Would you like to know more about RODO? Take advantage of our training courses!

The General Data Protection Regulation, known to everyone more widely as RODO, has been in force in our country and throughout the European Union for four years now. When we are employed in successive workplaces, run businesses or constantly use public facilities, we come across the RODO every time and, when reading the regulations for personal data processing, we are increasingly reminded that our knowledge of it is not complete, yet very much needed. Therefore, take advantage of our training offer today!

RODO is a regulation that is a data protection function across all European Union countries. The word RODO is an abbreviation of the full name Personal Data Protection Regulation, while the full English name is General Data Protection Regulation - GDPR for short. This piece of legislation is a set of rules regarding the processing of individuals' data.


A brief history of RODO

The introduction of this regulation in Poland and other EU countries in 2018 was intended to replace the previously applicable directive and make personal data protection a new better quality. After four years of work and discussion on this regulation, it was adopted by the Council of the European Union and the European Parliament on 27 April 2016. In Poland, the Data Protection Act of 29 August 1997 was previously in force. It was based on principles related to Directive 95/46/EC, adopted by the European Parliament and the Council of the European Union on 25 October 1995. The legal standards for RODO in Poland were implemented by the Ministry of Digitalisation. By the composition of the Sejm of the Republic of Poland of the 8th term, Regulation 2016/679, or RODO, was enacted on 10 May 2018 and the authority of the President of the Office for Personal Data Protection was established after the abolition of the office of the Inspector General for Personal Data Protection.

RODO in practice

The RODO is by far the biggest change ever in the regulation of information about individuals. The main task of this regulation is to protect personal data within the European Union, regardless of where they are processed. The improved quality of personal data protection in this regulation applies, among others, to more strengthened rights of natural persons, unification of legal norms binding in the European Union, better efficiency of information exchange, as well as forms of protection against unauthorised access adjusted to the threats of the 21st century.

The RODO applies to all data holders who process data and their owners who transmit them for processing - in companies and organisations located in the European Union. On the other hand, those who are not covered by this obligation include deceased persons, legal entities and those whose processed data are neither related to a commercial or business activity nor to a practised profession.

RODO has a large number of benefits. These include:

  • faster and easier access to data and more information on how it is processed
  • facilitated data transfer between service providers
  • the so-called 'right to be forgotten', consisting in the immediate deletion of one's data by the controller, at the request of the individual concerned
  • the controller's obligation to inform the data owner of a data breach
  • the right to rectification and the right to object to processing incompatible with the individual's wishes
  • better incentive to comply with the rules due to extremely severe fines

What is personal data

As personal data submitted for processing we refer to that amount of information which is capable of identifying the identity of an individual. It consists of:

  • name
  • identity card number
  • residence/registration address
  • IP address
  • data relevant for medical assistance, held by medical practices and hospitals

In turn, among the information prohibited for processing are:

  • racial or ethnic origin
  • sexual orientation
  • religious beliefs
  • political views
  • data relating to infringements of the law, court judgements (unless permitted by national law)

The authorities that are responsible for the processing of personal data are the controller, who is the person responsible for deciding the purpose and means of processing, and the processor, who carries it out and stores the information.

Data Protection Officer

A very important element for correct data processing is the monitoring performed by the data protection officer. The person in this position not only ensures that everything is done according to procedure, but also provides relevant information to controllers and processors on their obligations and acts as a consultant for them and the data owners by providing contact possibilities.

The activity of the Data Protection Supervisor is mandatory for every public institution except the courts, entities dealing with criminal and similar cases, and those whose activity involves the automatic processing of data.

Transfer of data to a country outside the EU

It is important to remember that the data protection of the RODO is invariably applicable even when data is transferred to a non-EU area. This means that the destination country should have data protection measures that are acceptable to the EU. The company or organisation should also ensure that the contract that will link this transfer includes an appropriate clause as a form of safeguard, that the said recipient is sure to comply with the EU requirements, and the explicit consent of the data owner.

Businesses have an obligation imposed by the RODO to maintain a breach register and a register of processing activities. The breach register is designed to collect notifications of a personal data breach within 72 hours of observing the breach. Such notification is referred to as the notification obligation. The register of processing activities, on the other hand, is intended to keep information about both the purpose for which personal data is collected and the purpose for which it is processed. The register of processing activities, however, only applies to employers with no more than 250 employees.

Penalties for breach of RODO

Criminal liability for breach of the principles of the Data Protection Regulation is incurred by the company or organisation. We are talking about a financial penalty, which can take the following amounts:

  • 10 million euro or 2% of the company's annual worldwide turnover in the previous financial year
  • 20 million euro or 4% of the company's annual worldwide turnover in the previous financial year

When awarding financial penalties, the determination of the amount that would be deducted shall take into account, inter alia, the purpose of the data processing and its scope, the intentional or unintentional nature of the infringement, the controller's efforts to minimise harm to individuals, or previous infringements.

In order to prepare your company well and reliably for learning about RODO regulations, learn this and much more at our training courses.