{"id":1521,"date":"2021-04-01T13:45:31","date_gmt":"2021-04-01T11:45:31","guid":{"rendered":"http:\/\/i360.trejka05.pl\/?p=1521"},"modified":"2021-06-15T15:24:33","modified_gmt":"2021-06-15T13:24:33","slug":"transposition-of-the-gdpr-in-relation-to-loyalty-schemes","status":"publish","type":"post","link":"https:\/\/i360.com.pl\/en\/transkrypcja-rodo-w-aspekcie-programow-lojalnosciowych\/","title":{"rendered":"Transcript \u2013 The GDPR in relation to loyalty schemes"},"content":{"rendered":"<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: Katarzyna Nawrocka, On loyalty schemes at night. My guest today is Dr Maciej Kawecki, and we\u2019ll be discussing the GDPR.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: A very warm welcome to you all.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: Maciej, I\u2019d like to start by introducing you properly and in detail. I know you\u2019re the Dean of the Faculty of Innovation and Entrepreneurship at the School<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: The Warsaw School of Banking, that\u2019s exactly right.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>KN<\/strong>: I\u2019ve already sorted that out, but you\u2019re also the director of the Lem Institute.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: Exactly, and it\u2019s particularly important right now, because we\u2019re coordinating the celebrations for the Year of Lem. 2021 is the Year of Lem to mark the centenary of his birth, so it\u2019s a very important part of my life story today.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>KN<\/strong>: And here\u2019s a bit of trivia for today.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>MK<\/strong>: And here\u2019s a bit of trivia for today.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: I\u2019d like us to base our conversation on your professional experience. I know that between 2017 and 2019 you were the coordinator of the National Data Protection Reform, but I also know that you worked at the Ministry of Digital Affairs, didn\u2019t you?<\/p>\n\n\n\n<p class=\"has-text-align-justify has-ek-indent wp-block-paragraph\" style=\"--ek-indent:20px\"><strong>MK<\/strong>: Yes, whilst at the Ministry of Digital Affairs, heading the data management department, I was indeed responsible in Poland for the implementation of the GDPR, for drafting both the national legislation transposing these regulations within the meaning of the Personal Data Protection Act, and also the entire body of legal acts. As a point of interest, it is worth noting that this was the largest legal change \u2013 an amendment \u2013 in the history of Polish legislation; we amended nearly 180 Acts, so it really was a huge challenge.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: Well, it\u2019s actually your professional experience that I\u2019m most interested in, because organisers of loyalty programmes face the challenge of protecting personal data and processing it appropriately when it comes to programme participants. And here, we\u2019ll be focusing on loyalty programmes in our discussion, drawing on your professional experience and the GDPR. So, shall we get started?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>MK<\/strong>: I'm at your disposal.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: The GDPR emphasises that each data controller must independently assess the level of risk associated with data processing and determine appropriate data security measures in line with that risk. Right from the start, we face a number of challenges, and the first question is one of the most fundamental: on what legal basis should the personal data of loyalty scheme participants be processed?<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: Pytanie, tak naprawd\u0119 dotyczy tego co jest podstaw\u0105 przetwarzania danych przez, w ramach szeroko rozumianych program\u00f3w lojalno\u015bciowych. Tak naprawd\u0119 mamy dwie mo\u017cliwe sytuacje, albo odbieramy zgod\u0119 os\u00f3b, kt\u00f3rych dane przetwarzamy pami\u0119taj\u0105c, \u017ce taka zgoda musi by\u0107 zawsze wyra\u017ana. Zgoda jest o\u015bwiadczeniem woli, w zwi\u0105zku z tym zawsze odbieraj\u0105c j\u0105 musimy j\u0105 odbiera\u0107 wyra\u017anie, albo podpisujemy umow\u0119. Pami\u0119tajmy, \u017ce je\u017celi jeste\u015bmy programem lojalno\u015bciowym, kt\u00f3ry tworzy regulamin i przyst\u0105pienie do programu wymaga akceptacji takiego regulaminu, to regulamin \u015bwiadczenia us\u0142ug drog\u0105 elektroniczn\u0105 jest zawsze umow\u0105 w zwi\u0105zku z tym w momencie kiedy klient akceptuje regulamin, kiedy na stronie internetowej dostarczamy taki check box z okienkiem &#8222;zaakceptuj regulamin \u015bwiadczenia us\u0142ug drog\u0105 elektroniczn\u0105&#8221; nie odbieramy ju\u017c zgody na przetwarzanie danych, dlatego ten regulamin, ta umowa jest podstaw\u0105 do tego, \u017ce mo\u017cemy gromadzi\u0107 dane, mo\u017cemy gromadzi\u0107 informacje, mo\u017cemy je przetwarza\u0107.