{"id":9019,"date":"2022-02-13T20:38:38","date_gmt":"2022-02-13T19:38:38","guid":{"rendered":"https:\/\/korolko.pl\/?p=9019"},"modified":"2022-04-03T20:22:56","modified_gmt":"2022-04-03T18:22:56","slug":"when-you-have-to-apply-gdpr","status":"publish","type":"post","link":"https:\/\/korolko.pl\/en\/blog\/when-you-have-to-apply-gdpr\/","title":{"rendered":"When do you have to apply GDPR?"},"content":{"rendered":"<div class=\"nolwrap\"><p style=\"text-align: justify;\">If data coming to your company are <a href=\"https:\/\/korolko.pl\/en\/blog\/what-are-personal-data\/\">personal data<\/a>, and what you do with them is <a href=\"https:\/\/korolko.pl\/en\/blog\/personal-data-processing-definition-in-gdpr\/\">processing<\/a>, be aware that the President of the Personal Data Protection Office may get interested in you. In most such cases the famous GDPR<span class=\"footnote_referrer\"><a role=\"button\" tabindex=\"0\" onclick=\"footnote_moveToReference_9019_1('footnote_plugin_reference_9019_1_1');\" onkeypress=\"footnote_moveToReference_9019_1('footnote_plugin_reference_9019_1_1');\" ><sup id=\"footnote_plugin_tooltip_9019_1_1\" class=\"footnote_plugin_tooltip_text\">[1]<\/sup><\/a><span id=\"footnote_plugin_tooltip_text_9019_1_1\" class=\"footnote_tooltip\"> Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation)<\/span><\/span><script type=\"text\/javascript\"> jQuery('#footnote_plugin_tooltip_9019_1_1').tooltip({ tip: '#footnote_plugin_tooltip_text_9019_1_1', tipClass: 'footnote_tooltip', effect: 'fade', predelay: 0, fadeInSpeed: 200, delay: 400, fadeOutSpeed: 200, position: 'top center', relative: true, offset: [-7, 0], });<\/script> will be applicable. In most, but not all. 
It is therefore worth analyzing the scope of application of this regulation.<\/p>\n<p style=\"text-align: justify;\">Art. 2 sec. 1 and 2 of GDPR are key in this respect:<\/p>\n<blockquote>\n<ol>\n<li style=\"text-align: justify;\">This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.<\/li>\n<li>This Regulation does not apply to the processing of personal data:\n<ol type=\"a\">\n<li style=\"text-align: justify;\">in the course of an activity which falls outside the scope of Union law;<\/li>\n<li style=\"text-align: justify;\">by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;<\/li>\n<li style=\"text-align: justify;\">by a natural person in the course of a purely personal or household activity;<\/li>\n<li style=\"text-align: justify;\">by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/blockquote>\n<p style=\"text-align: justify;\">The above provisions first state when GDPR applies (the rule) and then describe four situations in which GDPR doesn\u2019t apply (the exceptions).<\/p>\n<h3>When does GDPR apply?<\/h3>\n<p style=\"text-align: justify;\">GDPR applies in all cases of automated personal data processing. Although GDPR contains no definition of automated processing, it is not hard to identify such processing \u2013 <a href=\"https:\/\/korolko.pl\/en\/blog\/personal-data-processing-definition-in-gdpr\/\">any operations on personal data<\/a> carried out without human participation (even partly). 
<strong>Every entrepreneur should assume that if personal data are entered into its system<\/strong> (e.g. are given by users on the website or collected on paper and subsequently entered into a computer) <strong>this constitutes automated processing to which GDPR applies in full<\/strong>.<\/p>\n<p style=\"text-align: justify;\">However, that is not all. Non-automated processing of personal data is not always excluded from the scope of GDPR. <strong>It also matters whether the processed personal data are part of a filing system or will be included in a filing system in the future.<\/strong><\/p>\n<p style=\"text-align: justify;\">While GDPR does not define \u201cautomated processing\u201d, it does contain a definition of \u201cfiling system\u201d. Pursuant to art. 4 p. 6 of GDPR, a \u201cfiling system\u201d means <strong>\u201cany structured set of personal data which are accessible according to specific criteria, whether centralized, decentralized or dispersed on a functional or geographical basis\u201d<\/strong>. To assess whether you are dealing with a filing system, three elements of the above definition are key:<\/p>\n<ol>\n<li style=\"text-align: justify;\">set of personal data;<\/li>\n<li style=\"text-align: justify;\">structurization;<\/li>\n<li style=\"text-align: justify;\">accessibility according to specific criteria.<\/li>\n<\/ol>\n<p style=\"text-align: justify;\">For a filing system to exist, <strong>all three prerequisites have to be met<\/strong>.<\/p>\n<p style=\"text-align: justify;\">The term \u201cset of personal data\u201d suggests that <strong>more than one piece of information should be in the filing system<\/strong>. However, this must not be confused with the number of persons whom the data concern. 
