
GDPR, DATA PROTECTION AND PRIVACY IN THE FINTECH, LENDTECH AND E-COMMERCE INDUSTRIES
Personal data is the currency of the future, and protecting it is one of the biggest challenges facing companies in every industry. No business can operate efficiently and securely without acquiring significant amounts of personal data while, at the same time, ensuring an adequate level of data protection and privacy in line with the GDPR (RODO) in its collection, storage and use, both in day-to-day operations and in winning new business. Adequate procedures in this area build trust in the company and its image as a responsible business partner, and protect it from the negative consequences that the GDPR (RODO) attaches to privacy breaches or data leaks. Data protection is therefore an area that should be handled in a company by a specialised lawyer.
Our advice draws on national, European and international data protection and privacy regulations, including in particular:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, GDPR; RODO in Polish);
- guidelines and documents issued by the European Data Protection Board (EDPB; EROD in Polish);
- Act of 10 May 2018 on the protection of personal data;
- Act of 18 July 2002 on the provision of electronic services;
- Act of 16 April 1993 on combating unfair competition;
- Act of 16 February 2007 on the protection of competition and consumers;
- specific industry regulations, including:
  - Act of 16 July 2004 on Telecommunications Law;
  - Act of 29 August 1997 on the Banking Law;
  - Act of 1 March 2018 on the prevention of money laundering and financing of terrorism;
  - Act of 12 May 2011 on consumer credit;
  - Act of 19 August 2011 on payment services;
  - Act of 9 April 2010 on the disclosure of economic information and the exchange of economic data;
  - Act of 22 May 2003 on compulsory insurance, the Insurance Guarantee Fund and the Polish Motor Insurers’ Bureau;
  - regulations and guidelines of the Banking Supervision Commission.
Our law firm supports companies in the FinTech, LendTech and e-commerce industries, as well as the banking and finance sector, in preparing and implementing an effective and secure strategy for the broad collection, storage and processing of collected personal data.
We start by auditing the methods, procedures and level of personal data and privacy protection. On this basis, we prepare reports with practical guidance on drafting and implementing appropriate data protection and privacy rules and internal procedures. Where necessary, we represent and advise clients in the event of a personal data breach or leak, as well as during inspection proceedings conducted by the relevant authorities.
We answer questions and propose practical, ready-to-implement solutions, taking into account the business realities of clients’ operations. If you are wondering or in doubt:
- what is personal data?
- why is personal data important?
- what data can be collected?
- why do you need to protect personal data?
- how to protect personal data?
- which personal data is sensitive?
- how long can personal data be stored?
- when do we process personal data?
- whether and when personal data can be disclosed?
- whether and when personal data can or must be deleted?
- whether and when personal data must be disclosed?
- what is the processing of personal data on the basis of a legitimate interest pursued by the controller or by a third party?
- whether and how to organise the transfer of personal data to third countries?
contact our lawyers who specialise in data protection, RODO and privacy.
- GDPR audits and surveys, data protection audits, privacy audits (privacy by design and privacy by default).
- Data processing impact assessment for clients’ business operations.
- Data Protection Impact Assessment (DPIA).
- Review and modification of information clauses and consents to comply with the provisions of the GDPR.
- Ongoing consultation on the GDPR, privacy and data protection.
- Privacy compliance – compliance analysis of solutions and products using personal data.
- Drafting and developing policies, registers, procedures and documentation relating to the RODO, privacy and personal data protection, including documents such as an information security policy, personal data processing entrustment agreement, acceptable use policy for IT devices and systems, BYOD policy, data processing registers, rules and procedures for handling personal data protection breaches, rules for handling personal data leaks, and a cookie policy.
- Development of procedures for the selection of contractors with access to data (processors) and their periodic verification.
- Defining the principles of granting authorisations to process personal data and supervising the process of granting and withdrawing authorisations.
- Defining the principles and legal basis for the acquisition and processing of personal data.
