What is GDPR?

The once-distant vision of data protection reform in the European Union is becoming a reality. The uniform legislation that the EU began working on in 2012 will soon come into effect. What does the reform really mean? What is GDPR (RODO), and what changes does it bring?

The General Data Protection Regulation (GDPR, RODO) is EU legislation containing provisions on the protection of individuals with regard to the processing of personal data and on the free movement of personal data. The Regulation was adopted on April 27, 2016. From May 25, 2018, after a two-year transition period, the RODO will become effective in EU Member States. The GDPR comprehensively regulates the protection of personal data in the European Union. The main aim of the work on the regulation was to reduce the differences in rules between individual Member States of the Community. Because the legislative act takes the form of a regulation, it applies directly and does not require any special adaptation of the national laws of the individual EU countries. The changes are primarily intended to ensure the security of the pan-European personal data processing system.

The most important changes

The GDPR is not a revolution; it does not turn the world of data protection upside down. The gradual process of change and the two-year transition period allow organizations to get used to the coming changes and to enter the new legal order smoothly. The evolutionary path does not, however, mean that there are no major changes affecting entrepreneurs. The need to adjust processes and technical infrastructure, along with the resulting duties, are changes that companies need to prepare for.

An important element of the new regulation, the definition of personal data, does not differ significantly from the current regulations. The GDPR explains the concept of an identifiable person, pointing out that identification by means of an online identifier is sufficient. In practice, IP addresses and the identifiers stored in so-called cookies will become personal data within the meaning of the GDPR.

A major change is the way consent to the processing of sensitive data is expressed: under the regulation, consent for this purpose must be given expressly, in any explicit form. The GDPR extends the range of sensitive data to include biometric data. The handling of personal data breaches is also changing. The GDPR introduces a strict obligation to report a personal data breach within 72 hours of the data controller discovering it. The competent authority for this type of notification is (GIODO).

The GDPR introduces a data protection impact assessment and prior consultation with the data protection authority where the way data is processed, particularly with the use of new technologies, may pose a risk to the rights and freedoms of the identified individuals.

The provision for high administrative penalties for violating the protection of personal data has raised huge controversy. More serious infringements will result in fines of up to EUR 20 000 000 or 4% of total global turnover. Less serious infringements are subject to a fine of up to EUR 10 000 000 or 2% of the total global turnover of the entity.

Another key change is the establishment of a distinct catalog of 7 principles of personal data processing, which sets the direction for the whole system of personal data security and protection. Among other things, the principle of privacy by design and by default follows from these principles.

The RODO grants citizens a number of new rights and broadly extends existing ones. These include, for example, the right to be forgotten (the ability to have data deleted from a database), the right to request data transfer, and enhanced rights of citizens to access their data.

The EU regulation also has consequences for entities other than Administrators or processors established in a Member State. Entities outside the Union, whether countries or companies, that process personal data in connection with trade in goods and services are obliged to comply with the provisions of the Regulation.

Another key element of the change is the obligation of both the Administrator and the processing entity to appoint a data protection inspector. This person must have expert knowledge of the protection of personal data. The obligation also entails the duty to prepare and maintain comprehensive records of processed data.

As you can see, the changes introduced by the General Data Protection Regulation require companies to take concrete action. The regulation will inevitably generate costs associated with ensuring a high level of IT security. According to the IDC Research Center, in 2018, 34% of IT security spending in Europe will be associated with the adaptation of enterprise systems and processes to new legal requirements for the protection of personal data. The process of adapting a company to RODO therefore cannot simply be handed off entirely and forgotten. Of course, the help of experts and external consultants is not prohibited here, but it is important that the company itself acquires the necessary know-how on how to manage the area of personal data.
