I. Collection of information from the management of the company and its employees about the categories of personal data being processed and the categories of employees who process it. Inspection of processing procedures, incl. input-output data flow.

  1. Working meetings with representatives of the company.
  2. Collection of information by e-mail and telephone conversations with accounting and personnel.

II. Analyze the information received, organize it and prepare an opinion that includes the following minimum content:

  1. Individual categories of personal data and volume of information processed, incl. the number of persons whose data is being processed, as well as an assessment of the processing grounds in accordance with the processing objectives.
  2. Individualized data processing procedures, incl. data processing activities and individualization of those most commonly used by the company, falling within the legal definition of "processing of personal data" according to LPPD and GDPR.
  3. Individualizing registers of personal data processing activities.
  4. Individualization of the categories of sources of personal data as well as of the categories of persons to whom the data may be disclosed. Suggestions for optimization and synchronization with the current regulatory framework.
  5. Individualized categories of employees processing personal data and proposals for increasing their expertise.
  6. Individualized flows of personal data, incl. the transfer of personal data to third parties, as well as a proposal for a legitimate reason for the transfer.
  7. Individualization of cases in which a particular company processes data in different capacities, namely: as an administrator or as a personal data processor, within the meaning of GDPR. Optimization proposals in line with applicable legislation.
  8. Assessment of the impact of the processing of personal data on each individual register.
  9. Analysis of the conditions of storage of the data in the registers, as well as of the procedures for destruction.
  10. Analysis of the need to designate a Data Protection Officer.
  11. Individualization of the main risks of data processing, incl. transmission, storage and destruction.

III. Proposal for introduction of specific organizational and technical protection measures, in accordance with the defined level of impact and systematic information under item II, as follows:

  1. Proposals for measures for physical, personal and documentary protection.
  2. Proposals for measures for the protection of technical and/or information systems and/or networks and, if necessary, cryptographic protection, prepared with the assistance of the information technology specialist who maintains the information system of the particular company.

IV. Preparation of documents necessary for the lawful processing of personal data, as well as any other legal services and assistance in this regard, namely:

  1. Development of policies for the protection of personal data in the settlement of relationships with data subjects within the individual processes of the organization (e.g. customer relationships – legal entities and/or individuals; relationships with users (data processing employees); relations with employees under employment contracts; relations with subcontractors; relations with administrators who outsource the processing of personal data to the company).
  2. Preparation of Instruction / Internal Rules for the processing and protection of personal data, in accordance with the applicable national and European legislation, incl. preparation of registers of processing activities under Art. 30 of GDPR.
  3. Preparation of application forms and rules for fulfillment of the obligations of the company under LPPD and GDPR for exercising the rights of the data subject, e.g. request for deletion, correction, blocking, objection, etc.
  4. Preparation of sample texts to be published on the website of the company, as well as in the general conditions, in fulfillment of the obligations under Art. 13 and Art. 14 of GDPR.
  5. Preparation of supplements to the job descriptions and employment contracts of data processors.
  6. Valid GDPR informed consent – preparation of documents and consultation on appropriate ways of obtaining and proving valid consent for processing personal data.
  7. Preparation of models of protocols for annual checks of the processes for processing of personal data in fulfillment of the obligations imposed by the LPPD on the company as an administrator.
  8. Preparation of blank texts for inclusion in bond contracts (without reviewing the contracts separately).
  9. Review of specific contracts referred to by the company and preparation of additional texts to them or separate agreements concerning the protection of personal data.
  10. Consulting and assistance as needed to tailor a specific business model to GDPR requirements.
  11. Preparation of sample protocols and other documents to be used by the company for the destruction of personal data.
  12. Preparation of other relevant documents and rules, as well as conducting / preparing any other consultations and opinions regarding the processing of personal data in your organization.