The UODO joins World Consumer Rights Day
"Consumers include us all" is the slogan for this year's World Consumer Rights Day, which falls on 15 March. Refugees from Ukraine are also consumers. It is with them in mind that the Personal Data Protection Office, together with the Office of Competition and Consumer Protection and other institutions, prepared useful information that will make shopping, travelling and using services in Poland easier.
Due to the difficult situation caused by the attack of the Russian Federation on Ukraine, many refugees came to Poland seeking shelter and help. Many individuals, organizations and institutions are involved in providing assistance, taking care of the most important issues, such as providing accommodation, food or medical care. These people need not only material assistance, a roof over their heads, but also broad legal assistance - also as consumers. That is why the Personal Data Protection Office joined the Office of Competition and Consumer Protection‘s campaign by preparing useful information for newcomers from Ukraine. The information is intended to help refugees learn about their consumer rights, e.g. with respect to shopping, travelling and using services in Poland and other European Union countries. It is very important because consumers in the EU are protected by different regulations than in Ukraine, therefore we want to introduce the most important issues to newcomers from Ukraine in a practical way.
It is also worth bearing in mind in this context that people who are in the territory of the European Union can benefit from the rights given to them by the GDPR. Therefore, the Personal Data Protection Office (UODO) launches a special e-mail address where Ukrainian citizens staying in Poland will be able to obtain any information in this respect - forUkraine@uodo.gov.pl . This e-mail is serviced on weekdays from 8 a.m. to 4 p.m.
At the same time, the DPA has prepared special guidance material that presents Ukrainian refugees information on their rights under the GDPR and explains how to exercise those rights. The guidance has been prepared in Ukrainian and English. The downloadable file can be found under the message below.
The action initiated by the Office of Competition and Consumer Protection was also joined by:
The European Consumer Center Network: If you are planning to travel from Poland to another country, read the basic information about your consumer rights when travelling in the EU, Norway, Iceland and the UK
The Financial Ombudsman: Know your rights when using financial and insurance products and how the Financial Ombudsman can help you
The Polish Financial Supervisory Authority: Information on insurers and banks - entity search engine
Office of Electronic Communications Tips on how to use the services of telecommunications providers
Information on the Office of Rail Transport Information about free rail travel opportunities. Find out about your passenger rights.
And if you are looking for accommodation, humanitarian aid, transport and broadly understood support, go to pomagamukrainie.gov.pl
HOW TO EXERCISE THE RIGHTS GUARANTEED BY THE GDPR?
The General Data Protection Regulation – the act which is directly applicable in all Member States of the European Union, uniformly regulating citizens’ rights and data controllers’ obligations.
Personal data means information that allows your identity to be established. It is your name, surname, place of residence, telephone number or your e-mail address or location data.
Data processing means any activities that make use of personal data, such as collection, recording, structuring, storage, consultation, use or making available of data. The GDPR grants natural persons many rights that allow them to have more control over their personal data.
The Personal Data Protection Office prepared 10 tips on how to exercise the rights guaranteed by the General Data Protection Regulation (GDPR).
You have the right to know what will happen with your data
You should know who, on what ground and why is processing your personal data. The company or institution that has obtained your data should inform you about it. It is also obliged to indicate your GDPR rights. You have the right, among others to: access your data, rectification, erasure, limitation of processing, portability, objection or the right to be informed about automated decision making, including profiling. In performing the information obligation, the controller must indicate how long it will store your data and provide the contact details of the Data Protection Officer (DPO), if the DPO has been designated.
You have the right to withdraw your consent at any time
If the informed and free consent expressed by you is the ground for the processing of your data, you have the right to withdraw it at any time and this cannot entail any negative consequences for you (e.g. increasing the service fee above its standard amount). Remember that withdrawal of consent should be as easy as giving it.
You should be informed in a way that is understandable to you
All information provided to you as regards the processing of your data should be formulated in a clear and plain language that is understandable to you. This also applies to information related to the use of Internet services or mobile applications. If you do not understand it or do not understand it enough, ask the controller for additional explanations. In Poland, the official language is Polish. All information must be in Polish, but it may be additionally translated into other languages.
You have the right to be forgotten, but not always
Although the GDPR has granted you the right to be forgotten (erasure of data), please note that it is not absolute. You can request the exercise of this right, e.g. in case where the data have become unnecessary for the intended purposes, the data have been processed unlawfully or you have withdrawn your consent and there is no other legal ground for their use. Remember that in not every situation you have the right to be forgotten. This happens when a given entity (e.g. a school, a commune or a clinic) must use your data to fulfil the legal obligation which is imposed on the entity.
You have the right to information about data breach
Data leakage, data loss or data disclosure to unauthorised persons – it happens. And this poses a serious threat to you, so do not be surprised that the controller informs you about it - this is the controller’s obligation. Follow its instructions to minimise the threat. Sometimes, e.g. changing the password in the Internet system or putting a hold on the documents will allow you to protect your data and avoid, e.g. the identity theft and the related consequences, such as e.g. incurring loans on your behalf. In case of doubts, contact the controller or Data Protection Officer who is designated by the controller. They should help you in this situation.
