Scope of GDPR services in the medicine and cosmetics sector
Data security in medicine and cosmetics – business case

The medical and cosmetics sector processes special categories of data – in particular information about health status, treatments undergone and data relating to patients' image and aesthetic preferences. In the context of the GDPR, a key challenge is ensuring compliance in a face-to-face environment, often – especially in the beauty industry – without support from a legal or IT department. The most common problems are unnecessary or incorrectly obtained consents for treatments, inadequate archiving of medical and cosmetic records, and the use of online registration systems and mobile apps without prior risk analysis. Low levels of legal awareness among staff increase the risk of breaches that can lead to serious consequences – both legal and reputational.
ODO 24 has carried out GDPR projects for outpatient clinics, aesthetic medicine clinics and beauty salon chains. As part of our cooperation, we conducted compliance audits, implemented consent templates and information clauses, developed procedures for processing sensitive data and trained staff in the secure collection and storage of records. We also helped adapt online registration systems and treatment forms to current legal requirements. We regulated consents for transferring data to third parties (e.g. medical equipment suppliers and medical entities carrying out medical examinations), as well as obtaining consents from doctors and pharmacists to use private phone numbers and email addresses for day-to-day contact (necessary because of high staff turnover). A further challenge was coordinating cooperation with doctors performing procedures so that no doubt remained as to who is responsible for personal data. Our approach was to analyse the possible scenarios in detail and prepare documentation for every eventuality, in particular consents and information clauses, including ready-made documentation for situations where an external entity (usually a doctor) acts as the data controller. At a private hospital we regulated room monitoring following the amendment of the regulations on video monitoring in healthcare entities, advising on how to implement such monitoring lawfully in line with the guidelines of the Patients' Rights Ombudsman, the GDPR and good industry practice; we also supported the hospital in carrying out a DPIA and prepared accessible information clauses for patients. In the beauty sector, we prepared information clauses for a client's spa and wellness services.
We serve or have served, among others, Braster, Sante, JWC (Hotel Czarny Potok Resort & SPA in Krynica Zdrój), Biobyte (provider of IT systems for medical entities), Polskie Towarzystwo Walki z Mukowiscydozą, Bioton, ITP.

GDPR and cybersecurity – challenges in medicine and cosmetics
The increasing digitalisation of practices, clinic chains and large medical and cosmetic facilities means that protecting patient data must go far beyond formal GDPR compliance. Electronic medical records, appointment booking systems, online payments and remote consultations are convenient, but each widens the attack surface and, if compromised, exposes special categories of data, including health data, to theft or leakage.
For larger healthcare entities, the requirements under the NIS2 Directive also apply – including the obligation to implement effective cybersecurity procedures, test system resilience and report serious incidents.
For large medical and beauty chains, combining GDPR compliance with the digital resilience required by NIS2 is now not just a legal obligation, but a key element of strategy – protecting patient data, ensuring business continuity and building lasting brand trust.
We use recognized international standards.
This is how you recognize quality
CIPM
Implementation of privacy and personal data protection system
ISO/IEC 27001
Information technology - Security techniques - Information security management systems
ISO/IEC 29134
Information technology - Security techniques - Guidelines for data protection impact assessment
ISO/IEC 27701
Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management
ISO 31000
Risk management - Principles and guidelines
PRINCE2 and SMC™
Project management methodologies
ISO 19011
Guidelines for auditing management systems
ISO/IEC 27005
Information technology - Security techniques - Information security risk management
What our customers say about our services
Marcin Wieczorek

„I am very impressed with the high level of substantive expertise of the training staff”
From 13 to 17 March I attended the "Course for Information Security Administrators" organized by ODO 24 sp. z o.o. I am very impressed with the high substantive level of the training staff and the comprehensive program. Working as an ABI requires knowledge not only of legal provisions but also of IT matters, which ODO 24 took into account. Noteworthy is the curriculum, which gradually introduces increasingly advanced nuances of personal data protection, starting from the legal basics and ending with practical aspects of auditing and working with documents within a company. The complete set of materials, editable documents and publications I received will facilitate my daily work as an ABI. I can certainly recommend ODO 24 as a reliable partner offering training services of a high standard.
Magdalena Węglewska

„We can wholeheartedly recommend ODO 24 as a professional and reliable partner”
For many years we have consistently placed great importance on the protection of the personal data of our customers as well as our employees. We took an active part in creating the "Code of Good Practice for the Protection of Personal Data of Customers and Potential Customers", developed jointly by GIODO and the Polish Automotive Industry Association. Due to the complexity and variability of the rules on personal data protection, as well as Mazda's dynamic development in Poland and the increasing volume of data we process, we decided to entrust the ABI function to a company specialized in this field. The decision to use the services of ODO 24 was primarily influenced by the experience and competence of the team of experts, the comprehensiveness of the offering and its flexibility in adapting to our organization. After a year of cooperation we can recommend ODO 24 as a professional and reliable partner.
Agnieszka Karłowicz

