EU Data Protection Regulation (RODO).

RODO - What is it ?

The European Parliament and the Council of the European Union have adopted the GDPR General Data Protection Regulation (RODO). It regulates the protection of individuals in connection with the processing of their personal data, which changes the rules established by current legal acts governing the protection of personal data. The GDPR also changes the rules under the Polish GIODO Act. The rules of the regulation come into force on May 25, 2018.

What changes with the entry into force of RODO?

  1. The general principle of collecting personal data. "Privacy by design" means that any entity that processes individuals' data must take care of both its technical security (protection against destruction, unauthorized alteration or unauthorized access, but also proper authorized access) and the rights of the individual to properly manage their data.
  2. Personal data is treated as an asset of an individual, who has all the rights such as in the case of property rights, and its addition to any database is tantamount to entrusting it to an entity, and that entity bears full responsibility for it.
  3. The financial liability of a data processor increases to €20 million or 4% of the previous year's revenue.
  4. Since every entity is responsible for personal data, no notification is required.
  5.  Each new set of personal data or a currently existing one must be protected and handled in such a way that the data collected there is safe already at the stage of design and implementation of the given database , regardless of whether it was previously notified to GIODO.

What does the RODO mean in practice?

What do you need to do to avoid risking penalties resulting from RODO ?
  1. Identify what personal data we store in our enterprise, website, web portal, or forum.
  2. Verify that the company's obligations to the individuals providing their data as described in regulations and contracts are in compliance with the RODO.
  3. Verify that the individuals whose data we maintain in our collections have given informed consent to maintain their data, and if prior terms and conditions do not comply with the RODO, request renewed consent.
  4. Take care of the physical security of the datasets we maintain at both the application and network levels. so that unauthorized persons do not have access to the data stored there. We offer the necessary measures for this, such as exploit scanners or firewalls to our customers.
  5. Check whether the operator providing connectivity to the servers protects our connection against DDOS attacks, to ensure that users can access and manage their data.
  6. Implement systematic and periodic security monitoring based on a fixed but improved procedure over time.
  7. In the event of a data leak resulting in a high risk of violating the rights or freedoms of individuals, the controller will be required to inform the affected individuals of the threat as well, and in the case of a significant data leak, also through the media.

Whether services meet RODO requirements.

Our many years of experience as both a data center operator and a telecommunications operator have required us to meet the highest standards of data security from the very beginning. All the services we offer fully meet both the current GIODO requirements and the coming into force requirements of RODO. As an operator, we have applied the principle of "privacy by design" from the very beginning. In addition, our offer includes all the technical tools necessary for the proper implementation of RODO principles, such as:
  1. Periodic security surveillance systems.
  2. Business continuity monitoring systems.
  3. Firewall systems at the network and application level
  4. Systems for mitigating DDOS attacks.
  5. Systems for advanced traffic filtering.
  6. Data presentation systems based on "data locks".
  7. We provide physical security at the level of access, power supply, environmental conditions, fire protection.
  8. We provide authorized and cataloged physical access to devices maintaining personal databases.
  9. We provide threat reporting systems.
  10. We provide cryptographic transmission encryption systems.
  11. Remote security copy systems.
All of these are necessary for the proper technical implementation of the requirements of the new RODO regulation.

What personal data is sensitive data under the RODO?

Personal data within the meaning of the RODO (sensitive data) includes the following:

  1.  Basic data : Name, surname, address of residence, identification number (PESEL, NIP, numbers of other personal documents)
  2.  Data on race and religion
  3.  Data identifying the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person
  4.  Data on an individual's current or past geographic location.
  5.  Internet and electronic identifiers of the individual.
  6.  Political views
  7.  Trade union membership
  8.  Data on sexuality and sexual orientation.
  9.  Health data
  10.  Biometric data

RODO a ISO 27001

Is it necessary for an entity to have ISO 27001 certification to comply with RODO?
The answer is simple: neither formally nor technically does RODO obligate an entity to have any certification, including ISO 27001 or ISO 9001. Many companies engaged in such certification bind RODO to these certifications, which has no legal justification, nor is it any requirement. One can, of course, assume that a company that has the mechanisms required for ISO certification in place will easily comply with the requirements of RODO. However, it should be noted that there is little overlap between the requirements of ISO 27001 and those of RODO.

What personal data will cease to be sensitive once the RODO comes into effect?

Once the RODO rules come into effect, information about sensitive data (currently described in the DPA rules) will cease to be sensitive:

  1. Philosophical beliefs,
  2. Religious affiliation ,
  3. Party affiliation,
  4. Convictions,
  5. Judgments of punishment and criminal fines,
  6. Other decisions rendered in judicial or administrative proceedings
  7. Addictions

Will personal databases have to be reported to GIODO after the RODO rules come into force?

Once the RODO rules take effect, personal databases will not be subject to notification, but any personal database must meet the criteria set forth by the RODO regulation, and responsibility for its security rests with the database owner or, in part, the "database processor."

Is the function of the Personal Data Administrator necessary after the entry into force of RODO ?

The RODO does not require and does not define the concept of a Personal Data Controller. Instead, it introduces the mandatory function of Personal Data Inspector.

The duties of the Personal Data Inspector are significantly expanded compared to those of the Personal Data Controller. In particular, it is the Inspector's responsibility to report on incidents of data collection violations, and to resolve requests from people whose data is stored in the database.