GDPR in Poland

in #rodo · 7 years ago (edited)

Personal data protection, and for whom? As it turns out, it is very much needed! Every online store processes personal data, and that is a fact that cannot be avoided. But how do you take care of personal data in an online store in a legally compliant way?

Setting up an online store legally is not easy, because, just like a regular brick-and-mortar store, you have to adapt it to many legal requirements, such as terms and conditions, a privacy policy, or personal data protection. Many online stores have not taken care of security, and many times we have witnessed customers' personal data, customer lists, or even card numbers simply leaking.

The shop owner is obliged to inform customers that he processes their personal data. In my opinion this is only natural, because it is difficult to deliver a package to a customer without knowing who they are and where they live, but the regulations require that customers be informed of it. Personal data and its processing are necessary in an online store, but that is not the end of the store owner's legal obligations.

What is personal data, and what does it mean to protect it?
It is data that makes it possible to clearly identify an individual, such as a first name, surname or address.

According to Article 6(1) of the Act of 29 August 1997 on the Protection of Personal Data (Journal of Laws of 2002, No. 101, item 926, as amended), any information relating to an identified or identifiable natural person is considered personal data. An identifiable person is one whose identity can be determined directly or indirectly, in particular by reference to an identification number or to one or more specific factors determining his physical, physiological, mental, economic, cultural or social characteristics (Article 6(2) of the Act). According to paragraph 3 of the same provision, information is not considered to enable identification of a person if doing so would require excessive cost, time or effort. Thus, personal data includes both data that directly identifies a particular person and data that does not identify them immediately but is sufficient to do so with a certain amount of cost, time and effort. Personal data is therefore information that allows a person's identity to be determined without extraordinary effort, especially when using easily accessible and widely available sources. Information on the basis of which identifying a person would require an unreasonable, disproportionately large expenditure of cost, time or effort falls outside this definition.

As you can see, personal data is anything that lets us identify a particular person without a lot of work (whatever that means).

Personal data administrator
Who, then, is responsible for the fine phrase "personal data protection"? None other than the Personal Data Administrator (ADO), i.e. the person or body that determines the purposes and means of processing personal data. Usually this is the store owner. Of course, the shop owner does not have to deal with this personally and can delegate the duties to an Information Security Administrator (ABI), who can be an employee or an outside company or specialist. Regardless of who takes care of the duties, the duties themselves do not change.

Information security administrator (ABI)
So what tasks can be handed over to them?

verifying whether the processing of personal data complies with the provisions of the Act, and preparing reports on this for the ADO,
keeping a register of the data sets for which the ADO is responsible,
supervising the preparation and updating of the documents on the information security policy and IT system management,
conducting (or supervising) training for employees authorized to process personal data.
The ABI can in turn use the help of the IT systems administrator, whose task is to supervise the operation of the IT systems (operating system, applications, etc.) directly related to the store.

Authorizations for the processing of personal data
If you want to process data, then, as you know, you must have permission for everything you do. This mainly means terms and conditions and consents to the processing of personal data. Who among us has not agreed to marketing processing? Or accepted the terms to register somewhere? And what about that small print at the end of a CV? These are all consents to the processing of personal data! Of course, they must be voluntary, so that no one can object: add a checkbox to tick, instead of the boorish line "By registering, you agree to the terms and conditions, blah blah blah..."

Notification to #GIODO
And the worst evil, in my opinion. Whatever we collect must be categorized, written down, documented and reported. Each data set requires a separate notification to #GIODO, so when processing orders and a newsletter, these two sets must be reported separately because they differ in nature and purpose. The General Inspectorate itself answers more questions on its website.

Contracts for entrusting personal data
Hardly any store owner can afford their own server room, so they rent servers or hosting from another company. In that case you must sign a contract with that company. Importantly, every entity that processes personal data must meet the conditions set out in the Act and in the regulations of the Ministry of Interior and Administration, which cover, among other things, technical, organizational and security requirements. This must be stated in the contract.

Personal data is stored by the hosting provider (unless you are rich enough to have a good connection, a generator, servers, a UPS and all of it in a bunker at home), who is responsible for providing the server and database. However, the contract requirement also applies to marketing services, online payment services and delivery providers. With each such entity you also need to sign a data entrustment contract covering the storage of the data.

Internal documentation
By this enigmatic term I mean the security policy and the IT systems management instruction, of course in the context of processing personal data. Such documentation is required by the Act, and the content of the documents is strictly regulated. Absurd as it is, it is unfortunately necessary.

What's next? #GDPR
Owners of larger stores with many employees must ensure appropriate contracts with employees, implement data processing procedures, conduct training on them, and grant authorizations specifying who may process what. You also have to keep a finger on the pulse, because the law is constantly changing, as with the upcoming #RODO. And this is just the beginning of the road to creating a store; for now, only the legal part. You can read about the next step, how much it costs to create a store, in my post.
