One of Servizza’s overriding objectives is to provide all its Contractors with full security regarding the protection of personal data and any confidential/classified information. We have therefore decided to compile all relevant information in this regard on this page, so that anyone interested has a complete picture and free access to all relevant details.

For Servizza, the provisions of GDPR did not have a significant impact on changing the nature of activities and the way of securing all data and related procedures, because the company from the beginning of its existence has placed particular emphasis on ensuring a high level of security. The vast majority of procedures and solutions were already applied earlier. 

Regardless,

In addition, an obligation of continuous verification of procedures and continuous improvement has been included. A few minor changes were also made to the formal documentation: the Privacy Policy and the Regulations have been adjusted. They now contain provisions indicating even more precisely for what purposes data are collected, as well as the details of their processing. The content of the Data Entrustment Agreement (DPA), which every ADO (Servizza's Client) should conclude with a processor such as Servizza, has also been made available.

  • Servizza status
  • Documentation
  • Implementation of obligations
  • Guidelines for ADOs – Servizza clients

Servizza has two roles under the GDPR regulations:

  • Personal Data Administrator (ADO) – in the scope of data administration related to the current operating activity.
  • Processor – in the scope of data entrusted by Contractors for the purpose of delivering the services offered, e.g. hosting.
  1. ADO documentation. All information on this subject, which is not related to the internal operational activities of the company (e.g. HR), i.e. which is important for the Contractors, is described in detail in the following documents: Privacy Policy and Regulations.
  2. Processor documentation for entrusted data. According to GDPR, each ADO (that is also you – our Contractor) must conclude a Data Assignment Agreement (DPA) with the data processor (for example, with Servizza). This is an important document, in which all important issues concerning data security are regulated. A template of the DPA can be downloaded from this page (available after logging in). The contract can be concluded in two ways:
    • in writing – print out the template, fill in your details and send it to our address; after signing we will send it back to the address registered in our system;
    • in electronic form – log in to the Customer Panel (zone), where you will find the relevant procedure under the name 'RODO/GDPR'.

The Processor (i.e. in this case Servizza), is obliged to ensure the highest possible level of data security. The processing of personal data at Servizza is based on the law, in particular on Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and other specific legislation. In accordance with the applicable legislation, relating to the protection of personal data, Servizza applies appropriate physical and organizational safeguards, protection measures within software tools and hardware measures of the IT and telecommunications infrastructure. As part of the activities and procedures carried out, Servizza ensures:

  1. The technical solutions used shall ensure the confidentiality, integrity, availability and resilience of the processing systems and services.
  2. In the event of incidents (so-called random events), the system allows personal data, and access to them, to be restored quickly.
  3. All confidential information, including personal data, is transmitted in an encrypted manner using appropriate certificates and cryptographic methods.
  4. The effectiveness of the technical and organisational measures to ensure security of processing shall be tested, measured and evaluated on a regular or ongoing (automated) basis.
  5. Additional security is available, related to choosing and changing the password to the Client Area (Panel).
  6. Each Contractor is guaranteed the right to "be forgotten", unless the obligation to process the data arises from other regulations, e.g. tax regulations (in accordance with the RODO guidelines). Identical procedures ensure the possibility of exercising the right to rectification or restriction of processing, the right to data portability, the right to object, and finally the right not to be subject to profiling.
  7. Each Contractor is entitled to make a request in order to obtain information on whether their personal data are processed. If so, the Contractor may request access to information about, among other things:
    • the purpose of the processing of personal data,
    • the categories of data processed,
    • Servizza’s partners who process data,
    • the source of the personal data.
  8. The registration forms provided include a consent mechanism, and the consents meet the following conditions:
    • accessible, unambiguous and concrete,
    • expressed knowingly and voluntarily,
    • specifying the nature of the action,
    • written in a clear and simple manner,
    • limited to necessary data only.
  9. All Servizza employees have been trained and have signed a statement of personal and professional confidentiality.
  10. All Servizza employees who have access to personal data in the performance of their duties have written, named authorisations and have been made aware of data protection legislation.
  11. Media containing personal data shall be stored in places where they cannot be accessed by unauthorised persons.
  12. Procedures for making back-up copies and access to these copies have been developed and implemented. Only authorized persons have access to the backups.
  13. Physical security of the buildings where data is processed and access to the premises are controlled by monitoring systems using CCTV cameras, protected by anti-burglary alarm systems and access control systems. Access to the rooms is supervised by a security service during the absence of the employees working there, and in the case of server rooms by an armed security service. The rooms are protected against the effects of fire. The server room is fully protected, with at least redundant (duplicated) systems, against power cuts, against the effects of possible natural disasters and against unauthorised interference by third parties. Only trained administrators have access to the equipment and databases.
  14. Only authorised users have access to ICT systems. The granting of rights and the methods of user authentication used comply with the requirements of the Regulation. Devices protecting the IT system against the effects of power supply failure are in place. Cryptographic protection is applied to data transmitted over telecommunications links. In order to protect data against malicious software, premium versions of anti-virus and anti-spam software are used, as well as hardware and software firewall systems. Data are processed on appropriate disk arrays, which protect against disk failure. Only Enterprise version components are used.
  15. Servizza only works with trusted partners. Their business and social credibility is verified, as well as whether they operate in compliance with GDPR regulations.

