„We completed the implementation of the GDPR a couple of years ago."
Are you sure about that?
DODO document templates
Data processing agreement under the DODO Act
A data processing agreement is a mechanism that allows the controller to commission a specialised entity to provide services related to the processing of personal data (including document archiving, IT support, and destruction of data carriers). The document prepared for you contains all the elements referred to in Article 34 of the DODO Act, supplemented by a number of practical, business-friendly provisions.
Authorisation to process personal data
An authorisation to process personal data expresses the controller's will to define the scope of data to which a given person may have access, and confirms that they ensure the security of the processed personal data.
Declaration on keeping data confidential
The declaration is a tool by which a person authorised to process personal data declares that they will keep confidential both the personal data to which they gained access while performing duties for the controller, and the safeguards known to them (at technical and organisational level).
Protocol for destruction of IT data carriers
The protocol for destruction of IT data carriers documents the process of their disposal. It indicates the devices that were destroyed, the method of their disintegration or erasure of information, and the persons who took part in it.
Register of persons authorised to process personal data under the DODO Act
The register of persons authorised to process personal data is an organisational safeguard that allows control over the personal data processing process. The register includes the following information fields:
- name and surname of the authorised person,
- date of granting and cessation and scope of authorisation to process personal data,
- identifier, if data are processed in an IT system.
Joint controllership agreement
A joint controllership agreement is a written agreement between individual joint controllers defining the division of responsibilities between them to the extent required by Article 33 of the DODO Act.
Register of categories of processing activities
The register of categories of processing activities is a document that helps the data controller systematise data processing processes in the organisation and exercise control over their course. Article 35 of the DODO Act specifies that such a register should indicate, among other things, the purposes of processing, categories of recipients to whom personal data have been or will be disclosed, a description of categories of data subjects and categories of personal data, and the legal basis for the processing operation. The register must be made available upon any request from the President of the Personal Data Protection Office, and unofficially it is said to be the first document that the supervisory authority will certainly ask for when conducting an inspection in the organisation.
Register of categories of processing activities carried out on behalf of the controller
The processor is obliged to maintain a register of categories of processing activities carried out on behalf of the controller. The document organises processing operations performed on behalf of individual controllers, which allows effective management of them, including in the event of a personal data breach.
Register of requests for the exercise of data subject rights under the DODO Act
The register is a document that allows efficient management of the process of exercising data subject rights and demonstrates the controller's fulfilment of obligations in this regard (e.g. for the purposes of an inspection by the President of the Personal Data Protection Office).
