• •Principles of data processing – how to collect, store and use personal data in accordance with the law.
• •Types of personal data – how ordinary data differ from sensitive data (e.g. health-related data).
• •Rights of data subjects – how to handle requests for access, rectification or erasure of data.
• •Data security – how to prevent leaks and how to respond in the event of a data breach.
• •Procedures and implementation – how to develop and apply internal policies compliant with RODO.

• •For all employees – even those who only have indirect contact with data (e.g. administrative staff, reception staff, HR department employees).
• •For Data Protection Officers (DPO) – specialised trainings are organised for them, covering, among others, risk analysis and compliance audits.

• •Basic and advanced – from simple introductions to courses with case analyses and workshops.
• •Sector-specific – tailored to the specifics of, for example, public administration, IT companies or the healthcare sector.
• •Online or on-site – traditional classroom training or e-learning available from any location.
• •Cyclical and micro-trainings – short thematic modules (e.g. e-learning) that can be repeated at regular intervals.

• •You reduce the risk of errors and breaches.
• •You have proof that the company takes RODO compliance seriously.
• •You build the team's awareness and responsibility.

RODO, i.e. the General Data Protection Regulation (English: GDPR – General Data Protection Regulation) came into force in the European Union on 25 May 2018. In this article you will learn what RODO is, what personal data are, what personal data protection involves, what obligations entrepreneurs (organisations) have under RODO, what the role of the Data Protection Officer (DPO) is, and which RODO trainings and accredited (certified) DPO courses to take in order to meet RODO requirements, prevent personal data security breaches and avoid severe sanctions: administrative and financial penalties.

Remember: in the age of digitisation the implementation of RODO is currently a key action ensuring the secure conduct of business in terms of data protection. If you want to be sure that your organisation meets RODO standards, use consultancy and training services from external experts who will help you with the implementation of RODO and ensure the protection of the personal data you process.

The aim of RODO is to adapt EU rules on personal data to the challenges of the 21st century, to harmonise them and to ensure free yet secure processing of personal data.

The principles of personal data processing introduced by RODO are intended, among other things, to enable easier access to data, a new right to data portability, an effective right to erasure ('the right to be forgotten'), the right to be promptly informed of attempted unauthorised access to data, and to ensure adequate but also flexible security measures using new technologies, such as pseudonymisation or encryption.

Since 4 May 2019 the Act amending certain acts in connection with ensuring the application of the General Data Protection Regulation (Journal of Laws item 730; hereinafter: the amendment) has been in force, the aim of which was to adapt Polish sectoral provisions to RODO. The new provisions in the field of personal data protection refer directly to RODO, such as Art. 4 of the Act on the Provision of Electronic Services. The amendment regulates, among other things, entrepreneurs' information obligations towards consumers, issues concerning the protection of job applicants' personal data, the obligation to introduce organisational and technical measures to protect personal data, and indicates the consequences of breaching personal data protection provisions.

An entrepreneur who has discovered a personal data breach is obliged to inform the competent supervisory authority, i.e. the President of the Personal Data Protection Office (UODO), within 72 hours of becoming aware of the breach, and may be required to notify the data subjects.

A consequence of breaching obligations under RODO may be the imposition of a financial penalty on the entrepreneur. According to Art. 83 RODO, infringements of personal data protection provisions are subject to an administrative fine of up to EUR 20,000,000, or, in the case of an undertaking, up to 4% of its total annual worldwide turnover of the preceding financial year, whichever is higher.

Personal data are information about a natural person that enable their identification, such as: first and last name, identification number, home address, e-mail address, location data, online identifier, physical, physiological, genetic, mental, cultural or social characteristics. Financial data, such as income or bank details, can also be regarded as personal data.

According to RODO, personal data are protected regardless of how they are used or stored, e.g. using the latest IT systems or paper documents in folders. In any case, the processing of data is subject to RODO requirements.

RODO represents a new approach to personal data protection. Privacy should be applied in practice when carrying out all projects and activities. This is expressed by the principles of data protection by design and data protection by default. Data protection by design means that privacy should be built into every new project. Data protection by default means ensuring the highest possible privacy safeguards in the initial settings of every system or online platform. Safeguards should be set by default, i.e. without any action required on the part of the data subjects. Furthermore, by default only those data necessary to achieve the purpose for which they were collected should be processed (the data minimisation principle).

The starting point for the detailed provisions of RODO are the principles of personal data processing: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality, and accountability.

Processing of personal data can be any operation performed on them, such as collection, recording, organising, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Under RODO, the controller is not only responsible for complying with the rules, but must also be able to demonstrate such compliance. In other words, the controller should be able to document and prove that data processing in their organisation is lawful, fair and transparent.

RODO therefore imposes on controllers (organisations) the obligation to implement appropriate technical and organisational measures to protect personal data. Controllers must demonstrate compliance with RODO in relation to the risks to the rights and freedoms of natural persons.

RODO does not specify concrete solutions that must be implemented to secure personal data. It only indicates the objective the controller should aim for, without prescribing the method of achieving it (the so‑called technological neutrality).

Pursuant to Article 2 of RODO, the provisions of this Regulation do not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of penalties, including the protection against threats to public security and the prevention of such threats.

In this connection, a separate legal act was adopted, Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, referred to as the DODO Directive. On its basis Poland, as an EU Member State, implemented the relevant provisions through the Act of 14 December 2018 on the protection of personal data in relation to the prevention and combating of crime, referred to as the DODO Act.