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: Another important issue is determining who the data controller is. Please could you tell me whether it is the client \u2013 that is, the programme sponsor \u2013 or the contractor, namely the agency organising the comprehensive management of the programme.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: This is very complicated, because in a great many cases we are talking about what we call \u2013 we are talking about an arrangement which, under the GDPR, is referred to as \u2018joint controllership\u2019, meaning that both the sponsor and the contractor, that is, the agency that actually carries out the task relating to loyalty programmes. They are joint controllers, meaning they share common objectives in the collection and processing of information. This is a very common situation, but not the only one. It may be the case that the agency acts as a typical subcontractor, in which case full responsibility for data processing lies with the sponsor \u2013 that is, the company that commissions the organisation of such a loyalty programme. In that case, the company is the controller and the contractor is the subcontractor; it is therefore very important we must remember that a data processing agreement must be signed between the sponsor and the agency, or subcontractor, in which we explicitly instruct the agency to process information and personal data on our behalf.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: Now that we have covered the basics of data processing and the data controller, let\u2019s move on to the issue of the information notice. Under the GDPR, the data controller is obliged to provide the data subject with a range of information. This usually amounts to a dozen or so lines of text in very small print. What is the purpose of the privacy notice? Does it really need to be as long as it is in most loyalty schemes? Is it necessary to display the entire text, or are the first two lines sufficient, with the option to expand the text?<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: We must always fulfil our duty to provide information, and this is very important. However, we can indeed make use of technical possibilities; we have mobile apps, for example. Today, a vast number of services are provided electronically via mobile apps, and mobile apps, technically speaking, are limited in terms of space. It is hard to imagine the entire screen of a mobile phone being used to fulfil the information obligation. Consequently, we can indeed make use of a \u2018collapse\/expand\u2019 feature in this case, allowing the text to be expanded, and I have no doubt whatsoever about that. However, we must ensure that this mechanism is simple. We don\u2019t want a situation where, by default, only a single line of text is displayed, whilst the option to expand this information clause is hidden away somewhere in the technical intricacies, do we? We cannot allow that; the GDPR is very strict in this regard. However, we must also bear in mind one important thing: when fulfilling our information obligation, we must provide the information in a form tailored to the recipient\u2019s profile. And we very often forget this. Whenever we visit any website, we see lengthy legal texts with content that is very difficult to understand and which is completely unsuitable for the recipient. If our recipient is not a lawyer, if our recipient is someone the profile of the average online consumer \u2013 who is inattentive, because that\u2019s how we are; our attention span online wanes very quickly \u2013 therefore, this profile of the average online consumer is that of an inattentive, careless consumer.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: I\u2019m just asking to clarify, because the point is that we very often accept something we haven\u2019t read, don\u2019t we?