What documentation must every company have from 25/05/2018 (RODO)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
From 25/05/2018, every entity that is the administrator of personal data must independently assess the risks associated with the personal data it processes and decide what measures should be taken in this scope. The ordinance of the Minister of Internal Affairs and Administration of 29/04/2004 regarding the documentation of personal data processing and the technical and organizational conditions that should be met by devices and IT systems used to process personal data, on the basis of which companies were obliged to create a security policy and IT system management instructions, is repealed. For many companies these documents were the basis for determining their obligations in the field of personal data. The RODO introduces a significant change in this matter: it does not specify which documents we have to possess (with small exceptions) or what their content is to be. This means that each entity must decide for itself which documents it will prepare and what their content will be. However, such an entity must keep in mind that the RODO requires the content of these documents to result from the assessment of the risks related to the processing of personal data carried out by that entity.
The above does not mean that from 25/05/2018 a security policy, instructions for managing the IT system used to process personal data, or records of persons authorized to process data can no longer be used. However, in order for these documents to continue to be used, they will require verification and the introduction of relevant changes so that they meet the requirements of the RODO, i.e. so that they provide protection of personal data that is proper and adequate to the risk analysis. Of course, it will also be necessary to analyze the processing of personal data in your company and to inventory the above-mentioned data. It should be remembered that after the entry into force of the RODO, a given organization will not meet the statutory requirements if it uses documents that are unsuitable for its individual characteristics and do not respond to the risks related to the processing of personal data by that organization.
In addition, new documents will have to be prepared that were so far not required by law, including the register of personal data processing activities (Article 30 of the RODO). This register should be ready as of 25/05/2018. It should be remembered that the data registers required until 25/05/2018 on the basis of the act of 29 August 1997 on Personal Data Protection will not automatically become the registers of personal data processing activities referred to in the RODO. It has already been emphasized that the register of personal data processing activities should be a document of wider scope, for the reason that it should cover all personal data processing processes that occur at a given personal data administrator.
Thus, even before 25/05/2018, each company should at least:
- Analyze the scope of the company's operations in terms of the processing of personal data in order to determine the final structure of the documentation that will have to be prepared by 25/05/2018. In this respect, cooperation between lawyers, the IT department and all persons supervising the processing of personal data, in particular the HR department, will be necessary.
- Carry out an analysis of the documentation already held by the company regarding personal data and its protection.
- Prepare changes to the existing documents identified in the second point, based on the assessment of the risks associated with the processing of personal data.
- Prepare the new, missing documents.
We would like to point out that the RODO provides for severe penalties for entities that do not comply with this regulation. Penalties can reach up to 20,000,000 EUR or 4% of the global annual turnover of an entrepreneur in the fiscal year preceding the infringement.