After 3 years since RODO (personal data protection regulation) started to apply, controllers have developed a number of incorrect practices. This period is also the time of a number of publications of the UODO (DPA - data protection authority) which provide guidance on how to process data. 

A significant problem in terms of practical aspects of the application of RODO is the so-called background check. The UODO's guidelines on its applicability by employers do not make the task easier for them. The issue of processing of employees' criminal records is not as obvious as it may seem; surely Article 10 of RODO prohibits the processing of such data? An incorrect and common practice is the so-called "consent-o-mania", i.e. the collection by controllers of consents for data processing "in reserve". Data processors also like to enter into entrustment agreements "in advance", even in situations where the processing is performed by two independent controllers.

Among good practices the following should be pointed out: appropriate mapping of personal data, especially in big organisations, including personal data protection as an element of compliance in the organisation, or developing personal data protection documents by companies belonging to the group of enterprises also in Polish and in a simple and transparent way.

Read more in Michalina Kaczmarczyk's article "Personal data protection in HR - selected mistakes and good practices" for ODO Magazine (Issue 17 October - December 2021).