Map of practical GDPR aspects

Controller

  • the obligation to implement technical and organisational measures ensuring compliance with the GDPR and demonstrating that compliance,

  • GDPR: Art. 4 point 7, Art. 24,

  • GDPR preamble: recitals 29, 71, 74, 77 and 156.

Personal data breach notification

  • procedures for detecting, analysing and reporting personal data breaches,

  • procedures for informing data subjects about personal data breaches,

  • a personal data breach register template,

  • GDPR: Art. 33Art. 34,

  • GDPR preamble: recitals 8588.

Data protection officer

  • analysis of the obligation to appoint a data protection officer (DPO),

  • specification of the DPO's qualifications, competencies and tasks,

  • appropriate organisational positioning of the DPO (direct reporting to senior management),

  • involving the DPO in all data processing operations,

  • GDPR: Art. 37Art. 39,

  • GDPR preamble: recital 97.

  • PDPA: Art. 8Art. 11.

Data protection impact assessment (DPIA)

  • analysis of the obligation to carry out an impact assessment of planned processing operations forthe protection of personal data,

  • carrying out an impact assessment of planned processing operations for the protection of personal data, if required,

  • GDPR: Art. 35, Art. 36

  • GDPR preamble: recitals 84 and 8993.

  • PDPA: Art. 57.

Data protection by design and by default

  • establishing a transparency procedure regarding how personal data are processed and used ((enabling the data subject to monitor processing and enabling enabling the controller to create and improve safeguards) and minimising the processing ofpersonal data,

  • establishing procedures so that when developing and designing products, services and applications, the right to the protection of personal data is taken into account,

  • GDPR: Art. 25,

  • GDPR preamble: recitals 26, 28, 29, 71, 75, 78 and 156

Recipient

  • the entity to which personal data are disclosed,

  • identifying recipients or categories of recipients is necessary, inter alia, to fulfil theinformation obligation,

  • the obligation to notify recipients of rectification, erasure or restriction of processing ofpersonal data,

  • GDPR: Art. 4 para. 9, Art. 13, Art. 15, Art. 19.

  • GDPR preamble: recitals 39, 5860, 6264, 66 and 68.

Supervisory authority

Processor

  • analysis of the current personal data processing agreement template used witha processor,

  • a register of processors,

  • verification of whether existing processors can meet the obligations set outin the GDPR,

  • adapting the data processing agreement template to GDPR requirements,

  • GDPR: Art. 28,

  • GDPR preamble: recitals 29, 71, 8183 and 156.

Lawful bases for processing

  • new rules for obtaining consent to process special category personal data,

  • public authorities cannot rely on the legitimate interests pursued by the controller or by a third party,

  • GDPR: Art. 6 and 911,

  • GDPR preamble: recitals 4057.

Rights of the data subject

  • adapting IT systems so that, at the data subject's request, they can,inter alia, fully erase their personal data, transfer data to another provider or generate among other things, generate a file containing all of their personal data,

  • establishing a procedure for responding to data subject requests within one month, in accordance with the transparency principle,

  • GDPR: Art. 12Art. 22,

  • GDPR preamble: recitals 39, 5872, 166 and 167

  • PDPA: Art. 3Art. 5.

Profiling

  • analysis of personal data processing for automated processing of data, including profiling,

  • establishing the lawful basis for processing personal data solely by automated means, without human intervention,

  • drafting consent clauses for profiling that produces legal effects concerning the data subject,

  • GDPR: Art. 4 point 4, Art. 22.

  • GDPR preamble: recitals 24, 60, 63, 7073 75 and 91.

Transfers to third countries and international organisations

  • analysis of whether the controller transfers personal data outside the European Economic Area,

  • establishing the lawful basis for transfers to third countries,

  • adapting the process for transferring data to third countries to GDPR requirements,

  • GDPR: Art. 4449,

  • GDPR preamble: recitals 77, 81 and 101116.

  • PDPA: Art. 56.

Pseudonymisation

  • one of the technical and organisational measures for protecting personal data,

  • it makes it harder to identify the individual but still allows different data to be linked to thatsame individual,

  • a reversible process, unlike anonymisation,

  • GDPR: Art. 4 point 5, Art. 25, Art. 32,

  • GDPR preamble: recitals 26, 28, 29, 71, 75, 78, 85 and 156.

Records of processing activities

  • analysis of the obligation to maintain a record of processing activities,

  • review of processes involving the processing of personal data,

  • creating a record of processing activities template for the identified processing operations,

  • GDPR: Art. 30,

  • GDPR preamble: recital 82 and 89.

Third party processing data on behalf of the controller

  • a natural or legal person, public authority, agency or body other than the data subject, the controller, the processor or persons who — with the authorisation of the controller or processor — may process personal data;

  • the lawful basis for processing personal data may be the necessity for the purposes of legitimate interests pursued by the third party,

  • GDPR: Art. 4 point 10, Art. 6 para. 1,

  • GDPR preamble: recital 32, 3948.

Data security based on assessed risk

  • determining the starting point for implementing safeguards,

  • defining the processes carried out within the organisation,

  • identifying threats, vulnerabilities, likelihood, impact and existing safeguards,

  • developing a risk treatment plan,

  • GDPR: Art. 32,

  • GDPR preamble: recital 26, 28, 29, 75, 78, 83 and 156.

Information society services

  • consent to the processing of a child's personal data, where the child is below 16 years of age, is given by the holder of parental responsibility or thelegal guardian,

  • GDPR: Art. 8,

  • GDPR preamble: recital 38.

Binding corporate rules

  • personal data protection policies applied by a controller or processor, that have an establishment in the territory of a Member State,

  • GDPR: Art. 4 point 20, Art. 46 para. 2 lit. b, Art. 47, Art. 57 para. 1 lit. s.

  • GDPR preamble: 108 and 110.

  • PDPA: Art. 56.

Joint controllers

  • identifying companies forming the corporate group,

  • analysis of data flows between companies and identification of joint controllers,

  • entering into joint arrangements between companies that jointly control personal data,

  • GDPR: Art. 26,

  • GDPR preamble: recital 79 and 146.

Consent

  • one of the lawful bases for processing personal data,

  • consent should be given by a clear affirmative action; it should be a freely given, specific, informed and unambiguous indication of the data subject's wishes in relation to a specific matter, whose data are processed,

  • GDPR: Art. 4 point 11, Art. 7,

  • GDPR preamble: 32, 42, 43 and 65.

Receive a free package of 4 tutorials and 4 e-learning trainings
The controller of your data is ODO 24 sp. z o. o.