Practical course for DPO (32h)

We will comprehensively prepare you for the role of Data Protection Officer (DPO)

The practical DPO course is designed to provide you with thorough knowledge and practical solutions that will enable you to effectively perform the function of Data Protection Officer. We have designed the schedule so that each day focuses your attention on a different topic.


What knowledge will you gain during the course?

  • How can you build a step-by-step system to protect your personal data?
  • How can you fulfill your responsibilities effectively and faithfully?
  • How can the GDPR be implemented and applied so that data protection legislation contributes to the growth of your organisation?
  • How can I carry out a data protection audit?
  • What privacy policies should your organization follow?
  • How do I secure the computer system?
  • How can we estimate the risk and assess the impact of data protection?

New features for 2025:

  • What is the AI Act and when does it apply?
  • What's the relationship between the GDPR and the AI Act?
  • How do we ensure the quality and security of AI systems?
  • What are the penalties for violating the AI Act?
  • How can AI be implemented in practice to protect data? Case studies from different industries.
  • How can data be passed on safely to colleagues and third-party companies?
  • How, through workshops and exercises, can we practice conformity assessment and risk analysis in realistic scenarios?

What is the detailed training schedule for the DPO course?

Day 1

GDPR Fundamentals

Goal

The first day of the course provides a dynamic introduction to the world of personal data protection.

During this day, you will learn to "see" personal data in your organisation, understand the principles of processing, discover how to organise effective protection, and which procedures to implement in order to demonstrate GDPR compliance.

Module 1
09:00 - 11:00
I. GDPR compliance – what does it mean?
II. Key definitions explained, including:
  • personal data
  • processing
  • profiling
  • pseudonymisation
  • controller
  • processor
  • recipient
  • third party
III. Data processing principles and how to implement them:
  • lawfulness, fairness and transparency
  • purpose limitation
  • data minimisation
  • accuracy
  • storage limitation
  • integrity and confidentiality
  • accountability
Module 2
11:10 - 13:00
I. Status of the Data Protection Officer:
  • mandatory designation of a Data Protection Officer (DPO)
  • position of the DPO
  • tasks of the DPO
  • conflict of interests – what tasks the DPO should not perform
  • DPO liability
II. Rights of data subjects and how to fulfil them:
  • right to obtain information (information obligation)
  • right of access to data
  • right to rectification
  • right to erasure ("right to be forgotten")
  • right to restriction of processing
  • right to data portability
  • right to object
Module 3
13:30 - 15:30
I. Obligations of the data controller:
  • data protection by design and by default
  • status and obligations of joint controllers
  • processing data under the authority of the controller or processor
  • records of processing activities
  • security of processing
  • notification of personal data breaches to the supervisory authority, including discussion of the UODO notification form
  • communication of personal data breaches to data subjects
  • Data Protection Impact Assessment (DPIA)
Module 4
15:45 - 17:15
I. Obligations of the processor
II. Transfer of data to third countries and international organisations
III. President of the Personal Data Protection Office (UODO)
  • status of the President of the UODO
  • obligations of the President of the UODO
  • inspection and proceedings in cases of personal data breaches
  • corrective powers of the President of the UODO
  • certification and accreditation
  • administrative fines, including criteria for determining the amount of fines
IV. Consultations
Day 2

DPO in Practice

Day 3

DPIA and Risk Analysis

Day 4

IT Compliance

Opinion of the participants

Tomasz G., Google review, 2 years ago, 5 out of 5 stars

I wanted to thank you for the wonderful training I've had at your company, the materials were very well prepared, and the instructor has shown tremendous knowledge and experience.

Aleksandra P., Google review, 2 years ago, 5 out of 5 stars

Training at a very high level, I highly recommend!!! Training materials very useful in everyday work.

Sławomir M., Google review, 2 years ago, 5 out of 5 stars

Mrs. Mecenas, it was an honor to be able to take part in this training, and thank you very much for your professional approach and valuable practical guidance.

Wacław T., Google review, 3 years ago, 5 out of 5 stars

The DPO course organized by ODO24 has met all my expectations, a very practical approach, concrete examples and professional support.