Dear Contractor, you, as the Administrator of Personal Data (ADO), are responsible for the data processed in the course of your business.

Additional information can also be found in the publications:

We provide our customers, free of charge, with a fairly detailed 'Step by Step' manual, RODO/GDPR – The ABC for SMEs, and templates for most of the required documents. The documentation has been developed by a team with many years of competence in all relevant areas (IT, legal, business). We are confident that it will help the majority of SMEs meet their GDPR obligations. At the same time, we would like to point out that each case is different and there is no such thing as a universal solution. The information and templates provided should be treated only as a guideline and starting material.

The implementation of GDPR does not have to cost a fortune and does not have to involve some special, expensive solutions ensuring technical security. The GDPR mandates that the situation and activities of each entity be looked at individually. Security solutions must be selected in accordance with the scale of activity and the risk involved in that activity. Certainly the GDPR cannot be disregarded and completely ignored. However, the new rules can be implemented with as little effort as possible.

Documentation is available (after login) on the website: https://servizza.com/download/ -> 'Legal and Formal Documents' -> 'RODO/GDPR'. Above all, make sure you have taken care of the following issues:

  1. Ask yourself:
    • How do you receive personal information?
    • Who is responsible for this data?
    • What is the physical location of the data?
    • Who (including what software, systems) has access to this information and is this data disclosed to anyone else (e.g.: accounting)?
  2. Consider whether it is possible to meet the new requirements on your own, or whether you need to enlist the help of outside experts, and if on your own:
    • Carefully evaluate your data sets, and try to predict how they might evolve.
    • Create your own catalog of threats and how to monitor and respond to them.
    • Check what security measures you currently have in place for access to data, IT systems in use.
    • Verify the extent to which your contractors have access to the data.
    • Identify the tasks you need to complete (e.g., information on forms).
    • Develop procedures for dealing with requests for data portability, exercising the right to be forgotten.
    • Make an assessment of whether IT systems need to be replaced or modified, including protection against cyber-attacks.
    • Plan a scenario to continuously monitor and update any systems and applications that may have access (including not directly) to data or other systems.
    • Find out if your organisation needs to appoint a Data Protection Officer. This includes entities that process sensitive or large-scale data.
    • Sketch out the new security strategy, compare the various points with the mechanisms currently in use, and develop a scenario for adapting to the new regulations.
    • Prepare templates of new documents and contracts for your customers. Provide information obligations regarding the purpose of data processing, data verification methods, data processing period, etc.
    • Make sure your solutions allow for encryption of personal information.
    • Ensure a high level of password security.
    • Remember that people are usually the weakest link in the security chain. Ensure that your employees are trained and knowledgeable about personal data processing.

