Changes in the protection of personal data in the EU Member States

Legislated by the European Parliament and the EU Council, the General Data Protection Act is designed to unify and harmonize the rules on this issue in the Member States. The implementation is scheduled to take place by May 25, 2018. It is therefore worth noting the new provisions, obligations and sanctions associated with the adoption of the new law. Paweł Dyrduł, a lawyer from KG Legal Kiełtyka Gładkowski Sp.p with its registered office in Krakow, analyzes these issues.

What is the GDPA?

GDPA is an abbreviation of the General Data Protection Act. This is a legal act adopted by the EU legislature which, as the name implies, is aimed at regulating broadly defined personal data. The official text of the Regulation was published in the Official Journal of the European Union on 4 May 2016. However, the entry into force of the provisions contained in the Regulation was set for 25 May 2018. The Member States of the European Union are obliged to implement the provisions contained in the Regulation by 6 May 2018. The implementation of the provisions of the EU legal act will generally be followed by the adoption of relevant national legal acts.

Personal data

The definition of personal data in the Polish legal system is contained in the Act of 29 August 1997 on the protection of personal data. Personal data is any information about an individual who is identified or identifiable. This definition makes it possible to conclude that personal data is not just information that immediately identifies an individual. It may also be information that, given appropriate time and effort, allows the person concerned to be identified. By analysing the rules, case law and views of legal doctrine, it is possible to construct a catalog of personal data, which is treated as open. Examples of personal data are:

  • Name and surname,
  • Address,
  • PESEL number,
  • ID number,
  • Photograph.

The open nature of the catalog allows new data to be added to it and treated as personal as technology develops. For example, given the current state of technology, biometric data (e.g. fingerprints) can be considered personal data. It is worth noting that information of a high degree of generality (as long as it is not linked to a particular person) cannot be considered personal data. Examples are the amount of a salary or a house number.

The most important provisions

The GDPA is a lengthy legal act with many provisions. That is why it is worth listing its most important provisions and the goals behind the adoption of this regulation.

First and foremost, the regulation aims to unify and harmonize the provisions on the protection of personal data in the EU Member States. So far, each Member State has had its own privacy laws, which often differ from those of other states. Businesses operating across borders, which often collect and process customers' personal data, have frequently encountered difficulties with the differing legal standards in force. Foreign entrepreneurs have therefore had to adapt their procedures for the protection and processing of personal data to the national legislation in force. This situation will change with the entry into force of the regulation. As of May 2018, the same provisions on the protection and processing of personal data will apply in all EU Member States.

The new act aims to impose new obligations on entrepreneurs to inform the individuals to whom personal data relate. Entrepreneurs will be obliged to inform customers with whom and for what purpose their personal data are shared. The information given to the owners of personal data is to be expressed in the simplest possible form, i.e. in comprehensible language.

The Regulation will grant the persons to whom personal data relate the right to be forgotten. This means that such a person will have the right to request that the administrator remove personal data, provided that the data is no longer required for the purposes for which it was given.

The last of the important novelties introduced in the regulation is the limitation of profiling. This means that the administrator of personal data will not be able to categorize and process personal information without an explicit legal basis. The owner of the data will have the right to object to the profiling of their personal data.

Practical issues

With an idea of the novelties proposed by the EU legislator on the protection and processing of personal data, it is worth paying attention to the practical aspects that will arise after the implementation of the GDPA provisions in national law.

First and foremost, responsibility for violation of the rules on the protection of personal data will be borne by the data processor. This is important because many companies are opting for outsourcing to ensure data security. In case of a breach of the provisions of the Regulation, the entity dealing with the data processing company will not be responsible. Responsibility will lie, as has already been mentioned, with the data processing company. Any infringement of the provisions of the regulation is to be reported to the competent supervisory authority within 72 hours of detection. There may also be an obligation to immediately notify the person whose personal data are involved. In addition, companies that deal with the control or processing of personal data will be obliged to appoint an Inspector of Personal Data Protection within their structure. The person who holds this position will have to have adequate knowledge and experience in the protection and processing of personal data. All personal data collected by the company will be subject to mandatory inventory. Entities controlling and processing personal data will be required to create and maintain special registries that record data transfers, the reasons for data processing, data breaches, etc.


Penalties – financial fines – for infringement of the provisions of the Regulation will be imposed by the national ombudsmen of personal data. The Regulation provides for severe penalties for infringements. The imposed penalties may be up to EUR 20 000 000 or up to 4% of the total annual worldwide turnover of the preceding financial year.

Abstract: Personal data, Customer protection, European Union law

The article was prepared by KG LEGAL KIEŁTYKA GŁADKOWSKI based in Cracow, Poland, specialising in cross border cases, with its focus on new technologies, IT and life science. It analyses provisions of the General Data Protection Act.

Paweł Dyrduł, lawyer (specializing in banking law, financial law) from KG LEGAL KIEŁTYKA GŁADKOWSKI – PARTNERSHIP based in Cracow, specializing in cross border issues and servicing life science and IT companies, analyses the GDPA provisions and their impact on the process of collecting and processing personal data.