Maria K., Google review, 1 year ago, 5 out of 5 stars

The training was conducted in a way that was understandable even to those without previous experience in this field.

Piotr N., Google review, 10 months ago, 5 out of 5 stars

Very good training, a lot of practical examples, a little bit too little time to ask questions, but overall I'm satisfied.

Anna W., Google review, 8 months ago, 5 out of 5 stars

A professional approach, a great atmosphere during the training, the instructor answered all the questions thoroughly, and I highly recommend ODO24!

Jan K., Google review, 1 year ago, 5 out of 5 stars

It's the best personal data protection training I've ever had, specific examples from real life, not just a dry theory, I recommend it to anyone who works with GDPR.

Katarzyna J., Google review, 6 months ago, 5 out of 5 stars

The training meets my expectations. A lot of practical knowledge, good materials. The only drawback is too large a group, so less time for individual consultations.

Michał L., Google review, 4 months ago, 5 out of 5 stars

Excellent training! A very competent instructor with vast experience. Everything explained in a clear and understandable way. The training materials are very useful.

Joanna D., Google review, 3 months ago, 5 out of 5 stars

I recommend ODO24 training to anyone seeking a sound knowledge of the field of personal data protection: professional service, excellent organisation and excellent teaching facilities.

Andrzej S., Google review, 2 months ago, 5 out of 5 stars

Sometimes the pace was a little too fast, but the instructor was happy to return to the topics discussed earlier at the request of the participants.

Our greatest value is the trust of our customers.

Join the group of DPO practitioners

In 10 years, we have trained more than 6,500 graduates in Poland. Our courses are attended by both leaders and professionals. Read their feedback and find out why ODO 24 training is right for you.

What do you get as part of a certified course?


To get the best price, take advantage of our discounts:

If you choose the material in the electronic version, you'll save $200.

If you are going to take advantage of this promotion, we will offer a discount of £200.

If you participated in our previous training, you will receive 25 posts.

Each subsequent participant from the same organization will receive a 10% discount.

Meet the coaches and instructors of ODO 24

Trainers of the accredited DPO course are practitioners with many years of experience who work on projects for the largest brands on a daily basis. They share their knowledge in the knowledge base, which is a comprehensive collection of articles, guides, and tools from the world of GDPR.

  • Tomasz Ochocki, Vice President
  • Katarzyna Szczypińska, Data protection expert
  • Arkadiusz Sadkowski, IT Security Specialist
  • Przemysław Stasiak, IT Security Specialist
  • Radosław Radwan, Data Protection Specialist
  • Marta Bogusz, Data Protection Specialist
  • Magdalena Szymczak-Jas, Data Protection Specialist
  • Karolina Kukielska, Data Protection Specialist

Practical DPO Course

Complete preparation for the function of Data Protection Officer (DPO)

What our customers say about our services

Marcin Wieczorek

Wojas

"I am very impressed with the high level of substantive expertise of the training staff"

From 13 to 17 March I attended the "Course for Information Security Administrators" organized by ODO 24 sp. z o.o. I am very impressed with the high substantive level of the training staff and the comprehensive program. Working as an ABI requires knowledge not only of legal provisions but also of IT matters, which ODO 24 took into account. Noteworthy is the curriculum, which gradually introduces increasingly advanced nuances of personal data protection, starting from the legal basics and ending with practical aspects of auditing and working with documents within a company. The complete set of materials, editable documents and publications I received will facilitate my daily work as an ABI. I can certainly recommend ODO 24 as a reliable partner offering training services of a high standard.

Scope of Services:

Magdalena Węglewska

Mazda

"We can wholeheartedly recommend ODO 24 as a professional and reliable partner"

For many years we have consistently placed great importance on the protection of the personal data of our customers as well as our employees. We took an active part in creating the "Code of Good Practice for the Protection of Personal Data of Customers and Potential Customers,” developed jointly by GIODO and the Polish Automotive Industry Association. Due to the complexity and variability of the rules on personal data protection, as well as Mazda’s dynamic development in Poland and the increasing volume of data we process, we decided to entrust the ABI function to a company specialized in this field. The decision to use the services of ODO 24 was primarily influenced by the experience and competence of the team of experts, the comprehensiveness of the offering and its flexibility in adapting to our organization. After a year of cooperation we can recommend ODO 24 as a professional and reliable partner.

