07.02.2023

How to prepare for an audit by the President of the Office of Personal Data Protection in 2023?

Mariusz Purgał
Anna Dąbrowska - Lipka

The President of the Office of Personal Data Protection has approved the sector control plan for 2023. Who is on the list?

Controls will include:

entities that process personal data using mobile applications;
entities processing personal data using online (web) applications;
bodies processing personal data in the Schengen Information System and Visa Information System.

What aspects will the inspections concern?

In the case of the first two audited groups of entities, PUODO will take a closer look at the ways in which personal data processed in connection with the use of applications is secured and shared.

How to prepare for the inspection?

It’s best to start preparing for an audit by conducting a compliance audit, which will verify compliance with internal procedures and policies on personal data protection. This is also a good time to update them. Do not forget to review the records kept: RCP, RKCP, authorization register, etc. It is also a good idea to conduct refresher training for staff, especially if they have not been conducted regularly, and to introduce a schedule in this regard. An important point is to review, and preferably also test, the technical and organizational security measures in place, as well as risk analysis. Due to the principle of accountability, the activities performed should be documented, such as by preparing reports.

Audits, training, updating of existing documentation should take place regularly. It is worth taking care of this before a possible inspection, so as not to expose yourself to, among other things, the imposition of an administrative penalty. Decisions on imposed penalties are published by PUODO and anyone can familiarize themselves with their content. The motivation for taking action should be not only to avoid them, but also to maintain a good reputation. Data controllers should not entrust data to entities that do not guarantee the implementation of adequate safeguards.

Do inspections take place only on the basis of an approved plan?

The PUODO conducts control of compliance with data protection regulations not only in accordance with the approved control plan, but also on the basis of information it obtains, such as violations. The initiation of inspection proceedings may occur as a result of the recognition of a data subject’s complaint. In order to determine whether there has been a violation of the provisions of the RODO, the PUODO may order an inspection at the controller or processor.

What remedial powers does PUODO have?

The PUODO can issue warnings regarding the possibility of violating the provisions of the RODO through the planned processing operations, issue warnings, order compliance with the data subject’s request, order compliance of the processing operations with the provisions of the RODO, impose a restriction or even a ban on processing, and finally – apply an administrative fine.

 

Do you want to be up to date? Sign up for our newsletter

By subscribing to our newsletter, you consent to the sending of information by e-mail on important events in the field of law, legislative changes and the activities of the Law Firm.

read more

The administrator of your personal data is KWKR Konieczny Wierzbicki i Partnerzy S.K.A. with headquarters in Krakow, ul. Kącik 4, 30-549 Krakow. Your data will be processed for the purpose of sending our newsletter. You have the right to request access to your personal data, their copies, rectification, deletion or limitation of processing, as well as the right to object to the processing and to lodge a complaint with the supervisory authority. More details can be found in our Privacy Policy.

Contact

KWKR Konieczny Wierzbicki and Partners Law Firm
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Administratorem Twoich danych osobowych jest KWKR Konieczny Wierzbicki i Partnerzy S.K.A. z siedzibą w Krakowie, ul. Kącik 4, 30-549 Kraków.
Przetwarzamy Twoje dane wyłącznie w celu udzielenia odpowiedzi na wiadomość przesłaną przez formularz kontaktowy i dalszej komunikacji (co stanowi nasz prawnie uzasadniony interes) – przez czas nie dłuższy niż konieczny do udzielenia Ci odpowiedzi, a potem przez okres przedawnienia ewentualnych roszczeń. Masz prawo do żądania dostępu do swoich danych osobowych, ich kopii, sprostowania, usunięcia lub ograniczenia przetwarzania, a także prawo wniesienia sprzeciwu wobec przetwarzania oraz wniesienia skargi do organu nadzorczego. Więcej szczegółów znajdziesz w naszej Polityce Prywatności.
Warszawa

Rondo ONZ 1,

00-124 Warszawa

+48 12 3957161

kontakt@kwkr.pl

Chcesz być na bieżąco? Zapisz się do naszego newslettera

Zapisując się do naszego newslettera wyrażasz zgodę na przesyłanie drogą e-mail informacji na temat istotnych wydarzeń z dziedziny prawa, zmian legislacyjnych oraz działalności Kancelarii.

czytaj więcej

Administratorem Twoich danych osobowych jest KWKR Konieczny Wierzbicki i Partnerzy S.K.A. z siedzibą w Krakowie, ul. Kącik 4, 30-549 Kraków. Twoje dane będą przetwarzane w celu wysyłki naszego newslettera. Masz prawo do żądania dostępu do swoich danych osobowych, ich kopii, sprostowania, usunięcia lub ograniczenia przetwarzania, a także prawo wniesienia sprzeciwu wobec przetwarzania oraz wniesienia skargi do organu nadzorczego. Więcej szczegółów znajdziesz w naszej Polityce Prywatności.

 

Do you want to be up to date? Sign up for our newsletter

By subscribing to our newsletter, you consent to the sending of information by e-mail on important events in the field of law, legislative changes and the activities of the Law Firm.

read more

The administrator of your personal data is KWKR Konieczny Wierzbicki i Partnerzy S.K.A. with headquarters in Krakow, ul. Kącik 4, 30-549 Krakow. Your data will be processed for the purpose of sending our newsletter. You have the right to request access to your personal data, their copies, rectification, deletion or limitation of processing, as well as the right to object to the processing and to lodge a complaint with the supervisory authority. More details can be found in our Privacy Policy.