The scope of the services provided under the General Data Protection Regulation (GDPR) in shared service centres
Data security in shared service centres (SSC/BPO) - a business case

The shared service centre industry faces unique challenges in relation to the GDPR, mainly due to the scale and complexity of the processes. SSCs and BPOs process personal data on behalf of multiple entities, often operating in different countries and jurisdictions. Problems arise where automation in ERP systems clashes with the principle of data minimisation, and a lack of consistent accountability between operational, HR, IT and legal departments leads to uncontrolled access to data. At this scale, even minor errors can result in the violation of thousands of people's rights and serious legal consequences.
ODO 24 has implemented projects for shared service centres providing HR, accounting and IT services to large capital groups. As part of the implementations, we developed uniform standards for data processing entrustment, prepared responsibility matrices and conducted multilingual training tailored to different organisational levels. We also handled 'group' breaches, which required collecting information and coordinating the activities of what were sometimes several group companies. We established consistent data retention rules for the various systems used to process data 'owned' by different controllers. More than once we regulated the principles of transferring data between individual group companies, where data had previously flowed "freely" without any analysis of whether there were legal grounds for doing so. We handled joint group projects, such as events involving filming / photography. On a number of occasions, we have also analysed the consistency of policies applied by the company we support with those of the 'parent company' located in another country, including outside the European Union. This is because we realise that sometimes servicing an SSC means de facto servicing the entire group. Thanks to our actions, our SSC clients have gained full control over their data processing, compliance with the GDPR and organisational resilience in the event of an audit or incident. At times, we also had to temper the expectations of other group companies with regard to the SSC, e.g. when they demanded verification of job candidates and employees working in the IT Security department by means of KRK (National Criminal Register) certificates, and also by contacting the institutions where they were educated, as well as their former employers. We prepared a recommendation explaining why a company in Poland, according to Polish law, cannot carry out such activities.
We serve or have served, among others, ENERGA Centrum Usług Wspólnych Sp. z o.o., Veolia Centrum Usług Wspólnych Sp. z o.o., CENTRUM INFORMATYCZNYCH SERVICES COMMON OLSZTYNA and the SSC of IGLOTEX Capital Group.

GDPR and cybersecurity – challenges for the automotive sector
Shared service centres today handle key financial, HR and IT processes for entire groups of companies. In practice, this means processing huge amounts of personal data - often in cloud environments, with distributed access and with the cooperation of many entities.
The GDPR requires effective privacy protection and compliance with data processing rules. In contrast, the NIS2 directive - which may cover many shared service centres - introduces obligations relating to cyber incident resilience, risk management and breach reporting.
In this context, shared service centres need to think about security comprehensively - not only through the lens of GDPR compliance, but also from the perspective of business continuity, technical safeguards and organisational resilience.
Combining the two regulations is not an option; it is a necessity for maintaining operational stability and customer confidence in the face of increasing digitisation and regulatory pressure.
We use recognized international standards.
This is how you recognize quality
CIPM
Implementation of privacy and personal data protection system
ISO/IEC 27001
Information technology - Security techniques - Information security management systems
ISO/IEC 29134
Information technology - Security techniques - Guidelines for data protection impact assessment
ISO/IEC 27001
Privacy information management system
ISO 31000
Risk management - Principles and guidelines
PRINCE2 and SMC™
Project management methodologies
ISO 19011
Guidelines for auditing management systems
ISO/IEC 27005
Information technology - Security techniques - Information security risk management
What our customers say about our services
Marcin Wieczorek

„I am very impressed with the high level of substantive expertise of the training staff"
From 13 to 17 March I attended the "Course for Information Security Administrators" organized by ODO 24 sp. z o.o. I am very impressed with the high substantive level of the training staff and the comprehensive program. Working as an ABI requires knowledge not only of legal provisions but also of IT matters, which ODO 24 took into account. Noteworthy is the curriculum, which gradually introduces increasingly advanced nuances of personal data protection, starting from the legal basics and ending with practical aspects of auditing and working with documents within a company. The complete set of materials, editable documents and publications I received will facilitate my daily work as an ABI. I can certainly recommend ODO 24 as a reliable partner offering training services of a high standard.
Magdalena Węglewska

