Participants in the ODO24 training - IOD practitioners

GDPR documentation templates for the Practical DPO course

Each participant of the Practical DPO course receives documentation templates allowing to demonstrate GDPR compliance (over 30 documents in total).

The documentation was prepared in line with the recommendations of the President of the Personal Data Protection Office (UODO), and its scope covers both the formal area and IT infrastructure management procedures.

GDPR Documentation Templates

Analysis of the reasonableness of keeping a register of processing activities

It makes it possible to assess whether there are circumstances in the organisation under review in which keeping a register of processing activities is mandatory, and it also contains the most important guidelines on the form and content of the register.

Analysis of the reasonableness of appointing a data protection officer

This document, taking into account all the circumstances indicated in Article 37 of the GDPR, allows an assessment of whether the appointment of a DPO in the organization is mandatory. In addition to the analysis of the justification for appointing a DPO, it contains key guidelines on the DPO obligations and the requirements that the person appointed to this role must meet.

Security questionnaire for the processor

The controller may entrust data for processing only to entities that meet the GDPR requirements (i.e. provide sufficient guarantees for implementing appropriate technical and organizational measures), and it is the controller's obligation to verify the processor. As an alternative to a burdensome audit, we have prepared a form that can be sent to a potential processor, enabling a thorough assessment of whether the entity applies appropriate safeguards, has implemented the necessary solutions and procedures, and guarantees the security of personal data entrusted to it.

GDPR Audit Worksheet

It is a ready-made tool for conducting an audit of the protection of personal data. Going through a checklist of requirements set by the GDPR will allow you to determine the level of compliance of the organisation with EU rules. The worksheet covers:

  • compliance with the general rules and principles concerning the processing of personal data,
  • the exercise of the rights of data subjects,
  • the status of the data controller, processor and data protection officer and their responsibilities, including general security of processing, reporting of data breaches to the supervisory authority and to the data subject,
  • the transfer of data to third countries.

The data protection impact assessment sheet (DPIA)

A form to prepare a risk analysis and data protection impact assessment (DPIA) in accordance with the procedure and methodology presented during the training and based on the Data protection impact assessment procedure.

Declaration on the protection of personal data

Ten basic principles and practical guidelines that employees should keep in mind when dealing with personal data on a daily basis.

Documentation of personal data breaches

The data controller is obliged to document all personal data breaches, including the circumstances in which they occurred, their effects and the remedial actions taken. The prepared form includes all information required by law, and its proper completion each time an incident is detected ensures the organization's compliance with Article 33(5) of the GDPR.

Instructions for the management of IT resources

It lays down uniform rules on the technical and organisational security of personal data in the organisation (in accordance with the requirements of Article 32 of the GDPR). It covers, among other things:

  • the procedure for conducting inspections and maintenance,
  • monitoring of the risk of computer system failure,
  • the mechanisms for ensuring the continuity of resources,
  • the general rules for the granting of authorisations in IT systems,
  • granting/revoking/modifying rights,
  • use of computer equipment,
  • the use of mobile data carriers,
  • the rules for the use of e-mail,
  • remote access management,
  • security requirements for mobile devices,
  • remote work rules,
  • physical and environmental safety,
  • selection and configuration of telecommunications infrastructure components,
  • the acquisition or development of IT systems,
  • network security,
  • verification of control mechanisms, feasibility study,
  • the rules for managing electronic copies of personal data,
  • protection against malware,
  • the procedures for starting, suspending and terminating work.

Checklist of the basic functionalities of the IT systems

It enables verification of key functionalities used by the data controller (processor) when processing data – from the perspective of data processing and exercise of data subject rights – such as the ability to set permission levels or configure password policies.

List of audit participants

A timetable for the personal data protection audit, on the basis of which audit activities can be planned.

List of sample processing processes

Defining processing activities is the starting point for implementing and maintaining a personal data protection system in an organization. The term "processing activity", although seemingly simple, presents many challenges. To help address these needs, we have created a list of the most common processing activities, from which the controller can select those that actually occur in their organization.

Audit observation notes

A short record of the observations made during the personal data protection system audit.

GDPR Audit Plan

A description of the activities and organisational arrangements related to the audit, including the audit criteria, the composition of the audit team, the scope of the audit and the manner and scope of the documentation of the activities.

Personal data protection policy

The fundamental document of the personal data protection system, defining the key aspects of processing. The policy includes provisions on the tasks of the data controller, the data protection officer (DPO), and the IT systems administrator. It also describes the ways of fulfilling the controller's obligations, such as maintaining a register of processing activities, conducting inspections, authorizing employees, or signing data processing agreements. The document also describes the technical and organizational measures applied to ensure an appropriate level of security for the processed personal data. The policy is also the central document to which all data protection documentation is linked.

