Yes, after completion of the training each participant receives a personalised certificate confirming their participation in the training.

Yes, it is even recommended. 😊 When conducting our training, we do not want it to be an ex cathedra lecture. We favour a workshop-based approach to prepare our trainees as best as possible for the challenges posed by personal data protection.

Due to the workshop format of our courses we endeavour to keep groups to no more than 12 participants.

If the training is financed at least 70% by public funds, this provides a basis for exemption from VAT. In such a case, in the registration form in the third step (Invoice) we ask you to select the option: "I declare that the training is financed at least 70% by public funds. Consequently, I request exemption from VAT".

In accordance with the regulations of our training courses, the selected service must be paid for no later than two days before the training.

Yes, in such a case please provide this information in the fourth step of our form, in the "Additional remarks" field.

This is not necessary. We conduct online training via the Microsoft Teams application, which also allows us to send a link that can be opened in a web browser.

This is not necessary; however, to facilitate asking questions and exchanging experiences, we recommend using a headset with a microphone.

Yes, in such a case please provide this information in the fourth step of our form, in the "Additional remarks" field.

In most cases we confirm the training course one week before the scheduled start date. We want to ensure that participants in our training courses have the opportunity to familiarise themselves with the materials in advance.

As soon as the training has concluded, the books will be sent by courier to the address provided in the registration.

We are aware that certain documents can sometimes present difficulties, so we will gladly help with completing them. In such cases, please contact our training coordinator.

Our training coordinator is available at the e-mail address: [email protected].

We also invite you to contact us by telephone at: 22 740 99 99 or +48 690 004 852

A Data Protection Officer (DPO) must be appointed, among others, by an organisation whose core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, or whose core activities consist of large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offences. What is meant by “regular and systematic monitoring”, what constitutes “large scale”, what is meant by “core activities”, and even what “personal data relating to criminal convictions and offences” are, will be explained during the training.

Training participants will receive an audit checklist in which all aspects to be examined by the auditor during the audit will be itemised. The audit checklist will be discussed step by step; practical exercises are also planned in searching for non-compliances in specific provisions or in practices applied in data processing. In addition, participants will receive a ready-made audit report template. Simply paste the findings from the audit checklist into the audit report template and the report is ready!

Frequently (at least once a year – practice makes perfect) and in relation to what they do on a day-to-day basis. Does an employee operate a helpline? You therefore do not need to explain to them in detail how a UODO inspection is conducted; it is better to explain that they should not disclose a customer's data over the phone and should ask the caller to confirm it. Has an incident occurred that was reported too late to the Data Protection Officer (DPO) because the employee did not realise in time that it had taken place? It is best to quickly send examples of breaches to all employees to raise awareness / serve as a reminder.

Absolutely not. Financial liability for breaches of data processing regulations rests with the controller or, as appropriate, the processor. The Data Protection Officer (DPO) is liable only for failure to fulfil their duties, clearly indicated in Article 39 of the GDPR. We will discuss these duties in detail during the training.

The Data Protection Officer (DPO) is appointed on the basis of their professional qualifications. The GDPR cites, as significant examples, expert knowledge of data protection practices and law. Additionally, understanding data flows within the organisation, knowledge of safeguards and cybersecurity, and familiarity with the organisation's business and legal context may be important. The course aims to develop these competencies.

No, the course is attended by people beginning their journey in data protection as well as those with greater experience. The instructors present the material in an accessible way, taking the group's level into account.

No, holding such a role entails making decisions about the purposes and means of processing. That situation gives rise to a conflict of interest.

