RODO – terms of consent

Responsibility for supervising the terms of consent lies with the data controller. The data controller must be able to prove that the data subject expressed consent to the processing. The data controller must also be able to prove that the data subject who consented to the processing of personal data had been informed about the right to withdraw the consent.

Additionally, when the data controller processes the data of a person below the age of 16, it has to implement a procedure to obtain parental or administrative approval for processing the child’s personal data.

It is worth remembering that in our country, according to the draft of the personal data protection directive, this obligation lies with the controller who processes data of a person below the age of 13 (RODO gives national authorities a free hand to determine the minimum age limit).

RODO – the clause containing the so-called “informative duty”

The controller is obliged to provide the data subject with the information that fulfils the informative duty under art. 13 and 14 of RODO. This duty was significantly expanded in comparison to the currently binding regulations. According to point 60 of the RODO preamble:

The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data.

On the basis of the current Directive, the controller is obliged to provide the data subject with the following information:

  • Controller’s name and contact details
  • The purpose of data processing
  • Information about personal data recipients (categories of recipients)
  • Information about the rights of data subject

 

To the above catalogue, RODO also adds, among others:

  • Contact details of Data Protection Officer (if appointed);
  • Name, contact details of a representative in EU territory (if exists);
  • Legal basis for processing;
  • Legitimate interests of the controller, meaning interests resulting from, e.g., a business relationship between the controller and the data subject, or direct marketing;
  • Legitimate interests of a third party other than the controller, the data subject, a data processor acting on behalf of the controller (e.g. a service provider) or a person authorized by the controller or processor to access the data (in case it is a basis for data processing);
  • Period of data storage (or criteria to determine such a period). This concerns, e.g., legal time limits for data archiving, or cases where data is expected to be processed until the end of the service or consent withdrawal;
  • Information about the right to lodge a complaint with the supervisory authority;
  • Information about automated decision-making, including profiling, and about the principles of making such decisions, as well as the relevance and predicted consequences of such processing for the data subject.

 

Release from the informative obligation is possible in three cases:

  • If the data subject already has this information at his or her disposal;
  • If data processing is required by law;
  • When notification is impossible or extremely difficult.

RODO – profiling

The controller is responsible for informing the data subject about profiling and its consequences, as well as about the possibility of lodging a complaint (points 60 and 70 of the RODO preamble, art. 13 sec. 2 letter F, art. 14 sec. 2 letter G of RODO).

On the grounds of the binding personal data protection Directive:

  • Profiling is an undefined term;
  • However, it meets the criteria of art. 26a sec. 1 of the Directive, according to which “Final resolution of individual case of data subject is unacceptable if its contents is only the result of operational activities on personal data, processed in information technology system”.

 

“Profiling” in terms of principles constituted by RODO:

  • The term is defined in art. 4 point 4 of RODO: it means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
  • Creating profiles means: (1) collecting data from various sources: data transmitted to the controller plus data transmitted to other controllers (e.g. social media), or (2) profiles created statistically, when attribute 1 implies the presence of attributes 2, 3, etc.
  • RODO does not always apply to profiling. Three premises need to be met simultaneously: (a) method of processing – any form of automated data processing and (b) purpose – analysis or prediction of aspects concerning a natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
  • In fact, RODO establishes two types of profiling. What distinguishes the two types is automated decision-making. When automated decision-making is not present, art. 21 sec. 1 and 2 of RODO are applicable. When automated decision-making is present, art. 13, 14, 15, 22 and 35 sec. 3 point c of RODO should be applied.
  • Automated decision-making is allowed when: it is permitted by European or national law which stipulates appropriate measures to protect the rights, freedoms and legitimate interests of data subjects; when it is necessary for the conclusion or performance of a contract between the controller and the data subject; or when the data subject has clearly expressed his or her consent.
  • For profiling with automated decision-making, the controller must perform a data protection impact assessment.

RODO – obligation to maintain records of processing activities

RODO imposes the obligation to maintain records of processing activities in accordance with art. 30; however, there are some exceptions for particular groups of data controllers.

The contents of such records largely resemble the open personal data records maintained by the ABI (Administrator Bezpieczeństwa Informacji – Data Security Administrator); however, it is worth noting that RODO requires some additional components, such as the need to determine the time limit for deletion of particular data categories.

