The GDPR, or Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, is the EU-wide regulation governing the processing of personal data relating to natural persons in the EU by natural persons, businesses and organisations. It does not cover the processing of personal data relating to deceased persons or to legal entities, nor does it apply to processing carried out by a natural person in the course of a purely personal or household activity, unrelated to any professional or commercial activity.
The GDPR has applied since 25 May 2018. Entities that process personal data under it often do not know what obligations they must fulfil, or what the consequences of failing to fulfil them may be.
Personal data and its processing
Personal data means any information relating to an identified or identifiable natural person, that is, a person who can be identified directly or indirectly. This includes, among other things, a name and surname, a national identification number and a residential address, but also, for example, an image, educational details, health status, a voice recording, a fingerprint or a criminal record.
Processing of personal data means any operation performed on such data, including collection, recording, organisation, storage, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, as well as erasure or destruction.
To process personal data, we require a legal basis, which may be one of the following:
- the consent of the data subject,
- performance of a contract to which the data subject is a party, or taking steps at the request of the data subject prior to entering into a contract,
- compliance with a legal obligation to which the controller is subject,
- the protection of the vital interests of the data subject or another person,
- the performance of a task carried out in the public interest or in the exercise of official authority,
- the legitimate interests of the controller or a third party.
These grounds are self-contained, autonomous and independent, meaning that fulfilment of just one of them is sufficient for the processing to be considered lawful.
Obligations of the controller
The GDPR imposes a number of obligations on entities acting as data controllers, including:
- the duty to inform the data subject. The information the controller must provide is set out in Article 13 of the GDPR (Article 14 where the data were not obtained from the data subject). It must be provided at the time the data are collected, typically by presenting the text of a so-called information notice;
- handling requests from data subjects, including requests for erasure of data, objections to processing, requests for data portability, and the withdrawal of consent previously given;
- assessing whether a specific incident involving the processing of personal data constitutes a personal data breach;
- notifying the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, and, where the breach is likely to result in a high risk to their rights and freedoms, also informing the affected data subjects.
An infringement of the GDPR may result in an administrative fine being imposed on the controller or the processor. Both may also be held liable under civil law.
Civil liability
Each controller involved in processing is liable for damage caused by processing that infringes the GDPR. A processor, by contrast, is liable for such damage only if it has failed to comply with the obligations the GDPR addresses specifically to processors, or if it has acted outside or contrary to the controller's lawful instructions.
Without prejudice to any available administrative or non-judicial remedy, including the right to lodge a complaint with a supervisory authority, every data subject has the right to an effective judicial remedy if they consider that their rights under the GDPR have been infringed as a result of processing of their personal data in breach of the GDPR. Any person who has suffered material or non-material damage as a result of an infringement also has the right to receive compensation from the controller or processor for the damage suffered.
A controller or processor is exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
Administrative fines
If a controller or processor infringes the provisions of the GDPR, whether intentionally or negligently, it must be prepared to face a financial penalty. In Poland, the authority empowered to impose such penalties is the President of the Personal Data Protection Office (Prezes UODO).
Fines are imposed according to the circumstances of each individual case, in addition to or instead of other corrective measures, and must be effective, proportionate and dissuasive. When setting a fine, the nature, gravity and duration of the infringement are taken into account, having regard to the nature, scope or purpose of the processing concerned, the number of data subjects affected and the extent of the damage they suffered, among other factors.
The maximum fine depends on the provision infringed and on whether the infringer is an undertaking. Infringement by a controller or processor of, among other things, the obligation to maintain a record of processing activities, or of the requirement of data protection by design and by default, may result in a fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher.
A fine of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover of the preceding financial year may be imposed for, among other things, infringement of the basic principles for processing, including the conditions for consent, of the rules on transfers of personal data to a recipient in a third country or to an international organisation, and of data subjects' rights, such as the right to erasure (the "right to be forgotten"). Here too, the higher of the two amounts applies.