Agnieszka Karłowicz

Spiżarnia

"A practical approach, continuous advisory availability, and positive working relationships"

We have been working with ODO24 for over a year. For us it has been a year of peaceful breathing and a sense of security: at least regarding personal data protection :-) The people at ODO are professionals who explain matters that are incomprehensible to the average person in an understandable way. They understand not only their profession but, which is very important to us, business and its requirements. A practical approach, constant advisory availability, and great relationships — all of this means I can recommend this Company to anyone who wants to work and sleep peacefully.

Tomasz Siwicki

Gefco

"I recommend the company ODO 24 as a professional partner"

For several years we have been cooperating with ODO 24 in the field of personal data protection. A professional team that efficiently helped us to comply with the requirements of the GDPR. We make use not only of the experts’ knowledge but also of professionally prepared e‑training, thanks to which we were able to train several hundred employees in a very short time. I highly recommend ODO 24 as a professional partner delivering services at the highest level.


Practical DPO Course - questions and answers

What materials will I receive before the training, and which will I receive afterwards?

We want our participants to be able to familiarise themselves with the materials before the training, therefore before it takes place we provide the training presentations and the complete GDPR documentation corresponding to the purchased course.

After the training we want to be a support for our participants, therefore we provide access to legal advice, the ODO Nawigator application, and in the case of the trainings "DPIA and risk analysis" and "Practical DPO course" – 90-day access to the Dr RODO application and, additionally: a complete set of guides, a certificate confirming participation in the training and recommended articles that will help take further steps in personal data protection.

Will I receive a certificate after the training?

Yes, after completion of the training each participant receives a personalised certificate confirming their participation in the training.

Can questions be asked during the training?

Yes, it is even recommended. 😊 When conducting our training, we do not want it to be an ex cathedra lecture. We favour a workshop-based approach to prepare our trainees as best as possible for the challenges posed by personal data protection.

How large are the participant groups?

Due to the workshop format of our courses we endeavour to keep groups to no more than 12 participants.

We are a public institution — can we be exempt from VAT?

If the training is financed at least 70% by public funds, this provides a basis for exemption from VAT. In such a case, in the registration form in the third step (Invoice) we ask you to select the option: "I declare that the training is financed at least 70% by public funds. Consequently, I request exemption from VAT".

What is the payment deadline for the training?

In accordance with the regulations of our training courses, the selected service must be paid for no later than two days before the training.

We are a public institution; can we pay after the training?

Yes, in such a case please provide this information in the fourth step of our form, in the "Additional remarks" field.

As an online training participant, do I need to download any application?

This is not necessary. We conduct online training via the Microsoft Teams application, which also allows us to send a link that can be opened in a web browser.

As an online training participant, do I need to have access to a camera and microphone?

This is not necessary; however, to facilitate asking questions and exchanging experiences, we recommend using a headset with a microphone.

Can the service recipient also be included on the invoice?

Yes, in such a case please provide this information in the fourth step of our form, in the "Additional remarks" field.

When will I receive confirmation of the training date?

In most cases we confirm the training course one week before the scheduled start date. We want to ensure that participants in our training courses have the opportunity to familiarise themselves with the materials in advance.

When will I receive the complimentary books?

As soon as the training has concluded, the books will be sent by courier to the address provided in the registration.

I want to use KFS funding for a training course; do you assist with this?

We are aware that certain documents can sometimes present difficulties, so we will gladly help with completing them. In such cases, please contact our training coordinator.

Who should be contacted, and how, regarding organisational matters?

Our training coordinator is available at the e-mail address: [email protected].

We also invite you to contact us by telephone at: 22 740 99 99 or +48 690 004 852

Does the company I work for have to appoint a Data Protection Officer (DPO)?

