The average person understands the concept of "personal data" quite narrowly, usually limiting it to a first and last name, contact details, PESEL or identity card number. However, the concept is broad and includes any information about an identified or — note — an identifiable natural person. It is precisely the question of whether a person is identifiable, and for whom they must be identifiable, in order for the information to constitute personal data, that causes the most controversy. In the training we will explain in detail the broad and complex definition of personal data, in particular the dependence of the "existence" of personal data on the specific context. We will also explain that court judgments are issued with regard to a particular set of facts and therefore cannot determine once and for all that a given piece of information is or is not personal data.

Deletion of data must take place within the limits of Article 17 of the RODO. You cannot delete client data that are necessary for the performance of an active contract or necessary for the establishment, exercise or defence of claims. In the training we will also explain why the right to be forgotten is not an absolute right and how to correctly understand the cessation of the purpose of processing.

Before any transfer, it is always necessary to verify whether we are dealing with the entrustment of processing (in which case we must conclude a processing agreement), or with the provision of data to a separate controller. That is why correctly identifying the roles of the individual entities in the processing is so important. In the training we will explain how to distinguish a processor from a separate controller and why this is very important.

As a rule – yes. This obligation and the manner of its fulfilment arise from Articles 13 and 14 RODO. However, there are certain situations in which this obligation is excluded, i.e. this applies where and to the extent that the person already possesses that information (this means that, for example, if a new purpose of processing arises, we must inform the data subject of this new purpose, but there is no obligation to re-issue the entire privacy notice if it has already been provided previously – it is sufficient merely to refer to its content in the remaining, unchanged scope). Additionally – where data are obtained from a source other than the data subject, the obligation need not be fulfilled in the situations referred to in Article 14(5) RODO, namely:

• •providing such information proves impossible or would require a disproportionate effort; in particular in the case of processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or where the obligation referred to in paragraph 1 of this Article could render impossible or seriously impair the achievement of the purposes of such processing. In such cases the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making the information publicly available;

• •the obtaining or disclosure is expressly laid down by Union law or the law of the Member State to which the controller is subject, and which provides appropriate safeguards for the legitimate interests of the data subject;

• •personal data must remain confidential in compliance with a legal obligation of professional secrecy under Union law or Member State law, including a statutory obligation of secrecy.

Each time, however, before potentially refraining from fulfilling the information duty, an analysis of the specific case should be carried out to determine whether it falls within any of the above situations. For accountability purposes the controller should document such analysis so as to be able, if necessary, to demonstrate and justify its position to the supervisory authority. One should approach refraining from fulfilling the information duty very cautiously, as a penalty was imposed on a controller on this basis (decision UODO ZSPR.421.3.2018).

Transfers of data to the USA have become much easier since the European Commission issued its so‑called adequacy decision regarding that country. This means that personal data can be transferred to all companies listed at https://www.dataprivacyframework.gov/list, however attention should be paid to whether we intend to transfer "HR-data" or "Non-HR-data", because in the case of some companies we may be able to transfer only "Non-HR-data" on that basis. If a given US company is not on the list at all, a transfer of data to such a company will most often require the conclusion of so‑called standard contractual clauses, i.e. an additional transfer agreement with a pre-determined wording.

No. Before transferring personal data to any external entity (note: merely granting access to data also constitutes a transfer) you should determine the role of that entity – whether it will be a separate, independent controller of personal data (it determines the purposes and means of processing itself), or whether it will perform certain processing activities on data only on our instructions, without being decisive in that respect. In practice, before each transfer of data you should establish which situation applies. If we transfer data to a separate controller, we must do so on one of the bases indicated in Articles 6 or 9 RODO; if to a processor – we only need to conclude with it a processing agreement referred to in Article 28 RODO. Note: there are other configurations as well – sometimes we are the processor for another company. The most important thing is to determine the roles before every new flow of data between two separate entities. Clarity in this respect solves many problems in critical situations, such as a personal data breach or a complaint by the data subject.

Yes, this requirement arises directly from Article 28(1) of the RODO, according to which "where processing is to be carried out on behalf of the controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures, in order that processing meets the requirements of this Regulation and ensures the protection of the rights of data subjects". This means that the conclusion of a processing agreement should always be preceded by such verification, e.g. by means of a security questionnaire in which the processor indicates what measures it applies / will apply to protect personal data. Such a questionnaire will enable the controller to assess whether it considers these measures sufficient, or whether it may deem it necessary for the processor to take additional actions to ensure appropriate security of the data. The President of the Personal Data Protection Office has also drawn attention to this issue, for example in decision UODO 5131.31.2021, in which the controller was sanctioned, inter alia, for failing to verify the processor. Equally importantly, such verification should be repeated during the course of the cooperation.

During the training this principle is discussed using a mobile application as an example, but it applies to all processing operations and processes that take place within the organisation.