Cross-border data privacy and data protection consulting is one of the leading specializations of KIELTYKA GLADKOWSKI KG LEGAL.
For many years, our law firm has been ranked as top tier law firm with expertise in data protection.
This is the result of not only an objective verification of our competences and qualifications checked directly with our existing Clients. This is primarily the result of the satisfaction of our foreign corporate Clients with cross-border legal structures and contractual structures protecting data created as part of the business activities of our foreign corporate Clients, including primarily those operating globally.
A representative example of our capabilities and a very high level of trust of our Clients is the provided legal assistance and securing cooperation of one of the key American companies dealing with the audit and certification of Polish entities in the field of data correctness and security for the purposes of cooperation with arms suppliers and business projects for the Department of Defense (DoD).
As part of global advice to key American law firms, our law firm advised on data protection provisions on such complex issues as mass data collection for the purpose of business and economic analyzes in the global banking sector on a macro scale.
Advice in this regard covers complex multi-jurisdictional issues. It forces an interdisciplinary approach in the area of Polish and European Union legislation and jurisprudence.
In providing legal assistance KIELTYKA GLADKOWSKI lawyers take into account not only the data processing processes but also the end goal of this process and the possibility of risks involved, such as:
– use and processing of data contrary to legal requirements;
– legal liability of third parties access to data in internal circulation;
– issues of anti-monopoly protection and information advantage in terms of competition;
– potential infringements from a copyright and database protection perspective.
Our lawyers are members of organizations associating lawyers specializing in handling personal data protection issues in all jurisdictions around the world (IEEE, ITECH-law and others).
KIELTYKA GLADKOWSKI KG LEGAL represents Clients before regulatory authorities and business partners in the scope of documentation of the so-called Processing Impact Assessment and proper data circulation. We conduct or cooperate in conducting an assessment of the effects of data processing for Clients’ business operations; we advise when such an assessment is required and what its scope should be in accordance with data protection law.
Our law firm creates all corporate documents required by law in the field of information on data processing and templates of all consents to the processing of data circulation information.
KIELTYKA GLADKOWSKI has extensive experience in designing and modeling the structure and system of the cross-border legal environment for intra-corporate transfer and transfer of data to third countries. In particular, we have ready-made proprietary solutions for cross-border data processing from the European Union to the United States, taking into account the jurisprudence of the Courts of the European Union, the Schrems II Judgment and the Contractual Standard Clauses in the context of the invalidated EU-US Privacy Shield.
Our lawyers deal with all issues of securing legal data processing in connection with data relocation in the UK after Brexit.
Other topics of our specialization in data include:
– data policy developments;
– transfer of data to third countries on the basis of Binding Corporate Rules;
– reporting infringements; in this regard, KIELTYKA GLADKOWSKI analyzes potential threats to legal liability for data breaches and leaks and represents its Clients in specific cases of violations by creating an appropriate corrective strategy for the proper legal environment of data circulation;
– all aspects of data in IT services, applications and software; we advise on matters related to the processing of personal data in the most modern IT applications;
– advice on the use of cookies and privacy policy used in applications;
– internet tracking technology;
– data in cloud services;
– employee data in circulation in large corporate entities;
– regulatory issues, controls and data procedures;
– processing of personal data;
– webscraping, data scraping, data extraction and legality and risks involved;
– big data, including data in mergers and acquisitions;
– representation of Clients at all stages of the proceedings before the Inspector General for Personal Data Protection.
The authorities appointed in Poland to supervise compliance with the principles and implementation of the provisions of the GDPR are: at the European level, the European Data Protection Supervisor; and in Poland, the Office for Personal Data Protection. This Office is headed by the President. Incidents of personal data breaches are reported to the President of the Personal Data Protection Office.
KIELTYKA GLADKOWSKI represents Clients at all stages of proceedings before the President of the Office for Personal Data Protection and in European proceedings, including European courts.
