SODO HELP

Quick start

If you are just getting started with SODO, this is the place for you! Find out how to set up your account and start using our system.

Complete the list of collections and processes

  • From the main menu, click on Records-> RoPA and then select Add dataset.
  • Complete the name of the dataset (e.g. Human Resources) and then complete the names of the processes ‘grouped’ under the dataset. If there are several processes under a given dataset (e.g., Social Security, Employment, Recruitment), you can add them using the Add Another Process button.
  • Rest assured that you do not need to enter all the information about newly added processes straight away. At this stage of the configuration, the process names alone will suffice for now.
  • Confirm your changes and click on the button in the bottom right corner Save and close. There you go! The new dataset and its accompanying processes have been added to the system. Repeat this step for all other datasets and processing activities. This will allow you to assign both datasets and processes under specific Profiles.

Add profiles (positions)

  • The profiles functionality will make your life a lot easier! It is what allows you to assign specific training and data sets and processes to profiles (positions). If your organisation is small and not highly structured, you can skip this step.
  • To add a new profile, go to the Profiles functionality in the main menu on the left. Click on the Add button.
  • Enter the name of the profile / position (e.g. HR Manager), select the list of mandatory trainings for employees with this profile (e.g. GDPR basics and GDPR in HR). In the RoPA section, indicate which datasets and processes employees with this profile / position will have access to (e.g. HR -> Pensions + Recruitment). Similarly - in the RCP section, select the relevant entrusted data (e.g. Sports Benefits, Group Insurance). Confirm the changes and click on the button in the bottom right corner Save.

Add branches (organisational units)

  • The branch functionality will be useful to you if you work in a medium or large organisation. It will allow you to group users together (e.g. Kraków branch, Warsaw branch, Gdańsk branch) and to grant managers ‘slice’ access to users from a particular branch. If your organisation is small and does not have an extensive structure, you can skip this step.
  • To add a new branch, go to the Branches functionality in the main menu on the left. Click on the Add button.
  • Obligatorily enter the name of the branch (e.g. Head Office - Warsaw). Optionally, fill in your contact details and e-mail address. We particularly recommend that you complete this last piece of information. It is to the e-mail address provided here that system messages will be sent to users who do not have their own e-mail address (e.g. production staff). Confirm your changes and click on the button in the bottom right-hand corner Save. There you have it! From now on, when adding new users, you can assign them to a particular branch.

Add key users and nominate a DPO

  • You can already add key users. This will primarily be the DPO (if appointed) and the managers of each branch (if you wish to entrust them with access to the user data grouped in those branches). To add a user, go to the functionality in the main menu on the left-hand side of the Users page and then click Add.
  • Go to the functionality in the main menu on the left My ADO -> Users -> Add.To add a new branch, go to the Branches functionality in the main menu on the left. Click on the Add button.
  • Obligatorily enter the name of the branch (e.g. Head Office - Warsaw). Optionally, fill in your contact details and e-mail address. We particularly recommend that you complete this last piece of information. It is to the e-mail address provided here that system messages will be sent to users who do not have their own e-mail address (e.g. production staff). Confirm your changes and click on the button in the bottom right-hand corner Save. There you have it! From now on, when adding new users, you can assign them to a particular branch.

Users

Find out how to manage users in SODO. From the tutorial you will learn how to add new users to the system, how to delete, deactivate, export and how to reset their access passwords.

Adding users

  • To add a user to SODO, click on the tab: Users and then on the Add button.
  • Complete the details on the user you wish to add to the system:
    • Name
    • Surname
    • Login (automatically generated on a first and last name basis) - you do not need to make any changes in this field. Remember that the user will be able to log in to SODO with both his/her login and e-mail address. Therefore, do not attach undue importance to the login you assign to him/her;
    • E-mail - Enter the employee's work e-mail address. It is to the e-mail address indicated in this field that messages from the SODO system will be directed (e.g. about the creation of a user account, about e-learning training courses, about granted / withdrawn authorisations). If you do not enter any e-mail address in this field (because, for example, you are creating an account for an employee from the production department who does not have his own e-mail address), system messages will be sent to the e-mail inbox of the department to which the user is assigned. In most cases, this will be your e-mail inbox. Your task will be to pass on the access link to the employee added in this way;
    • Role - You do not have the option to edit this field. Each user you add will be assigned by default to the primary role (permissions) - Employee (ADO role). This role allows access to the e-learning courses assigned to the profile and the user's own data processing authorisation / certificate;
    • Branch - You do not have the option to edit this field. Each user you add will be assigned by default to the same branch you are assigned to;
    • Profile - select, depending on which position the newly added user has. It is under the profiles that the relevant training courses (e.g. RODO basics, RODO in HR) and authorisation ranges are assigned;
  • Once the information has been completed, click on the Save button at the bottom right of the screen. The user has been added to the system and an activation email has been sent to their email address.

Deleting and deactivating users

  • What is the difference between deactivation and deletion? A deactivated user leaves a ‘footprint’ in the system - you can check the history of their authorisations (once deactivated, the authorisation of such a user is automatically revoked), training courses or activity in SODO. Deleting a user results in the ‘hard’ deletion of all data on that user. It has a permanent and irreversible effect, so only use this functionality as a last resort (e.g. as a result of adding a user by mistake). Both deleted and deactivated users do not count towards the limit of active users.
  • To deactivate/delete a user in SODO, click on the tab: Users, then on the Actions button next to the respective user and select Deactivate or Delete from the drop-down list. Remember to use the Delete action as a last resort!