A Data Protection Officer (DPO) must be appointed, among others, by an organisation whose core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale, or whose core activities consist of large-scale processing of special categories of personal data or of personal data relating to criminal convictions and offences. What is meant by “regular and systematic monitoring”, what constitutes “large scale”, what is meant by “core activities”, and even what “personal data relating to criminal convictions and offences” are, will be explained during the training.

What do I need to check when conducting an audit, and what should I ask about?

Training participants will receive an audit checklist in which all aspects to be examined by the auditor during the audit will be itemised. The audit checklist will be discussed step by step; practical exercises are also planned in searching for non-compliances in specific provisions or in practices applied in data processing. In addition, participants will receive a ready-made audit report template. Simply paste the findings from the audit checklist into the audit report template and the report is ready!

How to train employees effectively?

Frequently (at least once a year – practice makes perfect) and in relation to what they do on a day-to-day basis. Does an employee operate a helpline? You therefore do not need to explain to them in detail how a UODO inspection is conducted; it is better to explain that they should not disclose a customer's data over the phone and should ask the caller to confirm it. Has an incident occurred that was reported too late to the Data Protection Officer (DPO) because the employee did not realise in time that it had taken place? It is best to quickly send examples of breaches to all employees to raise awareness / serve as a reminder.

As a Data Protection Officer (DPO), am I financially liable for the improper practices of the company I work for?

Absolutely not. Financial liability for breaches of data processing regulations rests with the controller or, as appropriate, the processor. The Data Protection Officer (DPO) is liable only for failure to fulfil their duties, clearly indicated in Article 39 of the GDPR. We will discuss these duties in detail during the training.

What criteria must the Data Protection Officer (DPO) meet?

The Data Protection Officer (DPO) is appointed on the basis of their professional qualifications. The GDPR cites, as significant examples, expert knowledge of data protection practices and law. Additionally, understanding data flows within the organisation, knowledge of safeguards and cybersecurity, and familiarity with the organisation's business and legal context may be important. The course aims to develop these competencies.

Do I need to have any prior experience in data protection to participate in the course?

No, the course is attended by people beginning their journey in data protection as well as those with greater experience. The instructors present the material in an accessible way, taking the group's level into account.

I am a member of the management board. Can I be the DPO?

No, holding such a role entails making decisions about the purposes and means of processing. That situation gives rise to a conflict of interest.

Do I always have to fulfil the information obligation towards the individuals whose data I collect?

As a rule – yes. This obligation and the manner of its fulfilment arise from Articles 13 and 14 of the GDPR. However, there are certain situations in which this obligation is excluded: it does not apply where and to the extent that the person already possesses that information. This means that, for example, if a new purpose of processing arises, we must inform the data subject of this new purpose, but there is no obligation to re-issue the entire privacy notice if it has already been provided previously – it is sufficient merely to refer to its content in the remaining, unchanged scope. Additionally, where data are obtained from a source other than the data subject, the obligation need not be fulfilled in the situations referred to in Article 14(5) of the GDPR, namely:

  • providing such information proves impossible or would require a disproportionate effort; in particular in the case of processing for archiving purposes in the public interest, for scientific or historical research purposes, or for statistical purposes, subject to the conditions and safeguards referred to in Article 89(1), or where the obligation referred to in paragraph 1 of this Article could render impossible or seriously impair the achievement of the purposes of such processing. In such cases the controller shall take appropriate measures to protect the rights and freedoms and legitimate interests of the data subject, including making the information publicly available;

  • the obtaining or disclosure is expressly laid down by Union law or the law of the Member State to which the controller is subject, and which provides appropriate safeguards for the legitimate interests of the data subject;

  • personal data must remain confidential in compliance with a legal obligation of professional secrecy under Union law or Member State law, including a statutory obligation of secrecy.

Each time, however, before potentially refraining from fulfilling the information duty, an analysis of the specific case should be carried out to determine whether it falls within any of the above situations. For accountability purposes the controller should document such analysis so as to be able, if necessary, to demonstrate and justify its position to the supervisory authority. One should approach refraining from fulfilling the information duty very cautiously, as a penalty was imposed on a controller on this basis (decision UODO ZSPR.421.3.2018).

