Frequently asked questions about GDPR
Here you can find the most frequently asked questions about GDPR, the General Data Protection Regulation.
GDPR (General Data Protection Regulation) is an EU regulation that will apply in all European Union countries. In Poland, it will replace the currently applicable Act on the Protection of Personal Data. The regulation will apply to all entities that act as personal data administrators.
No, GDPR does not require you to collect consent to store data again. If it was collected properly before, the consent is still valid.
Actually, it’s just the opposite. GDPR requires that all information regarding the protection of personal data be in simple, understandable language.
The number of checkboxes used under the new regulations remains unchanged. Also, GDPR does not demand that consent to the processing of personal data take the form of a written message (statement, e-mail, etc.). It is possible to withdraw consent in any unambiguous form. There are multiple possible IT solutions available for conforming to the requirements of GDPR.
Profiling, understood as targeting personalized advertising to customers, will still be possible as an element of marketing products or services. Profiling for purposes of IT security will also be possible. GDPR requires reliable (transparent, comprehensible) user information about profiling. In addition, there will also have to be an opportunity to refuse consent to profiling.
No. GDPR requires that you provide simple and clear profiling information written in a language that is understandable to users who are not IT specialists. You do not have to get overly technical and complicated, something which is in fact specifically not allowed. A simple explanation is enough to describe what data is collected and specifically for what purposes (displaying advertisements, sending personalized e-mailings, etc.).
GDPR does not change existing policies regarding the use of cookies if you use them to identify users. Currently, a draft of one more EU regulation is being created, the so-called e-Privacy regulation, which provides for even simpler policies related to cookies compared to the current situation. Information about cookies will have to be provided each time the browser is installed, not every time a new web page is displayed.
If you use cookies in combination with other solutions that allow you to identify a specific user and assign particular features, such operations will be treated in the same way as any other processing of personal data.
GDPR is not intended to block the exchange of data between the EU and the USA.
As an EU entity, you will be able to send personal data to US counterparts (use US applications) if at least one of the following conditions is met:
a) the American entity is registered on the Privacy Shield list
b) transferring data to the USA is necessary for executing a contract between parties
c) the person that the data belongs to has been informed of the risk and consents to their data being transferred (this does not have to be in the form of written consent, it’s enough that it is clear)
The right to be forgotten will not be absolute. The point is to stop processing the data of a given person and, more than anything else, to remove publicly available information about such processing. The right to be forgotten cannot interfere with the security of other personal data. Therefore, there will be no need to intervene in back-ups if the demands would require excessive effort or result in considerable costs.
Provisions are made for fines of up to EUR 20,000,000 and, for businesses, up to 4% of their total annual global turnover from the previous financial year, with the higher amount being applied. These are the maximum amounts the regulations provide. The amount of the penalty will be proportional to the scale of the violation.
GDPR will introduce significantly expanded documentation obligations. When collecting data, the administrator of the data will have to provide:
a) contact information
b) the purpose of storing the data (this purpose cannot be changed later without informing the owners of the data)
c) the legal basis of the storage of the data
d) the intention of transferring data to another entity, if such an intention exists
e) the time period for which the data will be stored
f) information about the right to:
- view the data
- change the data or delete it from the database
- retract consent for data storage, which must be simple and clear
g) information about the right to transfer the data
h) information about the right to file complaints with the relevant authorities