From the chronicler’s responsibility, let us remind you that as of May 25, 2018, the GDPR determines the rules concerning the processing, use and storage of personal data. Along with that regulations, new requirements and sanctions have been imposed on entrepreneurs in case of non-compliance with the regulation. Let’s start with the latter.
GDPR and financial penalties
First, a strong blow. A private sector entity that intentionally or negligently fails to comply with the provisions of the GDPR must face a penalty of up to 2% or up to 4% of its turnover.
In the public sector, it is EUR 10 million or EUR 20 million. The Polish law reduces this amount to PLN 100,000 – this is how much a public finance sector entity, the National Bank of Poland or a research institute, and the National Bank of Poland will pay. According to Polish regulations, the fine of PLN 10,000 PLN threatens state and local government cultural institutions.
However, these fines do not come from nowhere. The entity imposing these severe sanctions pays attention to elements such as the nature and duration of the violation, the scope of data processing, the number of affected people, and the seriousness of the damage they have sustained.
A mitigating factor may be the cooperation with the relevant authority, the sincere attempt to remedy the violation and its effects, and the way in which the supervisory authority has become aware of the violation.
GDPR and monitoring at work
The European Data Protection Board addressed the problem of the use of monitoring in the context of the functioning of the GDPR. The record on July 10, 2019 informs that the technologies used for this purpose must not violate the privacy of people. For example, there are outlined solutions that allow for disguising and mixing areas which are irrelevant to the surveillance. The regulation also states that an employer introducing monitoring must explain its purpose to employees. Each of the people working in the company should know about the monitoring – the information should be visible by hanging it on the boards in visible places.
The installation of monitoring must be justified, and thus ensure “the safety of employees or the protection of property or production control or the confidentiality of information, the disclosure of which could expose the employer to damage” (KP, Art. 222). Under no circumstances can the monitoring cover areas such as: cloakroom, smoking room, canteen or sanitary rooms. Rooms belonging to the company trade union organization (unless it is security related) cannot be displayed on the “preview”.
The recorded image may not be stored for more than 3 months from recording, and its processing must only concern the purposes for which it was recorded.
the GDPR and the company phone
Employees using company smartphones continuously receive SMS messages and e-mails containing personal data of contractors, customers and co-workers. It is rare for devices to stay in the office after working hours – they are usually taken home. Meanwhile, the phone, like any mobile item, can be lost or stolen. What does the GDPR say? The employer should determine the extent to which the device can be used, prohibit the use of the company’s equipment for non-professional purposes and install non-work related applications. The employee should also not make the company’s mobile devices available to third parties.
The company is responsible for risk analysis and implementation of adequate security measures, such as anti-virus software or encryption, in line with its results.
the GDPR and the company’s e-mail
When using the company’s e-mail box, the employee must remember that the employer may have access to company correspondence. Even if such monitoring is not only dependent on the boss’s vision, there are circumstances when he is fully allowed.
Since May 2018, Article 22 3 of the Labor Code has been in place to regulate the monitoring of company e-mails. According to the rule introduced two years ago, the employer may control an employee’s e-mail box only when it is absolutely necessary to ensure proper use of it and to maintain proper use of the work tools provided to the employee. The employer must remember not to breach the confidentiality of the employee’s correspondence.
According to the law, the scope and objectives of introducing monitoring should be strictly defined in the work regulations, collective agreement or in an appropriate notice. Moreover, the employee must be informed in writing about such monitoring before he is even allowed to work.
The employer monitoring the e-mail automatically becomes the administrator of personal data not only of the employee, but also of persons or companies with whom the employee corresponds.
Therefore, it is important not to store data longer than necessary to achieve the purpose of monitoring.
GDPR and database retrieval
There are several ways for companies to obtain data:
– Data obtained directly from contact forms placed on websites or questionnaires filled in by participants of competitions, events or webinars. Processing of such information may continue until the participant withdraws their consent (please note that they may do so at any time).
– Data acquired by the company from other entities. In this case, the new owner of the database is obliged to carry out the record from article 14 in GDPR (Information provided in the case of obtaining personal data in a way other than from the person to whom the data refers). An entrepreneur who comes into possession of such data is responsible for the proper use of it. Therefore, before making a transaction, it is worthwhile to carefully verify the purchased database for any irregularities (in the case of a “mistake” there is no possibility to blame the former owner of the database).