Finally, a general remark concerning your contractors. Data controllers more and more often decide to entrust the processing of personal data to other entities which perform part of the data operations on their behalf, thus handing the data processing over to a service provider offering this kind of service. In such situations, it is important not to lose control over the personal data when signing the entrustment agreement, i.e. not to allow the entrusted data to be used for purposes other than those defined by the controller itself. Therefore, when entrusting data to a processing entity (processor), remember to use only processors with relevant expertise, credibility and resources, in particular with regard to guarantees that technical and organizational measures corresponding to the requirements of the General Data Protection Regulation (GDPR/RODO), including the security requirements of the processing, have been implemented; entities such as Servizza.

The outsourcing of data should be governed by a contract or other legal instrument which determines the subject matter and duration of the processing, the nature and purposes of the processing, the type of personal data and the categories of data subjects. This contract or other legal instrument should also take into account the specific tasks and obligations of the processor in the context of the intended processing, and the risk of a breach of the rights or freedoms of the data subject. Compared to the current regulations, an extremely important change is that the processor has very similar obligations as the controller. First of all, the processor must also implement technical and organisational measures appropriate to the risks of processing – so that the processing complies with the requirements of the Regulation.

We therefore encourage you to review the entrustment agreements you have entered into and ensure that the entity to which you have entrusted the data will meet all the requirements set out in the Regulation, and that the agreement itself contains all the necessary elements. And finally, we remind you once again that we provide further guidance and templates free of charge to Servizza Contractors. For example, you will find there a list of conditions that should be met by consent to the processing of personal data under GDPR. The guide itself answers the following questions:

  1. What is GDPR?
  2. When will the GDPR apply?
  3. Will there be a Polish law on personal data protection?
  4. Should we wait for Polish data protection laws to implement GDPR?
  5. Will there be a GIODO equivalent in the new legislation?
  6. Who is subject to GDPR? Who should implement GDPR?
  7. Which activities are subject to the GDPR?
  8. What is personal information?
  9. Who can process personal data?

COLLECTION OF PERSONAL DATA.

  1. When can personal data be processed?
  2. How much personal data can be collected under the GDPR?
  3. How to collect consent for processing personal data?
  4. What information to provide when collecting consent to process personal data?
  5. When is it not necessary to collect consent for data processing?
  6. Processing of special categories of personal data.
  7. What is profiling?
  8. Can consent to data processing be revoked?
  9. How long can I keep personal information?

ORGANISATION OF DATA PROCESSING.

  1. How should personal information be secured?
  2. What will happen to existing data protection documentation?
  3. Obligation to register data processing activities.
  4. What is the obligation to take data protection into account at the design stage?
  5. What is the default data protection?
  6. When should a Data Protection Officer be appointed?
  7. What is a data protection impact assessment and when should it be conducted?
  8. What is prior consultation with the supervisory authority?
  9. What is the data breach notification obligation?
  10. How to conclude a data processing outsourcing agreement?

THE RIGHT TO BE FORGOTTEN AND THE RIGHT TO DATA PORTABILITY.

  1. The right to be forgotten.
  2. Right to data portability.

STAGES OF RODO/GDPR IMPLEMENTATION PROCESS IN AN ORGANIZATION.

  1. Identification of personal data processing processes.
  2. Verification of basic data processing parameters.
  3. Implementing a risk-based approach.
  4. Conduct a data protection impact assessment procedure.
  5. Entrustment of data processing.
  6. New rights for data subjects.
  7. Security incidents.

USEFUL RESOURCES AND LITERATURE

Documentation is available (after login) on the website: https://servizza.com/download/ -> 'Legal and Formal Documents' -> 'RODO' ('RODO' = 'GDPR').
