Compliance with the GDPR is not just about the external aspect – privacy policies or data transfer agreements. Some entities, especially those acting as processors, unfortunately, forget this, which sometimes leads to unpleasant surprises.

Why? It is a standard nowadays, especially among multinational corporations, that before engaging with an entity that will have access to personal data, a survey of the applied standards and safeguards is conducted.

What are such surveys usually concerned with:
▶ Has each employee or associate been granted the authorisation to process personal data?
▶ Have the persons allowed to process agreed to keep personal data confidential?
▶ Is data transferred outside the EEA, and if so, what mechanisms have been used to legalise such transfer?
▶ Has a risk analysis and, if required, a data protection impact assessment been conducted?
▶ Is a record of breaches maintained and has there been a need to notify the President of the Polish Personal Data Protection Office of any security breach?
▶ Has the Data Protection Officer been appointed, and if not, has the question of the necessity of such appointment been investigated?
▶ What safeguards are in place to ensure the security and integrity of the personal data being processed?

Of course, you can point out that everything has been implemented, even if it is not true. But what if a contractor exercises its right under Article 28(3)(h) of the GDPR and wants to conduct an audit or inspection?