What is GDPR? A complete guide to data protection for companies operating in the European Union
In today’s global economy, where data flows freely across borders and business is conducted internationally, the need for a single, strong and consistent data protection standard has become a pressing necessity. This is the role of the General Data Protection Regulation (GDPR). Although it is a European Union law, its reach and impact extend far beyond the continent’s borders, making it the de facto global gold standard for privacy.
For Polish companies that operate in the single European market, offer their goods and services to citizens of other EU countries, or work with international partners, in-depth understanding and rigorous compliance with the GDPR is not an option – it is an absolute necessity. What’s more, in an era of growing awareness among consumers and business partners, the ability to demonstrate GDPR compliance is becoming not only a legal obligation, but also a powerful tool for building trust and a key competitive advantage.
This guide is a comprehensive analysis of GDPR, prepared for leaders and managers of Polish companies with international ambitions. It will explain what exactly this regulation is, how it differs from the colloquial Polish term “RODO,” what obligations it imposes on companies and the financial consequences of ignoring it. It’s a roadmap that will allow you not only to ensure compliance, but also to use GDPR as a foundation for building a transparent and trustworthy brand on the international stage.
What is GDPR (General Data Protection Regulation) and why does it also apply to Polish companies?
The General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council) is an EU regulation that has applied since May 25, 2018. Its overarching goal is to unify and strengthen the protection of individuals’ personal data across the European Union. The GDPR was designed to give citizens real control over their data, while simplifying the regulatory environment for international business by introducing a single, consistent set of rules applicable across all member states.
A key feature of the GDPR that determines its massive global reach is the principle of extraterritoriality. It means that the regulation applies not only to companies that are based in the European Union, but to any organization in the world that processes the personal data of EU citizens and residents, regardless of where that company is located. This means that an American online store that sells its goods to customers in Germany, or a Japanese SaaS company that offers its services to users in France, must fully comply with the GDPR.
For Polish companies, which by nature operate within the EU single market, the matter is even simpler. The GDPR, as an EU regulation, is a piece of legislation that applies in Poland directly, without the need for implementation into the national legal order. The Polish Data Protection Act of May 10, 2018 only supplements and clarifies certain aspects of the GDPR, but it is the regulation that is the overarching and primary source of law in this regard. Therefore, any Polish company that processes any personal data is directly and fully covered by the GDPR regime.
What are the key differences and similarities between the GDPR and the Polish RODO?
In everyday language in Poland, the acronym RODO, derived from the name “Regulation on the Protection of Personal Data,” has become widely adopted to describe the EU regulation. In practice, when we say “RODO,” 99% of the time we mean exactly the same piece of legislation as our partners in Germany or France do when they say “GDPR.” It is the same, uniform set of regulations for the entire European Union.
The similarities are therefore fundamental – we are talking about the same document. The differences, on the other hand, are subtle and stem from the fact that the GDPR, although a regulation with direct application, leaves some room for member states to clarify the provisions within the framework of national law in certain, strictly defined areas. The Polish Data Protection Act of 2018 is just such an act that takes advantage of these “gateways.”
Examples of such differences or clarifications include:
- Age of child consent: The GDPR establishes that a child can independently consent to online data processing from the age of 16, but allows member states to lower this threshold, though not below 13. Poland has opted for the 13-year threshold.
- Data processing in the employment context: The GDPR allows for more specific provisions on data processing in employment relationships.
- Structure and powers of the national supervisory authority: The Polish Act details the status, tasks and powers of the President of the Office for Personal Data Protection (DPA).
However, it should be emphasized that these are marginal differences. The core of obligations, rights of persons and rules of data processing, including the mechanism of financial penalties, is fully unified and follows directly from the text of the GDPR. Therefore, in international dealings, the use of the term GDPR is more precise and universal.
Why is non-compliance with GDPR a risk of multi-million euro fines?
One of the elements that made GDPR the most talked-about piece of legislation in the history of the Internet is its unprecedented and extremely harsh financial penalty mechanism. The EU legislature, learning from the ineffectiveness of previous directives, decided to create a tool with real deterrent power to make privacy a priority at the board level.
The GDPR introduces two thresholds for maximum administrative fines that can be imposed by supervisory authorities for identified violations:
- Lower threshold: Up to €10 million or, in the case of a company, up to 2% of its total annual worldwide turnover from the previous fiscal year, whichever is higher. A penalty of this amount can be imposed for violations of a more technical or organizational nature, such as failing to keep a record of processing activities, failing to report a breach on time, or failing to conduct a data protection impact assessment.
- Higher threshold: Up to €20 million or, in the case of a company, up to 4% of its total annual worldwide turnover from the previous fiscal year, whichever is higher. This threshold is reserved for the most serious violations that strike at the very foundations of the regulation, such as processing data without a valid legal basis, violating the basic rights of data subjects (such as the right to be forgotten), or failing to comply with orders issued by a supervisory authority.
The value of these penalties is no accident. They are deliberately designed to be severe even for the largest global technology corporations. Since 2018, regulators across Europe have been actively using these powers, imposing hundreds of fines, many exceeding the million-euro threshold, with record fines reaching hundreds of millions. This sends a clear signal that the financial risks of not complying with the GDPR are real and must be treated with the utmost seriousness by every board.
What are the fundamental principles of data processing under the GDPR that every business must know?
The entire philosophy of the GDPR is based on seven fundamental principles, enshrined in Article 5 of the regulation. They constitute a kind of “constitution” of data protection, and every company must ensure that its processes comply with them.
- Principle of lawfulness, fairness and transparency: Data must be processed lawfully (on one of the six permissible legal bases), fairly and transparently towards the data subject.
