Data Protection Officer service
As a company that has operated in the Polish and foreign markets for many years, we have never before observed such an intensity of change in both the internal and external environment of our customers in the area of personal data protection. This concerns not only changes in Polish legislation, but also judgments of the Court of Justice of the European Union (CJEU) and decisions and guidelines of the Office for the Protection of Personal Data (UODO) and the European Data Protection Board (EROD). More and more organizations are also affected by increasing digitization, the development of cloud technologies and the increasingly bold use of biometrics in everyday life. All of this means that ongoing compliance with legal requirements in the area of data protection requires continuous hard work. This work is specific in that it requires interdisciplinary knowledge of both law and information security, as well as of the new technologies mentioned above. Building such competencies within an organization is often impossible, or simply unviable in terms of process and cost. Fortunately, Blue Energy’s consultants are eager to take on this challenge and help keep your organization compliant with the requirements of RODO by serving as your IOD.
Professional team and performance standards
The Blue Energy team consists of both legal counsels responsible for formal and legal areas, and auditors with many years of experience in information security management. Thanks to this, we are able to provide a reliable assessment of the fulfillment of legal requirements and the actual security of personal data.
The guarantee of high-quality service is the performance of works with the use of international standards, including:
- ISO 19011 in the area of management systems audit,
- ISO / IEC 27001 in the area of information security system management,
- ISO / IEC 29134 in the area of impact assessment for data processing,
- ISO 22301 in the area of the systemic approach to business continuity management,
and by the certificates held by our consultants.
As part of the outsourced IOD service, Blue Energy’s consultant performs not only the tasks indicated in Article 39 of the RODO, but also additional ones based on our experience and best practices in the area of information security.
The scope of tasks performed by the DPO:
As part of the service, the Data Protection Officer monitors the organization’s internal and external context on an ongoing basis and ensures that compliance with legal requirements in the area of data protection is continuously maintained. In addition, the DPO informs the Administrator and its employees of required changes to the data protection system maintained in the organization.
The intricacy of regulations related to the protection of personal data, and the fact that this data appears in almost every area of the Organization’s activities, generates many doubts. As part of the proposed service, the IOD responds to employees’ questions and concerns on an ongoing basis and helps resolve problems related to the processing of personal data.
As part of the service provided, Blue Energy consultants perform a security audit at least once a year to verify how well the Organization meets the applicable legal requirements in the area of personal data protection, the internal policies implemented in the Organization, and the approved codes of conduct and industry requirements.
As part of the service provided, the DPO is responsible for overseeing the data protection impact assessment process, appointing individuals to carry out the risk analysis, training and awareness building in this area, and aggregating and analyzing the results obtained.
The DPO is responsible for analyzing and reporting any data protection violations. The role of the DPO is to collect reports, manage the incident properly, and ensure internal and external communication, including with data subjects and the supervisory authority.
During the adaptation of the organization to the requirements of RODO, as part of incident handling and as a result of internal audits, improvement measures are formulated that should be implemented. The Data Protection Officer supports you in selecting improvement solutions tailored to your organization’s needs.
It is the responsibility of the Data Protection Officer to continuously and effectively build employee awareness in the area of information security. As part of its service, the IOD provides classroom training or e-learning training. The DPO is responsible for preparing training materials and informational brochures for employees beginning employment, for whom initial training is conducted.
All persons whose personal data is processed by the organization have the right, among other things, to obtain a copy of their data, to withdraw consent to its processing, and to be forgotten, i.e. to have their data deleted (RODO Articles 15-21). Exercising these rights is a major problem for organizations because of the need for substantive verification of requests, unambiguous confirmation of the identity of applicants, and tracing data within the organization. If needed, the DPO provides support in implementing the above processes. The DPO serves as the point of contact between the Organization and the President of the Office of Personal Data Protection.
As part of the service, the IOD supports the review of agreements and provisions in contracts entered into, ensuring the application of appropriate legal constructions in the area of personal data protection.
The Data Protection Authority may conduct inspections to verify compliance with the Act. An audit may also be conducted by parties who provide us with personal data under a processing entrustment agreement. The DPO actively participates in such inspections and in implementing follow-up actions.
Related blog articles
Directive (EU) 2019/1937 of the European Parliament and of the Council of 23 October 2019 on the protection of persons who report breaches of Union law has been in force since 17 December 2021. To this day, however (25.07.2022), no act on the protection of persons reporting breaches of law, specifying the requirements of the Directive, has appeared in the Polish legal order.
On 11 January, another notice appeared of an administrative fine of PLN 45,000. Once again, this fine was related to the controller’s failure to apply appropriate technical and organizational measures to ensure the ability to continuously guarantee the confidentiality of processing services, and also to the lack of regular testing, measuring and evaluating of the effectiveness of those measures.
On 28 February this year, a notice of an administrative fine appeared on the UODO website. It was imposed on the company Fortum Marketing and Sales Polska. The President of UODO imposed an administrative fine of PLN 4,911,732.