The topic of GDPR turns up like a bad penny every time media report record-high penalties imposed on companies that fail to comply with personal data protection regulations. High financial penalties are not the only reason to make sure that the data of your clients and business partners is properly secured. Their trust is at stake, as well.
GDPR: penalties running into millions imposed on large companies
Recently, there has been a lot of media coverage of the President of the Polish Personal Data Protection Office imposing a PLN 1.9M penalty on Virgin Mobile. This is a warning for everyone that processes personal data incorrectly. Przemysław Juściński, a lawyer at our Law Firm, described this case here: GDPR: Virgin Mobile fined PLN 1.9M for failure to implement proper data protection.
Another example (a penalty in excess of PLN 2.8M) is the sanction imposed on Morele.net. Again, the reason was insufficient data protection. The company filed an appeal, but to no avail. This case was described by Michał Czuryło, attorney-at-law, in this article: Record-high penalty for GDPR violations sustained.
What, then, should be done to protect your organization against such violations? First of all, it’s always good to learn from the errors of others. Virgin Mobile was fined because it had failed to implement comprehensive and regular testing and evaluation of the technical and organizational measures the company used. The absence of such supervision resulted in an unauthorized person obtaining access to one of the client databases. A personal data leak is not only a major violation of legal regulations, but also something that undermines the trust of the persons whose data you store.
Cyberthreats and personal data protection
Legal regulations are one aspect. The GDPR has to be complied with not only in order to avoid high penalties, but also in order to stay protected against cybercriminals. Hackers take advantage of low vigilance and inadequate personal data protection tools, and this allows them to harvest confidential information.
Failure to check systems for potential loopholes, and the inability to quickly discover and eliminate threats, resulted in a data loss at ID Finance Poland. The President of the Polish Personal Data Protection Office concluded that the company had failed to implement the relevant technical and organizational measures. For this violation of the principle of data confidentiality, a penalty of more than PLN 1M was imposed on the company.
When every item of information is a commodity that provides its owner with certain benefits, you have to be particularly careful. This is why it is so important to analyze risks, as this allows you to select the technical and organizational measures that will ensure the required level of data protection. Identity theft and loss of confidential information or bank account access data are becoming more and more frequent problems for users.
These threats concern us all, since the chance that the organization you work for will be a victim of a GDPR violation is 65%. If the security measures are insufficient, a major data leak could occur. Notably, data controllers are obliged to carry out risk analyses in accordance with the GDPR.
GDPR: the main rules
In addition to the obligation to inform data subjects that their data is processed, the purpose for which this processing occurs has to be stated as well. What is more, only the necessary amount of information may be collected. If additional data is not necessary to carry out the given process, collecting this data is illegal. The data controller is obliged to delete data once the purpose of processing has been achieved. He also has to implement the relevant tools ensuring that data is safely stored while managed by the controller.
Importantly, every case of data processing has to be based on one of the legal bases specified in the GDPR. Choosing the appropriate legal basis for processing is of crucial importance for the data controller, as it determines his further rights and obligations, as well as the rights of data subjects. One example here is consent. If it is withdrawn, the data controller is obliged to delete the data. Additionally, consent to personal data processing should be granted before you commence the processing of someone’s data. The consent also has to meet a number of GDPR requirements to be valid and effective, and the person who expressed consent has the right to withdraw it at any time.
GDPR compliance under control
The President of the Polish Data Protection Office has imposed a penalty in excess of PLN 200K for hindering the exercise of the right to withdraw consent. Additionally, you need to remember that consent to personal data processing should be expressed before processing commences. Furthermore, the consent has to meet a number of GDPR requirements to be valid and effective.
Under the GDPR, the data controller is obliged to provide the relevant information to data subjects. A person whose data is processed has the right to know the identity of the entities to which he or she provided his or her data, as well as to be informed about the processing of this data. This also applies if the company acquires filing systems from external sources. A company had to pay a penalty of almost PLN 1M for failure to comply with the obligation to inform the persons whose data it acquired from another company. More on this case is available in this article: GDPR: a penalty of nearly PLN 1M for non-compliance.
What is more, compliance with the GDPR is verified by the employees of the Polish Personal Data Protection Office. Additionally, there is the concept of “self-supervision”: data controllers are obliged to report most personal data breaches to the supervisory authority. The report has to be filed within a maximum of 72 hours of discovering the breach. Failure to do so may entail a financial penalty. This is what happened, e.g., to Towarzystwo Ubezpieczeń i Reasekuracji WARTA S.A., which was fined PLN 85,588.
Liability for incorrect data handling
Currently, a declaration that a company complies with the GDPR is insufficient. Systematic, day-to-day actions are also necessary, and the data controller will be held accountable in this respect.
If the data controller and the processor fail to comply with their obligations, they are subject to an administrative penalty. The amount of this penalty is up to EUR 10M or up to 2% of the company’s total annual turnover in the previous financial year.
Higher penalties are usually imposed on data controllers in the case of a violation of the fundamental principles of processing, of the requirements for transferring data to a recipient in a third country, or in the event of failure to comply with an order, a temporary or definitive limitation on processing, or the suspension of data flows imposed by the supervisory authority. The penalty may be as high as EUR 20M or up to 4% of the company’s total annual turnover in the previous financial year.
Examples of the most frequent non-compliances are discussed here: Most frequent violations of the GDPR.
An aggrieved person also has the right to file a lawsuit against the personal data controller in accordance with the Polish Civil Code and the Polish Code of Civil Procedure.
Would you like to know how to efficiently protect your company and its good name? How to avoid GDPR violations and make sure that data is not captured by unauthorized persons? Contact our lawyers who specialize in GDPR issues.