Data protection is a concept that, as an entrepreneur, you have probably encountered more than once. At the very least you should have, if only while recruiting new employees and collecting their documents. RODO (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)) overhauls the existing system of personal data protection.
The most novel element is the obligation to protect personal data proactively, resting on two pillars: privacy by design and privacy by default. Their core idea is that every data controller must take the protection of personal data into account, and plan for it, in its operations, and is responsible for establishing a workable and effective system of such protection. Moreover, the level of protection must be appropriate to the risk of the processing (Article 25 GDPR), and the controller must be able to demonstrate it.
You can pay heavily for non-compliance….
To pique your interest in the topic of data protection, I will start my discussion of the notorious RODO from the end: with the sanctions that apply when RODO is not properly implemented in your business and you, as an entrepreneur (controller or processor), more or less knowingly breach the new regulation.
Sanctions for breaching personal data protection obligations come in several forms: administrative fines imposed under the regulation itself, and criminal provisions, which the regulation leaves to the national law of each Member State (Article 84 GDPR).
The preamble to the RODO states that administrative fines for infringements of the regulation must be effective, proportionate and dissuasive in each individual case. It is starting to get serious and interesting, isn't it?
An administrative fine can be imposed on both the controller (and the controller is you, dear Entrepreneur, if you so much as hire employees or enter into contracts with contractors) and the processor, regardless of whether they are natural persons, legal persons or other entities and organisational units.
Infringements in the first category (Article 83(4) GDPR, covering the controller's and processor's own obligations, such as data protection by design, security of processing, records of processing and breach notification) are subject to an administrative fine of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of its total worldwide annual turnover for the preceding financial year, whichever is higher. Infringements in the second category (Article 83(5) GDPR, covering the basic principles of processing, the conditions for consent, the rights of data subjects and international transfers) are subject to an administrative fine of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover for the preceding financial year, whichever is higher.
Given that the administrative fine is explicitly meant to be dissuasive, the authority's response to an infringement can be genuinely painful for you. The sheer size of the financial exposure certainly works on the imagination and makes every entrepreneur nervously examine their conscience about introducing the new rules.
If that examination of conscience has led you to conclude that you are not ready for RODO (or that RODO is not ready for you), I invite you to contact our law firm. Our lawyers offer a comprehensive implementation of RODO in your business, including the preparation of the required documentation package and training for you and your employees. We will explain, instruct and train, so that you, dear Entrepreneur, can run your business with peace of mind, in compliance with the applicable regulations and with respect for data protection law.
This text is only the tip of the RODO mountain. In my next post I will try to address the formal requirements of the new regulation.
Małgorzata Dobrakowska, trainee attorney (apl. adw.)