Frequently asked questions about GDPR
Here you can find the most frequently asked questions about GDPR, the General Data Protection Regulation.
What is GDPR?
GDPR (General Data Protection Regulation) is an EU regulation that applies directly in all European Union member states from 25 May 2018. In Poland it replaces the Act on the Protection of Personal Data that was in force until then. The regulation applies to every entity that acts as a controller of personal data (in Polish law, the "administrator"), and it also places direct obligations on processors that handle data on a controller's behalf.
Will I have to obtain all consents again?
Not necessarily. GDPR does not require you to re-collect consent simply because the regulation came into force. Consent obtained earlier remains valid provided it already met the GDPR standard: freely given, specific, informed and unambiguous, given by a clear affirmative action, and documented so that you can demonstrate it. Consent gathered through pre-ticked boxes, bundled into general terms and conditions, or given for vaguely described purposes does not meet that standard and has to be obtained again.
Do I have to include complicated legal language in my communications?
Actually, it's just the opposite. GDPR requires that all information about the processing of personal data be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
Do I have to use a lot of checkboxes?
No more than before; GDPR does not prescribe a number of checkboxes. What it does require is that consent be given by a clear affirmative action, so pre-ticked boxes or mere inactivity do not count, and that consent for distinct purposes be requested separately rather than bundled together. GDPR also does not demand that consent take the form of a written statement (a letter, an e-mail, etc.); any unambiguous indication of the person's wishes is sufficient. Withdrawing consent must be as easy as giving it, and the person must be told of that right before consenting. Many IT solutions (consent-management tools, preference centres) exist for meeting these requirements; what matters is that you can demonstrate who consented to what, when, and how.
Will profiling without consent be forbidden?
Profiling, understood here as targeting personalised advertising at customers, remains possible as part of marketing products or services; it can rest on consent or, in many cases, on the controller's legitimate interest. Profiling for IT security purposes (for example, detecting fraud or abuse) is also possible and is expressly recognised as a legitimate interest. GDPR requires transparent, comprehensible information about the profiling. Where profiling is used for direct marketing, the person has an absolute right to object, and the profiling must stop once they do. Decisions based solely on automated processing that produce legal or similarly significant effects are subject to stricter rules: they need explicit consent, contractual necessity or a legal basis, and the person must be able to obtain human intervention and contest the decision.
Will I have to make the profiling algorithms that I use accessible?
No. GDPR does not require you to publish your source code or the algorithm itself. It does require that you tell users, in plain language understandable to non-specialists, that profiling takes place, what data it uses and for what purposes (displaying advertisements, sending personalised e-mailings, etc.). Where profiling leads to decisions based solely on automated processing with legal or similarly significant effects, you must additionally provide meaningful information about the logic involved and about the significance and envisaged consequences for the person. Overly technical language is not a substitute for that explanation: the information must be concise, transparent and intelligible.
Is consent for cookies required?
Will GDPR block my ability to use American-based applications, even with user consent?
GDPR is not intended to block the exchange of data between the EU and the USA, but a transfer to a country outside the EEA needs a legal basis of its own.
As an EU entity you may send personal data to US counterparts (for example, by using US-hosted applications) if at least one of the following conditions is met:
a) the American entity is registered on the Privacy Shield list (note: Privacy Shield was invalidated by the Court of Justice of the EU in July 2020 in the Schrems II judgment; its successor is the EU-US Data Privacy Framework adopted in 2023, so check the recipient's current certification status rather than relying on an old listing)
b) you have put in place appropriate safeguards, most commonly the European Commission's Standard Contractual Clauses, and have assessed that the recipient can actually honour them
c) transferring the data to the USA is necessary for performing a contract between you and the person concerned, or a contract concluded in that person's interest
d) the person the data concerns has been informed of the possible risks of the transfer and has given explicit consent (this does not have to be in writing, but it must be an unambiguous, specific statement; consent inferred from conduct is not enough here)
Is the right to be forgotten associated with the need to delete data from backups?
The right to be forgotten (right to erasure) is not absolute: it does not apply where the data must be retained to meet a legal obligation, to establish or defend legal claims, or for the other exceptions the regulation lists. Its aim is to stop processing the data of a given person and, where the data were made public, to inform other controllers so that links to and copies of the data are removed as well. Erasure must not compromise the security of other people's data or the integrity of the systems that hold it. In practice this means: delete the data from live systems promptly, do not attempt to edit offline or immutable backup media, make sure a restore from backup cannot silently resurrect erased records (re-apply the erasure after any restore), and let backup copies expire under a documented retention period. Tell the person that this is how the request is handled; what is not acceptable is using backups as a reason not to erase at all.
What are the consequences of failing to meet the standards required by GDPR?
Provisions are made for two tiers of administrative fines. The higher tier, for breaches of the basic processing principles, data subjects' rights and the transfer rules, is up to EUR 20,000,000 or, for an undertaking, up to 4% of its total worldwide annual turnover from the preceding financial year, whichever is higher. The lower tier, for breaches of obligations such as record-keeping, security measures and breach notification, is up to EUR 10,000,000 or 2% of turnover. These are maximums. The actual penalty must be effective, proportionate and dissuasive, taking into account the nature, gravity and duration of the violation, whether it was intentional or negligent, the measures taken to mitigate the damage, and cooperation with the supervisory authority.
What changes will take place due to the expanded obligations regarding personal data?
GDPR significantly expands the documentation and information obligations. When collecting data directly from a person, the controller has to provide, at the time of collection:
a) its identity and contact details (and those of its data protection officer, if one has been appointed)
b) the purposes of the processing (the data may not later be used for an incompatible purpose without informing the persons concerned and, where consent is the legal basis, obtaining fresh consent)
c) the legal basis of the processing and, where that basis is legitimate interest, what those interests are
d) the recipients or categories of recipients, and any intention to transfer the data to a country outside the EEA, together with the safeguards relied on
e) the period for which the data will be stored or, if that cannot be stated, the criteria used to determine it
f) information about the right to:
- access the data
- have it rectified, erased or its processing restricted
- object to the processing
- withdraw consent at any time, where consent is the basis, in a way that is as easy as giving it
g) information about the right to data portability
h) information about the right to lodge a complaint with a supervisory authority