<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: Exactly \u2013 we accept something we either haven\u2019t read or haven\u2019t understood. This is because it was presented to us in such difficult language that we were unable to make sense of it. If we are addressing content aimed at children, the language should be even simpler; if we are addressing content aimed at people with disabilities, the blind or the hard of hearing, then the way in which such a requirement is implemented must be adapted to them, whether through the ability to have it read aloud, or by the simplicity of its content. That is why I urge that, when formulating such obligations, we be guided by the principle of plain language. This is always straightforward, because plain language will be understood by both a lawyer and the average online consumer \u2013 that is, the typical inattentive recipient. When we formulate an information requirement, if we draft it in legal jargon, citing an endless number of paragraphs, clauses, paragraphs and articles, there is a very high probability that the message we wish to convey simply will not reach the recipient. And looking back after these three years \u2013 since the GDPR came into force three years ago \u2013 When I look at its implementation, it seems we have, unfortunately, lost our way somewhere along the line. We\u2019re taking this regulation very literally, and these information obligations very often put people off. One important point for all of you: there\u2019s a provision \u2013 which, for some reason I\u2019m completely unaware of, hasn\u2019t really caught on in Poland \u2013 that allows us to supplement these information requirements with graphics, i.e. something that\u2019s actually interesting. We don\u2019t have to bombard people with boring, off-putting content that reduces conversion rates online, because the more text there is \u2013 this sort of text, that is, text which, as a rule, isn\u2019t interesting \u2013 the more interest in a particular page declines. We supplement it with interesting graphics. Let\u2019s make the most of this opportunity and use it to engage people with this content, rather than put them off.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: Should the information clause apply only to individuals who are members of loyalty schemes, or also to individuals acting on behalf of a business that is a member? This question is significant because the number of incentive schemes organised for businesses is just as high as that of loyalty schemes in which individuals take part.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: This is where the key difference lies, because if we obtain information directly from the individuals whose data we are collecting \u2013 that is, from participants in the loyalty scheme \u2013 then, of course, we must fulfil our duty to inform them. We must do so without delay at the stage when we are collecting their personal data. However, when we obtain data about any person without an intermediary \u2013 that is, when their employer provides us with data in a contract, for example by listing them as a contact person in the contract they have entered into \u2013 then we can fulfil this duty to provide information even during our first contact with that person \u2013 perhaps in the footer of an email, or it may also be fulfilled at the reception desk of the organisation that person joins. So, firstly, the timeframe is deferred; in other words, we can fulfil this obligation later \u2013 we do not have to do it straight away. And that\u2019s it, really.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>KN<\/strong>: When replying to an email like this, if there is information in the footer.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>MK<\/strong>: So, that\u2019s the duty to provide information, is it?<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>KN<\/strong>: Does replying to this email mean we\u2019re confirming that we\u2019ve read it? Because I think\u2026.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: Nie musimy potwierdzi\u0107 odbioru obowi\u0105zku informacyjnego. Nie ma takiego obowi\u0105zku, to nie jest zgoda, kt\u00f3ra wymaga jakiej\u015b naszej aktywno\u015bci, czyli jakiego\u015b \u015bwiadomego gestu, dzia\u0142ania, musimy wykaza\u0107 \u017ce taki gest kto\u015b podj\u0105\u0142 i zaakceptowa\u0142 to okienko, ten checkbox. Przy obowi\u0105zku informacyjnym tak nie jest w zwi\u0105zku z tym, je\u017celi obce maila kt\u00f3rego zawsze wysy\u0142amy do osoby kontaktowej danej umowy jest obowi\u0105zek informacyjny, tam gdzie na dole np. piszemy &#8222;nie drukuj&#8221;, prawda, &#8222;dbaj o \u015brodowisko, nie drukuj&#8221; tam spokojnie mo\u017cemy zamie\u015bci\u0107 obowi\u0105zek informacyjny, to jest to wystarczaj\u0105ce.