– The license to use the information obtained from the administrator. In this case – contrary to the purchase – the entrepreneur does not become an administrator, but a processor (the so-called processor). Such a license is granted for a limited period of time with a strict indication of the purpose for which the data will be used.
There are also databases available to the public (entries in the National Court Register, CEIDG, Land and Mortgage Register, on companies’ websites). It is worthwhile to be particularly careful when using the data obtained in this way.
This is not the last article about GDPR on the DaVinci Studio blog. We are aware that despite two years of the regulation’s functioning, it is still a hot topic. Therefore, in the following articles we are going to look at further issues related to data processing.
PROGRAMMED INNOVATIONS TO DEVELOP YOUR BUSINESS
Latest posts
- Patient at the Center – The Role of Vinci Medicine in Modern Healthcare
- Strapi Headless CMS – A Modern Platform for Your Business Development
- MedTech: Innovative Digital Health Technologies Serving the Medical Industry
- Validate Your Product’s Potential with Analytical Workshops
- Your Technological Partner for R&D Growth
Your message has been sent. Thank you!
A quick guide to business automation
Interested in an offer?
See also
Latest posts
Patient at the Center – The Role of Vinci Medicine in Modern Healthcare
Vinci Medicine – How does the preliminary medical diagnosis tool work? Faster healthcare for patients. Access to high-quality healthcare is currently a challenge, especially in the context of restrictions caused by the COVID-19 pandemic. In light of these experiences, Da Vinci Studio proposes Vinci Medicine – a modern tool based on systems supporting diagnosis and […]
Strapi Headless CMS – A Modern Platform for Your Business Development
What exactly is Strapi and why is it such a popular Headless CMS? Strapi Headless CMS is a modern content management system that has gained popularity due to its flexibility and modularity. This technology allows for the management of digital content without a direct connection to a specific website or mobile application, which is essential […]
MedTech: Innovative Digital Health Technologies Serving the Medical Industry
In today’s rapidly evolving world of technology, the healthcare sector is undergoing transformations thanks to innovations known as MedTech. What exactly is MedTech, and how does it affect the quality of patient care? In this article, we will look at the latest trends shaping the future of the medical industry and discuss how startups can […]
Validate Your Product’s Potential with Analytical Workshops
Analytical Workshops – The Key to Your Startup’s Success Entrepreneurship is a series of challenges, especially in the dynamic world of startups, where a business idea must quickly transform into a functional product. Analytical workshops are a tool that allows understanding and leveraging the potential of technology to create solutions that meet specific market needs. […]
Your Technological Partner for R&D Growth
The Role of a Technological Partner in R&D Activities The modern economy is based on innovation and continuous development. Research and Development (R&D) activities become a key element of the strategies of companies aiming to strengthen their market position. A technological partner in the R&D process is no longer just a service provider, but […]
Creating MVP for Startups: How to Leverage the Potential of Your Business Idea and Development of Your Product in a Startup
What is an MVP and why is it crucial for your startup? MVP, or Minimum Viable Product, is the basic version of a product that contains only the necessary features that allow it to be tested by users. The concept of MVP is closely related to the Lean Startup methodology, which assumes rapid verification of […]
Finding the Ideal Technology Partner for Your Startup MVP Development
In today’s rapidly changing technology landscape, every startup aspires to make its mark with an innovative product that brings about a revolution. An MVP, or Minimum Viable Product, is a critical step in validating a business idea and catching the attention of investors. However, to achieve this, finding the right technology partner is essential. In […]
Create and Validate Startup Apps Faster with Low-Code Platforms
Code-Free Apps: An Introduction to Low-Code and No-Code Technologies In today’s rapidly evolving business world, startups need to deploy innovations faster than ever before. Low-code and no-code technologies enable the development of apps without deep programming knowledge, opening new possibilities for entrepreneurs. These platforms allow users to program and create advanced applications using visual editors […]
Low-code solutions versus dedicated web applications
Low-code solutions versus dedicated IT solutions is a topic gaining importance in today’s rapidly changing technology world. Both methods have their advantages and disadvantages, and the choice between them depends on many factors, such as the specifics of the project, available resources, as well as time and budget requirements. Low-Code Solutions: Advantages: Speed and flexibility […]