On the 25th of May 2018 Regulation (EU) 2016/679 entered into force. From March 2018 until now, we have been able to help more than thirty clients with the implementation of Regulation (EU) 2016/679 (GDPR). The clients who have hired us for the service “Implementing the GDPR” include accounting houses; pharmaceutical companies; a company engaged in the international transport of goods; career media; a graphic design agency; a manufacturer of cosmetic products; four companies that distribute sports goods, both in physical stores and through online stores; a company which owns an online store for the sale of household goods; an insurance broker; a confectionery manufacturer; a company that owns an online store selling coffee and coffee machines; a company providing investment advisory services; a company engaged in the building and repair of buildings; a provider of services in the hospitality and tourism sector; a software development company; a company providing services in the design, construction, maintenance and commissioning of internal electrical installations; a company providing services in the field of construction and repair of roads and streets; a company that distributes heat pump, solar and air conditioning systems; a restaurant company; a company involved in the distribution of building materials; several online stores and more.
All clients were provided with comprehensive information about the scope and nature of the service and were given the opportunity to ask questions. We have also performed a so-called “Gap Analysis”; for that, we provided our clients with a questionnaire to complete so that we could:
- determine what personal data the Controller processes, as well as the various processing operations;
- determine what documentation regarding the processing of personal data had been prepared at the time the “Gap Analysis” was performed, in order to assess what documentation should be prepared to achieve compliance with Regulation (EU) 2016/679 (GDPR) from a legal standpoint.
Our complete set of documents for compliance with Regulation (EU) 2016/679 (GDPR) includes the following:
- A detailed Privacy policy;
- Instruction for the minimum level of technical and organizational measures and the allowed type of personal data protection;
- Internal Privacy policy;
- Notification of Privacy;
- Internal procedures for fulfilling the obligations of the data controller and the rights of the individuals;
- Agreement between a controller and a processor of personal data;
- Permission for including another processor of personal data;
- Notification to other processors of erasure;
- Consent for the processing of personal data;
- Request for termination of the processing of personal data;
- Request to terminate the processing of personal data for the purpose of direct marketing;
- Statement of consent by an employee for non-disclosure of personal data;
- Record of staff training for reaction to events threatening personal data;
- Training protocol for the personnel;
- Procedures for inspection and control of the processing of personal data;
- Checklist from an inspection in the departments of the controller;
- Checklist from an inspection of personal data processors;
- List of employees familiar with the Instruction on the mechanism of personal data processing and their protection in the maintained registers;
- Declaration of consent to the processing of personal data;
- Request for erasure of personal data;
- Request for rectification of inaccurate personal data;
- Request for restriction of processing;
- Request for confirmation for processing of personal data;
- Request to provide the names of recipients to whom personal data has been disclosed;
- Request for transfer of personal data;
- Confirmation for processing of personal data;
- Register of personal data breaches;
- Consent to processing after a restriction of processing;
- Notification to the Supervisory Authority for a security breach;
- Notification to personal data recipients for the erasure of personal data;
- Notification to personal data recipients for a rectification;
- Notification to personal data recipients for a restriction of processing;
- Notification to the subject for a security breach;
- Notification to the individual for disclosure of personal data to another recipient;
- Notification for non-processing of personal data;
- Notification for non-action;
- Notification for restriction of processing;
- Notification for an extension of a period;
- Notification by the processor to the controller for a security breach;
- Notification about the processing of personal data for another purpose;
- Notification about recipients of personal data;
- Consent from a parent;
- Notification for a withdrawal of consent to the processing of personal data;
- Protocol for the destruction of personal data;
- Declaration of consent by an employee for video surveillance;
- Objection to the processing of personal data based on automated decision making;
- The job description of a Data Protection Officer;
- Order for appointing of a Data Protection Officer;
- Agreement between a controller and a Data Protection Officer;
- Impact assessment.
Of course, not every client has received all these documents. The documents which we have drafted for each client are specifically tailored to the business of the company, as each company’s business has its own specific features.
In addition, we have advised each client on the need to appoint a Data Protection Officer. Finally, each of our clients was provided with the following useful materials, which we prepared to help Controllers carry out their duties:
- A manual containing practical steps to implement the General Data Protection Regulation.
- A manual containing a detailed description of the duties of the data controllers.
- A manual containing a detailed description of the rights of the data subjects and the terms and conditions for exercising the rights of data subjects under the Regulation.
- Rules for working with clients and personal data.
- Terms for storing documents.
- How to prepare your website for the GDPR?
In this way we have helped all the clients who hired us to implement the GDPR in a legally sound manner so as to meet the requirements of the Regulation, and we were thus able to provide the best possible and most complete service, completing all of our projects within the agreed period. In September and October we organized two training sessions to which we invited the clients who had received the “Implementing the GDPR” service, where they were able to ask their questions concerning personal data protection.