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: To wrap up the issue of the information clause, please could you tell me whether such a clause should form part of the terms and conditions or be a separate document.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: Nigdy obowi\u0105zek informacyjny nie mo\u017ce by\u0107 zawarty w regulaminie, w umowie w jakimkolwiek innym dokumencie, dlatego bo &#8211; i to nie dotyczy tylko RODO. Wszystkie obowi\u0105zki, kt\u00f3re maj\u0105 charakter, kt\u00f3re musz\u0105 trafi\u0107 bezpo\u015brednio do adresata musz\u0105 by\u0107 zawsze wyci\u0105gni\u0119te z tre\u015bci um\u00f3w. Dlatego bo uwa\u017ca si\u0119, \u017ce w momencie, kiedy chowamy tego typu obowi\u0105zki w umowach, w regulaminach one nie s\u0105 bezpo\u015brednio dostarczane do osoby. Bo my, co do zasady regulamin\u00f3w nie czytamy, um\u00f3w co do zasady nie czytamy i ukrycie tego typu tre\u015bci w takim regulaminie by\u0142oby bardzo proste. W zwi\u0105zku z tym, obowi\u0105zek informacyjny musi by\u0107 zawsze wyci\u0105gni\u0119ty przed nawias.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: Now that we\u2019ve covered the issue of the information clause, let\u2019s move on to the matter of consents. How should the wording of a consent form be phrased, and how many such consents need to be obtained?<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: I won\u2019t answer the question of how many consents we should obtain, because it depends on the specific circumstances and I cannot risk misleading you here, as it may be the case that one of you \u2013 I don\u2019t know \u2013 wishes to use this data for marketing purposes, for example, in addition to the loyalty scheme, and in that case you must obtain separate consent for data processing. However, I will tell you what must always be included in such a clause. Firstly, there must be a single purpose and a single consent; in other words, we cannot, in a single clause, ask for consent to process data for various purposes.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>KN<\/strong>: We need to draw a line between the two.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: We must always make a clear distinction here. Secondly, we must always inform the user of their right to withdraw such consent, and consent must be voluntary; it must not be coerced. This means that, for example, if we are drafting a consent clause, the tick box we provide must not be ticked by default. It must be left blank. Someone gives their consent consciously; therefore, they consciously untick that checkbox. When it is ticked by default, it means that we are, by default, assuming consent, and anyone who does not wish to give consent must un tick it. And this constitutes a defect in the declaration of intent: a lack of full awareness and a risk of error \u2013 and we must bear this in mind.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: You mentioned that it should, above all, be voluntary and independent of anything else. I\u2019d like to ask a follow-up question here as an ordinary consumer. So there shouldn\u2019t be a situation where the information on a website, for example, implies that if I don\u2019t tick a particular consent box, I can\u2019t proceed, I can\u2019t make a purchase, or I can\u2019t find out more.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: Exactly. When we buy something, we enter into a contract of sale; in such a situation, that contract of sale forms the basis for the processing of personal data, and we do not seek consent at all in that instance. Nor can we make the provision of any service conditional on consent being given, because in that case such consent is deemed to have been coerced. I\u2019ll give a very simple example, perhaps straying slightly from the topic of loyalty schemes, but one that\u2019s very illustrative. Let\u2019s imagine we\u2019re in a Polish State Railways (PKP) carriage that provides internet access, and to gain that access we have to agree to a dozen or so terms and conditions. At the same time, the carriage is a space where we very often have no access to our mobile network; we cannot use our mobile data because we have no signal, to put it simply, and this is due to the so-called \u2018dead zones\u2019 in Poland, of which there are, unfortunately, still a great many. So what do we do then? Feeling pressured, we grant this type of consent, and then for months on end we receive thousands of marketing emails from all sorts of organisations, because it\u2019s a whole conglomerate, and this is against the law. But saying that you can use free internet without giving consent, whilst having to pay for fast internet by consenting to the processing of your data for marketing purposes, is now legal. Because today it is said that in 2019, data surpassed the value of crude oil for the first time. Since data is a currency, we can pay with it, but only consciously and voluntarily. And we must always bear in mind this awareness of voluntariness.