.

The most important change introduced by GDPR is the unification of data protection legislation throughout the European Union (outside Great Britain). Changes resulting from this legislation are of enormous benefit, especially to large enterprises. The ability to implement uniform procedures across almost the entire continent will reduce costs and increase profits. The introduction of RODO does not lead to a revolution in the sphere of personal data protection; it is rather a natural evolutionary step building on the current solutions. The thoroughness of the changes and the size of the sanctions show that the entry of RODO into force will force every individual to take a very cautious approach to the security of personal data.
