For example, the French company Optical Center, which sells glasses through an online store, was forced to pay a fine of 250,000 EUR for insufficient protection of clients’ personal data. The highest penalty of 50,000,000 EUR for the unlawful processing of personal data was recently imposed on Google LLC.
A widely discussed current case concerns the leak of personal data of people who used the services of morele.net and Freshmail. The President of the Office for Personal Data Protection (UODO), Edyta Bielak-Jomaa, confirmed in one of the press materials that “Many proceedings are underway. Penalties will soon be imposed. They should be severe as is required by GDPR.” In addition to ad hoc inspections that result from complaints filed with the Office, UODO will now systematically check compliance with the new regulations.
The inspection plan published by UODO for 2019 announced intensified inspections of private-sector entities. The inspectors will focus primarily on areas such as telemarketing, data brokers, recruitment and the use of video monitoring. The last two areas, due to their prevalence, will concern the majority of entrepreneurs, which means that every employer must analyse the procedures applied in these areas with particular diligence.
Importantly, since May 2018 UODO has issued numerous guidelines on the application of the GDPR, including guidelines on the use of video monitoring, a guide for employers on the protection of personal data in the workplace and a list of types of operations requiring a Data Protection Impact Assessment. These guidelines did not exist when the GDPR entered into force in May last year, so they were not taken into account when data protection procedures were created and documented at that time.
For this reason, it is advisable, if not crucial, to review the documents and procedures implemented in the company in May 2018 and update them to the extent necessary.