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>KN<\/strong>: The most important thing is that we have a choice.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>MK: <\/strong>Yes.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: And what should we do if we want to send participants communications other than those relating to the loyalty scheme? After all, since we\u2019ve already collected so many consents, we\u2019re more tempted to use them for other purposes.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: Yes, that is to say, if we obtain explicit consent for data processing and clearly state the specific purpose of the processing, then we may, of course, process that data. If we wish to use the data for marketing purposes, we must obtain consent. This is the first consent. If we wish to be able to transfer this data to entities within the group \u2013 because, for example, we are a group of companies and we want this data to be transferred between entities within the group \u2013 then we need a further consent, namely for the transfer of data between entities within the group. If we wish to use not only electronic marketing \u2013 that is, via email \u2013 but also telephone marketing, we need separate consent for this. That brings us to the third consent. So, as you can see, there can indeed be a great many such consents.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: Most loyalty schemes run for many years. Some are open-ended, whilst others operate on an annual basis. And here, we cannot overlook the issue of minimising the amount of data processed as part of these schemes. Given that we will be issuing PIT 11 forms to some participants next year, should we collect data such as the PESEL number or residential address from all participants upon enrolment, or just before the prize is awarded? After all, we know that many participants are reluctant to provide their details once they have received their prize.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: Yes, definitely. If we know that we are obliged to issue a PIT form, or have any other accounting obligation, we should collect that data at the stage of gathering it, and this will not be considered a breach of the principle of data minimisation, which states that only data necessary to fulfil the purpose should be processed. In this case, the purpose is financial reporting and tax obligations. There is no doubt that we should collect this data.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: The GDPR grants data subjects a number of rights. We will discuss how to correctly process a request from a data subject. How should a subcontractor, known as a data processor, proceed?<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: W momencie, kiedy kto\u015b prosi o wycofanie zgody na przetwarzanie danych osobowych, po pierwsze musimy pami\u0119ta\u0107 o tym, \u017ce nie zawsze to \u017c\u0105danie musimy zrealizowa\u0107. Dlatego, bo mo\u017ce si\u0119 okaza\u0107, \u017ce owszem dosz\u0142o do zaprzestania przetwarzania danych w tym pierwotnym celu, jakim jest \u015bwiadczenie us\u0142ugi lojalno\u015bciowej, ale z drugiej strony mamy obowi\u0105zek wynikaj\u0105cy z ustawy o rachunkowo\u015bci przetwarzania danych przez okres sze\u015bciu lat. Albo mo\u017ce si\u0119 okaza\u0107, \u017ce potrzebujemy te dane po to, \u017ceby ochroni\u0107 si\u0119 przed roszczeniami. Przewidujemy, \u017ce z tytu\u0142u wykonanej umowy mog\u0105 pojawi\u0107 si\u0119 w przysz\u0142o\u015bci roszczenia i wtedy do momentu przedawnienia roszcze\u0144 mamy prawo przetwarza\u0107 dane osobowe dalej. I to jest dla mnie kluczowe w tym przypadku. Czyli musimy sobie za ka\u017cdym razem jak, nie mo\u017cemy tak \u015blepo realizowa\u0107 \u017c\u0105da\u0144 usuni\u0119cia danych, bo prawo do cofni\u0119cia danych oznacza tak naprawd\u0119, \u017ce kto\u015b \u017c\u0105da usuni\u0119cia tych danych naszych system\u00f3w. Nie mo\u017cemy tak \u015blepo