It should be noted that a violation of the provisions of the GDPR may result in criminal liability. Based on Article 107 of the Polish Act, anyone who processes personal data illegally is subject to a fine, restriction of liberty, and imprisonment for up to 2 years. If the above-mentioned act concerns data revealing particularly sensitive data, such as racial origin, political views, religious or philosophical beliefs, trade union membership, genetic, biometric, health or sexuality data, the person may be punishable by imprisonment of up to 3 years.
Other sanctions are administrative penalties imposed for violations by the President of the Personal Data Protection Office. They can amount to as much as PLN 20 million, and in the case of an enterprise – up to 4% of its entire annual turnover.
Proceedings before the President of the Personal Data Protection Office are administrative in nature. This means that the procedure is regulated by the Polish Code of Administrative Procedure. Such a penalty must be effective, proportionate and dissuasive, and the absence of one of these characteristics may be grounds for challenging the decision. Proceedings before the President of the Personal Data Protection Office do not always have to end with a financial penalty, the President may also issue a warning or oblige to remove the effects of violations.
Processing of personal data
It is the performance of various operations on personal data, such as recording, collecting, organizing. This can be done automatically or not. These operations are the responsibility of the personal data controller, who may be charged with administrative penalties for failure to comply with the obligations. The personal data controller may be a natural person, a legal person, an organizational unit without legal personality. An example of a personal data controller may be a company. By law, the controller is responsible for compliance and must demonstrate compliance where necessary.
The processing of personal data may take place with the consent of the person concerned, or in special cases listed in the Regulation, without the consent of this entity, e.g. in order to protect the vital interests of that person, perform public tasks or perform a contract to which that person is a party. It should be added that only the data that is necessary to achieve the purpose for which the data is collected should be processed.
Information on data processing
If it is necessary to collect personal data, the personal data controller should inform the person concerned.
The information clause should include: organization details, including contact details and information about the representative, if any, data of the data protection officer, purpose and legal basis for their processing. Information on who will be the recipient, whether the data will be transferred to a third country, and the period of data storage should also be included. It is also necessary to inform about the person’s right to request information, the right to withdraw consent and the manner in which it can be done, as well as the right to complain to the President of the Personal Data Protection Office. There must also be information whether the provision of personal data is a statutory or contractual requirement in a given case. It should also be specified what the personal data will be used for.
Consent to the processing of personal data
Consent should be free, specific, informed and unambiguous. It can be withdrawn and it should be easy for the user to do so.
If the data controller plans profiling, i.e. collecting information about the consumer based on his online behavior, explicit consent is also needed. These are the so-called cookies. Profiling in accordance with the GDPR can be ordinary – performed by a human, and automated – by computer programs.
Internal Policies, Records and Documentation
The personal data controller is responsible for the internal policy and procedures for the processing of personal data. In order to operate on the Polish market in accordance with the law, it is necessary to develop a lawful internal policy, register and documentation regarding personal data.
Data controllers or processors are required to keep an internal record of data processing. Such a register should contain information to whom the personal data goes, who may be a joint controller, and who processes the data. There must be information on who has access to the data, through which platform or through which IT systems. If a Personal Data Officer is appointed (see below), his contact details should also be included in the register.
The register must also include the duration of processing and, if applicable, the countries or international organizations to which the data may be transferred.
The register should also contain a description of the security measures taken, a description of the data protection procedure, and the company’s policy. Personal data should be accessed by designated persons under appropriate control. Only designated persons should have access to any encrypted digital databases.
The controller or the Data Protection Officer should keep a register of breaches, including those not reported due to, in the opinion of the above-mentioned entities, the lack of grounds for reporting them to the supervisory authority.
KIELTYKA GLADKOWSKI advises and cooperates in conducting Data Protection Impact Assessment for Clients’ business operations. We advise when such an assessment is required and what its scope should be in accordance with the guidelines of the Regulation, the Act and the President of the Personal Data Protection Office.
Data Protection Impact Assessment
It is an assessment made by the personal data controller as to whether data processing is safe.
It should be carried out if the rights and freedoms of subjects are likely to be violated, if there are no separate laws regulating the processing of personal data in a specific case.