Generation of a password reset link for the user

  • The function for generating a password reset link will come in handy if someone on your team asks you to resend access to their account. This can be caused, for example, by mistakenly deleting the email with the activation link (as a result of it being treated as a phishing attempt), forgetting the password, expiry of the activation link (for security reasons, the link is for single use only).
  • Remember to get users used to using SODO on their own as much as possible. Anyone can reset their password using the Forget Password functionality available from the SODO login panel (https://v3.sodo.com.pl). The whole procedure is very simple and is described in the user manual, to which every message activating the account of any user links.
  • If, for some reason, this is not possible, each Admin and Manager has the authority to resend the account activation link to the user in question. To do this, go to the Users tab. Then click on Actions and then on Reset password. And there you have it! The new activation link for SODO has just been sent to the user in question.

Export of users

  • You can export all users, e.g. for reports or statements.
  • To export users, click on the tab: Users and then on the Export button. You can now download a list of all users in CSV format. You can easily edit the downloaded file using Microsoft Excel or other spreadsheet software (e.g. Calc or Google Sheets).

Użytkownicy - Działania hurtowe

The bulk actions we can perform on users are:

  • Change profile
  • Change role
  • Change of branch
  • Delete
  • Deactivation

To perform bulk actions, we need to check the box next to the people whose data we want to change. We can also check the checkbox in the column header, this will select all the people we currently display on the page, if we want to select more people, go to the bottom of the table and then select from the drop-down list how many people you want to display.

Important!

In the event of a change of profile, all the authorisations of the persons concerned will be withdrawn and then reassigned under the new scope of authorisation which is assigned to the profile in question.

Dashboard

Funkcjonalność dashboardu pozwala Ci monitorować w prosty i przejrzysty sposób poziom wdrożenia RODO w każdym z pięciu kluczowych obszarów. Zgodnie z naszą autorską koncepcją 5 Filarów RODO (dowiedz się o niej więcej). Z tej sekcji pomocy dowiesz się: jak pobrać raport poziomu wdrożenia RODO, w jaki sposób przydzielane są oceny za poszczególne obszary oraz jak dezaktywować poszczególne kafelki.

How to download the GDPR implementation level report?

  • After logging into SODO, you will immediately reach the Dashboard. If you are currently using some other functionality, you will get to the Dashboard by clicking on the first item in the navigation menu on the left: Dashboard.
  • Click the button located in the first yellow tile: Download report. Done! The PDF report has just been downloaded to your device. For better accountability, we encourage you to download such reports periodically (e.g. monthly or quarterly). In the event of an audit by the DPA or the Administrator, this will be invaluable proof of your ongoing monitoring and improvement of your RODO compliance.

How does SODO assess each area?

  • Ratings in the dashboard are assigned at two levels: global (for each of the 5 Pillars) and local (for the individual areas that make up each Pillar).
  • The global ratings (for each of the 5 Pillars) are derived from the ratings in the individual areas (tiles) that make up the Pillar. SODO adds up the level of compliance with the RODO in all active tiles (green, yellow or red) and then calculates the percentage level of compliance within the respective Pillar. Please note that the following do not count towards the assessment: deactivated (greyed out) tiles and information tiles (marked in blue)
  • Local ratings (for the individual areas that make up a particular pillar) are given according to a criterion adopted by our experts. To find out the evaluation criteria, move the mouse cursor over the top left-hand corner of the respective tile (with an ‘i’ icon). For each tile, the criterion is different and depends on the specifics of the area. For example, to receive a good (green) score for the Training tile, a minimum of 90% of users must be trained.

How do I deactivate a tile in the dashboard?

  • You can deactivate each tile with a detailed RODO compliance assessment in a particular area by clicking on the ‘V’ icon in the top right corner. Deactivation can come in handy if, for example, you do not use a particular SODO functionality and do not want its shortcomings to undermine your level of RODO compliance. As we mentioned in the previous help section - deactivated tiles do not count towards assessments.
  • Remember that the process of deactivating tiles is fully reversible. This means that you can reactivate a tile at any time. The deactivation process also has no effect on the data stored in SODO. So, for example, if you deactivate a tile indicating the value ‘3’, when you reactivate the tile it will also indicate the value ‘3’.

How does SODO assess the different areas in the dashboard?

Ratings in the dashboard are assigned at two levels: global (for each of the V Pillars) and local (for the individual ‘tiles’ that make up the Pillar).

  • Global rating (for each of the V Pillars) are derived from the ratings in the individual areas (tiles) that make up the respective pillar. SODO sums up the level of compliance with RODO in all active tiles (green, yellow or red) and then calculates the percentage level of compliance within the respective Pillar. According to the following algorithm:

    • 3 points for a green tile (high RODO compliance), 1 point for a yellow tile (average RODO compliance), 0 points for a red tile (low or no RODO compliance).

