Only 14 months left to the effective date of new regulations on Personal Data Protection,  compliant with EU GDPR directive. With them, high fines are approaching. .


The purpose of the directive is to create new legal regulations, taking into consideration technological progress and growth of the information society. They should provide individuals with better control over their personal data and contribute to development of the digital economy and building of the single market in the European Union.

Legal acts were published in the Official Journal of the European Union no. L 119 of 4th May 2016 that define comprehensive reform of personal data protection, i.e. Resolution of the European Parliament and the European Council no. 2016/679 of 27 April 2016 on the protection of individuals with regard to personal data processing and on free movement of such data and the repeal of Directive no. 95/46/WE (General Data Protection Regulation), hereinafter referred to as “the resolution”.

Another provision is the directive of the European Parliament and European Council no. 2016/680 of 27 April 2016 on the protection of individuals with regard to the processing of personal data by competent authorities for the prevention of crime, conducing preliminary proceedings, detection and prosecution of criminal offences and enforcement of penalties, in the matter of free flow of such data and repealing the Framework Decision of the European Council no. 2008/977/WSiSW, hereinafter referred to as “the directive”;

Future regulations will demand a new approach by entities that process personal data, including local governments, including :

  • analyse all processes related to data processing,
  • implement proper organisational and technical measures, e.g. encryption as a method of data securing,
  • introduce a new function , called “Data Protection Inspector” in place of the current Administrator,
  • implement proper safety measures and assess the legal effects for personal data protection before starting data processing.


The provisions of the Directive point to the necessity of implementing changes to current procedures and IT systems used for personal data processing. The instruction for managing the above procedures and systems should include, among others:

  • procedures of granting authorisations to process data and recording them in the IT system,
  • appointing a responsible person for this activity,
  • apply authorization methods and procedures, as well as  procedures related to their management and use,
  • procedures for starting, suspending and ending of work designated for system users,
  • procedures for creating backup copies,
  • the manner, place and periods of storing both electronic data carriers of information containing personal data, and backup copies,
  • the manner for securing the IT system,
  • procedures for performing inspections and maintenance of systems and information carriers serving to process data.


For “failure to apply sufficient organizational and technical measures pursuant to risks and threats, to secure the processing of data, including the lack of encryption ..” the Inspector General for Personal Data Protection shall be entitled to impose penalties up to 10 000 000 Euro and to 20 000 000 Euro and, in case of enterprises, and in the case of firms up to 4 % of worldwide turnover.  

Seminar and lecture at the Public Procurement Office

5 April 2017 –  IKG seminar and lecture at the Public Procurement Office