RODO – obligation to notify personal data breach to the supervisory authority

If the controller identifies a personal data breach, it is obliged to notify the supervisory authority within the specified time frame:

  • as a general rule – without undue delay;
  • within 72 hours after having become aware of the breach, if feasible;
  • after 72 hours – the notification shall be accompanied by reasons for the delay.

 

The controller may be released from this obligation unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The notification has to contain (art. 33 sec. 3 of RODO): the nature of the breach, Data Protection Officer details, the consequences of the breach, and the measures taken to address the personal data breach.

The processor shall also notify the controller without undue delay after becoming aware of a personal data breach.

RODO – obligation to communicate the personal data breach to the data subject

Two conditions must be met for the personal data breach to be communicated to the data subject:

  1. Personal data breach;
  2. The data breach is likely to result in a high risk to the rights or freedoms of natural persons.

If both conditions above are met, the data controller shall communicate the personal data breach to the data subject without undue delay.

The communication shall demonstrate and include:

  • Clear and plain language
  • The nature of the data breach
  • Information related to Data Protection Officer
  • Description of data breach consequences
  • Description of applied or recommended measures to handle the data breach.

 

The controller may be released from the obligation of communication in the situations below (art. 34 sec. 3 of RODO):

  • The controller has implemented appropriate technical and organizational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption;
  • The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialize.
  • It would involve disproportionate effort. In such a case, there shall be instead a public communication or similar measure whereby the data subjects are informed in an equally effective manner.

 

If the breach has not been communicated to the data subject:

  • The supervisory authority may require the controller to do so;
  • The supervisory authority may decide that any of the conditions referred to in art. 34 sec. 3 of RODO are met.

RODO – fines and liability of data controller

The data controller bears civil liability. What is worth knowing about the right to compensation:

  • Compensation can be claimed by any person who suffered damage (material or non-material) as a result of infringement of the Regulation;
  • The controller or processor is considered the liable party;
  • Each controller or processor involved in the same processing shall be held liable for the entire damage done;
  • The processor is held liable for damage caused by processing only if it has not fulfilled the obligations imposed by RODO upon processors, or if it has acted outside or contrary to lawful instructions given by the controller;
  • A controller or processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.

 

RODO imposes administrative fines. According to the new regulations, a fine shall be effective, proportionate and dissuasive. A fine is imposed depending on the circumstances of each individual case, taking into consideration:

  • The nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
  • The intentional or negligent character of the infringement;
  • Any action taken by the controller or processor to mitigate the damage suffered by data subjects;
  • The degree of responsibility of the controller or processor;
  • Previous infringements;
  • The degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
  • The categories of personal data affected by the infringement;
  • The manner in which the infringement became known to the supervisory authority;
  • Being in compliance with corrective powers imposed by the supervisory authority;
  • Adherence to the approved codes of conduct or certification mechanisms;
  • Other aggravating or extenuating

 

The fine is calculated in three ways:

  1. If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.
  2. Administrative fine up to 10 000 000 EUR or, in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Such a fine may be imposed in case of infringements of the following provisions:
    1. The obligations of the controller or the processor pursuant to art. 8 (conditions applicable to child’s consent in relation to information society service), art. 11 (processing which does not require identification), art. 25-39 (from section I of RODO general obligations, from section II of RODO security of personal data, from section III of RODO data protection impact assessment and prior consultation, from section IV of RODO Data Protection Officer), art. 42 (certification), art. 43 (certification body);
    2. The obligations of the certification body;
    3. The obligations of the monitoring body.
  3. Administrative fine up to 20 000 000 EUR or, in case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Such a fine may be imposed in case of infringements of the following provisions:
    1. The basic principles of processing, including conditions for consent (art. 5, 6, 7, 9 of RODO);
    2. The data subjects’ rights (art. 12-22 of RODO);
    3. The transfers of personal data to a recipient in a third country or an international organization;
    4. Any obligations pursuant to Member State law adopted under Chapter IX;
    5. Non-compliance with an order or a temporary or definitive limitation on processing or the suspension of data flows by the supervisory authority, or failure to provide access in violation of art. 58 sec. 1.