    • Example: in Pillar II (Awareness) we have two tiles: Training and Empowerment. If both tiles are active and one of them is yellow (and thus will receive 1 point) and the other is red (and thus will receive 0 points), this will result in: 1 + 0 = 1. That is to say, out of 6 possible points (2 x 3 maximum points if both tiles were green) in Pillar II, we will have only 2/6 compliance, or 16%. Therefore, this Pillar will receive a red colour indicating a low level of compliance.

    • Remember that the following do not count towards the assessment: deactivated (greyed out) tiles and information tiles (marked in blue)

  • Local rating (for the individual ‘tiles’ that make up a given pillar) are assigned according to a criterion adopted by our experts. To find out the evaluation criteria, move the mouse cursor over the top left-hand corner of the respective tile (with an ‘i’ icon). For each tile, the criterion is different and depends on the specifics of the area. For example, to receive a good (green) score for the Training tile, a minimum of 90% of users must be trained.

Training

Dowiedz się jak zarządzać szkoleniami z zakresu ochrony danych osobowych. Z poradnika dowiesz się jak monitorować progres realizacji szkoleń e-learnigowych, jak wygenerować raport ze szkoleń, jak oznaczyć szkolenie do realizacji lub jako ukończone

Monitoring of training implementation and report generation

  • To access the functionality for monitoring training delivery and generating a report, click on the Training -> Training Reports tab.
  • On the banner at the top you can see the level of training delivery: how many people are trained and how many have not yet completed training.
  • Remember that a user with admin privileges sees the statistics and training delivery of all users of a particular ADO. A user with manager privileges sees the statistics and data associated with his/her department only.
  • For easier data analysis, use the built-in filters. To do this, select the criteria you are interested in (Branch, Status, User, Training Completion Date) and then click on the Filter button.
  • To download the training report in Excel table format, click on the Download Report button.

Marking training as completed

  • You will find the Mark training as completed functionality useful in two cases. Firstly, if the user in question has already completed the training, but in a different form (e.g. in desktop training). Secondly, if he/she has completed the training in SODO, but for technical reasons (e.g. temporary loss of internet access), the training progression has not been retained.
  • To access the functionality for marking training as completed, click on Training -> Training Reports.
  • Find the user to whom you want to mark the training as completed. The most convenient way to do this is to use the search engine (enter the details of the person you want to mark as completed in the User field and then click Filter). Click on the Actions button next to the user in question and then - Mark as completed.
  • Remember that RODO is about accountability. Therefore, enter the relevant date of completion of the training (e.g. onsite) and an appropriate comment (e.g. User completed onsite training organised by Janina Nowak). Confirm your changes with the Save button
  • And there you have it! The user's training has been marked as completed. This will be accompanied by an appropriate annotation (comment, date and details of the user marking the training as completed). If an action was associated with the completion of a training course (e.g. the awarding of an authorisation or a post-training certificate), these will be automatically generated.

Marking the training for completion

  • The Mark training for completion functionality will come in handy for you in two cases. Firstly, if the user in question has completed the training, but a long time has passed since the incident and you want to re-train him/her. Secondly, if the user in question has, for example, contributed to a data protection breach and you want to re-train him or her as one of the remedies.
  • To access the functionality for marking training for redelivery, click on Training -> Training Reports.
  • Find the user you want to retrain. You will do this most conveniently using the search engine (enter the details of the person you want to re-train in the User field and then click Filter). Click on the Actions button next to the user in question and then - Mark for completion.
  • And now! The user's training has been marked as Not Started. The user will receive an automatic email notification to this effect. The action you take will not affect the authorisations and certificates already granted to this user (they will not be automatically withdrawn).

Training - bulk activities

In the training report we can perform two bulk operations, these are:

  1. "Mark selected for delivery" - this will reset the training status and send an email notification of the training to the user.
  2. "Mark selected as completed" - when we use this function, a window will appear in which we select the date of completion of the training and, if necessary, a comment, e.g. "Training completed in stationary". When we click on the "Save" button, the training changes its status to "Completed".

In order to perform bulk actions, we need to tick the relevant checkboxes next to the trainings you want to change. We can also check the checkbox in the column header which will select all the trainings that are currently displayed on the screen, if we want to select more people we need to go to the very bottom of the table and then select from the drop-down list how many people we want to display.

Risk assessment

Funkcjonalność zarządzania ryzykiem pozwala Ci na realizację i ewidencjonowanie: ocen ryzyka, preDPIA i DPIA, testów równowagi oraz audytów RODO i cyberbezpieczeństwa. Dowiedz się jak w praktyce realizować RODO-wskie „risk based approach”, czyli podejście oparte na ryzyku.

Risk assessments

  • From the main menu, click on Risk Management and then Risk Assessments.
  • The functionality is divided into two sections: For the organisation (here you will carry out a risk assessment for the whole organisation) and For processes or processing methods (here you will carry out a risk assessment for individual processes from RCP or other activities - e.g. remote working). You can switch between the two sections using the TABs at the top of the functionality.
  • The first step to adding a risk assessment is to download our proven template for the implementation of risk assessments. You can, of course, also use your own templates, but our continuously updated template has already passed numerous PUODO and Administrators' inspections and is proven in practice.
  • Complete the downloaded file and then click on the orange button at the top - Add Assessment. Fill in all the information (don't forget to attach the completed template!) and then click Save.
  • To view the details of an entry - click on the grey ‘+’ button on the left.

