The personal data protection system is changing. From May 25, 2018, businesses will be subject to the GDPR, the European Union’s General Data Protection Regulation.
The GDPR (European Union General Data Protection Regulation) is the EU’s personal data protection regulation. Adopted by the European Parliament and the Council of the European Union on April 27, 2016, it aims to ensure the safe and free flow of personal data between European Union member states. The GDPR also aims to harmonize the rules for personal data processing within the EU and adapt them to modern times.
The regulation applies to all businesses that process personal data within the EU, meaning those that handle the personal data of customers, contractors, and others. This includes information such as first name, last name, address, PESEL (Polish National Identification Number), gender, email address, IP address, purchase history, and location. The legal form of the business is irrelevant, and micro-enterprises must also comply with the EU regulation. The GDPR expands the scope of information that customers can receive from personal data controllers.
The EU regulation does not provide specific guidelines on how personal data records should be maintained. Under the GDPR, companies must define their own information resources, assess the risks associated with data processing, and implement appropriate security measures.
The GDPR comes into effect on May 25, 2018. Businesses that fail to comply with the regulation may be fined up to PLN 20 million or 4% of their total annual turnover (from the financial year preceding the violation).