Even if the controller possesses data concerning only one person, but such data contain more than one piece of information, they constitute a set of personal data.<\/p>\n<p style=\"text-align: justify;\">It seems that <strong>\u201cstructurization\u201d and \u201caccessibility\u201d should be understood as sorting and filtering personal data contained in the filing system (e.g. by first letter of surname)<\/strong>. Although it is theoretically possible to distinguish between structurization and accessibility according to specific criteria of the personal data themselves and of the carriers on which the personal data have been saved (e.g. forms filled in by customers sorted by the date of filling in), I do not advise doing so. To be safe, it is better to assume that in every case you are dealing with a filing system of personal data structured and accessible according to specific criteria \u2013 and therefore with a set of personal data to which the provisions of GDPR apply.<\/p>\n<p style=\"text-align: justify;\"><strong>It seems that the use of personal data within longer texts \u2013 e.g. a book, a press article or even a contract \u2013 should not be considered a filing system.<\/strong> This approach was confirmed by the General Inspector of Personal Data Protection before GDPR came into force, who stated on his website that \u201cpress publications and books, containing personal data in not structured form do not constitute personal data processing in filing system and therefore they are not subject to the Act on Personal Data Protection\u201d (<a href=\"https:\/\/archiwum.giodo.gov.pl\/320\/id_art\/978\/j\/pl\" target=\"_blank\" rel=\"noopener\">https:\/\/archiwum.giodo.gov.pl\/320\/id_art\/978\/j\/pl<\/a>). The previous version of the Act on Personal Data Protection had a very similar construction with respect to the scope of application, so those guidelines may be considered relevant in the current state of law. 
Nevertheless, you should approach this issue very carefully \u2013 it is enough that the text containing personal data is saved on a computer or sent via e-mail, and GDPR applies on the basis of the other premise \u2013 processing by automated means.<\/p>\n<p style=\"text-align: justify;\">Even if data are not included in a filing system, this does not necessarily exclude the application of GDPR. The part of art. 2 sec. 1 of GDPR that refers to <strong>processing of data intended to form part of a filing system<\/strong> is very important. If, for some reason, collected data are not included in a filing system but were meant to be included in it, GDPR applies. This was confirmed by the Supreme Court in its decision of 11\/12\/2000 (files no. KKN 438\/00), issued in pre-GDPR times (but \u2013 as I mentioned above \u2013 in this respect the similarities between GDPR and the Act on Personal Data Protection in force at that time are very strong). In that decision the Supreme Court ruled that <strong>\u201cpersonal data are protected according to the act on personal data protection since it is possible to include them into a filing system, regardless whether finally they were included into it\u201d<\/strong> and also that <strong>\u201ca person whose personal data are collected and therefore processed, cannot be deprived of the protection foreseen in the Act on Personal Data Protection, only because the data were not included into the filing system\u201d<\/strong>. The case concerned the criminal liability of a controller of the personal data of persons taking part in a lottery. The defendant argued that the way the personal data were stored did not allow them to be considered as processed in a filing system. <strong>The court applied a wide interpretation of what should be understood as part of a filing system<\/strong> and did not agree with the defendant\u2019s argument. 
I consistently recommend a similar, careful attitude to all controllers \u2013 in the case of personal data it is always better to do too much than too little.<\/p>\n<h3>And when not?<\/h3>\n<p style=\"text-align: justify;\"><strong>Art. 2 sec. 2 of GDPR indicates 4 situations in which GDPR does not apply<\/strong> even if personal data are processed by automated means or within a filing system. Not everything in this area is completely clear (e.g. the boundaries of activity not covered by European Union law), but there is no point in concentrating on it. These are specific cases mostly concerning public authorities. <strong>Entrepreneurs operating on the territory of Poland (or of the European Union) are almost certainly not entitled to benefit from these exceptions.<\/strong><\/p>\n<p style=\"text-align: justify;\">Only p. c, concerning <strong>processing of personal data by a natural person within activities of strictly personal character<\/strong>, requires a short explanation. To benefit from that exemption, two conditions must be met. Firstly, <strong>personal data must be processed by a natural person<\/strong>. That exception does not concern legal persons and other entities. Secondly, <strong>personal data must be processed only for personal purposes<\/strong>. What should be understood by that term? It is not possible to give one universal definition \u2013 each case should be assessed individually. <strong>The starting point of such an evaluation should always be determining whether the processing is in any way connected with any financial profit (in particular with professional activity).<\/strong> If yes, the premise of personal purpose is not fulfilled. 
Data of friends and family stored in a phone are an example of processing within activities of personal character.<\/p>\n<h3>Two very important questions<\/h3>\n<p style=\"text-align: justify;\">From the above analysis it follows that every entrepreneur should ask himself two very important questions:<\/p>\n<ol style=\"text-align: justify;\">\n<li>Are personal data in his company processed by automated means?<\/li>\n<li>Do personal data processed in his company constitute, or may they constitute, part of a filing system?<\/li>\n<\/ol>\n<p style=\"text-align: justify;\"><strong>A positive answer to either of the above questions makes an entrepreneur a data controller within the meaning of GDPR, obliged to follow all the rules laid down therein.<\/strong><\/p>\n<p style=\"text-align: justify;\"><strong>In most cases GDPR applies.<\/strong> It is hard to imagine a situation in which an entrepreneur does not need to apply GDPR to his actions in connection with personal data. However, I think that such situations are possible \u2013 at least in theory. One example is finding the telephone number of a representative of some company on the internet and calling that person from a landline phone. If it is done by a human and not by some script, it surely does not constitute automated processing. I specified a landline phone for a reason. 