As a rule – yes. This obligation and the manner of its fulfilment arise from Articles 13 and 14 of the GDPR. However, there are certain situations in which this obligation is excluded, i.e. this applies where and to the extent that the person already possesses that information (this means that, for example, if a new purpose of processing arises, we must inform the data subject of this new purpose, but there is no obligation to re-issue the entire privacy notice if it has already been provided previously – it is sufficient merely to refer to its content in the remaining, unchanged scope). Additionally – where data are obtained from a source other than the data subject, the obligation need not be fulfilled in the situations referred to in Article 14(5) of the GDPR, namely:

• •providing such information proves impossible or would require a disproportionate effort; in particular in the case of processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or where the obligation referred to in paragraph 1 of this Article could render impossible or seriously impair the achievement of the purposes of such processing. In such cases the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making the information publicly available;

• •the obtaining or disclosure is expressly laid down by Union law or the law of the Member State to which the controller is subject, and which provides appropriate safeguards for the legitimate interests of the data subject;

• •personal data must remain confidential in compliance with a legal obligation of professional secrecy under Union law or Member State law, including a statutory obligation of secrecy.

Each time, however, before potentially refraining from fulfilling the information duty, an analysis of the specific case should be carried out to determine whether it falls within any of the above situations. For accountability purposes the controller should document such analysis so as to be able, if necessary, to demonstrate and justify its position to the supervisory authority. One should approach refraining from fulfilling the information duty very cautiously, as a penalty was imposed on a controller on this basis (decision UODO ZSPR.421.3.2018).

Transfers of data to the USA have become much easier since the European Commission issued its so‑called adequacy decision regarding that country. This means that personal data can be transferred to all companies listed at https://www.dataprivacyframework.gov/list, however attention should be paid to whether we intend to transfer "HR-data" or "Non-HR-data", because in the case of some companies we may be able to transfer only "Non-HR-data" on that basis. If a given US company is not on the list at all, a transfer of data to such a company will most often require the conclusion of so‑called standard contractual clauses, i.e. an additional transfer agreement with a pre-determined wording.

No. Before transferring personal data to any external entity (note: merely granting access to data also constitutes a transfer) you should determine the role of that entity – whether it will be a separate, independent controller of personal data (it determines the purposes and means of processing itself), or whether it will perform certain processing activities on data only on our instructions, without being decisive in that respect. In practice, before each transfer of data you should establish which situation applies. If we transfer data to a separate controller, we must do so on one of the bases indicated in Articles 6 or 9 of the GDPR; if to a processor – we only need to conclude with it a processing agreement referred to in Article 28 of the GDPR. Note: there are other configurations as well – sometimes we are the processor for another company. The most important thing is to determine the roles before every new flow of data between two separate entities. Clarity in this respect solves many problems in critical situations, such as a personal data breach or a complaint by the data subject.

Yes, this requirement follows directly from Article 28(1) of the GDPR, according to which “where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” This means that concluding a processing agreement should always be preceded by such verification, for example by means of a security questionnaire in which the processor indicates what measures it applies / will apply to protect personal data. Such a questionnaire will allow the controller to assess whether it considers those measures sufficient or whether it deems it necessary for the processor to undertake additional actions to ensure appropriate protection of the data. The President of the Personal Data Protection Office also draws attention to this issue, for example in decision UODO 5131.31.2021, in which the controller was sanctioned, inter alia, for failing to verify the processor. Equally important – such verification should be repeated throughout the duration of the cooperation.

During the course this principle is discussed using the example of a mobile application, but it applies to all processing operations and processes that take place in the organisation.

Yes, the employer has the right to require a candidate to present employment certificates from previous employers for inspection. Pursuant to Art. 22(1) para. 1 of the Labour Code (KP), the employer requests from the candidate in particular personal data covering the course of previous employment, and para. 3 of that article provides that 'The employer may require documentation of the personal data of the persons referred to in § 1 and 3 to the extent necessary to confirm them.'

A risk analysis is a systematic process for assessing potential threats that may negatively affect the achievement of an organisation’s objectives. This concerns all aspects of activity – from financial to operational, technical and organisational. In the context of personal data protection, a risk analysis includes, among other things:

• •identification of personal data: determining what personal data is processed, where it is stored, and how it is used;

• •assessment of threats and vulnerabilities: establishing what threats may occur to personal data and what weaknesses may be exploited;

• •assessment of impact: determining the potential consequences for the data subjects if a data protection breach were to occur;

• •probability analysis: estimating the likelihood of each identified risk occurring;

• •determination of remedial measures: planning actions aimed at reducing the likelihood of a threat occurring and limiting damage in the event of a breach.