„We can wholeheartedly recommend ODO 24 as a professional and reliable partner"
For many years we have consistently placed great importance on the protection of the personal data of our customers as well as our employees. We took an active part in creating the "Code of Good Practice for the Protection of Personal Data of Customers and Potential Customers,” developed jointly by GIODO and the Polish Automotive Industry Association. Due to the complexity and variability of the rules on personal data protection, as well as Mazda’s dynamic development in Poland and the increasing volume of data we process, we decided to entrust the ABI function to a company specialized in this field. The decision to use the services of ODO 24 was primarily influenced by the experience and competence of the team of experts, the comprehensiveness of the offering and its flexibility in adapting to our organization. After a year of cooperation we can recommend ODO 24 as a professional and reliable partner.
Agnieszka Karłowicz

„A practical approach, continuous advisory availability, and positive working relationships"
We have been working with ODO24 for over a year. For us it has been a year of peaceful breathing and a sense of security: at least regarding personal data protection :-) The people at ODO are professionals who explain matters that are incomprehensible to the average person in an understandable way. They understand not only their profession but, which is very important to us, business and its requirements. A practical approach, constant advisory availability, and great relationships — all of this means I can recommend this Company to anyone who wants to work and sleep peacefully.
Tomasz Siwicki

„I recommend the company ODO 24 as a professional partner"
For several years we have been cooperating with ODO 24 in the field of personal data protection. A professional team that efficiently helped us to comply with the requirements of the GDPR. We make use not only of the experts’ knowledge but also of professionally prepared e‑training, thanks to which we were able to train several hundred employees in a very short time. I highly recommend ODO 24 as a professional partner delivering services at the highest level.
Opinion of the participants
Tomasz G.
2 years ago
I wanted to thank you for the wonderful training I've had at your company, the materials were very well prepared, and the instructor has shown tremendous knowledge and experience.
Aleksandra P.
2 years ago
Training at a very high level, I highly recommend!!! Training materials very useful in everyday work.
Sławomir M.
2 years ago
Mrs. Mecenas, it was an honor to be able to take part in this training, and thank you very much for your professional approach and valuable practical guidance.
Wacław T.
3 years ago
The IOD course organized by ODO24 has met all my expectations, a very practical approach, concrete examples and professional support.
Maria K.
1 year ago
The training was conducted in a way that was understandable even to those without previous experience in this field.
Piotr N.
10 months ago
Very good training, a lot of practical examples, a little bit too little time to ask questions, but overall I'm satisfied.
Anna W.
8 months ago
A professional approach, a great atmosphere during the training, the instructor answered all the questions thoroughly, and I highly recommend ODO24!
Jan K.
1 year ago
It's the best personal data protection training I've ever had, specific examples from real life, not just a dry theory, I recommend it to anyone who works with GDPR.
Katarzyna J.
6 months ago
The training meets my expectations. A lot of practical knowledge, good materials. The only drawback is too much group, so less time for individual consultations.
Michał L.
4 months ago
Excellent training! A very competent conductor with vast experience. Everything explained in a clear and understandable way. The training materials are very useful.
Joanna D.
3 months ago
I recommend ODO24 training to anyone seeking a sound knowledge of the field of ODO: professional service, excellent organisation and excellent teaching facilities.
Andrzej S.
2 months ago
Sometimes the pace was a little too fast, but the conductor was happy to return to the topics discussed earlier at the request of the participants.
GDPR in shared service centres: questions and answers
The price depends on the scale of operations, the number of companies served and the scope of personal data processed. We offer comprehensive packages covering audit, implementation and support for SSC and BPO centres. Contact us to receive an individual offer tailored to your structure.
The most common are inconsistent approaches to data protection across different teams, lack of consistent authorisations and issues with data processing entrustments between group companies. In practice there is also difficulty in determining who is the data controller and who is the data processor.
Yes – even if the centre acts solely as a processor, it remains subject to the obligations arising from the GDPR. It is responsible, among other things, for ensuring an appropriate level of data security, compliance of operations with the data processing agreement and maintaining documented processing procedures. In practice this means having appropriate agreements with the data controller and actually implementing technical and organisational measures that protect personal data.
Personnel (HR), payroll, financial, recruitment and technical data — often processed automatically and on a large scale. High risk also concerns cross-border data and data originating from corporate clients.
No – we work in stages so as not to disrupt ongoing processes. Our approach takes into account the work schedules of operational teams, HR, payroll and IT.
Yes – we have carried out GDPR implementations for centres serving multiple countries and business units. We understand the specifics of working in dispersed structures, including in international environments.
Yes – we offer GDPR training in several language versions, including online, live and role-based (HR, IT, operations). We tailor the scope and language of the training to the participants’ profile.
Yes! We offer a free consultation for SSC and BPO centres – we will help identify key risks and advise on how to effectively implement or organise GDPR compliance within a complex shared services structure.
Our greatest value is the trust of our customers.
How can we help you?
Write or call, we will find a solution






