STEP 1
Performing an audit of personal data processing (identification of procedures of personal data processing).
STEP 2
Risk assessment and assessment of the impact of planned processing operations on the protection of personal data (in some cases).
Indeed, pursuant to Article 35(1) of the GDPR, where a given type of processing – in particular with the use of new technologies – due to its nature, scope, context and purposes is likely to cause a high risk of infringement of the rights or freedoms of natural persons, the controller shall, before beginning the processing, assess the effects of the intended processing operations on the protection of personal data. A single assessment may be carried out for similar processing operations involving similarly high risks. Therefore, as can be seen from the above, the controller of personal data is obliged to assess the impact of the planned processing operations on the protection of personal data if, as a result of the risk assessment, its level has been defined as high.
It should be pointed out that such an assessment, in the light of Article 35(7) of the GDPR, must include at least:
a) a systematic description of the intended processing operations and purposes of the processing, including, where applicable, the legitimate interests pursued by the controller;
b) an assessment of whether processing operations are necessary and proportionate to the objectives;
c) an assessment of the risk of infringement of the rights or freedoms of data subjects;
d) the measures planned to address the risks, including safeguards and security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR, taking into account the rights and legitimate interests of data subjects and other persons concerned.
However, where necessary, in particular where the risks arising from processing operations change, the controller of personal data should carry out a review to verify that the processing is carried out in accordance with the data protection impact assessment.
In accordance with the guidelines of the Article 29 Working Party on data protection impact assessment and helping to determine whether processing “may cause high risks” for the purposes of the GDPR (hereinafter: “WP 29”), a data protection impact assessment is a process to describe the processing and to assess its necessity and proportionality, and to help manage the risks to individuals’ rights and freedoms arising from the processing of personal data by assessing the risks and identifying measures to address these risks. Data protection impact assessments are an important accountability tool as they make it easier for controllers not only to comply with the requirements set out in the GDPR, but also to demonstrate that appropriate measures have been taken to ensure compliance with the provisions of the GDPR (...). In other words, data protection impact assessment is a process of building and demonstrating compliance[2].
Importantly, the GDPR sets out examples of situations in which it is mandatory to assess the impact of planned processing operations on the protection of personal data. Thus, in accordance with Article 35(3) of the GDPR, a data protection impact assessment is required in particular in the case of:
a) a systematic, comprehensive assessment of personal factors relating to natural persons, which is based on automated processing, including profiling, and is the basis for decisions having legal effects toward a natural person or similarly significantly affecting a natural person;
b) the large-scale processing of special categories of personal data as referred to in Article 9(1) or of personal data relating to convictions and criminal offences as referred to in Article 10;
c) systematic large-scale monitoring of publicly accessible places.
Moreover, a draft list of types of processing for which a data protection impact assessment is required[3] was also published by the GIODO. For the purposes of this report, the following items from this list deserve attention:
Types/criteria for processing operations for which an assessment is required | Examples of operations / data range / conditions in which a high risk of infringement may occur for a given type of processing operation | Potential areas of occurrence/ existing areas of application |
---|---|---|
Systematic large-scale monitoring of publicly accessible places using elements of recognition of features or properties of objects that will be included in the monitored space. This group of systems does not include video surveillance systems, in which the image is recorded and used only in the case of the need to analyze incidents of violation of law. | Systems for monitoring working time and information flow in the tools used by employees (e.g. e-mail, Internet). | Workplaces (monitoring of IT systems). Unawareness of employees that their use of e-mail, applications, access cards is monitored. |
Processing of special categories of personal data and data concerning convictions and infringements of the law (sensitive data according to the guidelines of WP 29). | Processing of biometric data of customers or employees to identify or verify a person in access control systems, e.g. entry to specific areas, premises. | Working time control systems. Entry control systems for specific rooms. Entrance control systems for fitness clubs, hotels, etc. |
STEP 3
Preparation and maintenance of a register of personal data processing activities.
STEP 4
Security of documentation containing personal data
In practice, in some cases, it will be sufficient to keep all documentation containing personal data in appropriately secured premises to which only authorised persons will have access. We recommend locking these rooms with a key. If the aforementioned personal data are processed electronically, e.g. on computer disks, access to them must be password-protected. This also applies to computer files containing personal data, such as a table in Microsoft Excel containing personal data of customers or contractors, which must also be password-protected. If the implementing body uses other IT systems to store personal data, such as tablets, access to the personal data contained therein should be secured with a login and password, PIN number or unlock pattern. It is important that the implementing body is technically able to verify who logged into the system and when, so that, if necessary, it is possible to determine who accessed or modified the personal data and when.
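A minimal illustration of the last requirement in this step (being able to establish who accessed or modified personal data, and when): this is an added example written for this page, not code from the original report or from any product it mentions; the login names and record identifier are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    when: datetime
    user: str       # login that performed (or attempted) the operation
    record_id: str  # which personal data record was touched
    action: str     # "read", "modify" or "denied"


class AuditedRecordStore:
    """Personal data records plus an append-only access log (illustration only)."""

    def __init__(self, authorised: Set[str],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._records: Dict[str, Dict[str, str]] = {}
        self._log: List[AccessEvent] = []
        self._authorised = set(authorised)  # persons holding a written authorisation
        self._clock = clock

    def _record_event(self, user: str, record_id: str, action: str) -> None:
        self._log.append(AccessEvent(self._clock(), user, record_id, action))

    def _require_authorised(self, user: str, record_id: str) -> None:
        if user not in self._authorised:
            self._record_event(user, record_id, "denied")  # refused attempts are evidence too
            raise PermissionError(f"{user} is not authorised to process personal data")

    def read(self, user: str, record_id: str) -> Dict[str, str]:
        self._require_authorised(user, record_id)
        self._record_event(user, record_id, "read")
        return dict(self._records.get(record_id, {}))  # copy, so callers cannot bypass modify()

    def modify(self, user: str, record_id: str, **changes: str) -> None:
        self._require_authorised(user, record_id)
        self._records.setdefault(record_id, {}).update(changes)
        self._record_event(user, record_id, "modify")

    def who_accessed(self, record_id: str) -> List[Tuple[str, str, datetime]]:
        """Answer the accountability question: who touched this record, how, and when."""
        return [(e.user, e.action, e.when) for e in self._log if e.record_id == record_id]


def demo() -> List[Tuple[str, str, datetime]]:
    """Constructed sample: two authorised employees and one login without authorisation."""
    store = AuditedRecordStore(authorised={"j.kowalski", "a.nowak"})
    store.modify("j.kowalski", "customer-001", name="Jan Nowak", email="jan@example.com")
    store.read("a.nowak", "customer-001")
    try:
        store.read("intruder", "customer-001")
    except PermissionError:
        pass
    return store.who_accessed("customer-001")
```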
STEP 5
Potential appointment of a Data Protection Officer.
STEP 6
Fulfilment of the information obligation. This obligation applies towards:
- employees (regardless of the basis of employment, i.e. whether the person is employed on the basis of an employment contract or on the basis of a civil law contract),
- candidates for employment (in the case of a recruitment process), as well as
- customers and counterparties (suppliers, contractors, performers). However, in the case of counterparties, only if they are natural persons conducting business activity.
First of all, each of the above mentioned persons should be aware who is the administrator of their personal data and for what purpose and to what extent they are processed. We therefore recommend that you prepare an information clause that meets the requirements set out in the GDPR, and subsequently:
- for candidates for employment: inclusion of an information clause in the content of future job offers;
- for employees: submission of an information clause to employees and written confirmation from each of them that the employee is aware of the clause;
- for customers: placing an information clause on the implementing entity’s website and in a visible place where it operates, in the case of service activities in the form of e.g. a shop, restaurant or clinic. In such a case, the customer shall be informed in advance of how to get acquainted with the clause. If the implementing entity sends customers an e-mail confirming the reservation or order, we recommend that its content include an information clause or information about its placement on the website (with the website address). In case of concluding a contract, an information clause may be included in the content of the contract or constitute an appendix to the contract;
- for counterparties (suppliers, contractors): an information clause may be included in the contract or attached to the contract. An alternative solution may also be to send the contractor an e-mail with an information clause or information about its placement on the website (including the website address).
STEP 7
Providing authorisations and issuing of instructions. This may be done by:
- supplementing the abovementioned authorisations with a detailed instruction to perform specific processing operations; such an instruction may constitute an annex to the authorisations issued, or
- issuing new, written authorisations to employees having access to personal data, the content of which will include a detailed order to carry out specific processing activities.
On the grounds of the GDPR, the instruction of the controller (in this case the implementing entity) should also be the basis for the processing of personal data by processors (e.g. entities providing accounting or IT services to the implementing entity) and by all persons authorised by these entities to process personal data and having access to them. It will therefore be necessary to include such an instruction in the content of any entrustment agreement for the processing of personal data that the implementing entity has concluded with the processor referred to above. Such an instruction given to the processor will be the basis for the processing of personal data by the processor and persons authorised by the processor, and at the same time it will set the processing limits for the aforementioned persons. We would like to point out that in accordance with Article 32(4) of the GDPR, the controller and the processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data, processes them only on instructions from the controller (…).
STEP 8
Taking actions concerning the carrying out of monitoring:
- in the case of employees: according to the provisions of the Labour Code, the employer is obliged, among other things, to inform employees about the introduction of monitoring;
- in the case of customers, contractors and other persons entering the premises of the implementing entity: we recommend that signs be placed in a place visible to each visitor, clearly and legibly indicating that the premises are subject to monitoring and, among other things, who is the administrator of their personal data.
STEP 9
Adapting all past entrustment agreements for the processing of personal data entered into by the implementing body with the requirements of the GDPR.
Template: Authorisation for processing the personal data (available as a .pdf download).
[2] GIODO, Data protection impact assessment guidelines (WP 248), https://www.giodo.gov.pl/pl/1520344/10393.
[3] GIODO, Proposed list of types of processing for which an impact assessment is required, https://giodo.gov.pl/pl/1520281/10430.