Responsibility for terms of consent supervision lays on data controller. Data controller must be able to prove that data subject, expressed the consent to do so. Data controller must also be able to prove that data subject expressed the consent to process the personal data had been informed about the right to withdraw the consent.
Additionally, in situation when data controller processes the data of person below age of 16, has to implement the procedure to obtain the parental or administrative approval for child’s personal data processing.
It’s worth to remember that in our country, according to the draft of personal data protection directive, this obligation lays on the controller, who processes data of the person below age of 13 (RODO gives a free hand to national authorities to determine the limit of minimal age).
Controller is obliged to provide the data subject the information, which will fulfill the informative duty, in regards to art. 13 and 14 of RODO. It was significantly expanded in comparison to currently binding regulations. According to point 60 from RODO preamble:
The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data.
On the basis of the current Directive, the controller is obliged to provide the data subject with the following information:
To above catalogue, RODO also adds, among others:
Release from informative obligation is possible in three cases:
Controller is responsible for informing data subject about profiling and its consequences, as well as possibility of laying a compliant (point 60 and 70 of RODO preamble, art. 13 sec. 2 letter F, art. 14 sec. 2 letter G RODO).
On the grounds of the binding personal data protection Directive:
“Profiling” in terms of principles constituted by RODO:
RODO enforces the obligation to maintain records of processing activities to ensure compliance with art. 30, however there are some exceptions for particular groups of data controllers.
Regarding the contents of such records, it reminds to a large degree the open personal data records maintained by ABI (Administrator Bezpieczeństwa Informacji – Data Security Administrator), however it is worth to note that RODO requires some additional components, such as necessity to determine the time limit for deletion of particular data categories.
In a case of personal data breach identified by controller, there is an obligation to notify the supervisory authority about this fact in the specified timeline:
The controller may be released from this obligation unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The notification has to contain (art. 33 sec. 3 of RODO): nature of the breach, Data Protection Officer details, consequences of the breach, measure taken to address the personal data breach.
The processor shall also notify the controller without undue delay after becoming aware of a personal data breach.
There are two implications when the data subject shall be communicated the personal data breach:
If the implications above exist, the data controller shall communicate the personal data breach to the data subject without undue delay.
The communication shall demonstrate and include:
The obligation of communication may be released in situations below: (art. 34 sec. 3 of RODO):
In case when the data subject was not communicated:
Data controller bears civil liability. What is worth to know about the right to compensation.
RODO enforces administrative fines. According to new regulations fine shall be effective, proportionate and dissuasive. Fine is imposed depending on the circumstances of each individual case, taking under consideration:
The fine is calculated in three ways:
Penal liability – art. 84 of RODO
Member States shall lay down the rules on other penalties applicable to infringements of this Regulation in particular of infringements which are not subject of administrative fines pursuant to art. 83, and shall take all measures necessary to ensure that they are implemented. Such penalties should be effective, proportionate and dissuasive.
Such kind of sanctions will be enforced to the law order by the new personal data protection directive.
RODO enforces on the data controller the obligation of Personal Data Officer (IOD) designation in case when:
In cases other than those, IOD designation is facultative.
What is new in RODO, a group of undertakings may appoint a single data protection officer provided that a data protection officer is easily accessible from each establishment. The controller and the processor should ensure that the IOD is involved properly and in a timely manner, in all issues which relate to the protection of personal data,
As new powers/tasks of IOD may be indicated that IOD cooperates with supervisory authority, stands for a contact point for supervisory authority in the issues related to data processing as well as for complainants – in this sense it will act as a customer service office.
The data controller will be obliged to examine the agreements of entrust to verify whether they guarantee the implementation of appropriate technical and organizational measures required by RODO. According to that it will be necessary to review the subject agreements, making revisions and amendments.
It also seems inevitable to create an appropriate procedure which contains indications when a processor may be considered sufficiently reliable to implement proper technical and organizational measures required by RODO.
New regulations also stipulate a data controller’s requirement to be granted with authority to perform audits and/or inspections on processors.
Data protection impact assessment shall be performed if a high risk to the rights and freedoms of natural persons and type of processing, in particular when using new technologies, is likely to result.
In that case data controller is obliged to perform personal data protection impact assessment prior to processing. It is worth to add that if data protection officer was designated, a data controller shall consult with him or her during DPIA. One of the conveniences of RODO is the fact that a single assessment is sufficient for multiple processing operations sharing the similar risk level.
Moreover, the obligation to perform an assessment of the impact of the envisaged processing operations on the personal data is applicable if one of the situations below appears:
The catalogue indicated above is not a complete catalogue, the assessment shall be performed each time if a high risk to the rights and freedoms of natural persons is likely to result;
What the assessment shall contain
The assessment shall contain obligatorily:
Where necessary, the controller shall carry out a review to assess if processing is performed in accordance with the data protection impact assessment at least when there is a change of the risk represented by processing operations.
The data controller shall analyze (assess) the risk, that is eventuality of an event, which may have impact on fulfillment of presumed purposes. The risk is measured by the impact (consequences) and likelihood of appearance.
Among technical and organizational measures, RODO mentions in particular:
Data controller will analyze the risk in three stages:
It is worth to make a reference directly to RODO. According to point 75 from the preamble: The risk to the rights and freedoms of natural persons, of varying likelihood and severity, may result from personal data processing which could lead to physical, material or non-material damage, in particular: