Every business processes personal data and must comply with GDPR. Find out how to prepare records of processing activities, information clauses, and basic data protection procedures.
Personal data protection is an obligation that affects almost every entrepreneur – regardless of the size of the business or the industry. GDPR, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council, has been in force in Poland since May 2018, yet many small and medium-sized businesses have still not implemented even its basic requirements. In this article we explain where to start, which documents are essential, and how to avoid the most common mistakes. We will also show how an accounting firm can support an entrepreneur in the area of HR and financial documentation related to GDPR.
GDPR governs the rules for collecting, storing, and processing personal data – that is, any information that makes it possible to identify a specific natural person. This includes data relating to customers, employees, contractors, and website users, among others. The obligations arising from GDPR apply to:
• sole traders (JDG),
• sp. z o.o. companies and other commercial law entities,
• associations, foundations, and other organisations.
There is no minimum employment or turnover threshold – if you process personal data for professional purposes, GDPR applies to you. Failure to implement the regulations may result in a financial penalty of up to €20 million or 4% of total annual global turnover, as well as claims from the individuals whose data is concerned.
Every processing of personal data must have a legal basis. GDPR provides six such bases, of which the most commonly used in business practice are:
1. Performance of a contract – customer data processed for the purpose of fulfilling an order or providing a service.
2. Legal obligation – employee data processed for HR, payroll, and tax purposes.
3. Legitimate interests of the controller – e.g. direct marketing to existing customers.
4. Consent of the individual – required, among other situations, for newsletters or the processing of sensitive data.
Choosing the correct legal basis is crucial – it affects the scope of information obligations and the data retention period. Incorrect classification of the legal basis is one of the most common errors identified by the Personal Data Protection Office (UODO).
The records of processing activities (RCP) are an internal document that describes what data the business collects, for what purpose, on what legal basis, and for how long it is retained. Maintaining the records is mandatory for data controllers (and therefore for the vast majority of businesses). The records should include:
• the name and contact details of the controller,
• the purposes of processing (e.g. customer service, employment, accounting),
• categories of data subjects and data (e.g. employees – HR and payroll data),
• recipients of the data (e.g. the accounting firm, ZUS, US),
• planned data deletion deadlines,
• a description of technical and organisational security measures.
The records do not need to be complex – a clear table in Excel or a dedicated tool is sufficient. What matters is that they are kept up to date and are available in the event of a UODO inspection.
The information obligation is one of the cornerstones of GDPR. The controller must inform the person whose data it collects about: who the controller is, for what purpose and on what legal basis the data is processed, to whom it is disclosed, and for how long it is retained. Information clauses must be used, among other situations:
• on recruitment forms (for job applicants),
• in contracts with customers and contractors,
• on the website (contact forms, newsletter sign-ups),
• when concluding employment contracts or contracts of mandate.
The clause should be written in plain language – understandable to the average reader, not only to a lawyer. Avoid copying ready-made templates without adapting them to the specifics of your business, as they are often too general or out of date.
If you transfer personal data to another entity that processes it on your behalf, you must enter into a data processing agreement (UPP). This applies, among other situations, when:
• you use the services of an accounting firm (access to employee and customer data),
• you use external CRM or HR and payroll software hosted in the cloud,
• you outsource IT support to an external company,
• you work with a marketing agency that manages your mailing list.
The UPP must be concluded in writing (or in electronic form) and must specify, among other things, the subject matter, duration, nature, and purpose of the processing. The absence of such an agreement constitutes a serious GDPR violation – both on the part of the controller and on the part of the processor.
UODO inspections and internal audits most frequently reveal the following shortcomings:
1. Missing or out-of-date records of processing activities.
2. Using a single, general information clause for all purposes.
3. Absence of data processing agreements with the accounting firm, IT providers, or agencies.
4. Retaining data longer than necessary (e.g. CVs of applicants kept for several years).
5. Unsecured paper documents or lack of a clean desk policy.
6. No procedure for responding to personal data breaches.
The good news is that most of these mistakes can be eliminated relatively quickly by establishing clear procedures and assigning responsibility to specific individuals within the business. Implementing GDPR does not have to be costly – it requires above all time and consistency.
Implementing GDPR in your business is not a one-off task but an ongoing process – documents must be kept up to date, and employees should be familiar with the basic principles of data protection. If you run a JDG or a company and want to make sure that your HR and payroll documentation and your cooperation with an accounting firm meet GDPR requirements, contact Danexis. Our specialists will help you organise your documentation and identify the first steps to take. Call us at +48 780 760 666 or write to kontakt@danexis.pl.