Will GDPR compliance inspections affect Polish entrepreneurs?

It has been over nine months since GDPR entered into force. As experience shows, ignoring the new regulations may result in severe financial penalties for entrepreneurs. For example, the French company Optical Center, which sells glasses through an online store, was forced to pay a fine of 250,000 EUR for insufficient protection of clients’ personal data. The highest penalty, 50,000,000 EUR for the unlawful processing of personal data, was recently imposed on Google LLC.


The most frequently detected mistakes concern improper personal data acquisition and consents for processing personal data, incorrectly created checkboxes and non-fulfilment of the information obligation.


GDPR compliance inspections of entrepreneurs also take place in Poland. Currently, a widely discussed case concerns the leak of personal data of people who used the services of morele.net and Freshmail. The President of the Office for Personal Data Protection (UODO), Edyta Bielak-Jomaa, confirmed in one of the press materials that “Many proceedings are underway. Penalties will soon be imposed. They should be severe as is required by GDPR.” In addition to ad hoc inspections that result from complaints filed with the Office, UODO will now systematically inspect compliance with the new regulations.


The inspection plan published by UODO for 2019 announced intensified inspections of private-sector entities. The inspectors will focus primarily on areas such as telemarketing, data brokers, recruitment and the use of video monitoring. The last two, due to their prevalence, will concern the majority of entrepreneurs, which means that every employer must analyse the procedures applied in these areas with particular diligence.


Importantly, since May 2018 UODO has issued numerous guidelines on the application of the GDPR, including guidelines on the use of video monitoring, a guide for employers on the protection of personal data in the workplace and a list of types of operations requiring a Data Protection Impact Assessment. These guidelines did not exist when the GDPR entered into force in May last year, so they were not taken into account when data protection procedures were created and documented at that time.


For this reason, it is advisable, if not crucial, to review the documents and procedures implemented in the company in May 2018 and update them to the necessary extent.


About the Authors: This blog post is written by Jedrzej Brzykcy, Kamil Blicharski and Tomasz Wiese from our highly recommended legal partner JWMS.