With the introduction of RODO on 25 May 2018, the role of the information security administrator (ABI) was replaced by the role of the Data Protection Officer (DPO) — Eng. DPO — Data Protection Officer.

RODO does not impose an obligation to appoint a Data Protection Officer (DPO) on all employers. Public authorities and bodies, and entities whose core activities, by reason of their nature, scope or purposes, require large‑scale processing, must designate one. It is the controller (organisation) that must determine whether it has this obligation and justify, i.e. document, its position, taking into account the EU guidelines in this respect.

The function of Data Protection Officer (DPO) may be carried out by a person employed by the controller, including one who performs other tasks within the organisation, or by an external expert. The controller or processor publishes the contact details of the Data Protection Officer and notifies them to the supervisory authority.

The DPO is obliged to maintain secrecy or confidentiality in respect of the tasks performed. The DPO provides the organisation with substantive support on personal data protection, assists in preparing RODO documentation and ensures ongoing contact with the supervisory authority. It should be remembered that the Data Protection Officer should be informed of all matters relating to personal data and should have influence over the decisions and actions taken in this area.

In the era of digitisation and diverse information security threats, the Data Protection Officer (DPO) is therefore one of the most important roles in an organisation. Possessing professional knowledge of the legal provisions and RODO tools, the Data Protection Officer informs, advises and trains organisational management and employees, conducts audits and continuously assesses the organisation's compliance with personal data protection regulations, indicating areas for improvement. Where necessary, the DPO acts as a point of contact — both for the supervisory authority and for the data subjects whose data the controller processes. The Data Protection Officer should participate in the planning and modification of any processes that are related to personal data.

The role of the Data Protection Officer (DPO) requires knowledge and experience in the application of law, risk management and IT security, as well as availability and continuous professional development. Therefore outsourcing the Data Protection Officer (DPO), i.e. the takeover of the DPO function by external experts, is a proven way to optimise processes and costs. Outsourcing the Data Protection Officer (DPO) brings a range of other benefits: constant access to experienced consultants in law, network and IT systems security, risk management and physical security, access to IT tools enabling demonstration of compliance with RODO, including an e-learning platform, execution of or support in executing many duties resting directly with the organisation, a sense of security resulting from cooperation with an experienced and competent partner in data protection and full support in breach management, and during UODO inspections, the physical on-site presence of experts – a lawyer and an IT specialist.

RODO training increases awareness and reduces the risk of mistakes that employees may make, exposing the organisation to serious consequences, including very high financial penalties.

During RODO training employees will learn what personal data is and how to process it securely, how to operate within a modern IT ecosystem, what data protection breaches are and how to prevent them, and what rights individuals have in respect of personal data protection.

Training employees in personal data protection and information security is crucial for preventing and mitigating risk, as it helps to understand the important role employees can play in combating breaches. Such training significantly increases information security at a relatively low cost. Employees of the organisation should be aware that everyone is responsible for the security of personal data.

Through information security training employees will learn the principles of cyber hygiene in the workplace, find out how to operate in a modern IT ecosystem (hybrid working, use of e-mail and social media), gain awareness of the existence of social engineering techniques and the associated threats, and understand what data protection breaches are and how to prevent them.

The Data Protection Officer (DPO) in practice training is intended for people who want to tackle the duties and specifics of the Data Protection Officer (DPO) role. DPIA workshops and risk analysis are a good solution for those wishing to acquire knowledge on carrying out impact assessments and risk analysis. RODO training in HR is useful for those who want to understand what data protection entails in the context of HR data and how to apply legal requirements practically in this area. RODO training in IT is intended for Data Protection Officers (DPOs), managers and IT staff. At basic DODO trainings you can learn the obligations regulated by the DODO Act. Free webinars are an opportunity to meet experts in data protection who explain current interpretations of the regulations and the latest market trends in a straightforward way.

Remote RODO training in the form of e-learning is a simple and cost-effective way to deliver training to most employees, including those in managerial positions, such as security staff, salespeople, telemarketers, call centre staff, reception staff or bank cashiers.

The aim of the e-learning is to familiarise the employee with the basic information necessary for the secure and RODO-compliant processing of personal data.

Thanks to this training, the organisation's employees will gain knowledge of what an inspection by the President of UODO may look like and what information inspectors may request from them.

After training on preparation for a UODO inspection, employees gain awareness of what personal data are and what to pay attention to in their daily processing, how a UODO inspection proceeds, including the rights and obligations of the inspector and the inspected party, how to behave during an inspection and how to adjust the processing area so that its course is as favourable as possible, and how to prepare the organisation step by step for a notified inspection.

Explore our wide range of affordably priced, recurring training sessions, courses and workshops dedicated to RODO, available on-site and online, for beginners and advanced participants. Find the programme that best suits your needs. Through RODO trainings, courses and workshops you will learn, among other things, how to build a personal data protection system step by step, how to fulfil your assigned duties effectively and reliably, how to conduct a compliance audit with data protection regulations, which personal data protection policies your organisation should apply, how to secure an IT system, how to assess risk and carry out a data protection impact assessment, how to implement and apply RODO to enhance your organisation's reputation through the care and protection your organisation provides for the personal data of its prospective, current and former clients and contractors.