Map of the practical aspects of the GDPR

Controller

  • the obligation to implement technical and organisational measures ensuring compliance with the GDPR and allowing that compliance to be demonstrated,

  • GDPR: art. 4 point 7, art. 24,

  • GDPR preamble: recitals 29, 71, 74, 77 and 156.

Reporting of data protection breaches

  • the procedures for the detection, analysis and reporting of data protection breaches,

  • procedures for informing data subjects of data breaches,

  • the template for the data breach registry,

  • GDPR: art. 33-34,

  • GDPR preamble: recitals 85-88.

Data protection officer

  • an analysis of the obligation to appoint a data protection officer (DPO),

  • indication of the qualifications, competencies and tasks of the DPO,

  • appropriate organisational positioning of the DPO (direct reporting to top management),

  • the involvement of the DPO in all personal data processing processes,

  • GDPR: art. 37-39,

  • GDPR preamble: recital 97,

  • PDPA: art. 8-11.

Data protection impact assessment

  • analysis of the obligation to carry out a data protection impact assessment of the planned processing operations,

  • carrying out the data protection impact assessment of the planned processing operations, where required,

  • GDPR: art. 35, art. 36,

  • GDPR preamble: recitals 84 and 89-93,

  • PDPA: art. 57.

Data protection in the design phase and security by default

  • establishing a procedure ensuring transparency of the functioning and processing of personal data (enabling the data subject to monitor the processing of their data, and enabling the controller to create and improve security measures) and minimising the processing of personal data,

  • establishing procedures for the development and design of products, services and applications that take into account the right to the protection of personal data,

  • GDPR: art. 25,

  • GDPR preamble: recitals 26, 28, 29, 71, 75, 78 and 156.

Recipient

  • the entity to which personal data are disclosed

  • identifying the recipients or categories of recipients is necessary, inter alia, to fulfil the information obligation,

  • the obligation to notify recipients of any rectification, erasure or restriction of the processing of personal data,

  • GDPR: art. 4 point 9, art. 13, art. 15, art. 19,

  • GDPR preamble: recitals 39, 58-60, 62-64, 66 and 68.

Supervisory authority

Processing entity (processor)

  • analysis of the current template of the personal data processing agreement concluded with the processor,

  • a list of processors,

  • verification of whether the existing processors are able to fulfil the obligations specified in the GDPR,

  • adapting the template of the processing (entrustment) agreement to the requirements of the GDPR,

  • GDPR: art. 28,

  • GDPR preamble: recitals 29, 71, 81-83 and 156.

Legal bases for processing

  • new rules for obtaining consent to the processing of special categories of personal data,

  • public authorities cannot rely on the legitimate interests pursued by the controller or by a third party as a legal basis for processing,

  • GDPR: art. 6 and 9-11,

  • GDPR preamble: recitals 40-57.

Rights of data subject

  • adapting IT systems so that, at the request of the data subject, they can, among other things, completely erase the person's personal data, port the data to another service provider, generate a file containing all of the person's personal data, etc.,

  • establishing a procedure for responding to data subjects' requests within the one-month deadline, in accordance with the principle of transparency,

  • GDPR: art. 12-22,

  • GDPR preamble: recitals 39, 58-72, 166 and 167,

  • PDPA: art. 35.

Profiling

  • analysis of personal data processing processes for automated processing of data, including profiling,

  • establishing the legal basis for automated processing of personal data without human intervention,

  • drafting consent clauses for profiling that produces legal effects concerning the data subject,

  • GDPR: art. 4 point 4, art. 22,

  • GDPR preamble: recitals 24, 60, 63, 70-73, 75 and 91.

Transfers of data to third countries and international organisations

  • analysis of whether the personal data controller transfers personal data outside the European Economic Area,

  • establishing the legal basis for the transfer of data to third countries,

  • adapting the process of transferring data to third countries to the requirements of the GDPR,

  • GDPR: art. 44-49,

  • GDPR preamble: recitals 77, 81 and 101-116,

  • PDPA: art. 56.

Pseudonymisation

  • one of the security measures for personal data,

  • it makes it difficult to identify the data subject but preserves the possibility of attributing different data to the same person,

  • a reversible process, as opposed to anonymisation,

  • GDPR: art. 4 point 5, art. 25, art. 32,

  • GDPR preamble: recitals 26, 28, 29, 71, 75, 78, 85 and 156.
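The two properties the list above attributes to pseudonymisation (the same person can still be linked across records, and the controller can reverse the process using separately held information, unlike anonymisation) are easiest to see in code. The following Python script is an added illustration, not code from ODO 24 or from the GDPR text; it assumes a keyed HMAC-SHA256 token as the pseudonym, a separately stored vault holding the key and the token-to-identifier map (the "additional information" the controller must keep apart from the data set), and a few constructed sample records that do not describe real people.

```python
"""Pseudonymisation vs anonymisation of a small personal-data set.

Added example (not part of the original page). Sample records are constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample records; the two Anna rows are the same person with
# different e-mail casing, which a naive comparison would treat as two people.
SAMPLE_RECORDS: List[dict] = [
    {"email": "anna.kowalska@example.com", "age": 34, "purchase": "book"},
    {"email": "Anna.Kowalska@example.com", "age": 34, "purchase": "lamp"},
    {"email": "jan.nowak@example.com", "age": 52, "purchase": "desk"},
]


def _normalise_identifier(email: str) -> str:
    """Canonicalise the direct identifier so the same person always maps to one token."""
    return email.strip().lower()


class PseudonymisationVault:
    """Holds the 'additional information' needed to re-identify a data subject.

    The vault (HMAC key plus token -> identifier map) must be stored separately
    from the pseudonymised data set and under stricter access control; the
    pseudonymised records on their own cannot be reversed without it.
    """

    def __init__(self, key: Optional[bytes] = None):
        self.key = key or secrets.token_bytes(32)
        self._lookup: Dict[str, str] = {}

    def token_for(self, identifier: str) -> str:
        """Deterministic keyed token: same person -> same token (linkability kept)."""
        ident = _normalise_identifier(identifier)
        token = hmac.new(self.key, ident.encode(), hashlib.sha256).hexdigest()[:16]
        self._lookup[token] = ident
        return token

    def re_identify(self, token: str) -> Optional[str]:
        """Reverse step, available only to whoever holds the vault."""
        return self._lookup.get(token)


def pseudonymise(records: List[dict], vault: PseudonymisationVault) -> List[dict]:
    """Replace the direct identifier with a vault token; other attributes stay intact."""
    return [
        {"subject_id": vault.token_for(r["email"]), "age": r["age"], "purchase": r["purchase"]}
        for r in records
    ]


def anonymise(records: List[dict]) -> List[dict]:
    """Drop the identifier and generalise age to a decade band; nothing is kept
    that would allow rows to be linked back to a person, so this is irreversible."""
    return [{"age_band": f"{(r['age'] // 10) * 10}s", "purchase": r["purchase"]} for r in records]


def demo():
    """Run both transformations over the constructed sample and return the results."""
    vault = PseudonymisationVault()
    pseudo = pseudonymise(SAMPLE_RECORDS, vault)
    anon = anonymise(SAMPLE_RECORDS)
    return vault, pseudo, anon


if __name__ == "__main__":
    vault, pseudo, anon = demo()
    for row in pseudo:
        print("pseudonymised:", row, "-> re-identified as", vault.re_identify(row["subject_id"]))
    for row in anon:
        print("anonymised:", row)
```

The point for a reviewer of a pseudonymisation design is where the vault lives: if the key and lookup map sit next to the pseudonymised table with the same access rights, the measure adds little, because anyone who can read the table can also reverse it. Keeping the vault on a separate system with its own access control is what turns the token into a genuine security measure under art. 32, while the anonymised output needs no such protection because there is nothing to reverse.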

Registration of processing activities

  • an analysis of the obligation to keep a register of processing activities,

  • verification of processes related to the processing of personal data,

  • establishing a template for the register of processing activities, reflecting the identified processing activities and processes,

  • GDPR: art. 30,

  • GDPR preamble: recitals 82 and 89.

Third party

  • a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or processor, are authorised to process personal data,

  • the legal basis for the processing of personal data may be its necessity for the purposes of the legitimate interests pursued by the third party,

  • GDPR: art. 4 point 10, art. 6(1),

  • GDPR preamble: recitals 32, 39-48.

Data protection based on the estimated risk

  • determining the starting point for the deployment of safeguards,

  • the definition of the processes taking place within the organisation,

  • the identification of threats, vulnerabilities, probabilities, effects and existing safeguards,

  • the development of a risk management plan,

  • GDPR: art. 32,

  • GDPR preamble: recitals 26, 28, 29, 75, 78, 83 and 156.

Information society services

  • consent to the processing of the personal data of a child under 16 years of age is given by a parent or legal guardian,

  • GDPR: art. 8,

  • GDPR preamble: recital 38.

Binding corporate rules

  • the personal data protection policies applied by a controller or processor established in the territory of a Member State,

  • GDPR: art. 4 point 20, art. 46(2)(b), art. 47, art. 57(1)(s),

  • GDPR preamble: recitals 108 and 110,

  • PDPA: art. 56.

Joint controllers

  • identification of the companies that together form the group of undertakings,

  • analysis of data flows between the companies and identification of the joint controllers,

  • conclusion of joint arrangements between the companies acting as joint controllers,

  • GDPR: art. 26,

  • GDPR preamble: recitals 79 and 146.

Consent

  • one of the possible legal grounds for the processing of personal data,

  • consent should be expressed by a clear affirmative statement that constitutes the freely given, informed and unambiguous agreement of the data subject in a given situation,

  • GDPR: art. 4 point 11, art. 7,

  • GDPR preamble: recitals 32, 42, 43 and 65.

RODO Navigator - Relationship Map | ODO 24