DPIA

  • From the main menu, click on Risk Management and then DPIA.
  • The functionality is divided into two sections: preDPIA (here you will verify for which process a DPIA will be required) and DPIA (here you will carry out a DPIA if it becomes necessary based on the preDPIA analysis you have carried out). You can switch between the two sections using the TABs at the top of the functionality.
  • The first step to adding a preDPIA or DPIA is to download our proven template. You can, of course, also use your own templates, but our continuously updated template has already passed through numerous PUODO and Administrators' checks and is proven to work.
  • Complete the downloaded file and then click on the orange button at the top - Add preDPIA or Add DPIA (depending on which tab you are in). Complete all the information (don't forget to attach the completed template!) and then click Save.
  • To view the details of an entry - click on the grey ‘+’ button on the left.

Balance tests

  • In the main menu, click on Risk management and then Balancing tests.
  • The first step to adding a balance test is to download our proven template. You can, of course, also use your own templates, but our continuously updated template has already passed numerous PUODO and Administrators' checks and is proven in practice.
  • Complete the downloaded file and then click on the orange button at the top - Add test. Fill in all the information (don't forget to attach the completed template!) and then click Save.
  • To view the details of an entry - click on the grey ‘+’ button on the left.

GDPR and cyber security audits

  • In the main menu, click on Risk Management and then on Audits.
  • The functionality is divided into two sections: RODO compliance audit andDPIA cyber security audit. You can switch between the two sections using the TABs located in the functionality at the top.
  • The first step to adding an audit is to download our proven template. You can, of course, also use your own templates, but our continuously updated template has already passed through numerous PUODO and Administrators' audits and is proven in practice.
  • Complete the downloaded file and then click on the orange button at the top - Add Audit. Fill in all the information (don't forget to attach the completed template!) and then click Save.
  • To view the details of an entry - click on the grey ‘+’ button on the left.

Records

W SODO możesz prowadzić wszystkie kluczowe rejestry: Rejestr Czynności Przetwarzania (RCP), Rejestr Kategorii Czynności Przetwarzania (RKCP), rejestr przekazywania danych, rejestr naruszeń oraz rejestr realizacji praw osób. W tej sekcji pomocy dowiesz się jak to zrobić.

RoPA

  • In the main menu on the left, click on Registers and then on RoPA.
  • To facilitate the management of the RoPA, it is divided in layers: into personal data sets and then into the processes (processing activities) that are within those sets. We strongly encourage you to maintain this division - it makes it easier to manage the register. However, if for some reason you want to keep in the Register only a list of processes (processing activities), without assigning them to data sets - nothing simpler! Create one dataset (e.g. named Processing activities), and then add all processes within it.
  • The first step to complete the RoPA is to add all datasets and all processes (processing activities) within each dataset. To add a new dataset - click on the orange button at the top - Add Dataset. Then enter the name of the dataset (avoid ‘/’ characters and long dataset names - SODO will accept them, but you will not be able to export them to Excel) and all the process names within that dataset and click Save.
  • Congratulations! RoPA has been completed to a basic extent. From now on, you can, among other things, grant authorisations and entrustments and releases by linking them to specific collections and processes.
  • The second step to complete the RoPA is to complete the details of each process (processing activity). To do this, click on the grey ‘+’ button to the left of the dataset name to expand the list of all processes assigned to that dataset. Then, click on Actions next to the process you wish to complete and select Complete Details.
  • Practical tip - if you plan to add any entrustment of data processing that is linked to multiple processes (e.g. outsourcing to external IT) - do not do it from the level of completing individual processes. It is much quicker and simpler to add such an entrustment from the Data Transfer -> Entrustment functionality level. In this way you can add one delegation, which you can automatically link to e.g. 30 processes. This will save you a lot of time!
  • To download the RoPA to an Excel file - click on the "Export" button at the top.

Model RoPA

  1. At the very beginning of the creation of the RCP, werecommend the use of the Model RCP, this is a template for processing activities that is found in almost every company. To use it, click the button ‘Modelowy RCP’.
  2. Now we see the model RCP window we have two options either to copy entire collections or to copy specific processes. 
  3. If you want to copy the entire collection: Select the collection you are interested in then click actions -> Copy to your RCP:
  4. Następnie pojawi nam się okno wyboru ADO do którego chcemy skopiować zbiór, wybieramy interesujące nas Ado i klikamy Zatwierdź 
  5.  Każdy skopiowany proces należy zweryfikować czy pokrywa się faktycznie z działalnością naszej firmy. 
  6.  To verify or complete the process, we find it in the selected collection and then click Actions -> Complete Details: 
  7. If we only want to copy one process from the collection of interest, we proceed in a similar way. Click the ‘+’ button next to the collection name.

How to filter and search for unfilled processes in the RoPA Processing Activity Register?

Click in the navigation menu on the left on the tab Records -> RopA

Click on the filter Completion status i wybierz z rozwijanej listy: NieuzupełnioneConfirm your settings with the orange Filter button.

In the list of datasets and processes, you now only see datasets with processes that are not 100% complete. You can check the detailed completion level of a process by clicking on the ‘+’ button to the left of the dataset. The completion level of a given dataset will be located in the ‘Completion status’ column.

