Audit (checking for compliance), implementation of personal data protection documentation and staff training are the basic services our company provides to business and public entities. As part of the process aimed at achieving compliance with RODO/GDPR, we adjust the scope of cooperation to the scale of operations and the needs of our clients. While providing audit and implementation services, we operate in accordance with the ISO/IEC 27001 standard.

Audit (compliance verification)
The purpose of the service is to check the compliance of personal data processing with regulations and, in case of ordering a comprehensive service (audit, implementation, training), to obtain information necessary for verification, preparation or updating of personal data protection documentation and training of personnel.
Scope of service:
- analysis of the categories of personal data and the channels of their acquisition (cards, forms, applications, contracts, websites, etc.),
- determination of the legal basis, nature, scope, context, purposes and means of data processing (traditional data filing systems, applications, tools, programs or processing systems),
- identification of personal data exchanged with other entities and definition of the role of these entities (data recipients, processors),
- gaining information on applied technical and organisational measures to secure data (analysis of existing personal data protection documentation: policies, procedures; analysis of applied physical safeguards),
- analysis of the website (www),
- analysis of data retention and deletion principles (processing period, deletion methods),
- analysis of ways of reacting to incidents (notifying violations, corrective plan after an incident),
- analysis of entrustment (compliance with legal provisions of contracts or other documents used in the relationship with processors),
- analysis of areas and ways of fulfilling information obligations and clauses (websites, documents, applications, forms, contracts, etc.),
- analysis of the ways in which data subjects’ rights are exercised.
The service ends with a discussion of the audit report and, in the case of ordering a comprehensive service (audit, implementation, training), of the draft personal data protection documentation prepared.
At the Customer’s request, the audit may be extended to include:
- analysis of assumptions and architecture of IT solutions,
- examination and assessment of the security level of internal components of the IT system and inventorying the problems affecting the security of personal data processing,
- identification of sensitive assets, such as systems, data and processes,
- identification of security gaps and vulnerable areas together with identification and classification of associated potential risks,
- examination of areas affecting the maintenance of key personal data security attributes, i.e. availability, accountability, integrity and confidentiality,
- examination of network mechanisms (structure, services, physical and logical security, network testing),
- external and internal penetration tests, audit of applications that process personal data,
- internal network testing, website security testing, Wi-Fi security testing,
- analysis of network availability and the possibility of access to the network from outside,
- analysis of backup and archiving systems and securing the recovery of IT systems after a failure.
Implementation of documentation
The purpose of the service is to prepare or update comprehensive personal data protection documentation and other documents adjusting the legal status to the requirements imposed by the GDPR and related sector regulations.
The documentation implementation service includes the preparation or update (verification) of, for example:
- security policy, personal data protection policy or adequate procedures,
- policy of managing IT systems used for data processing or adequate procedures,
- incident response procedure or adequate procedures,
- procedures for communication with data subjects, or adequate procedures,
- risk analysis and data protection impact assessment procedure, or adequate procedure,
- website privacy policy,
- website cookies policy,
- procedure communicating basic duties, responsibilities and data protection rules for employees and associates,
- information clauses,
- records of processing activities,
- data processing agreements,
- personal data processing authorisations and declarations of acquaintance with the implemented procedures,
- other necessary documents related to personal data protection in each sector.
The service ends with clarifying the principles of implementation and further maintenance of personal data protection documentation by the data controller or data protection officer (DPO), in case of its appointment.
In case AllSafe takes over the DPO service, detailed arrangements are made for the DPO’s further cooperation with the organisation.
General or post-implementation training
The goal of the training is to familiarise the personnel with personal data protection regulations and the implemented personal data protection procedures. The programme of the training is most often built on the results of the audit and the information gathered during the implementation part of the service, so that it covers, as well as possible, personal data protection and the problems resulting from the functioning of a given branch and the specificity of a given organisation.
The training programme most often addresses the following issues:
- general information on the GDPR and personal data processing,
- principles of secure personal data processing,
- duties of the controller and the personnel,
- personal data protection violations,
- securing personal data at the workplace and outside the area of data processing,
- most frequent failures in securing personal data at the workstation and in the IT system,
- rights of the data subjects,
- supervisory authority as a personal data protection monitoring body – inspections carried out by the supervisory authority,
- employee, civil, administrative, and criminal liability in terms of personal data protection.
The service can be carried out independently or as a part of a comprehensive service (audit, implementation, training).
Data Protection Officer
The purpose of the service is to take over the duties of the Data Protection Officer (DPO). The tasks of the DPO shall include the performance of the duties referred to in Article 39 of the GDPR, i.e.:
- informing and advising the controller and staff who process personal data of their obligations under the GDPR and other EU or member state data protection legislation,
- monitoring compliance with the GDPR, other EU or member state legislation on data protection and the policies of the controller or processor in the field of personal data protection,
- awareness raising activities,
- training of personnel involved in processing operations,
- audits,
- providing on request recommendations for a data protection impact assessment and monitoring its implementation in accordance with Article 35 of the DPA,
- cooperation with the supervisory authority,
- acting as a contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36 of the GDPR, and, where appropriate, carrying out consultations on all other matters.
In addition to the tasks of the DPO set out in the GDPR, the service also includes:
- acting as a point of contact for clients, contractors, partners on matters related to data processing,
- providing opinions on / preparing personal data protection documentation or documents for the implementation of the GDPR, i.e., policies, regulations, instructions, studies, guides and other documentation solutions,
- providing opinions on / preparing draft contracts for entrustment of processing,
- awareness-raising activities,
- training of personnel involved in processing operations,
- drafting of clauses,
- preparation of information obligations,
- preparation of legal opinions on personal data protection,
- other ongoing legal advice on personal data protection and related documents, opinions, explanations, instructions.
Data protection consultant
The service includes care and legal support in the field of personal data, in particular:
- acting as a contact point for clients, contractors, partners on issues related to data processing,
- providing opinions on / preparing personal data protection documentation or documents for the implementation of the GDPR, i.e., policies, regulations, instructions, studies, guidelines and other documentation solutions,
- providing opinions on / drafting processing outsourcing agreements,
- drafting information obligations and clauses,
- preparing legal opinions on personal data protection,
- other ongoing legal advice on personal data protection and related documents, opinions, explanations, instructions.
Contact us
Take the first step to achieving GDPR compliance.
Call, come to the office or send a message!