If you object to the processing of your data - marketing cannot be carried out
If your data is used for marketing purposes, i.e. to present you with offers of goods or services, you can object to this at any time. If you do this, your data may no longer be used for such purposes.
Protect children from unfair practices
If you are a parent or a legal guardian of a person under the age of 16, remember that when she or he uses the so-called information society services (provided electronically), e.g. social networks, applications or games, you decide on giving consent to the processing of his/her personal data. This is important, because children are often less aware of the risks and consequences of processing of their personal data. The GDPR indicates that special protection should be provided to them when their data is used for marketing purposes or for the creation of personal profiles. Pay attention to whether the messages addressed to them by the controller are formulated in a language that they can understand.
First request the controller to exercise your rights
If you think that someone is mishandling your data, contact him or her (or the appointed DPO) first and ask for explanations or fulfilment of your request, e.g. rectification of data, recording of objection, erasure of data
You can claim damages before a court
Remember! If the entity which is in possession of your data uses it contrary to the GDPR rules and you have suffered material or non-material damage as a result, you can claim damages from this entity by initiating the proceedings before a court. You have the right to do so regardless of the fact whether you intend to lodge a complaint with the President of Personal Data Protection Office or not.
HOW TO LODGE A COMPLAINT WITH THE PRESIDENT OF THE PERSONAL DATA PROTECTION OFFICE?
Anyone who believes that his or her personal data protection rights have not been respected may lodge a complaint against the controller with the President of the Personal Data Protection Office. Complaints may be submitted in written or electronic form.
The complaint shall be sent by electronic means through the Electronic Inbox of the President of the Office, after completing the FORM – i.e. "General letter to a public body" available on ePUAP2 portal.
Remember that each complaint must contain:
- your name and surname and address of residence;
- indication of the entity against which the complaint is lodged (name/name and surname, and address of the seat/residence);
- a detailed description of the violation;
- your request, i.e. indication of what action you expect from the Personal Data Protection Office (e.g. erasure of data, fulfilment of the information obligation, rectification of data, limitation of data processing, etc.);
- handwritten signature;
Remember to attach evidence confirming the controller's incorrect action (e.g. correspondence with the controller, contracts, certificates). This will make it easier for the Office's staff to assess the case. Complaints which do not contain your name and address will not be further considered due to the impossibility of contacting you.
HOW TO PROTECT PERSONAL DATA?
Personal data are very valuable, as thanks to them you can gain access to many goods. However, they can also be used for marketing and sales purposes or, unfortunately, for criminal purposes. In order to better protect every person's personal data and to process them safely, special legislation which serves this purpose, that is the General Data Protection Regulation (GDPR), applies in the European Union. The Personal Data Protection Office presents some of the most important tips on how to take care of your personal data.
Be careful what and with whom you share about yourself online
It happens that you excessively share information about yourself, and in social media you share information about you, your assets, workplace, events from your everyday life, you share your location and upload photos. This makes the Internet a source of knowledge about your views, consumer behaviour and interests. These data allow, for example, marketing departments of various companies to adjust the offer addressed to you. But also fraudsters may use such information for criminal purposes. In particular, if your profile is fully public, you may be exposed to the risk of your data being used without your knowledge and consent, contrary to the purposes for which you provided the data.
Do not deposit identity documents
Pursuant to the law, retaining your identity card or passport without a legal basis is punishable. If you lose control over your identity card or passport, you are exposed to the possibility that the document may be used without your knowledge and will, which in turn poses the risk of identity theft.
Do not allow to make a photocopy
As a rule, you should not agree to the copying of your identity document. Only in certain situations, it is exceptionally permissible, when the law allows it. When the controller demands a copy of, for example, your ID card, ask him to indicate to you the legal basis that imposes an obligation on it to do so. In other cases, such as renting equipment, this practice still exposes us to the same dangers. Therefore, do not agree to this.
Do not give data over the phone
Avoid providing data over the phone - especially if you are not the one initiating the call, but someone is calling you. Sharing data remotely is fraught with risk, with uncertainty as to whom the data is actually being provided. Make sure to whom you in fact provide data during a phone call, and if necessary verify the contact, e.g. by calling back and checking whether the number and person actually represents the entity being referred to.
Be careful when sharing data through various forms
Be careful when filling out and signing various surveys, forms or contracts. Consider whether you really want to sign up for a shop loyalty card to get discounts or extra promotions. In such situations, you provide the shops with your name, surname, address of residence, date of birth, e-mail address, telephone number, and in return you receive promotions, discount vouchers, additional gifts when shopping.