If you want to restore the original view of the RoPA (with a view of all collections and processes) - reset the filters by clicking on the button Resetuj.

RoACoPA

  • In the main menu on the left, click on Registers and then on RoACoPA.
  • To add a new entry in the RoACoPA, click on the orange button Add entrustment. Fill in the details of the entrustment and then click on the Save button.
  • To view the details of a particular entrustment - click on the grey ‘+’ button to the left of the processing activity category name.

Register of breaches

  • In the main menu on the left, click on Breaches.
  • To add a new data protection breach, click on the orange Add button. Complete the details of the breach and then click on the Save button.
  • When adding a new entry, remember to use the automatic breach risk assessment functionality. This will make it easier for you to qualify the breach and decide whether to (not) report it to PUODO and (not) notify data subjects. To make such a calculation, click on the orange Add Calculation button located in the INFRINGEMENT ASSESSMENT section.
  • To view the details of a particular breach - click on the grey ‘+’ button to the left of the breach in question.
  • To download the violation register to an Excel file - click on the grey button at the top - Export.

Register of the exercise of the rights of individuals

  • In the main menu on the left, click on Rights of individuals.
  • To add a new request to exercise the rights of data subjects, click on the orange Add button. Fill in the details of the request and then click on the Save button.
  • To view the details of a particular application for the exercise of rights - click on the grey ‘+’ button to the left of the respective application.
  • To download the register of the realisation of people's rights into an Excel file - click on the grey button at the top - Export to XLSX.

Record of data transmission

  • W menu głównym po lewej stronie kliknij w Przekazywanie danych, a następnie Powierzenie (jeśli chcesz przejrzeć rejestr powierzeń) lub Udostępnienie (jeśli chcesz przejrzeć rejestr udostępnień).
  • Remember that both registers are divided into two sections: transferring data BOTH to your organisation (the default section) and transferring data TO your organisation.
  • You can switch between the two sections using the TABs at the top of the register (Entrust / Entrust and Share / Share Data).
  • To add a new request to exercise the rights of data subjects, click on the orange Add button. Fill in the details of the request and then click on the Save button.
  • To add a new transfer entry, click on the orange Add button. Fill in the details and then click on the Save button.
  • To view the details of an entry - click on the grey ‘+’ button on the left.
  • Remember that the Data Transfer registers are bilaterally coupled with RoPA and RoACoPA As a result, all changes made in RoPA will automatically translate in the Data Transfer registers. Conversely, if you add, for example, a new data acceptance in the entrustment, it will automatically appear in the RoACoPA.

Authorizations

Funkcjonalność „Upoważnienia” umożliwia zarządzanie i kontrolę nad nadanymi oraz wycofanymi upoważnieniami do przetwarzania danych osobowych. W tej sekcji pomocy dowiesz się w jaki sposób nadawać, wycofywać, usuwać, a także pobierać upoważnienia do plików PDF.

Where can I find the Authorisation functionality?

  • In the main menu, click on Authorisations.
  • From this level, you can view all granted and withdrawn authorisations using the built-in filters and grant, delete and withdraw authorisations. The following help sections will be dedicated to these functions.

When is authorisation automatically granted?

  • Authorisations are granted automatically once the user has successfully completed all the training required for authorisation.

How do you grant ‘manual’ authorisations?

  • If you wish to authorise the processing of personal data "manually" (without waiting for automatic authorisation after training), go to Authorisations in the main menu.
  • Click on the Add button, and then complete all the data: select the user, complete the date of authorisation (by default, this will be the current date) and indicate the scope of authorisation (by default, the scope of authorisation will be linked to the profile associated with the user, but you can also change it individually).
  • Click on the Save button. The data processing authorisation has just been granted.

How do I download the data processing authorisation into a PDF file?

  • If you wish to download a data processing authorisation as a PDF file, go to Authorisations in the main menu.
  • Click on the Actions button and then on Download document. This will download the authorisation into a PDF file.
  • If you wish to download several authorisations - click the white empty square in the top left corner of the table with the list of authorisations. This will cause a new button to appear at the top (directly below the banner with the statistics of the authorisations granted): Download. Click on it and you will download multiple authorisations into a PDF file.

How do I set the terms of reference?

  • In the SODO, there are 2 ways to set authorisation ranges, i.e. the access of a given employee to specific data sets and processing.
  • The first way is to automatically assign authorisations under the profile (position) of a given user. This is the method we recommend most highly - it saves a lot of time and maximises the automation of the authorisation process. How to link employee profiles (positions) is described in detail in the Quick start help section. Click here to go to the relevant help section.
  • The second way is to manually assign authorisations when adding/editing individual authorisations. This is a more time-consuming method and may be particularly useful in the case of, for example, an employee who has a specific job title (e.g. Sales Clerk), but due to additional competences (e.g. sitting on a social committee) gains access to non-standard data sets. The manual granting of authorisations is described in the third section of this help tab.

How to delete and withdraw authorisations?

