GDPR Security Documentation

Our services also include developing a full set of security documentation tailored to each client, containing all the information required under Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and under Act No. 18/2018 Z. z. on Personal Data Protection and on Amendments to Certain Acts. Complete, high-quality documentation requires:

1) An analysis of the current state of personal data protection and identification of all processing operations on personal data, which is the basis for setting up processes that ensure compliance with GDPR. A thorough analysis lets us:

  • map the flow of personal data,
  • identify the categories of personal data you handle (normal or sensitive personal data),
  • define all operations performed upon personal data,
  • define third parties to whom personal data is provided, whether by contract or under a legal obligation,
  • determine whether you have adequate personal data protection in place in terms of security of personnel, buildings/facilities, and IT.

2) Preparation of all documents necessary to ensure compliance with GDPR, defining the processes for handling personal data and the processes that ensure its security. The documentation shall include the following:

  • Risk Analysis containing a quantification of potential threats and their impacts on the protection of personal data,
  • Security Policy describing the basic security measures necessary to maintain the integrity of personal data,
  • Guidelines for people who work with personal data, containing a description of the procedures for handling personal data in different situations (providing information to data subjects, or in the event of a security incident),
  • Information obligation, customised so that you can inform all data subjects which personal data concerning them you process, to whom you provide the data, and what rights data subjects have,
  • Processing contracts used to ensure the protection of personal data when data is provided to a processor for processing. These model contracts are prepared individually for each processor, based on the type of service the processor renders to the controller,
  • All necessary forms customised to the purpose and nature of the processing (consents, authorisations, records, etc.).

GDPR Data Protection Officer

With our own professional team, we provide an all-inclusive data protection officer service, performed by a person fully qualified for the role under the conditions laid down in Article 37 of GDPR. Under the Regulation, controllers and processors that meet the conditions of Article 37 are required to designate a data protection officer. Controllers who do not meet those conditions may still decide to designate one voluntarily.

The data protection officer helps controllers continuously monitor whether the procedures for handling personal data in their organisation are compliant. This service includes the performance of all legal obligations imposed on the data protection officer by GDPR and Act No. 18/2018 Z. z. on Personal Data Protection. We have extended the DPO service to include inspection activities and regular supervision of personal data protection. Put simply, the data protection officer ensures regular monitoring of the compliance of personal data processing.

This service includes a process set up to achieve our client's compliance with GDPR and Act No. 18/2018 Z. z. on Personal Data Protection. Thanks to the steps below, the processes and matters of personal data protection in your company will be handled in a simpler and easier way:

1) An analysis of the state of personal data protection and identification of all operations concerning personal data.

Such an analysis of the state of personal data protection with respect to GDPR is essential in order for processes to be set correctly. Based on a thorough analysis we will be able to:

  • map the flow of personal data and define all operations performed upon personal data,
  • define third parties to whom personal data is provided (under a contract or under a legal obligation),
  • identify the categories of personal data you handle (normal personal data or sensitive personal data),
  • determine whether you have adequate personal data protection in place in terms of security of personnel, buildings/facilities, and IT.

2) Developing a full set of all necessary documents to ensure compliance with GDPR.

After the initial analysis, it is necessary to prepare all documents and forms defining all flows of personal data and processes designed to ensure the protection of personal data. The documentation shall include the following:

  • Risk Analysis that contains a quantification of all possible threats and their impacts on personal data processing.
  • Security Policy that describes the basic security measures necessary to maintain the integrity of personal data.
  • Guidelines for people who work with personal data, containing a description of the procedures for handling personal data and for acting in different situations, such as providing information to data subjects or responding to a security incident.
  • Processing contracts for processors, used to ensure the protection of personal data when data is provided to a processor for processing. These model contracts are prepared separately for each processor, based on the type of service the processor renders to the controller.
  • Information obligation, so that you can inform all data subjects which personal data concerning them you process, to whom you provide the data, and what rights data subjects have.
  • All necessary forms – consents, authorisations, records, etc. These documents are tailored to each client depending on the purpose and nature of the processing.

3) Implementing GDPR, which we consider one of the most important activities in the provision of our services. We will help you put the analysis and all the documents into practice. Setting up the protection of personal data is not just writing the steps down on paper; it mainly means configuring the personal data protection system by adopting specific security measures in the areas of:

  • Building security – we can help you design a solution that improves the protection of personal data specifically for the categories of data you process (payroll, accounting, medical records, video surveillance systems, registries, etc.),
  • Personnel security – we will train all your employees on how to process personal data, how to protect it, how to prevent security incidents, and the proper procedures for collecting and providing information on the processing of personal data,
  • IT security – we will help you design security measures for the IT environment and educate authorised persons about social engineering, so that the personal data of data subjects is protected in this area, too.

