Personal Data Protection Reform

Works on extensive personal data protection reform in the EU reflecting the technological development and new market challenges took several years. These works were completed in spring this year. On 4 May 2016, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR) was published in the Official Journal of the EU. The Regulation will be applied directly in all Member States, including Poland, beginning 25 May 2018.

GDPR provides for many new solutions designed to increase the protection of personal data, including additional obligations of data processors. Extension of the scope of application of the GDPR provisions to include also businesses operating outside the UE that offer goods or services to persons within the territory of the EU (e.g. via the Internet) is of crucial importance. The GDPR considerably strengthens the position of data subjects, among others it extends the scope of the obligation to provide information to data subjects, it introduces the right of the data subjects to transfer personal data, to limit processing of personal data, “the right to be forgotten”, moreover, it provides for specific regulations concerning profiling. Other new obligations include: (i) an obligation to take into account data protection when developing and designing projects (privacy by design), (ii) an obligation to introduce default data protection (privacy by default), (iii) an obligation to assess consequences of planned personal data processing operations, (iv) the obligation to maintain a record of processing activities, (v) an obligation to notify personal data breaches.

Due to the scope of changes introduced by the GDPR, the date of application thereof has been postponed until 25 May 2018. By that time, entities processing personal data should adapt their internal processes and procedures to the new requirements. This is particularly important considering strong sanctions introduced by the GDPR for violation of its provisions. Financial penalties administered by the supervision authority (in Poland – GIODO) can reach up to 4% of the company annual turnover generated in the preceding financial year.

Since the required changes in the scope of personal data protection organization in your company might prove extensive and time-consuming, we already now recommend conducting a personal data protection audit to identify areas requiring development and plan implementation thereof before 25 May 2018. We are ready to assist you with such audit (taking approximately 10 hours), which will result in preparation of a report describing the audit findings, as well as recommending specific actions to be taken in order to implement the required changes and timeframe for implementation.

Should you need more detailed information concerning the personal data protection reform, or if you are interested in carrying out a personal data protection audit, please contact legal adviser Agnieszka Kocon (e-mail: