GDPR modules

"We do not sell ready-made food but rather good-quality ingredients together with recipes tested over time. Said metaphorically, this is exactly what we do with our GDPR modules: we teach our clients how to cook. And that is why our GDPR modules are not just another set of sample documentation."

Jakub Berthoty, founder of Dagital Legal 

Instructions for use

Each of our GDPR modules contains instructions for use covering all document sets in our offer, including those not included in every document pack.

On closer inspection, these instructions for use explain the individual documents, including why and how each of them may be useful from a GDPR perspective. More importantly, they list and explain the steps that should be taken to correctly customise the given documentation to your specific situation. They draw on our extensive experience in data protection due diligence and provide a simplified process that we have found most helpful in practice. There is, of course, a large variety of ways in which companies approach due diligence in data protection. We have developed our instructions for use strictly around a legal, "purpose-driven" approach to GDPR compliance that does not burden you with the rather technical details of how data is processed, managed and protected.

First, you answer a set of questions grouped into various categories. Based on your answers, you are then provided with a full list of processing purposes and the various combinations of legal grounds that we have come across in our practice, each with a brief explanation. Depending on your responses, you choose the combinations of purposes and legal grounds that apply to your processing. In this way, working through the instructions for use builds the elementary building blocks of your GDPR compliance and, ultimately, the content that you will then carry into, or take into account in, your documentation.

These instructions for use distil the many years of experience that the members of our team have in data protection. We made sure they are not burdened with legalese and can be easily understood by anyone who typically deals with data protection in an organisation.

Privacy Policy

You will find one on almost every website, but what should it in fact contain, and why is it there? Everyone processing personal data must provide certain basic information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language, and it must correspond to reality. That this information should take the form of a privacy policy on a website is dictated not by GDPR but by common sense. By glancing through a website and the quality of the information it contains, one can immediately get a sense of how data is protected there. Your Privacy Policy will be read by the Data Protection Authority as well as by your customers, employees, data subjects and competitors. Our Privacy Policies stand out from the crowd because they are easy to read and have appropriate granularity. They are designed as a series of answers to the questions that you, as a controller under GDPR, must answer for data subjects. Their actual purpose is to serve as the 'first line' of your protection. No one sees your internal policies, contracts or processes. Everyone, however, can see how you have dealt with your privacy policy.

Contractual documents

At least three contractual arrangements are specific to GDPR: a contract with a processor under Article 28 GDPR, an arrangement between joint controllers under Article 26 GDPR and an agreement with a data protection officer, even though the last of these is not expressly required. You can find all of these in our contractual documents.


You will often find that certain consents repeat themselves. Even so, it is always practical to have at hand a list of alternative wordings that cover a variety of situations.

Internal data protection policy

Everyone processing personal data should have an internal policy in place, where this is proportionate to the processing activities. If you ask us, it is better to have one when the requirements are this vague. But what should it contain? There is a great variety of data protection policies. We do not think it makes much sense to have 'static' policies that merely parrot the wording and requirements set out in legislation. Our internal policy focuses on the distribution of tasks and responsibilities for data protection among the various persons involved, and on descriptions of important processes such as handling data subject requests and documenting and reporting security incidents. It also contains sample answers to the data subject requests that are most frequent in practice.

Security policy

This is the least 'legal' of all our documents. Its origins can be traced back to the time when 'security projects' were mandatory (in Slovakia), and it draws on terminology and principles derived from information security standards. It is no proper replacement for a thorough information risk analysis, however, and should rather be seen as a 'master form' to be used as you try to capture your information security in a single policy document.

Tool for documenting instructions

Much has been said about the meaning and form of the documented instructions required under Article 29 GDPR. At least in Slovakia, we have a history of being perhaps too rigid about written instructions and the instruction of employees. Even though we have our own opinion on this, at times it might be better to have the basic instructions described, documented and signed on 'good old' paper, just to be on the safe side.

Records of processing activities

To us, records of processing activities have the added value of introducing order and easy navigation into the internal management of data protection. That is why we recommend them to every client, whether or not the client falls under the obligation in Article 30 GDPR. The records that we draw up follow various samples published by supervisory authorities, while adding many additional features, tools and functionalities. One of the best features automatically determines, from the data you enter, which data subject rights and which specific controller obligations apply to each purpose of processing. Our records not only serve as a one-stop shop for data protection in your organisation but are also an important tool for managing individual processes, in particular from the perspective of notification obligations and the handling of data subject rights.

Balancing test for legitimate interest

Almost all controllers need to rely on the legal ground of legitimate interest under Article 6(1)(f) GDPR. Yet very few of them actually assess whether their legitimate interest overrides the interests and fundamental rights and freedoms of data subjects. Inspired by the recommendations of the Article 29 Working Party and the case law of the Court of Justice of the EU and the European Court of Human Rights, we have developed a 'balancing test': a series of universal questions, a scoring system and an evaluation of the test's conclusions that together make it possible to substantiate or refute, in a documented and reproducible way, the existence of an overriding legitimate interest.

Data protection impact assessment

As lawyers, we interpret Article 35 GDPR in a different light than most IT and information security consultants do. While ISO 27k-based risk analyses typically address the risks posed to an organisation, its assets and its operations, a data protection impact assessment must address the risks posed to the rights and freedoms of natural persons. Our proprietary impact assessment documentation is, so far, the most comprehensive solution we know of for assessing interferences with privacy. It is unique because the assessment is carried out using strictly non-technical, legal means. Our catalogue of rights and freedoms is based on the European Convention on Human Rights, the EU Charter of Fundamental Rights and the Constitution of the Slovak Republic. The scoring system for risk assessment is built on a methodology similar to that of the ISO 27k standards.