„A practical approach, continuous advisory availability, and positive working relationships”
We have been working with ODO24 for over a year. For us it has been a year of peaceful breathing and a sense of security: at least regarding personal data protection :-) The people at ODO are professionals who explain matters that are incomprehensible to the average person in an understandable way. They understand not only their profession but, which is very important to us, business and its requirements. A practical approach, constant advisory availability, and great relationships — all of this means I can recommend this Company to anyone who wants to work and sleep peacefully.
Tomasz Siwicki

„I recommend the company ODO 24 as a professional partner”
For several years we have been cooperating with ODO 24 in the field of personal data protection. A professional team that efficiently helped us to comply with the requirements of the GDPR. We make use not only of the experts' knowledge but also of professionally prepared e-training, thanks to which we were able to train several hundred employees in a very short time. I highly recommend ODO 24 as a professional partner delivering services at the highest level.
Opinion of the participants
Tomasz G.
2 years ago
I wanted to thank you for the wonderful training I had at your company; the materials were very well prepared, and the instructor showed tremendous knowledge and experience.
Aleksandra P.
2 years ago
Training at a very high level, I highly recommend it!!! The training materials are very useful in everyday work.
Sławomir M.
2 years ago
Mrs. Mecenas, it was an honor to be able to take part in this training, and thank you very much for your professional approach and valuable practical guidance.
Wacław T.
3 years ago
The IOD course organized by ODO24 met all my expectations: a very practical approach, concrete examples and professional support.
Maria K.
1 year ago
The training was conducted in a way that was understandable even to those without previous experience in this field.
Piotr N.
10 months ago
Very good training, a lot of practical examples, a little too little time to ask questions, but overall I'm satisfied.
Anna W.
8 months ago
A professional approach, a great atmosphere during the training, the instructor answered all the questions thoroughly, and I highly recommend ODO24!
Jan K.
1 year ago
It's the best personal data protection training I've ever had: specific examples from real life, not just dry theory. I recommend it to anyone who works with the GDPR.
Katarzyna J.
6 months ago
The training met my expectations. A lot of practical knowledge, good materials. The only drawback was too large a group, so less time for individual consultations.
Michał L.
4 months ago
Excellent training! A very competent instructor with vast experience. Everything explained in a clear and understandable way. The training materials are very useful.
Joanna D.
3 months ago
I recommend ODO24 training to anyone seeking sound knowledge in the field of personal data protection: professional service, excellent organisation and excellent teaching facilities.
Andrzej S.
2 months ago
Sometimes the pace was a little too fast, but the instructor was happy to return to the topics discussed earlier at the request of the participants.
GDPR in medicine and cosmetics – questions and answers
The cost depends on the size of the facility, the number of employees and the scope of the data processed – including special category data. We offer packages tailored to medical practices, aesthetic medicine clinics, networks of salons and clinics. Quotations are prepared individually after a preliminary analysis.
The most common problems include outdated forms, a lack of consistent rules for protecting medical and cosmetic records, and inadequate data security in registration systems and CRM software.
A frequent mistake is also the unjustified reliance on patient consent as the legal basis for processing health data – although, according to the GDPR, the legal basis in this respect is usually the provision of a medical or therapeutic service (Article 9(2)(h)). Misunderstanding the legal bases and the lack of implemented procedures increase the risk of breaches and liability.
Yes – health-related data are particularly protected and require an explicit legal basis. We help prepare correct consent forms and information clauses tailored to the nature of the services provided.
These are health data, data about procedures, photographs documenting results, and contact details of patients and clients. Special care should be taken with both electronic and paper records.
Yes – data provided by patients at registration, via forms or telephone calls, are also protected. You should ensure their security and provide correct information about processing.
No – we implement procedures in the least intrusive way possible, taking into account appointment schedules and staff availability. We act to ensure compliance with the GDPR without disrupting patient services.
Yes – we have worked with aesthetic medicine clinics, dental clinics, outpatient clinics and beauty salons. We know how to tailor solutions to the requirements of medical professions and commercial beauty services.
Yes! We offer a free consultation for practices, clinics and salons – we will discuss your needs and help plan GDPR-compliant solutions without unnecessary formalities.
Our greatest value is the trust of our customers.
How can we help you?
Write or call, we will find a solution