10 min read 23 September 2022

GDPR – General Data Protection Regulation

What is GDPR and what is it about?

GDPR, or the General Data Protection Regulation, is a piece of EU legislation. It is binding on all countries belonging to the European Union. The regulation sets out the rules on the processing, use and storage of personal data. The European Parliament and the Council of the European Union adopted the GDPR in 2016. As of 24 May 2016, it replaces the Polish Data Protection Act.


RODO – what does it mean?

The Data Protection Regulation is a European law on privacy breaches. It also concerns data processing. With the introduction of the Regulation, new obligations have been imposed on data controllers. It is worth first clarifying the definition of a controller. In simple terms, a data controller is any company, website, application, shop or service. They are the entities that collect any personal data.

Based on Article 4(7) of the Protection Act, a controller is:

  • an authority,
  • organisational unit,
  • entity or person who decides on the purposes and means of processing personal data.

It is sufficient that the entity in question records our email addresses or IP addresses. Failure to comply with the GDPR results in hefty financial penalties – fines are up to €20 million. The introduction and harmonisation of the regulation aims to strengthen the protection of personal data. It requires companies and businesses to properly encrypt and secure customers’ personal data. The GDPR is a general regulation and does not contain specific solutions for securing data.

RODO – what does the data protection regulation cover?

The Data Protection Regulation applies to all entities operating within the European Union. According to the regulations, not only small, one-person companies but also large corporations are subject to it. Every entrepreneur is required to comply with the law and the regulation. All those who deal with personal data processed for private use are obliged to protect it. The data is subject to strict protection from the moment it is collected. Personal data is protected irrespective of whether a person is acting as a consumer in a particular case. Data protection also extends to businesses, employees or company representatives.

Data processing under the Regulation includes:

  • collection of data
  • organisation of data
  • storage of data
  • adapting and modifying data
  • viewing, using data in the course of work
  • disclosing data (disseminating, distributing, sharing, deleting, destroying).

The scope of data is quite broad. It includes information that identifies a specific person.

Personal data is:

  • name
  • PESEL of the person
  • date of birth
  • residential address
  • telephone number
  • e-mail address
  • gender
  • eye colour, weight, height, i.e. all biometric data indicating the biological characteristics of the subject
  • vehicle registration number

The regulation is supposed to protect the data through which a person’s identity is determined. To make such identification more difficult, or impossible, the concept of ‘pseudonymisation’ has begun to be used. This is intended to increase the protection of the information. Data should be processed in such a way that it cannot be attributed to a specific entity.

At the same time, it is worth noting that although the GDPR does not apply to the processing of data relating to legal persons, it cannot exclude situations where data of a personal nature will nevertheless be associated with data relating to legal persons. An example of this could be data on natural persons, in particular where the company includes the name of a partner (e.g. with limited partnerships), or insofar as members of bodies are concerned.

GDPR clause

The GDPR clause is a data protection clause. It is generally added to the CV so that the recruiter can process our included data as a job candidate. Our consent to the processing of data in the CV is very important. You should not forget to add it. When we write a CV, we include so much data about ourselves. It does not only include our basic data such as name and address. As a rule, we also specify our career history, interests and qualifications.

Under the new regulations, any of this information can only be processed with our consent. It is obligatory to include the phrase “I agree” in every CV you write in order to start the recruitment process at all. Only then will the recruiter gain the right to use our CV and the information contained therein. The current text of the CV clause (for 2022) reads as follows:

“I consent to the processing of my personal data for the purposes necessary for the recruitment process (in accordance with the Personal Data Protection Act of 10 May 2018 (Journal of Laws 2018, item 1000) and in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR).”

Where to report a breach of GDPR

A GDPR breach is defined as the accidental or unlawful destruction, loss, modification, unauthorised disclosure of or unauthorised access to personal data transmitted, stored or otherwise processed. Based on the regulations of the Data Protection Authority, a personal data breach is when someone violates the confidentiality, availability or integrity of our data. The breach can be the transfer of our personal data to unauthorised persons (without our consent), or making such data public. Such situations lead to very serious consequences.

One of the main remedies is a complaint to the supervisory authority. Any individual whose data protection has been breached has the right to lodge such a complaint. According to the DPA law, the notification of the breach can also be made by an authorised person. In other words, in case the complaint concerns the processing of another person’s personal data, it is necessary to attach a power of attorney.

The breach of personal data protection shall be notified to the President of the Office for Personal Data Protection. The notification in case of a data protection breach goes through a special procedure. In the event of a data protection breach, the employee should report the problem to his/her supervisor and to the Data Protection Officer. The Data Protection Officer will then investigate the circumstances of the incident. If no Data Protection Officer has been appointed in the company, the notification shall be made by the employee whom the controller has appointed to perform data protection tasks.

GDPR – what rights do you have?

As a business that processes personal data, you have a duty to properly store and protect the sensitive data of each of your customers. Your data should also be protected by the companies holding it.

The GDPR guarantees you, among other things:

  • the right to delete your personal data permanently,
  • the right to data portability,
  • the right to detailed information regarding the purpose of processing your personal data.

Penalties for non-compliance with GDPR

Failure to comply with data protection rules or breaches thereof will result in a fine. When determining its amount, the duration of such violation is taken into account. All damages for disclosed data are carefully analysed by the Polish Data Protection Supervisor. The highest fine that can be imposed on a company is EUR 20 million, or 4% of the company’s turnover.

Violations for which you may be fined under the GDPR:

  • Failure to consider data protection during the design phase
  • Lack of an entrustment agreement for the processing of personal data
  • Failure to register personal data processing activities
  • Failure to report an incident compromising the security of personal data processing
  • Breach of the security principle
  • Violation of the status of personal data protection officer
  • Violation of the purpose limitation principle
  • Combining consents for processing personal data
  • Lack of legal basis for processing personal data
