Templates of the RODO documentation as part of the RODO training from scratch

This document, taking into account all the circumstances indicated in Article 37 of the GDPR, allows an assessment of whether the appointment of a DPO in the organization is mandatory. In addition to the analysis of the justification for appointing a DPO, it contains key guidelines on the DPO obligations and the requirements that the person appointed to this role must meet.

The controller may entrust data for processing only to entities that meet the GDPR requirements (i.e. provide sufficient guarantees for implementing appropriate technical and organizational measures), and it is the controller's obligation to verify the processor. As an alternative to a burdensome audit, we have prepared a form that can be sent to a potential processor, enabling a thorough assessment of whether the entity applies appropriate safeguards, has implemented the necessary solutions and procedures, and guarantees the security of personal data entrusted to it.

Ten basic principles and practical guidelines that employees should keep in mind when dealing with personal data on a daily basis.

The data controller is obliged to document all personal data breaches, including the circumstances in which they occurred, their effects and the remedial actions taken. The prepared form includes all information required by law, and its proper completion each time an incident is detected ensures the organization's compliance with Article 33(5) of the GDPR.

It lays down uniform rules on the technical and organisational security of personal data in the organisation (in accordance with the requirements of Article 32 of the GDPR).

• the procedure for conducting inspections and maintenance,
• monitoring of the risk of computer system failure,
• the mechanisms for ensuring the continuity of resources,
• the general rules for the granting of authorisations in IT systems,
• granting/revoking/modifying rights,
• use of computer equipment,
• the use of mobile data carriers,
• the rules for the use of e-mail,
• remote access management,
• security requirements for mobile devices,
• remote work rules,
• physical and environmental safety,
• selection and configuration of telecommunications infrastructure components,
• the acquisition or development of IT systems,
• network security,
• verification of control mechanisms, feasibility study,
• the rules for managing electronic copies of personal data,
• protection against malware,
• the procedures for starting, suspending and terminating work.

Defining processing activities is the starting point for implementing and maintaining a personal data protection system in an organization. The term "processing activity", although seemingly simple, presents many challenges. To help address these needs, we have created a list of the most common processing activities, from which the controller can select those that actually occur in their organization.

The fundamental document of the personal data protection system, defining the key aspects of processing. The policy includes provisions on the tasks of the data controller, the data protection officer (DPO), and the IT systems administrator. It also describes the ways of fulfilling the controller's obligations, such as maintaining a register of processing activities, conducting inspections, authorizing employees, or signing data processing agreements. The document also describes the technical and organizational measures applied to ensure an appropriate level of security for the processed personal data. The policy is also the central document to which all data protection documentation is linked.

It concerns the obligations to take data protection into account in the design phase (privacy by design) and the default data protection (privacy by default) referred to in Article 25 of the Regulation.

The policy establishes a framework for achieving GDPR compliance with regard to the exercise of data subject rights, including the right to erasure, restriction of processing, objection, and data portability. It defines roles and responsibilities for handling requests from individuals regarding their rights and describes the process for fulfilling them. The annexes to the document include:

• the information clause template when collecting data from the data subject and in a manner other than the data subject,
• the information clause template for the exercise of the right of access,
• the verification form for requesting the deletion of personal data (right to be forgotten),
• the information clause template for the exercise of the right of access,
• models of consent clauses for the processing of personal data and profiling.
• the information clause template for the exercise of the right of access,

A presentation covering key issues, presented in a transparent and systematic manner, using graphic illustrations, which can successfully help inform data processors of the most important changes and innovations brought about by the GDPR.

A document designed to help the data controller organize data processing activities in the organization and exercise control over their course. Article 30 of the GDPR specifies that such a register should indicate, among other things, the purpose of processing, categories of data processed, categories of data subjects, planned data deletion deadlines, and the security measures applied. The register must be made available at the request of the President of the Office for Personal Data Protection, and is informally referred to as the first document a supervisory authority will request when conducting an inspection.

The obligation to maintain a register covering personal data processing activities also applies to processors – naturally, to the extent that these activities are carried out on behalf of and for the data controller, provided that the analysis of the justification for maintaining a register (see above) established the need to maintain one.

A summary/record of personal data breaches detected in the organization. The GDPR requires controllers to document data processing incidents, including the circumstances of the breach, its effects, and the remedial actions taken, ultimately enabling the supervisory authority to verify whether the controller reports identified breaches in accordance with Article 33 of the GDPR.

The register includes categories such as the backup method, its frequency, retention period and storage location of backup copies. These key pieces of information, assigned to a specific system/application along with the data type and backup type, enable ongoing control over the backup procedure in the organization.

The analysis of the justification for appointing a DPO alone will not ensure the data controller's compliance with the GDPR requirements. Formal appointment of the DPO will only take place when they are appointed in accordance with the company's articles of association (statute or other internal document), depending on the procedure adopted – for example, in the form of a resolution on the appointment of the DPO.

As with the personal data protection documentation as long as it is not formally adopted by the Management Board, it will not be officially valid within the organisation; this means that in the event of a supervisory authority's review, this area will constitute non-compliance with the requirements of the GDPR.

The controller does not perform all personal data operations themselves – they often outsource some to external entities that process the entrusted data on behalf of and for the controller. Such entrustment can only take place under a data processing agreement (or "other legal instrument") containing the elements indicated in Article 28(3) of the GDPR, including in particular the subject matter and duration of processing, its nature and purpose, the type of data and categories of data subjects, and the rights and obligations of both parties.

Within the organization, only persons holding appropriate authorization should be allowed to process data. The scope of authorization to process personal data must be strictly adjusted to the needs related to performing duties at a given position – in accordance with the data minimization principle.

Authorization to process data usually goes hand in hand with granting appropriate IT system access rights. The form we have prepared clearly specifies the applicant's details (including their position and organizational unit), the user whose rights are to be granted/modified/revoked, a description of the scope of IT system access rights, and a list of modules within each system – all in a clear and easy-to-complete format.