Maciej Kawecki

KN: Katarzyna Nawrocka, On loyalty schemes at night. My guest today is Dr Maciej Kawecki, and we’ll be discussing the GDPR.

MK: A very warm welcome to you all.

KN: Maciej, I’d like to start by introducing you properly and in detail. I know you’re the Dean of the Faculty of Innovation and Entrepreneurship at the School

MK: The Warsaw School of Banking, that’s exactly right.

KN: I’ve already sorted that out, but you’re also the director of the Lem Institute.

MK: Exactly, and it’s particularly important right now, because we’re coordinating the celebrations for the Year of Lem. 2021 is the Year of Lem to mark the centenary of his birth, so it’s a very important part of my life story today.

KN: And here’s a bit of trivia for today.

MK: And here’s a bit of trivia for today.

KN: I’d like us to base our conversation on your professional experience. I know that between 2017 and 2019 you were the coordinator of the National Data Protection Reform, but I also know that you worked at the Ministry of Digital Affairs, didn’t you?

MK: Yes, whilst at the Ministry of Digital Affairs, heading the data management department, I was indeed responsible in Poland for the implementation of the GDPR, for drafting both the national legislation transposing these regulations within the meaning of the Personal Data Protection Act, and also the entire body of legal acts. As a point of interest, it is worth noting that this was the largest legal change – an amendment – in the history of Polish legislation; we amended nearly 180 Acts, so it really was a huge challenge.

KN: Well, it’s actually your professional experience that I’m most interested in, because organisers of loyalty programmes face the challenge of protecting personal data and processing it appropriately when it comes to programme participants. And here, we’ll be focusing on loyalty programmes in our discussion, drawing on your professional experience and the GDPR. So, shall we get started?

MK: I'm at your disposal.

KN: The GDPR emphasises that each data controller must independently assess the level of risk associated with data processing and determine appropriate data security measures in line with that risk. Right from the start, we face a number of challenges, and the first question is one of the most fundamental: on what legal basis should the personal data of loyalty scheme participants be processed?

MK: The question really concerns the legal basis for data processing within the framework of loyalty programmes in the broadest sense. In reality, there are two possible scenarios: either we obtain consent from the individuals whose data we process, bearing in mind that such consent must always be explicit. Consent is a declaration of intent; therefore, whenever we obtain it, we must do so explicitly, or we enter into a contract. Let us bear in mind that if we operate a loyalty programme which draws up terms and conditions, and joining the programme requires acceptance of those terms and conditions, then the terms and conditions for the provision of electronic services always constitute a contract; consequently, when a customer accepts the terms and conditions – when we provide a tick box on the website with the text „accept the terms and conditions for the provision of electronic services” – we are no longer obtaining consent for data processing, therefore, these terms and conditions, this contract, form the basis on which we may collect data, gather information and process it.

KN: Another important issue is determining who the data controller is. Please could you tell me whether it is the client – that is, the programme sponsor – or the contractor, namely the agency organising the comprehensive management of the programme.

MK: This is very complicated, because in a great many cases we are talking about what we call – we are talking about an arrangement which, under the GDPR, is referred to as ‘joint controllership’, meaning that both the sponsor and the contractor, that is, the agency that actually carries out the task relating to loyalty programmes. They are joint controllers, meaning they share common objectives in the collection and processing of information. This is a very common situation, but not the only one. It may be the case that the agency acts as a typical subcontractor, in which case full responsibility for data processing lies with the sponsor – that is, the company that commissions the organisation of such a loyalty programme. In that case, the company is the controller and the contractor is the subcontractor; it is therefore very important we must remember that a data processing agreement must be signed between the sponsor and the agency, or subcontractor, in which we explicitly instruct the agency to process information and personal data on our behalf.

KN: Now that we have covered the basics of data processing and the data controller, let’s move on to the issue of the information notice. Under the GDPR, the data controller is obliged to provide the data subject with a range of information. This usually amounts to a dozen or so lines of text in very small print. What is the purpose of the privacy notice? Does it really need to be as long as it is in most loyalty schemes? Is it necessary to display the entire text, or are the first two lines sufficient, with the option to expand the text?

