"One employee can do more than a team of experts."
Are you sure about that?

A form for conducting a risk analysis and data protection impact assessment (DPIA) in accordance with the procedure and methodology presented during the training and based on the "Data Protection Impact Assessment Procedure".
The data controller is obliged to document every personal data breach, including the circumstances in which it occurred, its effects and the remedial actions taken. The prepared form covers all the information required by law; completing it properly each time an incident is detected supports the organization's compliance with the documentation duty in Article 33(5) of the GDPR (the separate duty to notify the supervisory authority under Article 33(1) still has to be assessed for each breach).
It lays down uniform rules on the technical and organizational security of personal data in the organization, in accordance with the requirements of Article 32 of the GDPR.
It enables verification of the key functions of the IT systems used by the controller (or processor) when processing personal data, assessed from the perspective of data processing and the exercise of data subject rights, such as the ability to set permission levels or configure password policies.
Defining processing activities is the starting point for implementing and maintaining a personal data protection system in an organization. The term "processing activity", although seemingly simple, presents many challenges. To help address these needs, we have created a list of the most common processing activities, from which the controller can select those that actually occur in their organization.
The fundamental document of the personal data protection system, defining the key aspects of processing. The policy includes provisions on the tasks of the data controller, the data protection officer (DPO), and the IT systems administrator. It also describes the ways of fulfilling the controller's obligations, such as maintaining a register of processing activities, conducting inspections, authorizing employees, or signing data processing agreements. The document also describes the technical and organizational measures applied to ensure an appropriate level of security for the processed personal data. The policy is also the central document to which all data protection documentation is linked.
It addresses the obligations of data protection by design (privacy by design) and data protection by default (privacy by default) set out in Article 25 of the GDPR.
The policy establishes a framework for achieving GDPR compliance with regard to the exercise of data subject rights, including the right to erasure, restriction of processing, objection, and data portability. It defines roles and responsibilities for handling requests from individuals regarding their rights and describes the process for fulfilling them. The annexes to the document include:
This relates to the controller's obligation to carry out a data protection impact assessment (DPIA) under Article 35 of the GDPR. It is a tool that, on the one hand, helps identify processing activities likely to result in a high risk to the rights and freedoms of individuals and therefore requiring a DPIA, and on the other, provides step-by-step guidance on how to conduct the DPIA and defines the roles and responsibilities for carrying it out.
A summary/record of personal data breaches detected in the organization. The GDPR requires controllers to document data processing incidents, including the circumstances of the breach, its effects, and the remedial actions taken, ultimately enabling the supervisory authority to verify whether the controller reports identified breaches in accordance with Article 33 of the GDPR.
The register includes categories such as the backup method, its frequency, retention period and storage location of backup copies. These key pieces of information, assigned to a specific system/application along with the data type and backup type, enable ongoing control over the backup procedure in the organization.
Within the organization, only persons holding an appropriate authorization should be allowed to process personal data. The scope of each authorization must be strictly limited to what is needed to perform the duties of the given position (the need-to-know principle, which applies the data minimization principle of Article 5(1)(c) of the GDPR to access rights).
An authorization to process data usually goes hand in hand with granting the corresponding IT system access rights. The form we have prepared clearly specifies the applicant's details (including position and organizational unit), the user whose rights are to be granted, modified or revoked, a description of the scope of IT system access rights, and a list of modules within each system, all in a clear and easy-to-complete format.
A report containing findings made during the risk analysis and data protection impact assessment, identified levels of risk associated with the processing of personal data, recommendations and a risk management plan.