RODO – everybody has heard of it, everybody knows about it, yet not everybody understands it. It is really hard to find specific information about storing documents properly in accordance with the RODO/GDPR requirements. That is why, to dispel your doubts, we invited a RODO/GDPR expert, Data Protection Supervisor Tomasz Suliński, who told us everything we should know about the RODO/GDPR.
1. What determines level of documents’ confidentiality?
It depends on the category of personal data included in such documents. RODO/GDPR refers to categories of personal data, which can be divided into:
- Personal data - RODO does not directly specify a catalogue of personal data, but Article 4(1) indicates: "an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person".
- Special categories of personal data - Article 9: "personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited."
- Data concerning criminal convictions and offences.
2. How to prepare your company to follow RODO/GDPR regulations in practice?
RODO was done at Brussels on 27 April 2016. Each EU country, including Poland, had a two-year transitional period to adapt to the RODO/GDPR regulations, and from 25 May 2018 RODO/GDPR entered into force. Nowadays, each public or private institution processing personal data of natural persons has to comply with the RODO/GDPR regulations. The public and private institutions adapting to RODO/GDPR had to implement all appropriate organisational measures, such as a personal data policy, procedures and staff training. Simultaneously, technological protection was also demanded. Personal data in traditional (paper) form had to be stored in an enclosed space or in locked cabinets. Sensitive data in electronic form have to be protected by IT security measures. RODO/GDPR does not impose any guidelines on how to protect personal data; however, it imposes on the controller (e.g. the business owner) an obligation to protect and process them in accordance with the law. That is stated in Article 24(1): "Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary."
3. Where should documents be stored? Are there any official regulations?
In RODO there are no official regulations determining how documents containing personal data should be stored; however, the controller, e.g. the business owner, is responsible for their appropriate protection, which follows from Article 24 mentioned above.
4. What is the penalty for non-compliance with the RODO requirements?
For non-compliance with the RODO requirements there is a risk of an administrative fine of up to 20 000 000 EUR or, in the case of companies, up to 4% of their total worldwide annual turnover from the previous financial year, whichever amount is higher.
5. Is it common that RODO is not respected? What kind of breaches are these? Why does it happen?
It is hard to give an answer in a few words. UODO, i.e. the Personal Data Protection Office, has already imposed many administrative fines. The reasons for these fines were very different. Protection of personal data is a very complex process, starting from physical safety, e.g. using proper furniture in which personal data are stored, and finishing with securing the servers which store data in the cloud.
6. What kind of furniture fulfils the RODO conditions in terms of storage?
RODO does not specify particular guidelines; however, without any doubt, reliable and solid furniture with appropriate locks is much better and, what is more important, much safer. It is the controller who decides how documents with personal data are protected, so if the documents are stolen, the responsibility is also on the controller's side. In the case of data theft, UODO in its proceedings can conclude that the locker in which the documents were stored was insufficiently secured, and in connection with this fines can be imposed.

MALOW'S lockers meet RODO requirements

The expert's statement clearly indicates that the controller is responsible for the safety of stored data. The Regulation does not specify the type of security, but it does impose on the controller the duty of storing documents in a restricted area. The security measures applied by controllers are examined and all breaches are severely punished. Prevention is better than cure, isn't it? It is worth following the expert's advice and equipping yourself with Malow's metal furniture, which meets all RODO requirements. Our furniture is welded and therefore forms a continuous, solid block. Additionally, it is more resistant and safer than furniture for self-assembly. Malow's filing cabinets are equipped with a patent lock with keys, creating in your workplace a perfect area for storing confidential documents and ensuring their safety. You can be sure that sensitive data will be properly secured!