New rules for personal data protection: what will the General Data Protection Regulation change?

BSides Warsaw · 2016 · 42:12 · 6.1K views · Published 2016-10

Category: Policy

Author: Piotr Siemieniak

Transcript [en]

I wish you all a pleasant reception. I give the floor to the speaker.

Good morning, my name is Piotr Siemieniak. I am in charge of personal data protection. I will give a less technical lecture, because it concerns the legal aspects of personal data protection. As some of you may know, in a year and a half the General Data Protection Regulation will come into effect and will introduce new rules for the processing of personal data. During the lecture I will say a few words about why the General Data Protection Regulation was created, what will change, what the rights and duties of data administrators will be, and what the data subjects will gain, that is, we, the people who give their data to data administrators in order to achieve a goal. What else will be introduced that has not been done so far, or that appeared in other normative acts but was not implemented at a higher level before and concerned only sector-specific issues? I will explain the principles of processing personal data, the foundations: how the information obligation has changed, what regulations on data security will come, what new documentation duties will appear, and what the role of the information security administrator will be, which in this case will be the personal data protection inspector. I will also talk about the almost forgotten issue of data export, and about a few other elements such as the Privacy by Design model, the territorial range and some news, i.e. financial penalties.

Why did the General Data Protection Regulation come into being? The main problem was that the EU directive from 1995 was simply outdated. The European Union states had to implement the directive on the processing of the data of natural persons each time. This meant that it was not applied directly, i.e. each state had to change or introduce new legal acts only to implement this directive. It was often the case that the directive was implemented in an incorrect, incomplete way. In Poland, for example, the directive generally introduced the principle of registering data collections. In Poland, it was implemented in such a way that it was necessary to send a lot of applications to GIODO. Only the appointment of the information security administrator released data administrators from the duty to register ordinary data collections. It is still necessary to register sensitive data. However, this issue was only improved a year ago. So from 1997, from the Law on Personal Data Protection, until the beginning of 2015, all data collections had to be registered. The time to register an ordinary data collection is usually at least two years. The purpose of the regulation is also to harmonize the regulations in the entire European Union, to provide free data flow between the EU countries, to strengthen the rights of data subjects, to implement technological neutrality and to implement more intelligent legal solutions that are intended to protect us, to protect the individual.

I will say a few words about the principles. The principles of data processing are: legality, purpose, adequacy, time limitation, security and accountability. These principles apply under the current personal data protection law and under the General Data Protection Regulation. This means that nothing changes. The principle of legality is that we can only process personal data if we have a legal basis for it. It may be the consent of the person whose data we will process. It may be based on a contract between the person and the administrator, in order to carry out a legal relationship. It can be, for example, processing personal data for the public good. The principle of purposefulness means that if we process personal data on the basis of the person's consent, we have to define the purpose of the processing. It must be precisely defined that, for example, personal data is processed exclusively for the delivery of a monthly newsletter. Data can be processed only for this purpose, and using it for a completely different purpose will be an illegal action. The principle of adequacy, otherwise known as the principle of data minimization: if we process personal data, we should process it only in the range that is necessary to achieve this goal. To send a newsletter, we need a name and an email address. Sometimes only an email address. Collecting PESEL and NIP numbers would violate this rule. The principle of correctness: the personal data administrator should ensure that the data is properly verified. The principle of time limitation: we can process personal data only as long as it is necessary to achieve this goal. If the goal has been achieved, then we should delete the personal data. The principle of security: it perhaps appears directly in the Personal Data Protection Act, though not within the framework of the general principles of processing, but personal data administrators are also obliged to introduce appropriate technical and organizational measures in order to ensure that personal data is not revealed, destroyed, modified, etc. The principle of accountability: it seems that this element is perhaps new, but in reality it is not, because again the administrators of personal data must prove that they have taken various measures to ensure the security triad of confidentiality, integrity and availability. It's nothing new.