MK: We must always fulfil our duty to provide information, and this is very important. However, we can indeed make use of technical possibilities; we have mobile apps, for example. Today, a vast number of services are provided electronically via mobile apps, and mobile apps, technically speaking, are limited in terms of space. It is hard to imagine the entire screen of a mobile phone being used to fulfil the information obligation. Consequently, we can indeed make use of a ‘collapse/expand’ feature in this case, allowing the text to be expanded, and I have no doubt whatsoever about that. However, we must ensure that this mechanism is simple. We don’t want a situation where, by default, only a single line of text is displayed, whilst the option to expand this information clause is hidden away somewhere in the technical intricacies, do we? We cannot allow that; the GDPR is very strict in this regard. However, we must also bear in mind one important thing: when fulfilling our information obligation, we must provide the information in a form tailored to the recipient’s profile. And we very often forget this. Whenever we visit any website, we see lengthy legal texts with content that is very difficult to understand and which is completely unsuitable for the recipient. If our recipient is not a lawyer, if our recipient is someone the profile of the average online consumer – who is inattentive, because that’s how we are; our attention span online wanes very quickly – therefore, this profile of the average online consumer is that of an inattentive, careless consumer.

KN: I’m just asking to clarify, because the point is that we very often accept something we haven’t read, don’t we?

MK: Exactly – we accept something we either haven’t read or haven’t understood. This is because it was presented to us in such difficult language that we were unable to make sense of it. If we are addressing content aimed at children, the language should be even simpler; if we are addressing content aimed at people with disabilities, the blind or the hard of hearing, then the way in which such a requirement is implemented must be adapted to them, whether through the ability to have it read aloud, or by the simplicity of its content. That is why I urge that, when formulating such obligations, we be guided by the principle of plain language. This is always straightforward, because plain language will be understood by both a lawyer and the average online consumer – that is, the typical inattentive recipient. When we formulate an information requirement, if we draft it in legal jargon, citing an endless number of paragraphs, clauses, paragraphs and articles, there is a very high probability that the message we wish to convey simply will not reach the recipient. And looking back after these three years – since the GDPR came into force three years ago – When I look at its implementation, it seems we have, unfortunately, lost our way somewhere along the line. We’re taking this regulation very literally, and these information obligations very often put people off. One important point for all of you: there’s a provision – which, for some reason I’m completely unaware of, hasn’t really caught on in Poland – that allows us to supplement these information requirements with graphics, i.e. something that’s actually interesting. We don’t have to bombard people with boring, off-putting content that reduces conversion rates online, because the more text there is – this sort of text, that is, text which, as a rule, isn’t interesting – the more interest in a particular page declines. We supplement it with interesting graphics. Let’s make the most of this opportunity and use it to engage people with this content, rather than put them off.

KN: Should the information clause apply only to individuals who are members of loyalty schemes, or also to individuals acting on behalf of a business that is a member? This question is significant because the number of incentive schemes organised for businesses is just as high as that of loyalty schemes in which individuals take part.

MK: This is where the key difference lies, because if we obtain information directly from the individuals whose data we are collecting – that is, from participants in the loyalty scheme – then, of course, we must fulfil our duty to inform them. We must do so without delay at the stage when we are collecting their personal data. However, when we obtain data about any person without an intermediary – that is, when their employer provides us with data in a contract, for example by listing them as a contact person in the contract they have entered into – then we can fulfil this duty to provide information even during our first contact with that person – perhaps in the footer of an email, or it may also be fulfilled at the reception desk of the organisation that person joins. So, firstly, the timeframe is deferred; in other words, we can fulfil this obligation later – we do not have to do it straight away. And that’s it, really.

KN: When replying to an email like this, if there is information in the footer.

MK: So, that’s the duty to provide information, is it?

KN: Does replying to this email mean we’re confirming that we’ve read it? Because I think….

MK: We do not need to confirm receipt of the information requirement. There is no such obligation; this is not a consent that requires any action on our part – that is, some conscious gesture or action – where we have to demonstrate that someone has made such a gesture and accepted this pop-up window, this tick box. This is not the case with the information obligation; therefore, if the standard email we always send to the contact person for a given contract contains an information obligation – where, for example, at the bottom we write „do not print”, right, „Look after the environment, don’t print”, we can easily include the information requirement there; that is sufficient.

KN: To wrap up the issue of the information clause, please could you tell me whether such a clause should form part of the terms and conditions or be a separate document.

MK: An obligation to provide information must never be included in terms and conditions, a contract or any other document, because – and this does not apply solely to the GDPR. All obligations which, by their nature, must be communicated directly to the addressee must always be extracted from the text of contracts. This is because it is considered that when we conceal such obligations within contracts or terms and conditions, they are not directly conveyed to the individual. This is because, as a rule, we do not read terms and conditions, nor do we read contracts, and it would be very easy to conceal such content within such terms and conditions. Consequently, the duty to inform must always be explicitly stated.