Privacy policy by design and by default

It concerns the obligations to take data protection into account in the design phase (privacy by design) and the default data protection (privacy by default) referred to in Article 25 of the Regulation.

Policy on the exercise of data subjects' rights (including relevant clauses)

The policy establishes a framework for achieving GDPR compliance with regard to the exercise of data subject rights, including the right to erasure, restriction of processing, objection, and data portability. It defines roles and responsibilities for handling requests from individuals regarding their rights and describes the process for fulfilling them. The annexes to the document include:

  • the information clause template for collecting data from the data subject and from sources other than the data subject,
  • the information clause template for the exercise of the right of access,
  • the verification form for requesting the deletion of personal data (right to be forgotten),
  • models of consent clauses for the processing of personal data and profiling.

Introduction to basic GDPR training

A presentation covering key issues, presented in a clear and systematic manner with graphic illustrations, which can help inform persons processing data of the most important changes and innovations brought about by the GDPR.

Data protection impact assessment procedure (DPIA)

This relates to the obligation imposed on the controller to carry out a data protection impact assessment (DPIA), as referred to in Article 35 of the GDPR. It is a tool that, on one hand, enables the identification of processing activities likely to result in a high risk to the rights and freedoms of individuals requiring a DPIA, and on the other, provides step-by-step guidance on how to conduct a DPIA and define roles and responsibilities for its execution.

GDPR Audit Report

The audit results and findings made in the "GDPR Audit Worksheet" should be reflected in the audit report. The prepared report template includes organizational aspects of the audit, a list of activities carried out during the audit, identified violations of personal data protection regulations, and planned or taken remedial actions.

Register of processing activities (controller)

A document designed to help the data controller organize data processing activities in the organization and exercise control over their course. Article 30 of the GDPR specifies that such a register should indicate, among other things, the purpose of processing, categories of data processed, categories of data subjects, planned data deletion deadlines, and the security measures applied. The register must be made available at the request of the President of the Office for Personal Data Protection, and is informally referred to as the first document a supervisory authority will request when conducting an inspection.

Register of all categories of processing activities (processor)

The obligation to maintain a register covering personal data processing activities also applies to processors – naturally, to the extent that these activities are carried out on behalf of and for the data controller, provided that the analysis of the justification for maintaining a register (see above) established the need to maintain one.

Register of personal data protection incidents

A summary/record of personal data breaches detected in the organization. The GDPR requires controllers to document data processing incidents, including the circumstances of the breach, its effects, and the remedial actions taken, ultimately enabling the supervisory authority to verify whether the controller reports identified breaches in accordance with Article 33 of the GDPR.

Register of the creation of backups

The register includes categories such as the backup method, its frequency, retention period and storage location of backup copies. These key pieces of information, assigned to a specific system/application along with the data type and backup type, enable ongoing control over the backup procedure in the organization.

Resolution on the appointment of the DPO

The analysis of the justification for appointing a DPO alone will not ensure the data controller's compliance with the GDPR requirements. Formal appointment of the DPO will only take place when they are appointed in accordance with the company's articles of association (statute or other internal document), depending on the procedure adopted – for example, in the form of a resolution on the appointment of the DPO.

Resolution on the adoption of the GDPR documentation

Personal data protection documentation that has not been formally adopted by the Management Board is not officially valid within the organisation; in the event of a supervisory authority review, this area would therefore constitute non-compliance with the requirements of the GDPR.

Data processing agreement

The controller does not perform all personal data operations themselves – they often outsource some to external entities that process the entrusted data on behalf of and for the controller. Such entrustment can only take place under a data processing agreement (or "other legal instrument") containing the elements indicated in Article 28(3) of the GDPR, including in particular the subject matter and duration of processing, its nature and purpose, the type of data and categories of data subjects, and the rights and obligations of both parties.

Authorisation to process personal data

Within the organization, only persons holding appropriate authorization should be allowed to process data. The scope of authorization to process personal data must be strictly adjusted to the needs related to performing duties at a given position – in accordance with the data minimization principle.

Application for granting, modifying or withdrawing authorisations for the IT system

Authorization to process data usually goes hand in hand with granting appropriate IT system access rights. The form we have prepared clearly specifies the applicant's details (including their position and organizational unit), the user whose rights are to be granted/modified/revoked, a description of the scope of IT system access rights, and a list of modules within each system – all in a clear and easy-to-complete format.

Risk analysis and data protection impact assessment report

A report containing findings made during the risk analysis and data protection impact assessment, identified levels of risk associated with the processing of personal data, recommendations and a risk management plan.

Documentation of the RODO Course of IOD | ODO 24