ich realizowa\u0107, ale w ka\u017cdym konkretnym przypadku musimy sobie odpowiedzie\u0107 na pytanie, czy pojawia si\u0119 nowy cel w ich przetwarzaniu. Je\u017celi mamy taki cel, to odmawia\u0142y usuni\u0119cia danych. M\u00f3wimy &#8222;owszem, odebrali\u015bmy od Ciebie zgod\u0119 na przetwarzanie danych osobowych i ten cel usta\u0142, ale w zwi\u0105zku z tym przetwarzaniem danych \u015bwiadczyli\u015bmy wobec Ciebie us\u0142ug\u0119 i musimy mie\u0107 dow\u00f3d na to, \u017ce t\u0119 us\u0142ug\u0119 wykonali\u015bmy nale\u017cycie, bo Ty mo\u017cesz do nas kierowa\u0107 roszczenia&#8221;. W momencie kiedy ja te dane usun\u0119 ze swojego systemu, to ja nie b\u0119d\u0119 m\u00f3g\u0142 zrealizowa\u0107 tego, czy mog\u0142a zrealizowa\u0107 tego obowi\u0105zku dowodowego, nie b\u0119d\u0119 potrafi\u0142 wykaza\u0107, czy potrafi\u0142a wykaza\u0107, \u017ce wykona\u0142am nale\u017cycie czy wykona\u0142em nale\u017cycie t\u0119 umow\u0119.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: I\u2019ll be the perfect example of someone who doesn\u2019t actually read all that information and those terms and conditions properly.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>MK<\/strong>: In other words, your average online consumer.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: That\u2019s right. I\u2019ll admit it straight away, and I\u2019d like to ask about one thing. So, by consenting to the processing of my personal data, am I consenting to this process for a specific period? Or indefinitely?<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: It varies. Consent may be indefinite, or it may be for a fixed period. When I obtain consent to process data for a specific period, that consent expires once that period ends. When I obtain consent for an indefinite period \u2013 and most consents are obtained for an indefinite period \u2013 the consent remains valid until I withdraw it.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: Let me ask you one more thing, Maciej, because I\u2019m interested in all this commotion which \u2013 excuse the colloquialism \u2013 arose when the GDPR came into force in Poland. Everyone was hoping that the consents they\u2019d previously given would be revoked and that they wouldn\u2019t be inundated with thousands of emails full of adverts and offers, but that\u2019s not quite how it turned out.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: Absolutely not; consents given before 25 May 2018 \u2013 the GDPR came into force on 25 May 2018 \u2013 were all perfectly valid. Data controllers were only required to inform us that we had the right to withdraw such consent. There were no such requirements previously, which is why you may not recall this during the month following the GDPR\u2019s entry into force. Our inboxes were full of all sorts of updates \u2013 to privacy policies and information obligations \u2013 precisely because data controllers were fulfilling their supplementary obligation to inform us that we had the right to withdraw our consent.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: The next question concerns lotteries organised as part of loyalty schemes. Does the processing of data for the purposes of such lotteries require separate consents or the invocation of a separate legitimate interest on the part of the controller?<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: If we organise a prize draw, this is usually preceded by acceptance of the terms and conditions for the provision of electronic services, in which case the basis for data processing is a contract, not consent. It is also often said that a prize draw constitutes a public undertaking from the perspective of civil law. By entering such a lottery or competition, we accept this public promise; this also constitutes a contract within the meaning of the GDPR. Consequently, we do not obtain consent in this context.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: Maciej, and to round things off, I wanted to ask you about a topic that\u2019s very topical at the moment, as we\u2019re recording this at a time when news has spread around the world that there was a fire in the OVH server room, and I wanted to ask how one should proceed in such a situation, given the loss of such a vast amount of data.