This article is not intended to provide legal advice. If you are interested in how the GDPR and other privacy laws apply to your specific situation in Poland or elsewhere, consult an expert law firm.
One of the main obligations imposed on data controllers is the information obligation. The GDPR has significantly expanded the catalogue of information that should be provided to the data subject. Article 13 of the Regulation states that when collecting personal data from the data subject, the controller shall provide, inter alia, such information as their identity and contact details, contact details of the data protection officer, the purposes of processing along with the legal basis, legitimate interests pursued by the controller or a third party (if this is the basis for processing), information about data recipients, and information about the intention to transfer data to a third country or an international organisation. The controller shall also provide other information necessary to ensure the fairness and transparency of processing, including the period of data storage, information on the rights of the data subject, information on whether the provision of data is a statutory or contractual requirement or a condition for entering into a contract, information if the data subject is obliged to provide data and what the consequences of not providing them are, as well as information about any automated decision making, e.g. profiling.
Before the entry into force of the GDPR and just after that date, entrepreneurs rushed to create or update the privacy statements or policies on their websites so as not to be exposed to possible administrative penalties that may be imposed for failure to comply with GDPR obligations. Although penalties are not the only instrument that the authorities can use (warnings and reprimands may also be issued), the astronomically high maximum sanctions effectively “encourage” business owners to take the GDPR seriously (regardless of the criticism this Regulation often comes under). More on this issue can be found on the website of the Polish Office for Personal Data Protection: https://uodo.gov.pl/pl/138/1244.
Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used.[…]
Likewise, Art. 12(1) of the Regulation stipulates that:
The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child. […]
For non-English-speaking individuals to whom the entrepreneur’s offer is addressed and whose data may therefore be processed, becoming familiar with the mandatory information that the entrepreneur as a data controller is to provide will be rather difficult if the translation is unavailable. It seems that in this case, the GDPR obligation to provide relevant information in a concise, transparent, intelligible and easily accessible form is not met.
Feel free to use our professional certified and ordinary translation services.
Sworn translator of the English language: Ruda Śląska Halemba
Sworn translator of the English language: Gliwice, Katowice, Mikołów, Zabrze and the Upper-Silesian region
Remote and online services around the world