• •Understanding of technology: The Data Protection Officer (DPO) should have a general understanding of IT technologies and information systems used in the organisation, including knowledge of computer networks, databases, operating systems and cloud infrastructure.

• •Incident management skills: The Data Protection Officer (DPO) should be able to effectively manage data security incidents, including responding to data breaches, conducting investigations and taking remedial actions.

• •Awareness of threats and trends: The Data Protection Officer (DPO) should be aware of current threats to data security and trends in cybersecurity and data protection in order to be able to take appropriate preventive measures.

• •Auditing skills: The Data Protection Officer (DPO) should have the ability to carry out data security audits, including assessing compliance with legal and regulatory requirements and the effectiveness of the data protection measures applied.

No. According to Article 11a of the Personal Data Protection Act, an entity that has appointed a Data Protection Officer (DPO) may, but is not obliged to, appoint a person to act as a deputy during their absence. It should be remembered that every entity which has appointed a DPO is obliged to provide them with support in performing their tasks, including supplying the resources necessary for their work. Depending on the size and structure of the organisation, it may be useful to appoint not only a deputy for periods of absence but an entire Data Protection Officer team, which may include the person substituting for the DPO during their absence. Please also remember that if you decide to appoint a deputy you are obliged to notify the President of UODO of their appointment.

We recommend conducting training regularly, that is at least once a year, for all persons within the organisation who take part in the processing of personal data. It is also advisable to ensure the ability to demonstrate that an individual attended the training (e.g., by downloading the list of participants for an online training) and to provide an evaluation of the training (e.g., in the form of tests at the end of the course).

Carrying out a risk analysis in the context of the GDPR requires understanding the data processing activities in the organisation and identifying potential threats to their security. The process begins with mapping the assets used for processing personal data and the business processes in which they participate. Next, internal and external risks should be identified, their likelihood assessed and their potential impact evaluated. The organisation must determine whether a risk is sufficiently low to be accepted or whether remedial measures are required. In cases of high risk it is necessary to take actions to reduce it. A risk-handling plan should be developed, the required security measures implemented and the steps taken documented. Finally, it is important to monitor and update the risk analysis regularly to adapt to any new threats or changes in data processing activities.

Risk analysis should be conducted regularly; however, there is no specific schedule that prescribes how often risk analyses must be performed, as this will depend on the characteristics of the organisation, the types of data it processes and the sector in which it operates.

Good practice suggests that risk analyses should be carried out at least once a year or more frequently depending on the nature of the activities. It is also important to carry out a risk analysis when significant changes occur in the organisation, such as the introduction of new systems, changes to data processing procedures, the launch of new products or services that may affect personal data, or the occurrence of an incident related to data protection.

All of this should form part of a continuous risk management process within the organisation.

This is not precluded, although it may give rise to a conflict of interest which the data controller is obliged to prevent. Typically, the main duties of the IT systems administrator include administering the servers within which personal data are processed, implementing appropriate IT system safeguards and identifying threats. Consequently, a person responsible for the ongoing processing of personal data and for the security of those data in IT systems would simultaneously supervise the lawfulness of their own actions. Such a situation may lead to an actual lack of oversight over the compliance of data processing with legal provisions and to a clear conflict of interest. According to UODO, in such situations the assessment of whether the above-mentioned conflict of interest does not occur in the case of a particular person and the tasks they perform should always be made individually, taking into account the specific circumstances.

The GDPR says a lot about cybersecurity, because it aims to protect personal data and ensure that they are processed securely. A few key points regarding cybersecurity in the context of the GDPR are:

• •Appropriate technical and organisational measures: The GDPR requires that entities processing personal data implement appropriate technical and organisational measures to ensure the security of data.

• •Risk assessment: The data controller must carry out a risk assessment related to the processing of personal data, covering potential threats to data security and ways of minimising them.

• •Processing by external entities: The GDPR requires monitoring of entities processing personal data, such as cloud service providers, to ensure that they meet appropriate data security requirements.