Personal Data Protection (GDPR)

Adequate protection of personal data is a major challenge for entrepreneurs. The provisions of the EU General Data Protection Regulation (GDPR) and the new Polish Act on Personal Data Protection of 10 May 2018 gave rise to new obligations and triggered numerous questions among employers and data subjects.

While preparing for the GDPR's entry into force, we carried out tens of audits and personal data system deployments at clients operating in the IT, automotive, medical, waste management, energy, steel and food sectors, as well as at smaller clients seeking adequate security of the processed data.

The day-to-day practice of the GDPR team includes, without limitation, personal data audits comprising:

  • identification of the processed personal data,
  • verification of the processing procedures, which includes checking the legality (legal basis) of data processing,
  • review of personal data protection documentation in terms of its validity and compliance,
  • review of the security procedures in place,
  • verification of contracts under which personal data are made accessible to third parties,
  • evaluation of the need to appoint a data protection officer.

Andersen Tax & Legal professionals advise on adequate data protection measures, including:

  • preparation and update of the internal documentation for personal data processing, including data security policies and IT system management instructions,
  • presentation of solutions for secure and legal transfer of personal data abroad (also to third countries which do not provide an adequate level of data protection), and for implementation of the Binding Corporate Rules and Standard Contractual Clauses,
  • negotiation, preparation and evaluation of contracts and contractual clauses related to personal data processing,
  • preparation of privacy policies for website service users, as well as notifications, information, draft consents and data processing statements,
  • advice on personal data breaches (data “leaks” and breach notifications to the supervisory authority) and data protection during internal procedures (e.g. FCPA, competition law audits),
  • representation of clients during inspection and audit procedures as well as during court and administrative proceedings,
  • training of personnel responsible for personal data protection in companies,
  • services of the Data Protection Officer (DPO).