KN: Now that we’ve covered the issue of the information clause, let’s move on to the matter of consents. How should the wording of a consent form be phrased, and how many such consents need to be obtained?

MK: I won’t answer the question of how many consents we should obtain, because it depends on the specific circumstances and I cannot risk misleading you here, as it may be the case that one of you – I don’t know – wishes to use this data for marketing purposes, for example, in addition to the loyalty scheme, and in that case you must obtain separate consent for data processing. However, I will tell you what must always be included in such a clause. Firstly, there must be a single purpose and a single consent; in other words, we cannot, in a single clause, ask for consent to process data for various purposes.

KN: We need to draw a line between the two.

MK: We must always make a clear distinction here. Secondly, we must always inform the user of their right to withdraw such consent, and consent must be voluntary; it must not be coerced. This means that, for example, if we are drafting a consent clause, the tick box we provide must not be ticked by default. It must be left blank. Someone gives their consent consciously; therefore, they consciously untick that checkbox. When it is ticked by default, it means that we are, by default, assuming consent, and anyone who does not wish to give consent must un tick it. And this constitutes a defect in the declaration of intent: a lack of full awareness and a risk of error – and we must bear this in mind.

KN: You mentioned that it should, above all, be voluntary and independent of anything else. I’d like to ask a follow-up question here as an ordinary consumer. So there shouldn’t be a situation where the information on a website, for example, implies that if I don’t tick a particular consent box, I can’t proceed, I can’t make a purchase, or I can’t find out more.

MK: Exactly. When we buy something, we enter into a contract of sale; in such a situation, that contract of sale forms the basis for the processing of personal data, and we do not seek consent at all in that instance. Nor can we make the provision of any service conditional on consent being given, because in that case such consent is deemed to have been coerced. I’ll give a very simple example, perhaps straying slightly from the topic of loyalty schemes, but one that’s very illustrative. Let’s imagine we’re in a Polish State Railways (PKP) carriage that provides internet access, and to gain that access we have to agree to a dozen or so terms and conditions. At the same time, the carriage is a space where we very often have no access to our mobile network; we cannot use our mobile data because we have no signal, to put it simply, and this is due to the so-called ‘dead zones’ in Poland, of which there are, unfortunately, still a great many. So what do we do then? Feeling pressured, we grant this type of consent, and then for months on end we receive thousands of marketing emails from all sorts of organisations, because it’s a whole conglomerate, and this is against the law. But saying that you can use free internet without giving consent, whilst having to pay for fast internet by consenting to the processing of your data for marketing purposes, is now legal. Because today it is said that in 2019, data surpassed the value of crude oil for the first time. Since data is a currency, we can pay with it, but only consciously and voluntarily. And we must always bear in mind this awareness of voluntariness.

KN: The most important thing is that we have a choice.

MK: Yes.

KN: And what should we do if we want to send participants communications other than those relating to the loyalty scheme? After all, since we’ve already collected so many consents, we’re more tempted to use them for other purposes.

MK: Yes, that is to say, if we obtain explicit consent for data processing and clearly state the specific purpose of the processing, then we may, of course, process that data. If we wish to use the data for marketing purposes, we must obtain consent. This is the first consent. If we wish to be able to transfer this data to entities within the group – because, for example, we are a group of companies and we want this data to be transferred between entities within the group – then we need a further consent, namely for the transfer of data between entities within the group. If we wish to use not only electronic marketing – that is, via email – but also telephone marketing, we need separate consent for this. That brings us to the third consent. So, as you can see, there can indeed be a great many such consents.

KN: Most loyalty schemes run for many years. Some are open-ended, whilst others operate on an annual basis. And here, we cannot overlook the issue of minimising the amount of data processed as part of these schemes. Given that we will be issuing PIT 11 forms to some participants next year, should we collect data such as the PESEL number or residential address from all participants upon enrolment, or just before the prize is awarded? After all, we know that many participants are reluctant to provide their details once they have received their prize.

MK: Yes, definitely. If we know that we are obliged to issue a PIT form, or have any other accounting obligation, we should collect that data at the stage of gathering it, and this will not be considered a breach of the principle of data minimisation, which states that only data necessary to fulfil the purpose should be processed. In this case, the purpose is financial reporting and tax obligations. There is no doubt that we should collect this data.

KN: The GDPR grants data subjects a number of rights. We will discuss how to correctly process a request from a data subject. How should a subcontractor, known as a data processor, proceed?