  • There are 2 ways to delete authorisations in SODO: withdrawal and deletion.
  • Most often you will use the option to withdraw an authorisation. It will come in handy whenever you want to accountably withdraw an authorisation from an employee (e.g. due to an employee's termination or change of position). The withdrawn authorisation remains in the register, but its status is "Withdrawn". To withdraw an authorisation, go to the Authorisations functionality, then click on the Actions button next to the particular authorisation you wish to withdraw and click Withdraw. Note that authorisations are also automatically withdrawn for all users who are deactivated. The process for deactivating employees is described in the Users help section. Click here to go to the relevant help section.
  • In exceptional circumstances, you may wish to delete a given authorisation. This may be useful if, for example, the authorisation in question was granted prematurely or in error. Please note that the process of deleting an authorisation is irreversible and no entry will be left in the authorisation register after the deleted authorisation.

Payments and security

Here you will find questions and answers about payment and the service delivery process.

What forms of payment do you accept?

You can purchase SODO using PAYNOW instant payments (instant transfer, BLIK, credit card). We also allow access to the system on the basis of a standard bank transfer in the order form. Access to the platform and the invoice will be provided as soon as the payment is credited to our account.

What are the conditions for returns?

We do not offer refunds. If you cancel your plan before the next renewal cycle, you will retain access to paid features until the end of your subscription period. Once your subscription expires, you will lose access to paid features and all data associated with those features.

Can I install SODO on a company server?

We are passionate about modern and secure cloud solutions, which is why we do not offer an internally hosted version of SODO.

Where is the SODO data located?

All data used by SODO is located in OVH's server facilities within the EEA and is not transferred to third countries. The main server is located in OVH's data centre in Warsaw, backup data on OVH's server in France.

How long will I have to wait to access the package I have purchased?

In the case of choosing instant payment via PAYNOW - immediately after payment processing. In the case of payment by standard bank transfer - immediately after the transfer is credited to our account. If you wish to speed up the process of accessing SODO - please send the transfer confirmation to the following address kontakt@lex-artist.pl

How are packages for multiple Administrators (e.g. under Multi-DPO) billed?

The packages are billed per organisation (ADO). Thus, if you plan to use SODO within the PREMIUM package for the benefit of 2 ADOs (as Multi-IOD or Capital Group) within which each has up to 10 users, the price of the application will amount to 2×280 = PLN 560 net per month. If you will be handling more than 2 ADOs within SODO - please contact us for indywidualną wycenę.

Rights of individuals

W SODO posiadamy rejestr realizacji praw osób, dodatkowo możemy zintegrować go z własną skrzynką e-mailową.

Konfiguracja skrzynki mailowej do modułu Prawa osób - które maile zostaną zaimportowane do rejestru?

If you configure an email box for People's Rights under ADO Configuration -> Email Inboxes -> People's Rights, only new messages will go into the register. That is, those that have already arrived in the inbox after the inbox has already been "connected" to SODO. SODO will not acquire into the Rights of Persons module any messages that were in the inbox before the moment of configuration.

The same principle will apply whether you set up your mailbox after Gmail, Microsoft or IMAP.

Konfiguracja skrzynki mailowej do modułu Prawa osób - jakie nazwy folderów wskazać?

In order for the SODO system to correctly interpret which folders to retrieve messages from, you must tell it the names of the folders.

Very important! It is best to follow the next steps in your browser in incognito/inprivate mode. This will "hook" your Microsoft/Google email box to SODO according to your preferences. And not the email box you are currently logged into in the browser you use every day.

The standard folder names used by Microsoft Exchange (Outlook) and Google Workspace (Gmail), for example, are:

NOTICE! The names of the above-mentioned folders may differ if you use other language versions of the Microsoft / Google suite or if you have changed the default folder names to your own.

Also bear in mind that other email providers may use different inbox and SPAM folder names. For example:

Folder Otrzymane: inbox / odbiorcze / otrzymane / mailbox / MAILBOX

Folder SPAM: spam / junk / junkbox

For the correct configuration of the mailbox, the character size (lower/upper case) and each character (including invisible SPACE characters) are important.

How do I link two requests for the exercise of RODO rights within the Rights of Persons functionality?

You can make use of the functionality that allows you to combine several requests for the exercise of your RODO rights if, for example, you receive several complaints/requests on the same subject from the same applicant in error.

In this case, you can combine several requests for the exercise of your RODO rights into one request.

To access the functionality for linking applications, click on the Rights of Persons tab.

Then select the redundant application you want to merge with another application, click on Actions -> Merge with another application. Select the application with which you want to merge. As a result, the application on which you have performed the merge action will be 'linked' to the application you indicate in the drop-down list.

Important - if you want to merge requests that have come into the register automatically (from an email inbox connected to SODO), both merged requests must come from the same sender.

File repository

Statistics

In the file repository functionality, we can preview each file by clicking on its name or by clicking "Actions->Preview". Each file has statistics that tell us how many people have viewed the file. To access the statistics, click on "Actions->Statistics".

We will be presented with a window divided into two bars:

  • Users who Have Viewed the File - Here you will see those who have used the preview option directly from the system and those who have received a link to the file and used it.
  • Users who have not Displayed the file - all persons who have received a link to the file but have not yet used it will appear here.

At the top we have information on what percentage of people have read the document.

In addition, at the very bottom we can increase the number of people who appear on our screen at the same time by selecting the appropriate number from a drop-down list.

Sending a mailing with a link to a file

To send a link to a file, use the 'Mailing' functionality.

Go to functionality and then click on the 'Add' button in the top right corner.