Information duties. Under the Personal Data Protection Act, data administrators must inform the data subjects every time about the address and full name of the entity and what the purpose of collecting the data is. (I can't hear you.) What is the purpose of collecting the data? Who is the expected recipient of the data? What are the categories of data recipients? They must also inform about the right of access to the content of one's data and the possibility of correcting it, and about whether providing the data is voluntary, or, if it is due to some obligation, then it is stated that there is such an obligation and a legal basis. If we do not collect the data directly, for example personal data is collected by automata which download something from the Internet, or a friend gave us some data about a person, then we must also inform this person about the source of the data, which is a constant element. What will change in the regulation when it comes to the information duty? There will be even more elements. There will be the elements I mentioned earlier plus further data, i.e. the contact data of the Data Protection Inspector. It is only not known whether it should be specified in such a direct way, the name of the Inspector of Personal Data, or whether it may be some information in a form that does not reveal this inspector, such as security@example.com. Then the legal basis of processing, in addition to the purposes of processing. The period for which the data will be stored; if it is not possible to state it, then it will be necessary to present the criteria that serve to determine this period. This means that data administrators will really have to clarify how long the data will be processed and when it will be deleted. Of course, this obligation existed much earlier. But no one did it. Most of the time, there were very few companies that would take care of deleting data after the right time. By the way, data removal is a rather difficult process. That's why it is necessary to design something like this earlier, to do it in a way that will be safe, for example not to remove too much data. It should also be remembered that if we remove personal data, we also have to remove it from backup copies. Therefore, we need to think hard about what strategy we should adopt to remove data. In addition, the personal data administrator should inform us whether he is using so-called profiling or whether he plans to process personal data for some other purpose. This information obligation will increase; it will force administrators to increase the resources that go to data protection, because it will come down to designing the removal of personal data, wider information, etc. Moreover, as regards consent to process personal data, the data administrator will have to show that he has received consent to process personal data. So he will have to somehow prove that this person's data has been collected legally. I suspect that it will be quite difficult. It must also be guaranteed that each person has the right to withdraw consent to process personal data at any time. Moreover, the issue of processing children's data has been regulated. The European legislator gives the states some room for maneuver, because a person may be treated as a child from 16 years of age or from 13 years of age. This will remain a matter for member states.

Excuse me, yes? Can the proof of this consent be digital, in the form of a digital version? It can be digital. Besides, the way of informing should be as transparent as possible. That is, the person who wants to express their consent to the processing must be informed in such a way that they are fully aware that their personal data will be processed in a way that is in accordance with the law, on a specific legal basis, for a limited time. I will show you an element from the draft of the General Data Protection Regulation. Fortunately, it did not make it in. The legal expert, Win Lin, wanted to do something like this: every time before expressing consent to process personal data, these specific graphic elements would appear. From my point of view, it would lead to people giving up on sharing their data with administrators. In my opinion, it is very scary. I don't know what you think, but it could have a very negative impact on the administrators themselves and on how they will earn money, the number of clients, etc. That's why some administrators would probably be more likely to pay for not showing such charts, that is, to violate the law, being sure that there is a risk of punishment, but taking the risk and increasing their income.

Documenting the processes for processing personal data. At this point, the Law on the Protection of Personal Data in Article 36 refers to the regulation on technical and organizational conditions, etc., which requires the implementation of a security policy and instructions. Some of you may have encountered this. The implementation of this type of documentation often takes a lot of time. There are requirements that may not make sense. For example, personal data administrators are obliged to create a description of the structure of the data collection, with the connections between information fields. I think I met one company that had it, out of many, many, many companies. Another thing: if an information security administrator is appointed, it is necessary to keep a register of personal data collections. The plus is that we are freed from registering data collections with GIODO. He must regularly conduct audits, i.e. work out the check plans, perform the checks, so another documentation element comes in. As I have mentioned several times, there is a duty to register data collections: ordinary data collections if an ABI is not established, and if an ABI is established, then only sensitive data collections. The General Data Protection Regulation is less specific, which gives us a free hand in preparing documentation. The general regulation simply requires the implementation of appropriate data protection policies. Gone is the obligation to register personal data collections, but there is the obligation to keep a register of processing activities. There is also risk analysis, assessment of the effects for data protection, i.e. the so-called privacy impact assessment, and documentation of data protection violations. So something disappears, something appears. I don't know yet if it will be a very big burden for the administrators of data or if it will be measured similarly to the previous one.