In order to carry out such an assessment, an inventory of the stored personal data and their carriers should be performed; it should be determined whether the data is being processed lawfully; it should be determined what potential risk is posed by a specific method of data processing and how it can be prevented; there should be determined the likelihood of risk and how it can be prevented.
Infringement reports
If the security of personal data has been breached and there is a risk of violating the rights and freedoms of natural persons, the data controller should report this fact to the supervisory body, i.e. the Office for Personal Data Protection, within 72 hours of becoming certain of the breach.
Applications can be made electronically or by traditional mail. In the event of a cross-border breach of personal data, the controller should analyze which national supervisory authority will be the lead authority and report to it.
Regulatory matters, Controls and Proceedings
Proceedings regarding the violation of the GDPR are conducted by the President of the Office. This is essentially an administrative procedure.
Basically, two types of inspections carried out by the supervisory authority can be distinguished – a planned inspection, carried out on the basis of the so-called plan of sectoral inspections of the Office, as well as an ad hoc inspection, which is, as a rule, the result of an infringement complaint filed against the controller. The first control is carried out at the controller’s seat, the second is of a correspondence nature. An ad hoc control may also be the result of reporting a breach by the entity itself which was obliged to administer it.
KIELTYKA GLADKOWSKI represents Clients at every stage of proceedings before the President of the Office for Personal Data Protection; prepares recommendations, strategy and pleadings in administrative procedure.
Data transfers to third countries
A third country is a country that is not in the European Economic Area. In order to transfer information to third countries, the European Commission must issue an adequacy decision.
Transfer of data to third countries based on Binding Corporate Rules
Binding Corporate Rules are an act of internal law approved and announced by the management boards of all companies in the capital group, which should be applied by all employees employed in the structures of the group. BCRs, depending on the decisions of the management boards of companies, may take the form of, for example, an extensive corporate-wide procedure or an agreement, which should be signed by representatives of the entities from the capital group and announced in the manner adopted by each of the entrepreneurs.
The purpose of binding corporate rules is to regulate and unify the most important provisions regarding the protection and transfer of personal data from European companies to companies in third countries within one capital group.
It should also be remembered that Binding Corporate Rules should apply both to data controllers to whom personal data from other companies in the capital group are made available, and to processors who only process data on the basis of an order.
Basic provisions of the BCR
The minimum catalogue of provisions that should be included in this act of internal law is presented in Art. 47 sec. 2 of GDPR. According to this provision, Binding Corporate Rules should regulate:
– the structure and contact details of the group of undertakings or group of entrepreneurs engaged in a joint economic activity and each of its members;
– one or multiple data transfers, including the categories of personal data, the type of processing and its purposes, the types of data subjects and the name of the third country or third countries concerned;
– their legally binding nature, internal and external (i.e. how they are approved in the corporate structure);
– application of general data protection principles – in particular purpose limitation, data minimization, limited storage periods, data quality, taking into account data protection by design and default data protection, legal grounds for processing, processing of special categories of personal data, measures to ensure data security, requirements in the scope of further transfer to entities not bound by binding corporate rules;
– the rights of data subjects in connection with the processing and the methods of exercising these rights, including the right not to be subject to decisions based solely on automated processing, including profiling, the right to lodge complaints with the competent supervisory authority and the competent courts of the Member States and the right to redress and, where applicable, damages for breach of BCRs;
– acceptance by the controller or processor based in a country in the EU of legal liability for violation of binding corporate rules by a company based in a third country; the controller or processor shall be released from this liability, in whole or in part, only if it proves that the company is not responsible for the event giving rise to the damage;
– the manner in which data subjects are provided, in addition to the information contained in the information obligation clauses, with information on binding corporate rules, in particular on the provisions on the rules of processing, the rights of data subjects and the responsibility for compliance with the BCRs;
– the tasks of the data protection officer or the person or entity responsible for monitoring compliance with binding corporate rules within the capital group as well as monitoring training and handling complaints;
– complaints procedures;
– mechanisms used in the capital group to ensure verification of compliance with binding corporate rules. Such mechanisms include data protection audits and methods for ensuring remedial action to protect the rights of data subjects. The results of such verification should be provided to the personal data inspector or the entity performing its function and to the management board of the company exercising control in the group of companies and should be available upon request by the competent supervisory authority;
– mechanisms for reporting and recording changes to the rules and reporting these changes to the supervisory authority;
– a cooperation mechanism with the supervisory authority to ensure compliance by all members of the group of companies, in particular by making available to the supervisory authority the results of the verification of the means to monitor compliance with the rules;
– a mechanism for reporting to the competent supervisory authority any legal requirements to which a member of the group of companies is subject in a third country that may have a material adverse effect on the guarantees provided by the binding corporate rules;
– appropriate data protection training for staff with permanent or regular access to personal data.
