For the record, let us remind you that since May 25, 2018, the GDPR has set the rules for the processing, use and storage of personal data. Along with that regulation came new obligations for businesses, and sanctions for failing to meet them. Let's start with the latter.
GDPR and financial penalties
First, a hard blow. Under Article 83 of the GDPR, an entity that intentionally or negligently breaches the regulation faces an administrative fine in one of two tiers: up to EUR 10 million or, for an undertaking, up to 2% of its total worldwide annual turnover of the preceding financial year, whichever is higher, for infringements such as failing to secure processing; and up to EUR 20 million or up to 4% of that turnover, whichever is higher, for infringements of the basic principles of processing, the rights of data subjects or international transfer rules.
Member states may set their own ceilings for public bodies, and Polish law does so. Under the Polish Personal Data Protection Act of 2018, public finance sector entities, research institutes and the National Bank of Poland can be fined up to PLN 100,000, while state and local government cultural institutions face a maximum of PLN 10,000.
These amounts are not set arbitrarily. When deciding whether to impose a fine and how high it should be, the supervisory authority considers factors such as the nature, gravity and duration of the infringement, the scope and purpose of the processing, the number of people affected and the seriousness of the damage they have suffered, and whether the breach was intentional or negligent.
Mitigating factors include cooperation with the supervisory authority, a genuine effort to remedy the infringement and limit its effects, and the way in which the authority became aware of it (for example, whether the controller reported the breach itself).
GDPR and monitoring at work
The European Data Protection Board addressed the use of video surveillance under the GDPR in its guidelines on processing personal data through video devices, adopted on July 10, 2019. The guidelines stress that the technology used must not intrude on people's privacy more than the purpose requires; for example, they describe masking or blurring areas of the picture that are irrelevant to the surveillance. In Poland, the Labour Code additionally requires an employer introducing monitoring to explain its purpose, scope and method to employees. Everyone working in the company must know about the monitoring, and the monitored area must be marked with clearly visible signs or notices.
Installing monitoring must be justified by the need to ensure "the safety of employees or the protection of property or production control or the confidentiality of information, the disclosure of which could expose the employer to damage" (Art. 22² of the Labour Code, KP). Premises made available to the company trade union organization may not be monitored at all. Sanitary rooms, cloakrooms, canteens and smoking rooms may not be monitored either, unless doing so is necessary for one of the purposes above and does not violate the dignity and other personal rights of the employee, in particular through techniques that prevent the people in those rooms from being identified; monitoring of sanitary rooms additionally requires the prior consent of the company trade union organization.
Recordings may be stored for no longer than 3 months from the date of recording and may be processed only for the purposes for which they were made. The one exception is a recording that constitutes, or may constitute, evidence in legal proceedings: it may then be kept until those proceedings are finally concluded.
GDPR and the company phone
Employees using company smartphones constantly receive text messages and e-mails containing the personal data of contractors, customers and co-workers. Devices rarely stay in the office after working hours; they are usually taken home. Meanwhile, a phone, like any portable item, can be lost or stolen. What follows from the GDPR? The employer should define the extent to which the device may be used, prohibit using company equipment for non-work purposes and installing non-work applications, and require that employees do not make company mobile devices available to third parties.
The company is responsible for carrying out a risk analysis and implementing security measures adequate to its results, as required by Article 32 of the GDPR, such as anti-virus software, device encryption and screen locks. In practice it is also worth being able to remotely lock or wipe a lost device, and a lost or stolen phone holding unencrypted personal data should be treated as a potential personal data breach.
GDPR and the company's e-mail
When using a company e-mail box, the employee must remember that the employer may have access to company correspondence. Such monitoring is not left to the boss's discretion, but there are circumstances in which it is fully permitted.
Since May 2018, Article 22³ of the Labour Code has regulated the monitoring of company e-mail. Under the rule introduced two years ago, the employer may monitor an employee's e-mail box only when it is necessary to ensure the organization of work allowing full use of working time and the proper use of the work tools made available to the employee. The employer must not breach the confidentiality of the employee's correspondence or the employee's other personal rights.
Under the law, the purposes, scope and method of monitoring must be set out in the collective agreement, the work regulations or, where neither exists, a notice from the employer, and employees must be informed of its introduction at least two weeks before it starts. Moreover, each new employee must be informed of the monitoring in writing before being allowed to work.
An employer that monitors e-mail automatically becomes the controller of personal data not only of the employee, but also of the people and companies with whom the employee corresponds.
Therefore, it is important not to store the collected data for longer than is necessary to achieve the purpose of the monitoring.
GDPR and database retrieval
There are several ways for companies to obtain data:
– Data obtained directly, from contact forms on websites or questionnaires filled in by participants of competitions, events or webinars. Where the processing is based on consent, it may continue until the participant withdraws that consent, which they may do at any time; withdrawal does not make the earlier processing unlawful, but it must be as easy as giving consent was.
– Data acquired by the company from other entities. In this case, the new owner of the database must fulfil the information obligation of Article 14 of the GDPR (information to be provided where personal data have not been obtained from the data subject). An entrepreneur who comes into possession of such data is responsible for its proper use. Therefore, before making a transaction, it is worth verifying the purchased database carefully for any irregularities (in the case of a "mistake", there is no possibility of blaming the former owner of the database).
– A licence to use information obtained from the controller. In this case, unlike a purchase, the entrepreneur does not become the controller but a processor within the meaning of Article 28 of the GDPR. Such a licence is granted for a limited period, with a strict indication of the purpose for which the data may be used, and should be backed by a written data processing agreement.
There are also publicly available databases (entries in the National Court Register, CEIDG, the Land and Mortgage Register, companies' own websites). It is worth being particularly careful when using data obtained this way: the fact that data is public does not exempt it from the GDPR, so the company still needs a legal basis for processing it (usually a legitimate interest) and still owes the data subjects the Article 14 information.
This is not the last article about the GDPR on the DaVinci Studio blog. We are aware that, despite two years of the regulation being in force, it remains a hot topic, so in the following articles we will look at further issues related to data processing.