Yes? Yes. No, we won't talk about the cloud, because it's a very general presentation. But in case of anything, please ask. What's in the cloud? In this situation, is it a private cloud or a public one? If the personal data administrator uses services like Amazon, then what? We are not able to do something like that. We conclude a personal data transfer agreement with such an administrator, where we simply specify certain things related to data security, trust, etc. Such things are not usually put in policies, because this type of administrator can have its own policies. It is a matter of regulating contracts between the parties. I have a contract for the transfer of data. I found it in the client's account. I can download it from the client's account. It just contains a contract for the transfer of data. And this is a real contract? Yes. But we should remember that the responsibility is still on our shoulders. If the data administrator fails and the data leaks, you must remember that you are responsible. And then you have something like a recourse claim against the data administrator. It is always important to remember this, and maybe a good practice would be to check, if it is possible, such a data administrator, if it is a small local server, whether they can take care of backups, have some processes implemented, whether you are safe when it comes to technical issues. What else would I recommend? Definitely making backups to some other server, regardless of that. Yes? Yes. I don't understand. Yes. That is, they are not the information security administrator. The information security administrator is simply a specific person, or an outsourced ABI, who deals with data protection in this organization.

Okay, documenting data protection violations. I'll come back to this in a moment. This has existed for many years in telecommunications law. Telecommunications entrepreneurs were obliged to document such violations and report such violations to GIODO, to perform certain activities after incidents, etc. Next. I have already talked a little about security. In general, nothing has changed here. The content of these regulations has changed a bit, but the meaning is the same. So we have to take care of the confidentiality, integrity and availability of personal data. Nothing more. The General Data Protection Regulation introduced a few more elements. These are certain terms such as pseudonymization, data encryption, the ability to quickly restore, and certain duties related to regular testing and measurement. The general regulation shows us the way, what we should do to act properly, in accordance with the law, so that our data is fully safe. The next thing is the risk associated with the processing of data. Personal data administrators have the possibility to prove that they process personal data in a way that is in accordance with the law, through certification mechanisms or the use of good practices. These issues have not yet been developed in any way. We are waiting to see what the certification mechanism will look like. What will the code of good practices look like? What will the norm of good practices be? The information security administrator will turn into a data protection inspector. This is just a conceptual change. The rules of appointment will change. At this point, the appointment of the information security administrator is optional. In the future, in a year and a half, it will be mandatory in some situations. It will be mandatory in situations such as: the appointment of the Data Protection Inspector in public administration units, when we process sensitive data on a large scale, and in several other situations. The organizational dependency will be the same, i.e. the Data Protection Inspector will report only and directly to the personal data administrator. Contact data will be made available when personal data is collected for processing.

Another novelty: financial penalties. Until now, financial penalties did not exist. It was possible for GIODO to impose penalties, but this process lasted a very long time and it was necessary to make a strong effort to get such a financial penalty, because the Code of Administrative Procedure was used. Considering the duration of proceedings and the possibility of applying these penalties, they were not as large as the General Data Protection Regulation provides. Depending on the type of violation, financial penalties are provided of up to 10 million euros or up to 2%, or up to 20 million euros or up to 4% of the annual global turnover for the previous year. These penalties are very, very high, and there is a doubt whether Polish authorities are responsible enough to impose such financial penalties. I am not convinced of this yet. The GIODO office in Poland employs only about 200-250 people. Even when it comes to various political events, I noticed that the earnings of GIODO itself or the earnings of GIODO employees are inadequately low compared to the possibilities that the general regulation gives them, i.e. small earnings, huge responsibility. Of course, raising their salaries will not solve the problem of measuring these penalties well, but it is worth paying attention to it. Other changes. Yes. Yes. Yes. Up to 10 million is the smaller penalty, up to 20 million is the larger one. So, let's say that 10 million would be much more than 2% of the total, then would I pay 2% or 1 billion? It depends on... it will be the higher value, and it depends... yes. And I have another question: what is the difference as to whom you pay the penalty? The General Data Protection Inspector will be the one to impose such penalties, so the General Inspector's account will be credited with such money, the account of this office. I will just say that these penalties depend on the type of violation, so that it is clear.