We complete the description of the mailing with its subject and the ADO to whom the mailing is to be addressed.

We then indicate the recipients and here a new option has appeared: "

After selecting the file [Important! Only one file can be selected] we will see a new variable to choose from called "Link to file". 

We complete the content of the mailing and insert a variable in the body of the mailing. Finally, click the "Save and send" button at the bottom right of the screen.

Quick start

If you are just getting started with SODO, this is the place for you! Find out how to set up your account and start using our system.

Complete the list of collections and processes

  • From the main menu, click on Records-> RoPA and then select Add dataset.
  • Complete the name of the dataset (e.g. Human Resources) and then complete the names of the processes ‘grouped’ under the dataset. If there are several processes under a given dataset (e.g., Social Security, Employment, Recruitment), you can add them using the Add Another Process button.
  • Rest assured that you do not need to enter all the information about newly added processes straight away. At this stage of the configuration, the process names alone will suffice for now.
  • Confirm your changes and click on the button in the bottom right corner Save and close. There you go! The new dataset and its accompanying processes have been added to the system. Repeat this step for all other datasets and processing activities. This will allow you to assign both datasets and processes under specific Profiles.

Add profiles (positions)

  • The profiles functionality will make your life a lot easier! It is what allows you to assign specific training and data sets and processes to profiles (positions). If your organisation is small and not highly structured, you can skip this step.
  • To add a new profile, go to the Profiles functionality in the main menu on the left. Click on the Add button.
  • Enter the name of the profile / position (e.g. HR Manager), select the list of mandatory trainings for employees with this profile (e.g. GDPR basics and GDPR in HR). In the RoPA section, indicate which datasets and processes employees with this profile / position will have access to (e.g. HR -> Pensions + Recruitment). Similarly - in the RCP section, select the relevant entrusted data (e.g. Sports Benefits, Group Insurance). Confirm the changes and click on the button in the bottom right corner Save.

Add branches (organisational units)

  • The branch functionality will be useful to you if you work in a medium or large organisation. It will allow you to group users together (e.g. Kraków branch, Warsaw branch, Gdańsk branch) and to grant managers ‘slice’ access to users from a particular branch. If your organisation is small and does not have an extensive structure, you can skip this step.
  • To add a new branch, go to the Branches functionality in the main menu on the left. Click on the Add button.
  • Obligatorily enter the name of the branch (e.g. Head Office - Warsaw). Optionally, fill in your contact details and e-mail address. We particularly recommend that you complete this last piece of information. It is to the e-mail address provided here that system messages will be sent to users who do not have their own e-mail address (e.g. production staff). Confirm your changes and click on the button in the bottom right-hand corner Save. There you have it! From now on, when adding new users, you can assign them to a particular branch.

Add key users and nominate a DPO

  • You can already add key users. This will primarily be the DPO (if appointed) and the managers of each branch (if you wish to entrust them with access to the user data grouped in those branches). To add a user, go to the functionality in the main menu on the left-hand side of the Users page and then click Add.
  • Go to the functionality in the main menu on the left My ADO -> Users -> Add.To add a new branch, go to the Branches functionality in the main menu on the left. Click on the Add button.
  • Obligatorily enter the name of the branch (e.g. Head Office - Warsaw). Optionally, fill in your contact details and e-mail address. We particularly recommend that you complete this last piece of information. It is to the e-mail address provided here that system messages will be sent to users who do not have their own e-mail address (e.g. production staff). Confirm your changes and click on the button in the bottom right-hand corner Save. There you have it! From now on, when adding new users, you can assign them to a particular branch.

Complete the list of collections and processes

  • From the main menu, click on Records-> RoPA and then select Add dataset.
  • Complete the name of the dataset (e.g. Human Resources) and then complete the names of the processes ‘grouped’ under the dataset. If there are several processes under a given dataset (e.g., Social Security, Employment, Recruitment), you can add them using the Add Another Process button.
  • Rest assured that you do not need to enter all the information about newly added processes straight away. At this stage of the configuration, the process names alone will suffice for now.
  • Confirm your changes and click on the button in the bottom right corner Save and close. There you go! The new dataset and its accompanying processes have been added to the system. Repeat this step for all other datasets and processing activities. This will allow you to assign both datasets and processes under specific Profiles.

Statistics

In the file repository functionality, we can preview each file by clicking on its name or by clicking "Actions->Preview". Each file has statistics that tell us how many people have viewed the file. To access the statistics, click on "Actions->Statistics".

We will be presented with a window divided into two bars:

  • Users who Have Viewed the File - Here you will see those who have used the preview option directly from the system and those who have received a link to the file and used it.
  • Users who have not Displayed the file - all persons who have received a link to the file but have not yet used it will appear here.

At the top we have information on what percentage of people have read the document.

In addition, at the very bottom we can increase the number of people who appear on our screen at the same time by selecting the appropriate number from a drop-down list.

Users

Find out how to manage users in SODO. From the tutorial you will learn how to add new users to the system, how to delete, deactivate, export and how to reset their access passwords.

