Personal data protection policies and procedures
FORMAL ANSWER
Personal data protection policies and procedures are internal documents of an organisation, adopted by an act of its governing body and binding on employees and collaborators, i.e. persons authorised to process personal data. These documents set standards of conduct for meeting individual GDPR requirements. Under Article 24(2) GDPR, implementing appropriate data protection policies is the controller’s obligation where proportionate to the processing activities.
PRACTICAL ANSWER
Policies and procedures for personal data protection are documents that help employees find answers to data protection questions: how to process personal data, how to secure them, whom to report an incident to and what steps to take after it is detected, and how to carry out required analyses. Internal policies and procedures should above all be useful — enabling the most effective GDPR implementation possible. The required list of personal data documentation is published on the Polish DPA website.
MORE
- You can find more information in the article: Applying the GDPR — tips and document templates