What about transfers of data to the USA — are they fully legal?

Transfers of data to the USA have become much easier since the European Commission issued its so‑called adequacy decision regarding that country. This means that personal data can be transferred to all companies listed at https://www.dataprivacyframework.gov/list, however attention should be paid to whether we intend to transfer "HR-data" or "Non-HR-data", because in the case of some companies we may be able to transfer only "Non-HR-data" on that basis. If a given US company is not on the list at all, a transfer of data to such a company will most often require the conclusion of so‑called standard contractual clauses, i.e. an additional transfer agreement with a pre-determined wording.

Do you have to conclude a processing agreement with every company to which you transfer personal data?

No. Before transferring personal data to any external entity (note: merely granting access to data also constitutes a transfer) you should determine the role of that entity – whether it will be a separate, independent controller of personal data (it determines the purposes and means of processing itself), or whether it will perform certain processing activities on data only on our instructions, without being decisive in that respect. In practice, before each transfer of data you should establish which situation applies. If we transfer data to a separate controller, we must do so on one of the bases indicated in Articles 6 or 9 of the GDPR; if to a processor – we only need to conclude with it a processing agreement referred to in Article 28 of the GDPR. Note: there are other configurations as well – sometimes we are the processor for another company. The most important thing is to determine the roles before every new flow of data between two separate entities. Clarity in this respect solves many problems in critical situations, such as a personal data breach or a complaint by the data subject.

Do I always have to verify the processor to whom I entrust data?

Yes, this requirement follows directly from Article 28(1) of the GDPR, according to which “where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.” This means that concluding a processing agreement should always be preceded by such verification, for example by means of a security questionnaire in which the processor indicates what measures it applies / will apply to protect personal data. Such a questionnaire will allow the controller to assess whether it considers those measures sufficient or whether it deems it necessary for the processor to undertake additional actions to ensure appropriate protection of the data. The President of the Personal Data Protection Office also draws attention to this issue, for example in decision UODO 5131.31.2021, in which the controller was sanctioned, inter alia, for failing to verify the processor. Equally important – such verification should be repeated throughout the duration of the cooperation.

Does the principle of privacy by design apply only to computer programs?

During the course this principle is discussed using the example of a mobile application, but it applies to all processing operations and processes that take place in the organisation.

Can we require a candidate to present employment certificates from previous employers for inspection?

Yes, the employer has the right to require a candidate to present employment certificates from previous employers for inspection. Pursuant to Art. 22(1) para. 1 of the Labour Code (KP), the employer requests from the candidate in particular personal data covering the course of previous employment, and para. 3 of that article provides that 'The employer may require documentation of the personal data of the persons referred to in § 1 and 3 to the extent necessary to confirm them.'

What is a risk analysis?

A risk analysis is a systematic process for assessing potential threats that may negatively affect the achievement of an organisation’s objectives. This concerns all aspects of activity – from financial to operational, technical and organisational. In the context of personal data protection, a risk analysis includes, among other things:

  • identification of personal data: determining what personal data is processed, where it is stored, and how it is used;

  • assessment of threats and vulnerabilities: establishing what threats may occur to personal data and what weaknesses may be exploited;

  • assessment of impact: determining the potential consequences for the data subjects if a data protection breach were to occur;

  • probability analysis: estimating the likelihood of each identified risk occurring;

  • determination of remedial measures: planning actions aimed at reducing the likelihood of a threat occurring and limiting damage in the event of a breach.

What technical skills should the Data Protection Officer (DPO) have?

  • Understanding of technology: The Data Protection Officer (DPO) should have a general understanding of IT technologies and information systems used in the organisation, including knowledge of computer networks, databases, operating systems and cloud infrastructure.

  • Incident management skills: The Data Protection Officer (DPO) should be able to effectively manage data security incidents, including responding to data breaches, conducting investigations and taking remedial actions.

