Data privacy laws are not the most thrilling read. But if you’re interested in doing business in Poland, RODO can’t be ignored. If you want to run an e-commerce site, or even just register a company in Poland and maintain a database of your customers, RODO is the set of rules that defines how you collect, use, and store personal data on individuals within the country.
And ignoring it? Not an option. Understanding what it all means, in plain English and without the legalese, is important for maintaining compliance and protecting your company.
RODO is short for Rozporządzenie o Ochronie Danych Osobowych, the name used in Poland for what the rest of the EU knows as the GDPR (General Data Protection Regulation). You could describe RODO as basically the GDPR in Poland.
This piece of legislation became legally enforceable on May 25, 2018, and it applies to all companies that process the personal data of individuals in the European Union. So, even if you’re based outside of Poland and want to engage Polish customers, RODO is something you’re going to have to keep in mind.
Data is powerful, and with power comes responsibility. RODO ensures people have more power over their personal data: how it’s used, how it’s stored, how it’s shared, and how it’s properly destroyed.
If you’re a company that deals with names, phone numbers, email addresses, or IP addresses, you’re what’s known as a data controller. This means you have a set of responsibilities. If you don’t meet them and follow the relevant RODO requirements, you may face penalties of up to €20 million or 4% of your global turnover.
Like we said, most of it. According to the RODO law in Poland, personal data refers to all information concerning an identified or identifiable natural person.
This includes:
If you process this kind of data relating to your clients, users, or employees, you must comply with RODO.
Let’s make it simple. These are the core RODO principles:
You need to have a clear and legitimate purpose to process data, and you must inform individuals about the specifics of the process.
You can only process personal data for a specific and legitimate purpose. “Just in case” data is not allowed.
You should not collect data if you don’t really need it. Less is more.
You should try to keep your personal data up to date. In short, you should only process relevant data.
Don’t process personal data indefinitely. It’s best to have a clear data-retention policy.
You should secure the personal data that you process, introducing the right technical (such as encryption) and organizational (such as employee procedures and training) measures to protect that data.
Not all data processing requires an individual’s consent, but if it does, it must be:
No more cheeky pre-ticked boxes or jargonised text. Consent must be given in an accessible way, and it must be possible to withdraw it at any time. Using cookies, sending marketing blurbs, or offering people the chance to sign up for your newsletter? Get that consent openly and explicitly.
If you form a company in Poland, it is likely that you will be a data controller or a data processor, perhaps even both. As a controller, you determine the purposes and means of data processing. You are responsible for:
You need the RODO register. This isn’t an option; this is a must-have.
Have any employees? RODO applies in-house, too. You are responsible for the personal data collected and processed in the company. Employees must know what data you collect (such as addresses, account numbers, and health data if needed), where it goes, and how long it is kept.
You also need policies in place for:
And yes, even CCTV footage in the office falls under RODO.
RODO is not a tick-list of things to give a thumbs-up to — it’s your reputation. By showing your partners (and clients) that you treat RODO as a part of your business process and not a burden, they will respond in equal measure. Companies that treat data with special care are perceived as more trustworthy. And if you can systematise this data security through RODO’s principles, you get an edge over your competition.
So, whether you are creating a new company or expanding operations, let RODO be part of your business process. It’s ready to help you protect data, protect the brand, and defend your company to the last byte.