MK: When someone requests the withdrawal of their consent to the processing of personal data, we must first bear in mind that we are not always obliged to comply with this request. This is because, whilst it may be the case that data processing for the original purpose – namely, the provision of a loyalty scheme – has indeed ceased, we are nevertheless obliged under the Accounting Act to retain the data for a period of six years. Or it may turn out that we need this data to protect ourselves against claims. We anticipate that claims may arise in the future in connection with the contract that has been performed, and in that case, until the claims become time-barred, we have the right to continue processing personal data. And that is the key point for me in this case. So we must, each time, not simply comply blindly with requests to delete data, because the right to erasure actually means that someone is requesting the removal of that data from our systems. We cannot simply comply with these requests blindly; instead, in each specific case, we must ask ourselves whether a new purpose for processing the data has arisen. If such a purpose exists, we refuse to delete the data. We say, „Yes, we received your consent to process your personal data and that purpose has ceased to exist, but in connection with that data processing we provided a service to you and we must have proof that we performed that service properly, because you may make a claim against us”. Once I delete this data from my system, I will no longer be able to fulfil this burden of proof – I will not be able to demonstrate, nor will I have been able to demonstrate, that I have performed this contract properly.

KN: I’ll be the perfect example of someone who doesn’t actually read all that information and those terms and conditions properly.

MK: In other words, your average online consumer.

KN: That’s right. I’ll admit it straight away, and I’d like to ask about one thing. So, by consenting to the processing of my personal data, am I consenting to this process for a specific period? Or indefinitely?

MK: It varies. Consent may be indefinite, or it may be for a fixed period. When I obtain consent to process data for a specific period, that consent expires once that period ends. When I obtain consent for an indefinite period – and most consents are obtained for an indefinite period – the consent remains valid until I withdraw it.

KN: Let me ask you one more thing, Maciej, because I’m interested in all this commotion which – excuse the colloquialism – arose when the GDPR came into force in Poland. Everyone was hoping that the consents they’d previously given would be revoked and that they wouldn’t be inundated with thousands of emails full of adverts and offers, but that’s not quite how it turned out.

MK: Absolutely not; consents given before 25 May 2018 – the GDPR came into force on 25 May 2018 – were all perfectly valid. Data controllers were only required to inform us that we had the right to withdraw such consent. There were no such requirements previously, which is why you may not recall this during the month following the GDPR’s entry into force. Our inboxes were full of all sorts of updates – to privacy policies and information obligations – precisely because data controllers were fulfilling their supplementary obligation to inform us that we had the right to withdraw our consent.

KN: The next question concerns lotteries organised as part of loyalty schemes. Does the processing of data for the purposes of such lotteries require separate consents or the invocation of a separate legitimate interest on the part of the controller?

MK: If we organise a prize draw, this is usually preceded by acceptance of the terms and conditions for the provision of electronic services, in which case the basis for data processing is a contract, not consent. It is also often said that a prize draw constitutes a public undertaking from the perspective of civil law. By entering such a lottery or competition, we accept this public promise; this also constitutes a contract within the meaning of the GDPR. Consequently, we do not obtain consent in this context.

KN: Maciej, and to round things off, I wanted to ask you about a topic that’s very topical at the moment, as we’re recording this at a time when news has spread around the world that there was a fire in the OVH server room, and I wanted to ask how one should proceed in such a situation, given the loss of such a vast amount of data.

MK: Such large global organisations as this company usually have backups located in various data centres around the world; therefore, a fire does not necessarily result in the loss or deletion of personal data. We always have the right to ask the organisation that processed the data – and where such an incident occurred – whether there has been any loss of data, any compromise of data integrity, or any interference whatsoever with the content of the data, and we are always entitled to do so. When using the services of external subcontractors, we should always choose reputable providers. OVH is a global company, and this incident demonstrates that such situations can happen to anyone, can’t they? Fires do happen from time to time; they result from force majeure or various circumstances. However, I would urge that, when using such services, we should always be aware that, in fact, during our conversation, somewhere in between the sentences, I mentioned that in 2019 the value of data exceeded that of crude oil, that data is now a currency, that data is, in fact, an equal means of payment, and just as we’re in the habit of looking after our own money – hiding it away and safeguarding it – when choosing, say, a financial institution with which to invest our money, we pay attention to its reputation and brand. Let’s do exactly the same with the organisations to which we entrust our data.

KN: Maciej, in that case, thank you very much for today’s conversation and for sharing so much knowledge.

MK: I hope I have shown you that processing personal data whilst fulfilling the obligations under the GDPR does not have to be as complicated as we might think, and that we have demystified this regulation somewhat.

KN: Thank you very much, and I look forward to seeing you for the next episode.