Avoid providing excessive data
Do not provide all data which allow for full identification, if it is not necessary in a given situation, i.e. excessive data. If you must use a given service, provide only the data necessary to perform that service - carefully consider providing data that is marked as optional.
I consent to…
Before you tick all the consents allowing for the processing of your personal data, make sure what they relate to. Pay attention to whether they are ticked by default on the consent form.
Also read carefully what the consent clauses refer to. In case of doubts, ask the controllers. They should inform you about the period for which the data will be processed and about your rights, including access to the data, rectification and erasure of data or expressing an objection to the processing, as well as whether your data will be transferred to someone else (other recipients).
Remember that you often give your consent to the use of data for marketing purposes not only of the controller, but also of its business partners. If you can, verify who they are, what companies these are. Consent for third-party marketing should be optional and you should be given a choice as to whether to give your consent or not.
The controller should ensure that the ability to withdraw consent is as easy as giving it and you should be informed of your right to withdraw consent before you give it.
Do not throw data in the rubbish until you have destroyed it
Any documents containing your data constitute another source of knowledge about you, especially if they contain a lot of different information allowing to draw conclusions about you. Therefore - before you throw documents in the rubbish bin - you should destroy them (e.g. invoices, bills, notes, stickers on correspondence packages or delivered goods) in a way that makes it impossible to recover personal data contained therein.
Permanently delete data from media
Huge amounts of data about you may be on your old hard drives, memory cards, memory sticks or other media. Note that more and more information about you is stored on computers, smartphones, cameras or tablets. Before you dispose of such devices or media, permanently delete the data on them. However, simply deleting them will not be enough as much of the data can be recovered. Therefore, before you throw the media away or sell it, delete the data on it using the appropriate software. It is also a good idea to reset your device to factory settings, so that it does not remember logins and passwords to various services and applications you have used, especially those that you are still using.
Use mobile devices protection software
Use software that protects mobile devices, e.g. your smartphone or computer, against unwanted external activities such as malware. In addition to popular anti-virus software, software that protects against external interference called firewall may also be useful. Current updates are important. Malware, against which such tools protect us, is created every day. Therefore, without an up-to-date virus database and malicious applications database, an antivirus program will not fully fulfil its role.
Avoid public hotspots
Avoid "open" hotspots available to everyone in crowded places. If you use the network in a hotel or cafe, make sure that the access point to which you log in for sure belongs to the place where you are currently staying. If you are not sure, limit yourself to searching for information and do not use services that require a password. You should limit yourself to only using websites with HTTPS protocol or using a VPN tunnel.
Take care of passwords
It is a good idea for passwords to have nothing to do with your personal life, place of residence, your name and surname, date of birth, names of your relatives or pets, etc., i.e. information that can easily be associated with you by observing your online behaviour or linked to other information about you.
You should also not write passwords down on a piece of paper or in a notebook. It is best to remember them, which is a challenge when you have to log in to many services. Free password managers can be helpful in this regard, as they not only generate passwords which are difficult to break, but also remember them for us. This makes it easier to change your passwords more often, and reduces the risk of someone learning them.
Regularly change the passwords to your computer, e-mail, e-banking systems, but even online shops where you have a user account. Try to use different passwords.
Use multi-factor authentication
Multi-factor authentication is essential as it provides additional protection when logging in. When gaining access, in addition to entering a password, users must undergo additional identity verification, e.g. by entering a code received on a telephone number.
Be wary of advertisements
An example of a situation in which you are at risk of losing data is when you are looking foconr a job. Unfortunately, among the genuine advertisements there are also those aiming at obtaining as detailed information about you as possible. Therefore, it is worth to analyse such contents very carefully and be especially cautious when a potential employer wants you to provide not only basic information about you and contact details but also, for example, scans of your identity documents, which is not necessary in the recruitment process. It is worth using official job placement services.
Be vigilant
Be cautious, which may prevent your personal data from falling into the hands of unauthorised entities or persons, as they may include those (e.g. criminal groups, thieves, kidnappers) who will use the information obtained in this way illegally.
- Do not reply to emails from people whom you do not know, especially if they ask you for some information about yourself or encourage you to click on a link or open an attachment they have sent you, or suggest you to change your user ID and password.
- Be careful also when using e-banking services and purchasing online.
- Make sure that you log in to your internet banking service from a bank website that has an SSL certificate (visible in the address bar of your browser).
- Verify shops, in which you want to buy something: do they exist at all, do they have opinions, are they identified entities, where are they based, is the contact with their owner given and is the contact limited only to electronic contact? If you have doubts about the security of your data, consider whether you absolutely need to buy from this seller.
- Verify terms and conditions as well as privacy policies - avoid sellers who do not present such documents or who present in them provisions that are too general, unclear or imprecise, grammatically or linguistically incorrect, as this may mean that they are entities not being subject to the Polish or European law.
The protection of personal data is very important. By adequately protecting your personal data, you can limit the risk of them being used by unauthorised persons.