4) Regular care, advice, consulting.

Personal data protection spans a broad range of issues and evolves constantly. Regular advice provided by the data protection officer relieves you of the burden of watching for new guidelines and revisions of the law. Your assigned data protection officer will monitor all changes in the area of personal data protection, prepare the necessary forms accordingly, and keep you informed about current developments. The data protection officer will also perform periodic inspections and training in your organisation at agreed intervals to prevent potential errors in the processing of personal data.

If you decide to expand your portfolio of services, a data protection officer gives you assurance that any new processing of personal data will comply with current legislation.


Security Administrator

The security documentation concerning the protection of personal data includes a recommendation to our clients that their organisations appoint a security administrator.

A security administrator in matters of personal data protection ensures the safeguarding of automated and non-automated systems in which personal data is processed. The fundamental role of the security administrator is to oversee the processing of personal data in automated and non-automated information systems with respect to security functions and procedures, in compliance with all the requirements of the security policy and security guidelines. The focus of this role is managing and monitoring the security functions of the system. These activities are defined and specified in the security guidelines of the information system, which form part of the technical and organisational measures. The security administrator is also involved in the investigation of security incidents.

The security administrator must be familiar with every detail of the operating systems (including their network features and security settings), the computing and technical equipment, the communication subsystem, the topology of the automated information systems, and the applications that process personal data in those systems. At the same time, the security administrator is required to know and respect the general principles of information system security and to comply with the principles of secure processing of personal data.

Among other services, our company provides a security administrator service with the expertise and qualifications to carry out the role. For more information, please contact us at info@topprivacy.sk


Industrial Security and Classified Information

We offer a full range of services for obtaining industrial security certificates (clearance of the National Security Authority) for business entities (legal and natural persons) in accordance with the Act No. 215/2004 Z. z. on Protection of Classified Information, as amended.

The service is provided to entrepreneurs who are required to obtain a certificate of industrial security at the appropriate security classification level, in accordance with Act No. 215/2004 Z. z. on Protection of Classified Information, as amended, and National Security Authority Decree No. 301/2013 Z. z., if they plan to:

  • provide services to bodies of state administration, in which it will be necessary to transfer classified information to them,
  • trade in military material, or
  • carry out aerial photographing.

The analysis, the recommendations and the basic documents needed for the security clearance include:

  • an analysis of the environment where processing of classified information is to take place,
  • recommendation of the security classification level, the protected area, the method of processing classified information on a technical device, and the method of ensuring administrative and personnel security, based on an analysis of the classified information of the relevant state administration bodies and the business interests anticipated by the client,
  • development of a security project according to the National Security Authority Decree No. 301/2013 Z. z.,
  • preparing application for a certificate of industrial security for entrepreneur,
  • coordinating the preparation of the applications and statements required to carry out the security clearance,
  • development of a personnel security guideline according to National Security Authority Decree No. 134/2016 Z. z.

Processing of Special Documents

  • preparing the relevant documentation and an administrative security guideline in accordance with Act No. 215/2004 Z. z. and National Security Authority Decree No. 48/2019 Z. z., laying down details of administrative security of classified information,
  • preparing the documentation (security project for technical devices, guidelines, relevant forms) required for certification of a technical device for the processing of classified information in accordance with Act No. 215/2004 Z. z. and National Security Authority Decree No. 339/2004 Z. z. on Security of Technical Devices,
  • configuring and preparing a technical device for certification (security settings),
  • design and optimisation of a protected area under National Security Authority Decree No. 336/2004 Z. z. on Physical Security and Building Security, as amended by National Security Authority Decree No. 315/2006 Z. z.,
  • development of documentation for physical security and building security,
  • preparation of the inspection book and visitor book for the protected area under the same Decree No. 336/2004 Z. z., as amended by Decree No. 315/2006 Z. z.,
  • provision of related advice.

Cybersecurity

Nowadays, when most data is in digital form, cybersecurity is an integral part of data protection.

Under Act No. 69/2018 Z. z. on Cybersecurity and on Amendments to Certain Acts, an operator of an essential service is required to introduce security measures and is also obliged to verify the effectiveness of those measures and compliance with the requirements established by the Act. An operator of an essential service is anyone who meets at least one sector-specific criterion and at least one impact criterion.