- Purpose limitation principle: Data may only be collected for specific, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.
- Data minimization principle: You can only process as much data as is adequate, relevant and absolutely necessary to fulfill the purpose for which it is collected.
- Accuracy (correctness) principle: Data must be accurate and, where necessary, kept up to date. All reasonable measures must be taken to ensure that inaccurate data is promptly erased or rectified.
- Storage limitation principle: Data can be kept in personally identifiable form only as long as necessary for the purposes for which it is processed.
- Principle of integrity and confidentiality: The controller is obliged to process data in a manner that ensures its adequate security, including protection against unauthorized or unlawful processing, accidental loss, destruction or damage, by means of appropriate technical and organizational measures.
- Accountability principle: This is one of the most important innovations in the GDPR. It states that the controller is responsible for complying with the above principles and, crucially, must be able to demonstrate that compliance. In practice this means keeping detailed records and retaining evidence that the controller’s actions comply.
What technical and organizational measures are necessary to ensure GDPR compliance?
GDPR, like ISO 27001, does not impose specific technological solutions. It does, however, require controllers to implement “appropriate technical and organizational measures” to ensure data security at a level commensurate with the assessed risk. Measures that are explicitly suggested in the regulation and considered best practice include:
- pseudonymization and encryption of personal data;
- the ability to ensure continuous confidentiality, integrity and availability of processing systems (which is directly related to having backups and business continuity plans);
- the ability to quickly restore data availability after an incident;
- a process for regularly testing, measuring and evaluating the effectiveness of the implemented safeguards.
How does transparency and GDPR compliance build trust with international customers?
In today’s interconnected world, where customers and business partners come from different countries and legal cultures, the ability to demonstrate GDPR compliance is becoming a powerful tool for building trust and international credibility. GDPR is the most recognized and respected data protection standard in the world today. A company that can prove (e.g., through certification or reliable documentation) that it takes these principles seriously sends a clear message to its international partners: “We are a mature, responsible organization. We understand the importance of privacy and you can trust us with the security of your data.” In many international bidding processes and commercial negotiations, especially in regulated sectors, providing evidence of GDPR compliance is today a prerequisite for further discussions.
How to conduct a data protection impact assessment (DPIA) required by the GDPR?
A Data Protection Impact Assessment (DPIA) is a special process required by the GDPR in situations where planned data processing, by its nature, scope or purposes, is likely to result in a high risk of violation of the rights or freedoms of individuals. A DPIA is a detailed risk analysis that aims to identify these risks and plan measures to minimize them, even before processing begins. The obligation to conduct a DPIA arises, among others, in the case of large-scale systematic automated profiling, large-scale processing of sensitive data, or systematic monitoring of publicly accessible places.
When is a company required to appoint a Data Protection Officer (DPO) under the GDPR?
The Data Protection Officer (DPO) is a key role in the GDPR compliance system. The DPO is an independent expert who advises the organization, monitors its compliance and is the point of contact for the supervisory authority. The obligation to appoint a DPO, mirrored in the Polish Act, arises in three cases: when the processing is carried out by a public authority, when the company’s core activity involves regular and systematic monitoring of individuals on a large scale, or when the core activity involves large-scale processing of sensitive data.
How to properly manage data processing consents and user rights?
GDPR significantly strengthens the rights of data subjects. Among the most important are the right to access their data, the right to rectification, the right to erasure (the so-called right to be forgotten), the right to restrict processing, the right to data portability and the right to object. The company must implement internal procedures that will allow it to handle these requests efficiently and in a timely manner. Equally important is proper consent management – any consent for data processing (e.g., for marketing purposes) must be voluntary, specific, informed and unambiguous, and the user must have an equally easy opportunity to withdraw it.
What is the procedure for reporting data breaches to the relevant supervisory authorities in the EU?
The breach notification procedure, as already mentioned, is very strict. In the case of a personal data breach, the controller must report it to the competent supervisory authority (in Poland, this is the DPA) within 72 hours of becoming aware of it. If a company has cross-border operations and its main establishment is located in Poland, the DPA will be its so-called “lead supervisory authority” under the European cooperation mechanism.
What to look for in contracts with subcontractors (processors) outside the European Union?
One of the most complex aspects of the GDPR is the transfer of personal data outside the European Economic Area (EEA). Such transfers are only permitted if an adequate level of data protection is ensured in the destination country. When working with subcontractors (e.g., cloud service providers) from countries such as the US, additional legal mechanisms, such as Standard Contractual Clauses (SCCs) approved by the European Commission, are required, which impose data protection obligations on the data recipient in the third country comparable to those under the GDPR.
How can nFlo’s comprehensive services support your company in achieving GDPR compliance?
Achieving and maintaining GDPR compliance is a complex challenge that requires a synergy between legal expertise and solid technical competence. At nFlo, we specialize in the latter. We understand that GDPR compliance relies heavily on implementing “appropriate technical and organizational measures” that realistically protect data.
- Cyber Security Audits and Risk Analysis: We conduct detailed technical audits and risk assessments, which are the foundation for implementing a data protection program and are required by the GDPR. We identify security gaps in your IT infrastructure that could lead to breaches.
- Security Technology Implementations: We design and implement key technologies to support GDPR compliance, such as data encryption systems, backup solutions, access control mechanisms and security monitoring platforms.
- Incident Management Support: We help you create and test breach response plans, and in the event of a real incident, our team of experts supports you in its technical analysis, which is key to properly reporting the incident to the supervisory authority.
GDPR compliance is not only a legal obligation, but also a foundation of trust in international business. Contact nFlo experts to discuss how our expertise in cyber security and the design of secure infrastructures can become a pillar of your data protection program and help you safely grow your business in the European market.