Other changes. The right to delete data. This right actually existed, but it was not written in the style of the "right to be forgotten"; it simply followed from our regulations in the Personal Data Protection Act. Now it will be even more difficult, because if personal data administrators have publicly shared our personal data, they will also have to try to have this personal data removed from other registers. So if our data is shared, for example in a local newspaper, then this data will probably be indexed by a search engine, and then such an administrator should try to remove such data from search engines. What is... Oh, this is a very good question. Who is the administrator of personal data? To make it easier to explain, the personal data administrator will be the entrepreneur. In human language, it is the entity that decides the goals and means of processing personal data. So if we have a company, an sp. z o.o., the administrator will not be the board, nor the council; only the company will be the administrator of personal data. He should inform you that it is... Yes. They often say that they have already issued this number, but this is against the telecommunications law.

I'm sorry.

I would have to know the exact situation, because it is an individual case. You have to look into the telecommunications law. That's one. Two, try to look for this number, possibly ask GIODO: from this and that number they called me, they have my data, and you would like to determine the administrator of personal data. The procedure will probably take a very long time. And maybe it won't be easy to determine, but we can try. There is the letter, but GIODO accepts a qualified electronic signature. So if you have such a signature, you can use it and send such a request electronically. No, ePUAP. ePUAP is for communication with public administration. I can't hear you. But you can use a qualified signature, that's for sure. So it is for private contacts, plus it should also be OK with public administration.

The right to remove data, as I said; next, the right to transfer data. Data subjects will have the opportunity to simply turn to the personal data administrator to give them this data in a common format, so that another personal data administrator can import and use this data. So this is a possibility of leaving one administrator and moving to another. The Privacy by Design model: it is a Canadian model from the 90s, which was implemented and added to the General Data Protection Regulation. It is about the fact that personal data administrators should, in the design phase of some IT systems, make sure that our privacy is protected. It can look different ways. It is about ensuring such default privacy settings, using appropriate security, implementing appropriate encryption rules and probably many other solutions. There will come something like the concept of co-administrator. It is something like this: a couple of different entities, let's say we have three different companies, can together be the administrator of personal data, which was not in Polish law before; it appeared in British law. The notification of personal data violations, I have already mentioned this: within 72 hours after the incident the data administrators will have to report to GIODO that we have had a breach, the data has leaked, something has happened to it, and GIODO can impose a financial penalty or not. It is not yet known what it will look like, but there are 72 hours for this. It will be necessary to describe the type of incident, what happened to this data, and also describe the measures that have been implemented. Privacy Impact Assessment. Data administrators will have to create certain documents in some cases related to the impact on our privacy. These will be certain activities related to processing. This is simply an assessment of the effects of processing personal data. The requirement for consultation will be met either with the Data Protection Inspector, i.e. the current ABI, or with a GIODO consultation, which in my opinion is quite burdensome, i.e. just as we had a huge queue to register a collection of personal data, the same will happen here: not far away, a queue in front of a certain green building to consult on the consequences of processing personal data. If we have a collection of ordinary data, from the moment of reporting; if we have a collection of sensitive data, only from registration. Another thing that I could have said at the beginning, but decided to move to the end, is the completely different territorial scope of application of the General Data Protection Regulation. It will also apply to countries that are not in the European Union. So if in the United States the personal data of EU citizens who are located within the EU is processed, then these entities will have to meet the requirements, including the information duty, as I said at the beginning, and many other requirements. The right to compensation. I think this is an interesting solution. Everyone will be able to seek compensation for violations related to personal data protection. So if your data is revealed and you suffer damage, you will be able to fight in court for specific compensation. Maybe it will lead to something like so-called "litigation mania". Maybe natural persons will want to go after data administrators and will try to make up some damage in some situations. We'll see how it goes. So is the General Data Protection Regulation a revolution or an evolution? I can't answer that. It will come out in the wash. Well, a little more than a year and a half. Certainly, a lot of burdens will disappear, but new ones will come. Companies will be formally forced to take care of this level of data protection. So, whether it is a revolution or an evolution, you have to decide for yourself. Thank you. Maybe some questions? I have a question. No. There will certainly be some rules related to the application of penalties. There is a new law on personal data protection that will regulate some things, so we just have to wait and see. For now, I am not able to answer this question. Any more questions? OK, thank you.