Employee data
The employer may act as the controller in relation to its employees and process their data. However, it may entrust the handling of personal data to external entities. Each employer is obliged to keep an internal register of data processing. Employee data should be confidential, so access to it must be properly secured. Unless the processing of employee data is allowed by the Labor Code, the employee should consent to the handling of personal data.
Also in the case of this data, it is necessary to assess the security, risk related to their processing and the possibility of technical difficulties.
The management and employees of the human resources departments should receive training in the field of personal data protection procedures, and an appropriate internal policy should be implemented.
KIELTYKA GLADKOWSKI advises on matters related to the processing of personal data in companies, analyzes the risks and proposes effective solutions.
The GDPR allows the use of video monitoring in Poland. In order for monitoring to be possible, there must be a legitimate interest pursued by the controller. This can be, for example, the safety of employees, the protection of property or the supervision of the production process.
Employees should be informed about the monitoring. The usual storage period for recordings containing personal data should not exceed 3 months from the date of recording.
A particularly important issue in the sphere of protection and processing of personal data is health protection, medical data and broadly understood life science. This is particularly sensitive data. The processing of personal data by medical facilities may require the appointment of a Data Protection Officer by a given entity. The obligation to appoint a DPO applies to an entity that processes personal data on a large scale, especially sensitive data. It should be noted that the public authority or entity processing personal data is also required to appoint a DPO.
Who is the Data Protection Officer? It is a natural person whose task is to support the personal data controller in performing its tasks. It is independent in its activities.
The GDPR imposes an information obligation on medical facilities. The patient must be informed about the data of the controller or processor, the purpose of collecting and working with data, the storage period, and that the patient can withdraw his consent at any time.
The patient may request confirmation from the facility whether his or her personal data is being processed and obtain a free copy of the data that is being processed.
According to the regulations, patient records may be stored for a period of 20 years from the date of the last entry.
Biometric data may only be used in specific, legally defined situations. They are distinguished from other data, such as the address of residence, by their immutability. These are, for example: fingerprints, iris color, facial image. Therefore, they must be subject to special protection.
In connection with the processing of biometric data, the controller must remember not only to comply with the basic principles of personal data processing under Art. 5 of the GDPR, including the principles of lawfulness of processing, data minimization and integrity and confidentiality of processing, or notifying the data subject about the processing of biometric data and what rights they have in this respect, but also about conducting a risk analysis, and if so necessary – personal data protection impact assessment (DPIA). The controller’s duty is to ensure an appropriate level of security of the processed data, i.e. a degree corresponding to the risk associated with the processing of personal data. Taking into account the nature, scope, context and purposes of processing, as well as the state of the art and costs, the controller implements appropriate technical and organizational measures that will help him ensure a secure environment for the processing of personal data. It should be borne in mind that the processing of sensitive data is associated with a greater risk of violating the rights or freedoms of data subjects, therefore the methods of minimizing this risk may be different than in the case of ordinary data. In addition, it is worth remembering that the processing of biometric data solely for the purpose of identifying a natural person or for the purpose of access control has been recognized by the Polish President of the Office for Personal Data Protection as one of the cases when it is necessary to carry out a data protection impact assessment.