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: Such large global organisations as this company usually have backups located in various data centres around the world; therefore, a fire does not necessarily result in the loss or deletion of personal data. We always have the right to ask the organisation that processed the data \u2013 and where such an incident occurred \u2013 whether there has been any loss of data, any compromise of data integrity, or any interference whatsoever with the content of the data, and we are always entitled to do so. When using the services of external subcontractors, we should always choose reputable providers. OVH is a global company, and this incident demonstrates that such situations can happen to anyone, can\u2019t they? Fires do happen from time to time; they result from force majeure or various circumstances. However, I would urge that, when using such services, we should always be aware that, in fact, during our conversation, somewhere in between the sentences, I mentioned that in 2019 the value of data exceeded that of crude oil, that data is now a currency, that data is, in fact, an equal means of payment, and just as we\u2019re in the habit of looking after our own money \u2013 hiding it away and safeguarding it \u2013 when choosing, say, a financial institution with which to invest our money, we pay attention to its reputation and brand. Let\u2019s do exactly the same with the organisations to which we entrust our data.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>KN<\/strong>: Maciej, in that case, thank you very much for today\u2019s conversation and for sharing so much knowledge.<\/p>\n\n\n\n<p class=\"has-text-align-justify wp-block-paragraph\"><strong>MK<\/strong>: I hope I have shown you that processing personal data whilst fulfilling the obligations under the GDPR does not have to be as complicated as we might think, and that we have demystified this regulation somewhat.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>KN: <\/strong>Thank you very much, and I look forward to seeing you for the next episode.<\/p>","protected":false},"excerpt":{"rendered":"<p>KN: Katarzyna Nawrocka, O programach lojalno\u015bciowych noc\u0105. Dzisiaj moim go\u015bciem dr Maciej Kawecki i b\u0119dziemy rozmawia\u0107 o RODO. MK: Witam Pa\u0144stwa bardzo serdecznie. KN: Macieju ja chcia\u0142abym na pocz\u0105tku bardzo dobrze i dok\u0142adnie Ci\u0119 przedstawi\u0107. Wiem, \u017ce jeste\u015b dziekanem wydzia\u0142u Innowacji i Przedsi\u0119biorczo\u015bci w Szkole MK: Wy\u017cszej Szkole Bankowej w Warszawie, dok\u0142adnie tak. KN: To&#8230;<\/p>","protected":false},"author":2,"featured_media":1522,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_kad_blocks_custom_css":"","_kad_blocks_head_custom_js":"","_kad_blocks_body_custom_js":"","_kad_blocks_footer_custom_js":"","_kad_post_transparent":"","_kad_post_title":"","_kad_post_layout":"","_kad_post_sidebar_id":"","_kad_post_content_style":"","_kad_post_vertical_padding":"","_kad_post_feature":"","_kad_post_feature_position":"","_kad_post_header":false,"_kad_post_footer":false,"_kad_post_classname":"","footnotes":""},"categories":[67],"tags":[],"class_list":["post-1521","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-o-programach-lojalnosciowych-noca"],"taxonomy_info":{"category":[{"value":67,"label":"O programach lojalno\u015bciowych noc\u0105"}]},"featured_image_src_large":["https:\/\/i360.com.pl\/wp-content\/uploads\/2021\/04\/17_dr_Maciej_Kawecki_RODO_PLANSZA-1024x576.jpg",1024,576,true],"author_info":{"display_name":"Tomasz Makaruk","author_link":"https:\/\/i360.com.pl\/en\/author\/autor\/"},"comment_info":0,"category_info":[{"term_id":67,"name":"O programach lojalno\u015bciowych noc\u0105","slug":"o-programach-lojalnosciowych-noca","term_group":0,"term_taxonomy_id":67,"taxonomy":"category","description":"","parent":0,"count":26,"filter":"raw","term_order":"0","cat_ID":67,"category_count":26,"category_description":"","cat_name":"O programach lojalno\u015bciowych noc\u0105","category_nicename":"o-programach-lojalnosciowych-noca","category_parent":0}],"tag_info":false,"_links":{"self":[{"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/posts\/1521","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/comments?post=1521"}],"version-history":[{"count":0,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/posts\/1521\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/media\/1522"}],"wp:attachment":[{"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/media?parent=1521"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/categories?post=1521"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/i360.com.pl\/en\/wp-json\/wp\/v2\/tags?post=1521"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}