- Developing template responses to clients on issues related to the processing of personal data, consistent with the purposes and categories of personal data processed.
- Developing and maintaining a register of data processing activities and a register of processing categories.
- Developing document templates tailored to the client’s specific business – data processing information and consent templates for personal data processing for marketing purposes.
- Aligning business procedures with requirements in line with the RODO and so-called sector-specific regulations, in particular regulations specific to payment institutions, lending institutions, institutions operating in the insurance sector.
- Assessing data protection breaches – verifying whether the regulator and data subjects must be notified, and identifying potential remedies.
- Preparation and filing of notifications to regulators and data subject notifications.
- Advising and representing in investigations, control proceedings before public authorities and before the courts on matters relating to the processing of personal data, privacy, as well as breaches of personal data protection and breaches of privacy, complaints and requests from data subjects or questions from regulators.
- Representation and conduct of proceedings before the President of the Personal Data Protection Authority (PUODO).
- Management of risks and incidents of breaches of personal data procedures, identification of appropriate remedies and collection of adequate documentation related to the notification.
- Internal investigations of irregularities in the collection, storage and processing of personal data.
- Advising on the processing of personal data in the cloud, covering the nature of the processing, access to data and transfers of data to third countries, and support in negotiating contracts with service providers.
- Conducting dedicated trainings, seminars and workshops for board members, managers and employees on the collection, storage and processing of personal data, RODO and privacy protection, during which our experts suggest how to meet the requirements arising from Polish, European and international data protection regulations.
- Performing the function of Data Protection Officer (IOD, formerly the information security administrator, ABI) in financial-sector companies (payment institutions, lending institutions, consumer credit intermediaries, insurance agents), and supporting the IOD appointed at the client in carrying out their tasks.
- Proactive response to regulatory changes – ensuring ongoing compliance with the RODO to avoid penalties and liability for irregularities in the company.
We advise leading companies in the FinTech, LendTech and e-commerce sectors, as well as entities in the financial sector, IT and startups. We support individuals serving as board members, directors, those responsible for information security, Chief Information Officers (CIO) and Compliance Officers.
We monitor the legislation and evolving practice of data protection in Poland, the European Union and non-EU countries. We encourage you to read our blog, where we share our practical experience gained during the implementation of projects on data protection, GDPR and privacy protection.
We carry out audits to assess the degree of compliance of a client’s activities with the provisions of the GDPR, in particular in the field of privacy by design and privacy by default, as well as other requirements arising from the GDPR.
We adjust our clients’ activities to the requirements of the GDPR and the so-called sectoral regulations, in particular regulations applicable to payment institutions, loan institutions, institutions operating in the insurance sector. As part of implementation activities, we provide support in ensuring compliance with the provisions of the GDPR, in particular:
- We develop procedures for the selection of contractors having access to data (processors) and their periodic verification;
- We define the rules for granting authorization to process personal data and supervise the authorization process;
- We define the principles and legal grounds for obtaining and processing personal data;
- We develop template responses for clients regarding issues related to the processing of personal data, consistent with the purposes and categories of personal data processed;
- We develop provisions for the personal data processing agreements and adequate security measures for personal data required from our clients’ business partners;
- We prepare and update the data processing activities register and the processing categories register;
- We develop data security policies;
- We develop procedures for reporting personal data breaches;
- We develop data protection impact assessment (DPIA) procedures;
- We carry out impact assessments for the protection of personal data;
- We develop and implement a program to check the adequacy of implementation activities;
- We develop privacy and cookie policies;
- We represent clients in proceedings before the Personal Data Protection Office in matters of complaints and control proceedings.
We advise in the event of an incident of a personal data security breach, we determine appropriate remedies, we take care of collecting adequate documentation related to reporting a data breach and we prepare the content of the notification to the Personal Data Protection Office.
We organize and conduct dedicated trainings in the field of personal data protection and information security.
We act as a data protection officer in enterprises of the financial sector (payment institutions, loan institutions, consumer credit brokers, insurance agents).