As a company specialised in security services we can give you a helping hand and provide you with:

1) Analysis of sector-specific criteria and impact criteria – through a detailed analysis we evaluate the sector-specific and impact criteria to determine the potential impact a cybersecurity incident could have on an information system or network. The result is a document that helps you determine whether you are required to be included in the list of operators of essential services.

2) Analysis of cybersecurity – if the analysis of sector-specific and impact criteria shows that you are legally required to be included in the list of operators of essential services, a cybersecurity analysis must be carried out under Act No. 69/2018 Z. z. and National Security Authority Decree No. 362/2018 Z. z.

3) Proposed cybersecurity measures – based on the cybersecurity analysis we prepare tailor-made proposals for security measures (security documentation) in accordance with National Security Authority Decree No. 362/2018 Z. z., laying down the Content of Security Measures, the Content and Structure of Security Documentation and the Scope of General Security Measures.

4) Professional personnel training – our experts train your employees on social engineering and cybersecurity. The training courses are held in direct interaction with the client and adapted to the audience.

5) Advice and consultation – provided by our team of experts from the relevant fields. If necessary, we can represent you in proceedings before the National Security Authority.

For purposes of organising cyber security, we can provide a service of designating a cybersecurity manager who:

  • may submit proposals and report information in the field of cybersecurity directly to the statutory body of the operator of the essential service,
  • ensures the application of security measures in the cybersecurity management system,
  • is independent of the operational management and development of information technology services, and
  • meets the knowledge standards for the position of cybersecurity manager according to the relevant legal regulation.

Advisory and Consultancy Activities

Our company provides its clients with expert advice and consultation in the field of personal data protection under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR") and pursuant to Act No. 18/2018 Z. z. on Personal Data Protection and on Amendments to Certain Acts.

Personal data protection is not governed by GDPR and the Act on Personal Data Protection alone. When setting up processes, other national legislation must be followed, too. Since we work closely with the law firm Hronček & Partners s. r. o., we can provide a highly professional approach in this area through a team of experts from the relevant fields.

If necessary, we can arrange representation in proceedings before the Office for Personal Data Protection. Each of our clients can arrange a specific time with us during which we are fully available to address any questions and requirements. Our advisory activity aims at a detailed explanation of data protection issues and the implementation of GDPR as needed by the client.

Professional Training

Professional training in the field of protecting personal data and classified information takes place in workshops with the possibility of interactive discussion, addressing the specific issues relevant to companies or individuals. Professional training courses are held with a minimum attendance of 5 people. Training is provided at the company's premises, in direct interaction with the client. We can also organise training courses in other suitable training rooms as necessary.


Representation in Proceedings before the Office

By working closely with the law firm Hronček & Partners, s. r. o., which provides legal advice in assessing the lawfulness of personal data processing and has extensive experience with data protection under the previous legislation, the GDPR rules and Act No. 18/2018 Z. z. on Personal Data Protection, we are able to provide the following services:

  • representation of clients during inspections by the Office for Personal Data Protection,
  • legal analysis and opinion on the protection and processing of personal data.

We monitor the guidelines of the Office for Personal Data Protection on a continuous basis in order to align the processes set up by our clients with current practice in the Slovak Republic.


Cybersecurity Manager

Under Act No. 69/2018 Z. z. on Cybersecurity and on Amendments to Certain Acts, an operator of an essential service is required to introduce security measures and is also obliged to verify the effectiveness of those measures and compliance with the requirements established by the Act by carrying out a cybersecurity audit. The audit must be carried out within two years of the date on which the operator of the essential service is included in the register of operators of essential services.

For the purposes of organising cybersecurity, a cybersecurity manager is designated who, under National Security Authority Decree No. 362/2018 Z. z., laying down the Content of Security Measures, the Content and Structure of Security Documentation and the Scope of General Security Measures:

1) may submit proposals and report information in the field of cybersecurity directly to the statutory body of the operator of the essential service,

2) ensures the application of security measures in the cybersecurity management system,

3) is independent of the operational management and development of information technology services, and

4) meets the knowledge standards for the position of cybersecurity manager according to the relevant legal regulation.

The designated cybersecurity manager must be a person able to give evidence of his or her professional qualification, and whose security role includes responsibility for organising the cybersecurity management system.

The cybersecurity manager is the professional management element of cybersecurity at the operator of an essential service and needs to know the internal environment of the organisation and the assets of the operator.

Our company can provide a cybersecurity manager service. Our offer includes the full service of a cybersecurity manager who is an expert in information and communication technologies and is qualified to carry out his or her tasks in accordance with the relevant regulation issued by the National Security Authority. Please contact us if you are interested and want more information, at our e-mail address info@topprivacy.sk
