General data protection regulation (GDPR)

The General Data Protection Regulation (“GDPR”) necessitates a change in the philosophy of personal data protection.

Implementing the GDPR has changed every organisation’s approach to data protection and required businesses to take a risk-based approach.

The GDPR standardises the law throughout the European Union and ensures that individuals’ personal data is protected, regardless of where it is processed.

The GDPR entered into force on 25 May 2018. It applies directly to all entrepreneurs who process personal data within the European Union.

Every entrepreneur is obliged to ensure ongoing compliance with the GDPR. Compliance is a continuous process, not a one-off assessment.

The GDPR requires companies to implement a strategy based on their data processing risk assessment. It also requires existing company documentation and procedures to be updated. The required measures depend on the nature, scope, context and purposes of the data processing and the risk of infringing data subjects’ rights and freedoms.

The GDPR’s accountability principle means that entrepreneurs must demonstrating their compliance with its rules.

The significant fines stipulated in the GDPR mean that personal data should be a key area of your company’s focus. Fines can be imposed of up to 20 million euros or 4% of the company’s annual worldwide turnover.

The GDPR facilitates companies’ operations in many markets if entrepreneurs meet certain requirements.

How can we help?

Data protection services

Auditing your company to ensure compliance with data protection law (inc. compliance with the GDPR and sector-specific legislation). This includes both implementation and post-implementation audits;
Reviewing your new business processes and IT solutions from the perspective of compliance with personal data protection legislation;
Preparing and reviewing internal documentation on personal data processing, including privacy policies, instructions, internal procedures and documentation of GDPR obligations from the perspective of the risk assessment principle and the accountability principle;
Designing data flow structures, including from groups inside and outside the EEA to third countries;
Advising on online data processing (e-commerce, cookies, login platforms, cloud);
Advising on various aspects of personal data security, including data breaches, securing data outsourcing from contract negotiation to information security issues;
Conducting data protection training courses (e.g. data protection in employment, data protection in public procurement, data protection in IT, data protection in marketing);
Preparing manuals on data protection for employees;
Representing clients in proceedings before the President of the Office for Personal Data Protection and in court proceedings;
Preparing a general privacy policy addressed to the data subjects (clients, contractors, contacts and others who cannot be reached directly) ready for posting on the company’s website;
Explaining how to process data for marketing purposes in promotional activities in accordance with the GDPR and other specific legislation;
Assessing the obligation to appoint a DPO;
Preparing your company for inspections and audits – developing procedures and training individuals who will represent your company during inspections and proceedings before the President of the Personal Data Protection Office. To increase the effectiveness of these activities, we carry out “training inspections” to protect the company from the negative effects of inspections, significant fines and – in extreme cases – criminal sanctions.

Data protection services – labour market

Reviewing employee regulations (e.g. whistleblower system) for compliance with data protection principles;
Developing data retention policies in employment;
Reviewing data sharing in the employment context in terms of relations with non-wage benefit providers;
Preparing and reviewing relationships with headhunters and temporary work agencies (entrustment/sharing agreements; deciding when an entity acts as a data controller and when it acts as a processor);
Advising in the employment context on the processing of sensitive personal data, including biometric data and personal data on criminal convictions and offences;
Advising on obtaining data on candidates (recruitment portals, professional social media, online screening, background checks, recruitment agencies);
Assessing the acceptability of using specific forms of monitoring (video, emails, phone records, use of GPS and others);
Creating internal workplace privacy procedures, including policies on using social media at work, BYOD at work;
Creating a handbook on how to recruit effectively and in compliance with GDPR;
Analysing whether personal data of persons employed can be processed in the context of employment;
Adapting existing company regulations and internal documents, including work regulations, to ensure compatibility with the new law (including monitoring).

Personal data protection services – GDPR DEFENCE

Developing and implementing procedures to be followed in the event of inspections and investigations by the President of the Personal Data Protection Office;
Training managers, internal data protection officers and/or dedicated teams within the company to take action in the event of an inspection initiated before the President of the Personal Data Protection Office, including conducting simulated inspections;
Advising on proceedings before the President of the Personal Data Protection Office to reduce the risk of financial penalties being imposed;
Helping to prevent civil claims being brought by individuals;
Mitigating the risk of criminal liability for breaches of data protection legislation by implementing appropriate procedures to protect the company’s decision-makers and others;
Advising and representing clients in any proceedings regarding data protection.

Related services

Labour law

Consumer protection law

Technology, media and telecommunications (TMT)

Cybersecurity

E-commerce

Financial institutions and insurance

FMCG

Awards

Legal 500 EMEA 2024 recognised SSW in fourteen categories: Banking and Finance (Tier 3), Capital Markets (Tier 2), Commercial corporate and M&A (Tier 4), Construction (Tier 1), Data privacy and Data protection (Tier 4), Dispute Resolutions (Tier 3), Energy and Natural Resources (Tier 2), Intellectual Property (Firms to Watch), Investment Funds (Tier 2), Private Client (Tier 1), Private Equity (Tier 2), Public Procurement (Tier 2), Real Estate (Tier 3), Restructuring and Insolvency (Tier 3).