Penal liability – art. 84 of RODO

Member States shall lay down the rules on other penalties applicable to infringements of this Regulation, in particular for infringements which are not subject to administrative fines pursuant to art. 83, and shall take all measures necessary to ensure that they are implemented. Such penalties should be effective, proportionate and dissuasive.

Sanctions of this kind will be introduced into the legal order by the new personal data protection directive.

RODO – new position of Personal Data Protection Officer

RODO obliges the data controller to designate a Personal Data Protection Officer (IOD) when:

  • The processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • The core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale;
  • The core activities of the controller or the processor consist of processing on a large scale of special categories of data pursuant to art. 9 sec. 1 and personal data relating to criminal convictions and offences referred to in art. 10.

 

In other cases, IOD designation is optional.

A novelty in RODO is that a group of undertakings may appoint a single data protection officer, provided that the data protection officer is easily accessible from each establishment. The controller and the processor should ensure that the IOD is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

The new powers and tasks of the IOD include cooperating with the supervisory authority and acting as a contact point for the supervisory authority on issues related to data processing, as well as for complainants; in this sense it will act as a customer service office.

RODO – verification of agreements concluded with processors

The data controller will be obliged to examine its entrustment agreements to verify whether they guarantee the implementation of the appropriate technical and organizational measures required by RODO. Accordingly, it will be necessary to review these agreements and make revisions and amendments.

It also seems inevitable that an appropriate procedure will have to be created, indicating when a processor may be considered sufficiently reliable to implement the proper technical and organizational measures required by RODO.

The new regulations also require that the data controller be granted the authority to perform audits and/or inspections of processors.

RODO – Data Protection Impact Assessment

A data protection impact assessment shall be performed if a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of natural persons.

In that case the data controller is obliged to perform the data protection impact assessment prior to processing. It is worth adding that if a data protection officer has been designated, the data controller shall consult with him or her during the DPIA. One of the conveniences of RODO is that a single assessment is sufficient for multiple processing operations sharing a similar risk level.

Moreover, the obligation to perform an assessment of the impact of the envisaged processing operations on the personal data applies if one of the situations below occurs:

  • a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person;
  • processing on a large scale of special categories of data referred to in art. 9 sec. 1, or of personal data relating to criminal convictions and offences referred to in art. 10;
  • a systematic monitoring of a publicly accessible area on a large scale.

 

The catalogue above is not exhaustive; the assessment shall be performed whenever a high risk to the rights and freedoms of natural persons is likely to result.

What the assessment shall contain

The assessment must contain:

  • Systematic description of the envisaged processing operations and purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
  • An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  • An assessment of the risks to the rights and freedoms of data subjects;
  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with RODO, taking into account the rights and legitimate interests of data subjects and other persons concerned.

 

Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.

RODO – risk assessment

The data controller shall analyze (assess) the risk, that is, the possibility of an event which may affect the achievement of the intended purposes. The risk is measured by its impact (consequences) and likelihood of occurrence.

Among technical and organizational measures, RODO mentions in particular:

  • The pseudonymisation and encryption of personal data;
  • The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  • A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

 

The data controller will analyze the risk in three stages:

  • Stage 1 – the controller defines the risk, its source, causes and potential damage.
  • Stage 2 – the controller defines a likelihood of risk occurrence (including the risk assessment, dealing with the risk, the way of informing about the risk).
  • Stage 3 – the data controller eliminates or prevents the risk.

 

It is worth referring directly to RODO. According to point 75 of the preamble: The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular:

  • where the processing may give rise to discrimination, identity theft or fraud, financial loss, damage to the reputation, loss of confidentiality of personal data protected by professional secrecy, unauthorized reversal of pseudonymisation, or any other significant economic or social disadvantage;
  • where data subjects might be deprived of their rights and freedoms or prevented from exercising control over their personal data;
  • where personal data are processed which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, and the processing of genetic data, data concerning health or data concerning sex life or criminal convictions and offences or related security measures;
  • where personal aspects are evaluated, in particular analyzing or predicting aspects concerning performance at work, economic situation, health, personal preferences or interests, reliability or behavior, location or movements, in order to create or use personal profiles;
  • where personal data of vulnerable natural persons, in particular of children, are processed;
  • where processing involves a large amount of personal data and affects a large number of data subjects.