  • Awareness of threats and trends: The Data Protection Officer (DPO) should be aware of current threats to data security and trends in cybersecurity and data protection in order to be able to take appropriate preventive measures.

  • Auditing skills: The Data Protection Officer (DPO) should have the ability to carry out data security audits, including assessing compliance with legal and regulatory requirements and the effectiveness of the data protection measures applied.

Does the Data Protection Officer (DPO) need to have a deputy?

No. According to Article 11a of the Personal Data Protection Act, an entity that has appointed a Data Protection Officer (DPO) may, but is not obliged to, appoint a person to act as a deputy during their absence. It should be remembered that every entity which has appointed a DPO is obliged to provide them with support in performing their tasks, including supplying the resources necessary for their work. Depending on the size and structure of the organisation, it may be useful to appoint not only a deputy for periods of absence but an entire Data Protection Officer team, which may include the person substituting for the DPO during their absence. Please also remember that if you decide to appoint a deputy you are obliged to notify the President of UODO of their appointment.

How often should personnel be trained in personal data protection?

We recommend conducting training regularly, that is at least once a year, for all persons within the organisation who take part in the processing of personal data. It is also advisable to ensure the ability to demonstrate that an individual attended the training (e.g., by downloading the list of participants for an online training) and to provide an evaluation of the training (e.g., in the form of tests at the end of the course).

How to perform a risk analysis under the GDPR?

Carrying out a risk analysis in the context of the GDPR requires understanding the data processing activities in the organisation and identifying potential threats to their security. The process begins with mapping the assets used for processing personal data and the business processes in which they participate. Next, internal and external risks should be identified, their likelihood assessed and their potential impact evaluated. The organisation must determine whether a risk is sufficiently low to be accepted or whether remedial measures are required. In cases of high risk it is necessary to take actions to reduce it. A risk-handling plan should be developed, the required security measures implemented and the steps taken documented. Finally, it is important to monitor and update the risk analysis regularly to adapt to any new threats or changes in data processing activities.

How often should I conduct a risk analysis in accordance with the GDPR?

Risk analysis should be conducted regularly; however, there is no specific schedule that prescribes how often risk analyses must be performed, as this will depend on the characteristics of the organisation, the types of data it processes and the sector in which it operates.

Good practice suggests that risk analyses should be carried out at least once a year or more frequently depending on the nature of the activities. It is also important to carry out a risk analysis when significant changes occur in the organisation, such as the introduction of new systems, changes to data processing procedures, the launch of new products or services that may affect personal data, or the occurrence of an incident related to data protection.

All of this should form part of a continuous risk management process within the organisation.

I hold the position of IT systems administrator in the company. Can I simultaneously assume the role of DPO?

This is not precluded, although it may give rise to a conflict of interest which the data controller is obliged to prevent. Typically, the main duties of the IT systems administrator include administering the servers within which personal data are processed, implementing appropriate IT system safeguards and identifying threats. Consequently, a person responsible for the ongoing processing of personal data and for the security of those data in IT systems would simultaneously supervise the lawfulness of their own actions. Such a situation may lead to an actual lack of oversight over the compliance of data processing with legal provisions and to a clear conflict of interest. According to UODO, in such situations the assessment of whether this conflict of interest occurs for a particular person and the tasks they perform should always be made individually, taking into account the specific circumstances.

What cybersecurity requirements does the GDPR impose on entities processing personal data?

The GDPR says a lot about cybersecurity, because it aims to protect personal data and ensure that they are processed securely. A few key points regarding cybersecurity in the context of the GDPR are:

  • Appropriate technical and organisational measures: The GDPR requires that entities processing personal data implement appropriate technical and organisational measures to ensure the security of data.

  • Risk assessment: The data controller must carry out a risk assessment related to the processing of personal data, covering potential threats to data security and ways of minimising them.

  • Processing by external entities: The GDPR requires monitoring of entities processing personal data, such as cloud service providers, to ensure that they meet appropriate data security requirements.

Have a question?

My name is Dominik, and I coordinate ODO 24 training.
I'd be happy to answer any questions you might have.

Dominik Kantorowicz - Coordinator of training