Samples of the GDPR documentation for the DPIA workshops and risk analysis

This document, taking into account all the circumstances indicated in Article 37 of the GDPR, allows an assessment of whether the appointment of a DPO in the organization is mandatory. In addition to the analysis of the justification for appointing a DPO, it contains key guidelines on the DPO obligations and the requirements that the person appointed to this role must meet.

A form for conducting risk analysis and data protection impact assessment (DPIA) in accordance with the procedure and methodology presented during the training and based on the "Data Protection Impact Assessment Procedure".

The data controller is obliged to document all personal data breaches, including the circumstances in which they occurred, their effects and the remedial actions taken. The prepared form includes all information required by law, and its proper completion each time an incident is detected ensures the organization's compliance with Article 33(5) of the GDPR.

It lays down uniform rules on the technical and organisational security of personal data in the organisation (in accordance with the requirements of Article 32 of the GDPR).

• the procedure for conducting inspections and maintenance,
• monitoring of the risk of computer system failure,
• the mechanisms for ensuring the continuity of resources,
• the general rules for the granting of authorisations in IT systems,
• granting/revoking/modifying rights,
• use of computer equipment,
• the use of mobile data carriers,
• the rules for the use of e-mail,
• remote access management,
• security requirements for mobile devices,
• remote work rules,
• physical and environmental safety,
• selection and configuration of telecommunications infrastructure components,
• the acquisition or development of IT systems,
• network security,
• verification of control mechanisms, feasibility study,
• the rules for managing electronic copies of personal data,
• protection against malware,
• the procedures for starting, suspending and terminating work.

Defining processing activities is the starting point for implementing and maintaining a personal data protection system in an organization. The term "processing activity", although seemingly simple, presents many challenges. To help address these needs, we have created a list of the most common processing activities, from which the controller can select those that actually occur in their organization.

A description of the activities and organisational arrangements related to the audit, including the audit criteria, the composition of the audit team, the scope of the audit and the manner and scope of the documentation of the activities.

The fundamental document of the personal data protection system, defining the key aspects of processing. The policy includes provisions on the tasks of the data controller, the data protection officer (DPO), and the IT systems administrator. It also describes the ways of fulfilling the controller's obligations, such as maintaining a register of processing activities, conducting inspections, authorizing employees, or signing data processing agreements. The document also describes the technical and organizational measures applied to ensure an appropriate level of security for the processed personal data. The policy is also the central document to which all data protection documentation is linked.

This relates to the obligation imposed on the controller to carry out a data protection impact assessment (DPIA), as referred to in Article 35 of the GDPR. It is a tool that, on one hand, enables the identification of processing activities likely to result in a high risk to the rights and freedoms of individuals requiring a DPIA, and on the other, provides step-by-step guidance on how to conduct a DPIA and define roles and responsibilities for its execution.

A document designed to help the data controller organize data processing activities in the organization and exercise control over their course. Article 30 of the GDPR specifies that such a register should indicate, among other things, the purpose of processing, categories of data processed, categories of data subjects, planned data deletion deadlines, and the security measures applied. The register must be made available at the request of the President of the Office for Personal Data Protection, and is informally referred to as the first document a supervisory authority will request when conducting an inspection.

A summary/record of personal data breaches detected in the organization. The GDPR requires controllers to document data processing incidents, including the circumstances of the breach, its effects, and the remedial actions taken, ultimately enabling the supervisory authority to verify whether the controller reports identified breaches in accordance with Article 33 of the GDPR.

The analysis of the justification for appointing a DPO alone will not ensure the data controller's compliance with the GDPR requirements. Formal appointment of the DPO will only take place when they are appointed in accordance with the company's articles of association (statute or other internal document), depending on the procedure adopted – for example, in the form of a resolution on the appointment of the DPO.

The controller does not perform all personal data operations themselves – they often outsource some to external entities that process the entrusted data on behalf of and for the controller. Such entrustment can only take place under a data processing agreement (or "other legal instrument") containing the elements indicated in Article 28(3) of the GDPR, including in particular the subject matter and duration of processing, its nature and purpose, the type of data and categories of data subjects, and the rights and obligations of both parties.

Within the organization, only persons holding appropriate authorization should be allowed to process data. The scope of authorization to process personal data must be strictly adjusted to the needs related to performing duties at a given position – in accordance with the data minimization principle.

A report containing findings made during the risk analysis and data protection impact assessment, identified levels of risk associated with the processing of personal data, recommendations and a risk management plan.