In cell phones (and sometimes in landline phones as well) there is a list of recent calls, and the numbers included in it may be considered a filing system.<\/p>\n<\/div><div class=\"speaker-mute footnotes_reference_container\"> <div class=\"footnote_container_prepare\"><p><span role=\"button\" tabindex=\"0\" class=\"footnote_reference_container_label pointer\" onclick=\"footnote_expand_collapse_reference_container_9019_1();\">Footnotes<\/span><span role=\"button\" tabindex=\"0\" class=\"footnote_reference_container_collapse_button\" style=\"display: none;\" onclick=\"footnote_expand_collapse_reference_container_9019_1();\">[<a id=\"footnote_reference_container_collapse_button_9019_1\">+<\/a>]<\/span><\/p><\/div> <div id=\"footnote_references_container_9019_1\" style=\"\"><table class=\"footnotes_table footnote-reference-container\"><caption class=\"accessibility\">Footnotes<\/caption> <tbody> \r\n\r\n<tr class=\"footnotes_plugin_reference_row\"> <th scope=\"row\" class=\"footnote_plugin_index_combi pointer\"  onclick=\"footnote_moveToAnchor_9019_1('footnote_plugin_tooltip_9019_1_1');\"><a id=\"footnote_plugin_reference_9019_1_1\" class=\"footnote_backlink\"><span class=\"footnote_index_arrow\">&#8593;<\/span>1<\/a><\/th> <td class=\"footnote_plugin_text\"> Regulation (EU) 2016\/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95\/46\/EC (General Data Protection Regulation)<\/td><\/tr>\r\n\r\n <\/tbody> <\/table> <\/div><\/div><script type=\"text\/javascript\"> function footnote_expand_reference_container_9019_1() { jQuery('#footnote_references_container_9019_1').show(); jQuery('#footnote_reference_container_collapse_button_9019_1').text('\u2212'); } function footnote_collapse_reference_container_9019_1() { jQuery('#footnote_references_container_9019_1').hide(); 
jQuery('#footnote_reference_container_collapse_button_9019_1').text('+'); } function footnote_expand_collapse_reference_container_9019_1() { if (jQuery('#footnote_references_container_9019_1').is(':hidden')) { footnote_expand_reference_container_9019_1(); } else { footnote_collapse_reference_container_9019_1(); } } function footnote_moveToReference_9019_1(p_str_TargetID) { footnote_expand_reference_container_9019_1(); var l_obj_Target = jQuery('#' + p_str_TargetID); if (l_obj_Target.length) { jQuery( 'html, body' ).delay( 0 ); jQuery('html, body').animate({ scrollTop: l_obj_Target.offset().top - window.innerHeight * 0.2 }, 380); } } function footnote_moveToAnchor_9019_1(p_str_TargetID) { footnote_expand_reference_container_9019_1(); var l_obj_Target = jQuery('#' + p_str_TargetID); if (l_obj_Target.length) { jQuery( 'html, body' ).delay( 0 ); jQuery('html, body').animate({ scrollTop: l_obj_Target.offset().top - window.innerHeight * 0.2 }, 380); } }<\/script>","protected":false},"excerpt":{"rendered":"<p>If data coming to your company are personal data, and what you do with them is processing, be aware that the President of the Personal Data Protection Office may get interested in 
you.<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","_wp_rev_ctl_limit":""},"categories":[315],"tags":[769,317],"post_series":[],"class_list":["post-9019","post","type-post","status-publish","format-standard","hentry","category-personal-data-protection","tag-gdpr","tag-personal-data","entry","no-media"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":false,"_links":{"self":[{"href":"https:\/\/korolko.pl\/en\/wp-json\/wp\/v2\/posts\/9019"}],"collection":[{"href":"https:\/\/korolko.pl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/korolko.pl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/korolko.pl\/en\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/korolko.pl\/en\/wp-json\/wp\/v2\/comments?post=9019"}],"version-history":[{"count":0,"href":"https:\/\/korolko.pl\/en\/wp-json\/wp\/v2\/posts\/9019\/revisions"}],"wp:attachment":[{"href":"https:\/\/korolko.pl\/en\/wp-json\/wp\/v2\/media?parent=9019"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/korolko.pl\/en\/wp-json\/wp\/v2\/categories?post=9019"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/korolko.pl\/en\/wp-json\/wp\/v2\/tags?post=9019"},{"taxonomy":"post_series","embeddable":true,"href":"https:\/\/korolko.pl\/en\/wp-json\/wp\/v2\/post_series?post=9019"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}