Digital Care - Personal Data Protection

Personal Data Protection

Introductory training for the employees of Digital Care Sp. z o.o.

The objective is to:
  • familiarize employees with the data protection principles at Digital Care,
  • provide employees with basic information about personal data,
  • inform employees what actions to take in case of doubts about the processing of personal data.


Protection of Personal Data at Digital Care

Why does Digital Care protect personal data?

  1. Our clients expect this

Within its business activity, Digital Care receives personal data from its clients. Mainly, these are the data of consumers whose equipment we repair.

The first aim of this training is to inform you how to process personal data so as to fulfil the requirements imposed on Digital Care by its clients.

  2. This is the law

The Polish Act on the Protection of Personal Data imposes a number of obligations on Digital Care. For these obligations to be fulfilled, employees must be aware that they exist, must have fundamental knowledge about personal data, and must be able to recognise the situations in which these obligations arise.

The second aim of this training is to draw your attention to these obligations and explain your role in the data protection processes.


The Act on the Protection of Personal Data

The fundamental Polish legal act regulating privacy is the Act on the Protection of Personal Data. For example, the Act explains who the Data Controller is, what an Entrustment Agreement is, and what the competences of the Inspector General for the Protection of Personal Data are. This legal act also determines the basic obligations of all entities that process personal data.

Digital Care does not require you to have a thorough knowledge of the Act on the Protection of Personal Data. You should, however, be aware that this Act exists and be familiar with its role.

If you need to consult the legal source, the current version of the Act (the so-called uniform text) can be found in the Online Database of Polish Legislation under the following link:

http://isip.sejm.gov.pl/DetailsServlet?id=WDU19971330883

The Act on the Protection of Personal Data is commonly abbreviated as “UODO”.

GDPR - The European Union reform of the Personal Data Protection Law

At present, the European Union's data protection framework is based on Directive 95/46/EC and the national legal acts that implement it (the Polish Act on the Protection of Personal Data is one such act). The Directive contains general rules concerning the processing and protection of personal data and is addressed to the Member States, which create their own national regulations based on it.

The Directive was adopted in 1995. Most of the national implementing acts came into force shortly after that date (the Polish Act on the Protection of Personal Data dates from 1997).

However, over the last 20 years there have been slight changes, for example in the processing and transfer of personal data online and through modern technologies. Moreover, the data protection laws of the EU Member States differ and – sometimes – regulate identical issues differently. All of this became the impulse for a major European Union reform of the Personal Data Protection Law.

Current law:
  European Union – Directive 95/46/EC on the protection of data
  Poland – The Act on the Protection of Personal Data

Law after 25 May 2018:
  European Union – Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)
  Poland – Regulation (EU) 2016/679 (GDPR)

Note: The table is simplified to some extent: in Poland there will still be a legal act titled “The Data Protection Act”; however, its significance will be much smaller than today. The main legal act regulating rights and obligations relating to personal data processing will be GDPR.

What are the changes?

The basic change will be the replacement of the Directive and the national regulations with a single act common to all European Union Member States – the Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data, commonly known as GDPR – the General Data Protection Regulation. In European Union law, a Regulation is a legal act that is directly applicable in the Member States. This means that the Sejm will not have to enact any additional acts – the new law will directly bind the entities that process data. The Act on the Protection of Personal Data will no longer exist in its present shape; for Mrs Kowalska in Poland, Mr Smith in Great Britain, Mrs Garcia in Spain and Mr Dimitrov in Bulgaria, GDPR will be the basic act regulating the protection of their personal data.

When will the new law be applied?

GDPR was adopted by the European Union Parliament in April 2016. The new law will be applicable from 25 May 2018.

What does it mean for Digital Care?

A number of changes concerning the protection of personal data have been introduced in GDPR. One of the most important changes for Polish entrepreneurs is the introduction of financial penalties for infringing the obligations arising from this legal act.

What do you have to know about GDPR?

You may encounter the following names for the new legal act:

  • GDPR
  • General Data Protection Regulation
  • RODO, regulation
  • Regulation on the Protection of Personal Data

Remember that the Regulation will come into force in May 2018.

In further parts of this training you will find more about the new law and what Digital Care expects from you in relation to its introduction.

GDPR – Financial penalties

GIODO's new powers

From 25 May 2018, when GDPR starts to apply, GIODO (the Inspector General for the Protection of Personal Data) will be authorised to impose very high financial penalties for infringements committed when processing personal data.

The maximum penalty is EUR 20 000 000 (twenty million euro) or 4% of global turnover – whichever is greater. Infringements will therefore carry a serious financial risk, which Digital Care wants to avoid.

What will be punished?

It will be possible to impose penalties, e.g. for the following infringements:

  • Personal data leaks;
  • Lack of adequate data protection (even if there was no leak);
  • Failure to fulfil information obligations in relation to persons, whose data are collected.

The type of infringement will be only one factor in determining the amount of the penalty. GIODO will also have to take other factors into consideration, among others:

  • actions undertaken by the Controller or Data Processor to minimize damage to the data subjects;
  • level of cooperation with a supervisory authority;
  • way of making the supervisory authority familiar with the infringement.

One of the aspects taken into consideration when imposing a penalty will be the measures that the Data Controller (ADO) undertook in order to avoid the infringement. One such measure is, for example, training for employees. For this reason, Digital Care cares that all its employees are aware of their obligations arising from the protection of personal data.

GDPR – Risk-based approach

What does GDPR change?

A fundamental change introduced by GDPR is the risk-based approach to privacy. In practice, this means that the new legal act does not provide specific guidelines on how to protect data (unlike the present law), but instead introduces an obligation to apply “appropriate technical and organisational measures”, depending on the category of data being protected. In other words, the protection measures must be adequate to the risk involved in processing a given set of personal data.

The obligation to assess the risk rests with the Data Controller (in our case – Digital Care). The same applies to the type of penalty that may be imposed – this, too, falls on the Controller.

Such a subjective approach creates a risk on the side of Digital Care. For this reason, we are very much interested in Digital Care employees being aware that the protection of the personal data we process is extremely important.

How to assess the risk?

This raises the question: how to fulfil the new obligations and avoid exposure to financial penalties?

As part of the preparations for GDPR, you may encounter the so-called PIA – Privacy Impact Assessment. This is a tool for assessing the impact of a project on the protection of personal data. Digital Care will use PIA to assess some projects during its preparation for the new law. You will receive further information on this subject from the Data Protection Officer.

From when will the new law on personal data protection (GDPR) be applicable?

  • Is already in force
  • 1 January 2017
  • 25 May 2017
  • 25 May 2018

What is the maximum penalty foreseen by GDPR for infringing the personal data protection law?

  • At the maximum PLN 100.000
  • At the maximum EUR 20.000.000
  • GDPR foresees only penal liability
  • At the maximum EUR 1.000.000
  • Each country can individually determine the maximum amount of financial penalties.

Data Protection Officer

Data Protection Officer (DPO)

The DPO is a person appointed by the Data Controller who supervises compliance with the personal data protection rules within the Data Controller's organisational structure.

The DPO will gladly answer all questions and doubts relating to the protection of personal data. It is also the DPO's role to assess projects with regard to their impact on data protection and to handle incidents relating to personal data.

DPO at Digital Care

Mirosław Gomularz – an employee of OMNI MODO, an advisory company specialising in the protection of information – acts as DPO at Digital Care.

You can contact the DPO by email or by phone:

m.gomularz@omnimodo.com.pl   | 698 892 319



Basic terms

Personal data

What is personal data?

There is no strictly fixed catalogue of information that constitutes personal data. According to the definition provided by the Act, personal data means

“all information relating to an identified or identifiable natural person”.

Thus, a piece of information can be personal data for one entity while not being personal data for another. A client's internal ID number is an example. If a company assigns client number 123456 to Adam Kowalski, then for the company's employees this number identifies that person, because they can easily check who is behind it – for them, it is “information relating to an identified or identifiable natural person”. For individuals outside the company, who are unable to link the client number to a specific natural person, this information is not personal data, as it is only a string of digits to them.

The following information must ALWAYS be considered personal data:

  • First name and surname;
  • PESEL;
  • ID number and series (passport, identification document).

The following information CAN constitute personal data:

  • appearance, fingerprints, height, weight, age;
  • email address;
  • workstation IP address;
  • mobile device MAC (media access control);
  • wealth status, list of debts.

When is such information personal data for us? When it relates to an identified or identifiable natural person. Sometimes it is difficult to determine whether a specific piece of information is personal data. If you face such a question while fulfilling your duties, contact the DPO, who will help you determine which data are personal data.

Data processing

Data processing means any operation carried out on data. Thus, processing includes collecting, recording, storing, elaborating, updating, deleting and making data available.

Sensitive data

Sensitive data

There exists a special category of personal data that we call sensitive data. Processing data that fall within this category is subject to higher restrictions and requires better protection.

Article 27 of the Act on the Protection of Personal Data:

The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade-union membership, as well as the processing of data concerning health, genetic code, addictions or sex life and data relating to convictions, decisions on penalty, fines and other decisions issued in court or administrative proceedings shall be prohibited.

This is an exhaustive list. Consequently, other data such as remuneration or the PESEL number do not constitute sensitive data.

What to do when sensitive data occur?

Contact the DPO.

Data Controller

Data Controller

An entity that takes decisions concerning the processing of data. It is extremely important to determine who the Data Controller is for a given set of data. The Data Controller is obliged to protect the interests of the data subjects whose data it processes. It is responsible for the processing and for supervising the process. Data Controllers can be governmental and local governmental authorities, business entities, and natural persons running a business, if they decide on the purposes and means of the processing. In case of infringements, GIODO will contact the Data Controller for explanations.

Processing entity

In performing its business activity, Digital Care uses external entities that undertake specified activities on our instruction. If personal data are processed as part of these activities, a so-called entrustment of personal data takes place, i.e. a situation in which an entity (or person) other than the Data Controller has access to those data. An external entity instructed by the Data Controller to process data is called the Processor.

When entrusting personal data to another entity by Digital Care, the following obligations must be fulfilled:

  • an agreement that regulates the Processor’s duties must be concluded (so called Personal Data Processing Agreement);
  • it must be verified whether the Processor fulfils his duties, i.e. whether the methods used by him in processing personal data are compliant with the law and the Personal Data Processing Agreement.

Remember!

If you or your department commission activities in which personal data are processed to external entities, you must make sure that the above obligations are met.

You will be given the current template of the Entrustment Agreement and receive answers to all questions from the Compliance Department/DPO (TO BE AGREED).

What is the role of Digital Care?

Digital Care plays both roles. Digital Care is the Data Controller for the following personal data:

  • Data of employees;
  • Data of individuals visiting the company registered office (provided that their data are registered in the system);
  • Data of contractors or their employees.

However, in some processes Digital Care acts as a Processor and processes personal data as commissioned by its clients. These are, for example, the data of the owners of telephones repaired by DC.

Obligation of providing information

When do we have to inform a person that their data are being processed?

There are three situations in which the Data Controller is obliged to provide information to the data subject:

  • obligation of providing information when collecting data directly from the data subject (Art. 24 uodo) 
  • obligation of providing information when collecting data from other sources, than the data subject (Art. 25 uodo) 
  • obligation executed on the data subject’s request (Art. 33 uodo) 

Direct collection of data – Art. 24 uodo

The Data Controller should inform the person whose data it collects about:

  • the address of its seat and its full name;
  • the purpose of data collection;
  • the data recipients or categories of recipients, if known at the date of providing the information;
  • the existence of the data subject’s right of access to his/her data and the right to rectify these data;
  • whether it is obligatory or voluntary to provide the data and in case of existence of the obligation, about its legal basis.

An example of the obligation to provide information that should be fulfilled when collecting data for marketing purposes:

The Data Controller for the voluntarily provided personal data is Digital Care Sp. z o.o. with its registered office in Warsaw (02-146) at ul. 17 stycznia 48. The personal data will be processed for marketing purposes. The personal data will be made available to the authorized entities in accordance with the provisions of law. You have a right to access your data and rectify them.

Collection of data from other sources – Art. 25 uodo

When personal data are collected from a source other than the data subject, that person must be provided, directly after the data have been recorded, with the following:

  • information required when collecting data directly from the data subject (excluding information concerning a voluntary or obligatory character of providing the data), and
  • information about the data source, range of the collected data and rights arising out of Art. 32(1)(7) and (8) of uodo (right to demand to stop processing personal data and object to the processing of personal data).

An example of the obligation that should be fulfilled in respect to individuals, whose data were given to DC for marketing purposes:

The Data Controller for the voluntarily provided personal data is Digital Care Sp. z o.o. with its registered office in Warsaw (02-146) at ul. 17 stycznia 48. Your personal data consisting of your first name, surname and telephone number were provided by XYZ Sp. z o.o. with its registered office in Warsaw (00-000) at ul. Wróblewskiego 1 (the Contractor) and will be processed for marketing purposes. The personal data will be disclosed to the authorized entities in accordance with the provisions of law. You have a right to access your data and rectify them.

At the same time, we want to inform you about your right to submit a written and justified request to stop the processing of data in cases presented in Art. 23(1)(4) and (5) of the Act, due to a specific situation, and your right to object to the processing of the data in cases listed in Art. 23(1)(4) and (5) of the Act if the Data Controller intends to process them for marketing purposes or transfer your personal data to another Data Controller.

Providing information on an individual’s request

The Data Controller is obliged to provide information at the request of the data subject, in particular about:

  • his/her rights;
  • the type of data kept in the set;
  • the source, from which the data were collected;
  • the purpose and range of the data processing;
  • the method and to whom the data were made available.

This information must be provided within 30 days. At the data subject's request, the information is provided in writing. This right to obtain information can be exercised no more often than once every 6 months.

Consultations with DPO

The content of information clauses and of responses to requests made by data subjects must always be consulted with the DPO.

Which categories of information can be personal data?

  • First name
  • Email address
  • Information about the status of account
  • Fields of interest
  • IP address

Indicate data that are sensitive data

  • racial or ethnic origin
  • data relating to convictions
  • genetic code
  • religious beliefs
  • PESEL
  • health data
  • data concerning remuneration

Data Controller – indicate a true sentence

  • Every Digital Care employee is a Data Controller.
  • Must ensure that the personal data processing is in compliance with the law
  • Is responsible for infringements of the personal data that he processes
  • This is an entity that decides about the purpose and means for processing the personal data
  • Must always notify GIODO, before he/she commences the processing
  • He/She should conclude the Entrustment Agreements with companies that he/she entrusts with the processing of personal data

What is the personal data processing entrustment?

  • An “external” entity processes personal data for the purpose and in the scope defined by the Data Controller
  • The Data Controller sells the personal data to another entity
  • Entities exchange personal data with each other

Employees’ obligations

Introduction and the employees’ liability

The role of employees in protecting data

As a Data Controller, Digital Care is obliged to ensure an adequate level of protection for the personal data it processes. However, whether Digital Care fulfils this obligation depends on the behaviour of the individuals authorised to process personal data.

Remember! As a person who processes personal data, you are also responsible for the proper protection of these data.

UODO (Art. 39(2)) obliges individuals who have been authorised to process personal data to keep both the personal data and the methods of their protection confidential.

In this part of the training:

  • you will get familiar with the internal rules for securing data;
  • you will learn what we expect from you as a Digital Care employee;
  • you will get familiar with good practices and tools that will allow you to protect data better, both at work and at home.

Employees’ responsibility

As a rule, the Data Controller responsible for the data is liable for infringements relating to the protection of personal data. If it is found that the infringement was caused by an employee (intentionally or unintentionally), he/she may suffer financial or penal consequences.

An infringement of the protection of personal data by an employee may result in charges of committing one of the crimes specified in chapter 8 of uodo or the crime specified in Art. 266 of the Penal Code.

Art. 51 uodo

  • para. 1 – A person who, being the controller of a data filing system or being obliged to protect the personal data, discloses them or provides access to unauthorized persons, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to two years.
  • para. 2 – In case of unintentional character of the above offence, the offender shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.

Art. 52 uodo

  • A person who, being the controller of a data filing system violates, whether intentionally or unintentionally, the obligation to protect the data against unauthorized takeover, damage or destruction, shall be liable to a fine, the penalty of restriction of liberty or deprivation of liberty up to one year.

Additionally, according to Art. 100(2)(5) of the Labour Code, an employee is obliged to observe secrecy defined in other regulations. Personal data which DC has designated as confidential fall under such secrecy. Disclosure of a business secret, depending on the range of the disclosed personal data and the attitude of the employee responsible for the unauthorised disclosure, can be recognised as a violation or serious violation of the employee's obligations.

Inspector General for the Protection of Personal Data

The Inspector General for the Protection of Personal Data safeguards personal data. The State Labour Inspection also pays attention to irregularities concerning the compliance of data processing with the personal data regulations and notifies the Inspector General for the Protection of Personal Data about irregularities found in this regard during inspections.

Internal documents relating to the protection of personal data

Internal policies and procedures

As a DC employee or co-worker you are obliged to familiarise yourself with the following documents and to comply with the obligations arising from them.

  • Policy of Protection
  • Information Technology System Management Instruction
  • Global and local policies and procedures

Digital Care workstations and telecommunication and information technology assets are company equipment that can be monitored at all times.

Digital Care may keep records of file access and operations and of users' online activity in computer networks and on the Internet.

Keeping data secret

Keep the data secret

Do not give personal data to persons who are not authorised to process personal data (this also applies within Digital Care).

Never send any business information from your private e-mail account.

Individuals who are neither employees nor permanent co-workers of the company may only move around the office accompanied by a host. If you meet an unknown person within the office area, do not hesitate to ask him/her whether he/she needs any assistance. If needed, escort him/her to the reception or to the person he/she wants to talk to.

Data processing authorization

If you process personal data as part of your professional duties, you have been authorised to process those data. If you have any doubts, check which data you are authorised to process.

Protection of documents

Make sure that documents containing personal data (of clients, employees or co-workers) are not left in generally accessible places where unauthorised persons could read them.

Store electronic documents in the places intended for this purpose. If a space within the DC network assets is dedicated to storing such files, avoid storing them on your local computer or in generally accessible folders.

Remember that personal data means all information relating to an identified or identifiable natural person: not only first name, surname and PESEL, but also information about the place of work, fields of interest, etc.

By protecting personal data, you create good reputation of Digital Care.

Secured password

How to create a good password?

Use mnemonic techniques to create passwords that are difficult to break and easy to remember. Build a password from digits, special characters and the first letters of a line from your favourite poem or song, e.g. 100%oLmHYalH (“Oh Lithuania, my homeland, you are like health”, with nouns written in capital letters).

Use unique passwords – i.e. a different one in every system.

Protect passwords – do not keep them in places where other people can see them, e.g. on a sticky note attached to your screen. Do not share passwords with your co-workers.

Attackers are able to check 5 million passwords per second. To delay the breaking of a password, it should be:

  • not in the dictionary (you must not use passwords of the following types: Qwerty, kate123, sunny, ynnus)
  • unconventional (you must not use passwords of the following type: MySecretFacebookPassword)
  • long and complex (it should have at least 8 characters, including lower-case and capital letters, digits and special characters).
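The three rules above can be turned into a simple policy check. The following is an added example (not part of the original training material): it flags dictionary words, also when spelled backwards (the “ynnus” case) or padded with digits (the “kate123” case), checks the length and character-class rule, and estimates the worst-case time to exhaust the search space at the 5 million guesses per second quoted in the text. The tiny word list is constructed for illustration and stands in for a real dictionary.

```python
import string

# Guess rate quoted in the training text: 5 million passwords per second.
GUESSES_PER_SECOND = 5_000_000

# Constructed stand-in for a real dictionary/wordlist (illustration only).
DICTIONARY = {"qwerty", "kate", "sunny", "password", "secret", "facebook"}


def dictionary_hits(password: str) -> list:
    """Return dictionary words found inside the password, ignoring case.

    The password is also scanned reversed, so 'ynnus' is caught as 'sunny',
    and a word followed by digits ('kate123') still matches 'kate'.
    """
    lowered = password.lower()
    mirrored = lowered[::-1]
    return sorted(w for w in DICTIONARY if w in lowered or w in mirrored)


def character_classes(password: str) -> dict:
    """Which of the four character classes from the rule are present."""
    return {
        "lower": any(c in string.ascii_lowercase for c in password),
        "upper": any(c in string.ascii_uppercase for c in password),
        "digit": any(c in string.digits for c in password),
        "special": any(c in string.punctuation for c in password),
    }


def seconds_to_exhaust(password: str) -> float:
    """Worst-case time to try every string of the same length drawn from the
    character classes the password actually uses, at GUESSES_PER_SECOND.

    This is a brute-force bound only: a dictionary-based attack finds a word
    like 'sunny' far faster, which is why dictionary_hits() is checked first.
    """
    present = character_classes(password)
    sizes = {"lower": 26, "upper": 26, "digit": 10, "special": len(string.punctuation)}
    alphabet = sum(size for name, size in sizes.items() if present[name])
    return alphabet ** len(password) / GUESSES_PER_SECOND


def check_password(password: str) -> dict:
    """Apply the training's three rules and return the findings."""
    problems = []
    hits = dictionary_hits(password)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    missing = [name for name, present in character_classes(password).items() if not present]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return {
        "ok": not problems,
        "problems": problems,
        "seconds_to_exhaust": seconds_to_exhaust(password),
    }


if __name__ == "__main__":
    # The text's own examples: the mnemonic one passes, the rest are rejected.
    for candidate in ["100%oLmHYalH", "Qwerty", "kate123", "sunny", "ynnus",
                      "MySecretFacebookPassword"]:
        result = check_password(candidate)
        verdict = "OK " if result["ok"] else "BAD"
        print(f"{verdict} {candidate!r}: {result['problems'] or 'passes all rules'} "
              f"(brute-force bound {result['seconds_to_exhaust']:.3g} s)")
```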

Managing passwords

Saving passwords in a browser is one of the biggest mistakes a computer user can make. Even if access to your operating system is secured with a password, it is easy to bypass it and gain access to the data stored on the drive, including all the passwords saved in the browser.

On the other hand, it is unreasonable to expect users to remember all the passwords to the accounts and services they use. Using the same password everywhere is also a very bad idea.

There is one solution – password management programs. Such an application stores all your passwords and at the same time restricts access to them with a … password. A single strong password gives access to the saved passwords. In practice, after logging on to your workstation you log on to this program and from that moment you have access to the saved passwords. Logging on from a new device requires an additional confirmation – this protects the account from being taken over.

Ask the IT department, which password managing program is preferred in your organization.

Protection of personal data

How to protect personal data – practical tips

Below, you will find tips on how to protect your computer, drives and accounts against unauthorized persons and data loss. Information provided in this part can be used by you both at work and when protecting your data on your private devices.

6 fundamental rules in protecting data:

  • Encrypt email or attachments that contain personal data.
  • Lock the workstation, when you leave it.
  • Carefully check, to whom you send messages containing personal data. Watch out for an automatic insertion of addressees from the list of contacts.
  • Do not leave documents on the desk after work nor during longer breaks.
  • Lock rooms and cabinets, in which you store documents, with a key.
  • Do not throw documents into the trash can. Use a shredder. Also, immediately destroy working, faulty and outdated printouts with a shredder or by any other effective means.

Encrypting hard drives and portable drives

Do you use your company computer outside the office? It is worth considering encrypting the drive. This will make it significantly more difficult for outsiders to access the data saved on the device, e.g. if the device is stolen.

NOTE! Do not encrypt company devices on your own. Contact the IT department, which will help you protect the data.

Notification of infringements

Notification of infringements

If your IT equipment is stolen or lost, notify the IT helpdesk and DPO about this fact.

If you suspect that there has been an infringement of the protection of personal data, inform your supervisor and DPO.

What infringements must be reported?

Examples of infringements that MUST be reported:

  • disappearance of documents with personal data (e.g. from a cabinet, desk);
  • marks of mechanical damage to a drawer lock;
  • attempts by co-workers to attach private memory drives;
  • attempts to obtain the login data to your business account by deception.

Who supervises the protection of personal data in Poland?

  • Main Inspector for the Protection of Personal Data
  • Inspector General for the Protection of Personal Data
  • State Advocate for the Protection of Personal Data
  • Director General for the Protection of Personal Data

What should an employee do if he/she receives a document with personal data addressed to another employee?

  • Nothing. He/she can leave it on his/her desk.
  • All answers are correct.
  • He/she should immediately pass these documents to the right employee.
  • He/she can leave it in a place, where there is a general access, so that the right employee can find it easily.