How should the GDPR be implemented in a medical facility with a main headquarters in one location and a branch in another — as two separate sites with separate documentation, or as one unit?
ANSWER
If the medical facility has one data controller (one and the same entity), both places of business (i.e. the main headquarters and the branch) are treated as falling under one controller. One set of personal data protection documentation should therefore be prepared. Policies should reflect that activity is conducted in two locations (main headquarters and branch) — including, among other things, a register of processing locations/areas — and should also cover all persons authorised on behalf of the controller to process personal data in both locations.
Policies and implemented security measures should also cover the infrastructure of both places of business. Nevertheless, the documentation as a whole should be a single set for the given controller. It should also be remembered that employee training should cover staff from both the main headquarters and the branch wherever the training topic applies to them.