Participants in the ODO24 training - DPO practitioners

GDPR documentation templates included in the GDPR HR training

Each participant receives documentation templates that make it possible to demonstrate GDPR compliance (over 15 documents in total).

The documentation was prepared in accordance with the recommendations of the President of the Personal Data Protection Office and covers both the formal area and IT infrastructure management procedures.

GDPR Documentation Templates

Consent clause for processing personal data for future recruitment

This clause will allow the personal data of candidates to be stored for future recruitment.

Information clause for the "recruitment" process.

Information clause that provides the candidate with all the information required by Article 13 of the GDPR on the processing of their personal data and their rights (it can also be used in the job advertisement).

Information clause for the "employment" process.

Information clause that provides the employee with all the information required by Article 13 of the GDPR on the processing of their personal data and their rights (it can also be used in an employment contract).

Completed (example) register of processing activities for the "recruitment" and "employment" processes.

A comprehensively prepared register of processing activities for the "recruitment" and "employment" processes (containing all elements referred to in Article 30(1) of the GDPR), resulting from experience gained during GDPR implementation and performance of the DPO function.

Completed (example) register of all categories of processing activities for processes related to employee benefits, group insurance and headhunting

A comprehensively prepared register of all categories of processing activities for processes related to employee benefits, group insurance, and headhunting (containing all elements referred to in Article 30(2) of the GDPR), resulting from experience gained during GDPR implementation and performance of the DPO function.

Provision on visual monitoring for the rules of procedure

A document that allows the objectives, scope and method of applying visual monitoring to be determined correctly. It may be incorporated into the rules of procedure (alternatively, into a collective agreement or a notice), in accordance with Article 22 (2) (6) of the Labour Code.

Employee's statement on being notified by the employer of the use of visual monitoring

Document confirming that the employee has been informed of the purposes, scope and manner of the visual monitoring, ready to be handed to the employee and archived in the personal files (Part B).

Authorisation to process personal data

Document authorising staff access to documents containing personal data of a specific category in accordance with Article 221b of the Labour Code.

Completed (example) analysis of a personal data breach (destruction of employee records), notification of the breach to the President of the Personal Data Protection Office and notification of data subjects

Comprehensive documentation of a personal data breach that allows you to follow the process of analysing the breach, reporting it to the President of the Personal Data Protection Office and notifying data subjects.

Security survey for the processor

The controller may entrust data for processing only to entities that meet the GDPR requirements (i.e. provide sufficient guarantees for implementing appropriate technical and organizational measures), and it is the controller's obligation to verify the processor. As an alternative to a burdensome audit, we have prepared a form that can be sent to a potential processor, enabling a thorough assessment of whether the entity applies appropriate safeguards, has implemented the necessary solutions and procedures, and guarantees the security of personal data entrusted to it.

Instructions for the management of IT resources

It lays down uniform rules on the technical and organisational security of personal data in the organisation (in accordance with the requirements of Article 32 of the GDPR). It covers:

  • the procedure for conducting inspections and maintenance,
  • monitoring of the risk of computer system failure,
  • the mechanisms for ensuring the continuity of resources,
  • the general rules for the granting of authorisations in IT systems,
  • granting/revoking/modifying rights,
  • use of computer equipment,
  • the use of mobile data carriers,
  • the rules for the use of e-mail,
  • remote access management,
  • security requirements for mobile devices,
  • remote work rules,
  • physical and environmental safety,
  • selection and configuration of telecommunications infrastructure components,
  • the acquisition or development of IT systems,
  • network security,
  • verification of control mechanisms, feasibility study,
  • the rules for managing electronic copies of personal data,
  • protection against malware,
  • the procedures for starting, suspending and terminating work.

List of sample processing activities

Defining processing activities is the starting point for implementing and maintaining a personal data protection system in an organization. The term "processing activity", although seemingly simple, presents many challenges. To help address these needs, we have created a list of the most common processing activities, from which the controller can select those that actually occur in their organization.

Personal data protection policy

The fundamental document of the personal data protection system, defining the key aspects of processing. The policy includes provisions on the tasks of the data controller, the data protection officer (DPO), and the IT systems administrator. It also describes the ways of fulfilling the controller's obligations, such as maintaining a register of processing activities, conducting inspections, authorizing employees, or signing data processing agreements. The document also describes the technical and organizational measures applied to ensure an appropriate level of security for the processed personal data. The policy is also the central document to which all data protection documentation is linked.

Privacy by design and by default policy

It concerns the obligations to take data protection into account at the design phase (privacy by design) and to apply data protection by default (privacy by default), as referred to in Article 25 of the Regulation.

Policy on the exercise of data subjects' rights (including relevant clauses)

The policy establishes a framework for achieving GDPR compliance with regard to the exercise of data subject rights, including the right to erasure, restriction of processing, objection, and data portability. It defines roles and responsibilities for handling requests from individuals regarding their rights and describes the process for fulfilling them. The annexes to the document include:

  • the information clause template for collecting data from the data subject and from sources other than the data subject,
  • the information clause template for the exercise of the right of access,
  • the verification form for requesting the deletion of personal data (right to be forgotten),
  • models of consent clauses for the processing of personal data and profiling.

Introduction to basic GDPR training

A presentation covering key issues, presented in a transparent and systematic manner, using graphic illustrations, which can successfully help inform data processors of the most important changes and innovations brought about by the GDPR.

Register of personal data protection incidents

A summary/record of personal data breaches detected in the organization. The GDPR requires controllers to document data processing incidents, including the circumstances of the breach, its effects, and the remedial actions taken, ultimately enabling the supervisory authority to verify whether the controller reports identified breaches in accordance with Article 33 of the GDPR.

Contract to entrust the processing of personal data

The controller does not perform all personal data operations themselves – they often outsource some to external entities that process the entrusted data on behalf of and for the controller. Such entrustment can only take place under a data processing agreement (or "other legal instrument") containing the elements indicated in Article 28(3) of the GDPR, including in particular the subject matter and duration of processing, its nature and purpose, the type of data and categories of data subjects, and the rights and obligations of both parties.

GDPR Documentation in HR | ODO 24