Data in IT services, applications and software
The administrator of the software, website, application is responsible for personal data breaches in software and other IT services. In its interest, appropriate safeguards should be created using IT tools to reduce the risk of a potential leak. He will be responsible for the leak in the proceedings before the President of the Personal Data Protection Office.
KIELTYKA GLADKOWSKI advises on matters related to the processing of personal data in the most modern IT applications to create the most secure and compliant systems for processing and working with personal data of users.
Advice on the use of cookies and privacy policy used in applications.
Cookies are technologies commonly used around the world and appear on every website (even those purely informational). They are also regulated separately by individual countries / states, as well as entire groups of countries – for example, in the European Union.
In Europe, the use of cookies is primarily regulated by:
the Directive on privacy and electronic communications (ePrivacy) of 2002 – regarding the installation and collection of cookies by website administrators;
GDPR – in the scope of personal data that can be processed via cookies.
In Poland, in turn, when it comes to installing, collecting and using information contained in cookies by website administrators, attention should be paid primarily to the Telecommunication Law and Act of 18 July 2002 on the provision of electronic services.
The regulations provide for two main obligations regarding cookies that must be met:
1. Obligation to inform about cookies – specifies when, how and in what form the user must receive information on the purpose of storing or downloading data from his device (laptop / tablet / telephone). This information should be provided (with some exceptions) prior to the installation of cookies, in a clear and understandable form.
In practice, this obligation can be met:
– in a simplified form, after displaying the website – in the form of a message / notification (cookie bar / banner),
– in the full version, in the form of a cookie policy – posted in a visible place on the website (usually in the footer of the website).
In 2021, the Polish personal data protection authority approved the requirement that the user should actively accept cookies that are installed on the device, i.e. you cannot rely only on the default browser settings – this position is adopted by the so-called actively expressed consent as the default for all website administrators.
Who is responsible for the data stored in the cloud? The entity that has access to these data and could process the data bears responsibility. It should be assumed that this entity will be the cloud provider. Therefore, it must meet the information obligation and ensure the security of the stored data.
Big data, including data in mergers and acquisitions
Big data is the information resources of a given organization. Part of these resources are personal data of natural persons working or cooperating with a given company. This information is also subject to merger and acquisition.
A robust corporate privacy policy is an essential element in ensuring smooth M&A transactions, and the lack of content in such policies can be a critical factor in the negotiation process. The implications range from the valuation of the acquiree and the acquirer’s takeover strategy to a major audit diligence and post-acquisition integration process. A well-drafted M&A agreement should address these privacy concerns and data transfers with comprehensive statements and warranties as well as conditions and exemptions that apply throughout the due diligence process and include post-closing data integration and checks.
KIELTYKA GLADKOWSKI advises Clients at all stages of data transfers and liability for data in mergers and acquisitions. In M&A process, as part of the due diligence, the seller has the option to disclose the extent to which the company complies with GDPR requirements, including details of any known data breaches. Incidentally, many companies will have additional responsibilities under third party commercial agreements with respect to confidential information and it is crucial that such responsibilities are not overlooked, otherwise the seller may be exposed to contractual breach allegations. Buyer representatives will request full disclosure and any privacy concerns may be fully investigated and fully assessed.
KIELTYKA GLADKOWSKI advises on securing liability for data transfers in the process of mergers and acquisitions. Data sharing issues may become a priority when a merger, acquisition or other change in organizational structure means that data needs to be transferred to another organization. For example, as part of an acquisition; or in the event of insolvency, the data may be sold as assets to another legal entity. The issues that need to be taken into account are:
– making sure the party considers data sharing as part of due analysis diligence;
– following data sharing code;
– determining what data is provided;
– identifying the purposes for which the data was originally collected;
– establishing a lawful basis for data sharing;
– making sure that the party complies with the principles of data processing – compliance with the law, reliability and transparency;
– considering liability for data loss;
– preparation of documents for data transfers;
– informing data subjects of the transfers.