Adding users

  • To add a user to SODO, click on the tab: Users and then on the Add button.
  • Complete the details on the user you wish to add to the system:
    • Name
    • Surname
    • Login (automatically generated on a first and last name basis) - you do not need to make any changes in this field. Remember that the user will be able to log in to SODO with both his/her login and e-mail address. Therefore, do not attach undue importance to the login you assign to him/her;
    • E-mail - Enter the employee's work e-mail address. It is to the e-mail address indicated in this field that messages from the SODO system will be directed (e.g. about the creation of a user account, about e-learning training courses, about granted / withdrawn authorisations). If you do not enter any e-mail address in this field (because, for example, you are creating an account for an employee from the production department who does not have his own e-mail address), system messages will be sent to the e-mail inbox of the department to which the user is assigned. In most cases, this will be your e-mail inbox. Your task will be to pass on the access link to the employee added in this way;
    • Role - You do not have the option to edit this field. Each user you add will be assigned by default to the primary role (permissions) - Employee (ADO role). This role allows access to the e-learning courses assigned to the profile and the user's own data processing authorisation / certificate;
    • Branch - You do not have the option to edit this field. Each user you add will be assigned by default to the same branch you are assigned to;
    • Profile - select, depending on which position the newly added user has. It is under the profiles that the relevant training courses (e.g. RODO basics, RODO in HR) and authorisation ranges are assigned;
  • Once the information has been completed, click on the Save button at the bottom right of the screen. The user has been added to the system and an activation email has been sent to their email address.

Deleting and deactivating users

  • What is the difference between deactivation and deletion? A deactivated user leaves a ‘footprint’ in the system - you can check the history of their authorisations (once deactivated, the authorisation of such a user is automatically revoked), training courses or activity in SODO. Deleting a user results in the ‘hard’ deletion of all data on that user. It has a permanent and irreversible effect, so only use this functionality as a last resort (e.g. as a result of adding a user by mistake). Both deleted and deactivated users do not count towards the limit of active users.
  • To deactivate/delete a user in SODO, click on the tab: Users, then on the Actions button next to the respective user and select Deactivate or Delete from the drop-down list. Remember to use the Delete action as a last resort!

Generation of a password reset link for the user

  • The function for generating a password reset link will come in handy if someone on your team asks you to resend access to their account. This can be caused, for example, by mistakenly deleting the email with the activation link (as a result of it being treated as a phishing attempt), forgetting the password, expiry of the activation link (for security reasons, the link is for single use only).
  • Remember to get users used to using SODO on their own as much as possible. Anyone can reset their password using the Forget Password functionality available from the SODO login panel (https://v3.sodo.com.pl). The whole procedure is very simple and is described in the user manual, to which every message activating the account of any user links.
  • If, for some reason, this is not possible, each Admin and Manager has the authority to resend the account activation link to the user in question. To do this, go to the Users tab. Then click on Actions and then on Reset password. And there you have it! The new activation link for SODO has just been sent to the user in question.

Export of users

  • You can export all users, e.g. for reports or statements.
  • To export users, click on the tab: Users and then on the Export button. You can now download a list of all users in CSV format. You can easily edit the downloaded file using Microsoft Excel or other spreadsheet software (e.g. Calc or Google Sheets).

Użytkownicy - Działania hurtowe

The bulk actions we can perform on users are:

  • Change profile
  • Change role
  • Change of branch
  • Delete
  • Deactivation

To perform bulk actions, we need to check the box next to the people whose data we want to change. We can also check the checkbox in the column header, this will select all the people we currently display on the page, if we want to select more people, go to the bottom of the table and then select from the drop-down list how many people you want to display.

Important!

In the event of a change of profile, all the authorisations of the persons concerned will be withdrawn and then reassigned under the new scope of authorisation which is assigned to the profile in question.

Add profiles (positions)

  • The profiles functionality will make your life a lot easier! It is what allows you to assign specific training and data sets and processes to profiles (positions). If your organisation is small and not highly structured, you can skip this step.
  • To add a new profile, go to the Profiles functionality in the main menu on the left. Click on the Add button.
  • Enter the name of the profile / position (e.g. HR Manager), select the list of mandatory trainings for employees with this profile (e.g. GDPR basics and GDPR in HR). In the RoPA section, indicate which datasets and processes employees with this profile / position will have access to (e.g. HR -> Pensions + Recruitment). Similarly - in the RCP section, select the relevant entrusted data (e.g. Sports Benefits, Group Insurance). Confirm the changes and click on the button in the bottom right corner Save.

Dashboard

Funkcjonalność dashboardu pozwala Ci monitorować w prosty i przejrzysty sposób poziom wdrożenia RODO w każdym z pięciu kluczowych obszarów. Zgodnie z naszą autorską koncepcją 5 Filarów RODO (dowiedz się o niej więcej). Z tej sekcji pomocy dowiesz się: jak pobrać raport poziomu wdrożenia RODO, w jaki sposób przydzielane są oceny za poszczególne obszary oraz jak dezaktywować poszczególne kafelki.

How to download the GDPR implementation level report?

  • After logging into SODO, you will immediately reach the Dashboard. If you are currently using some other functionality, you will get to the Dashboard by clicking on the first item in the navigation menu on the left: Dashboard.
  • Click the button located in the first yellow tile: Download report. Done! The PDF report has just been downloaded to your device. For better accountability, we encourage you to download such reports periodically (e.g. monthly or quarterly). In the event of an audit by the DPA or the Administrator, this will be invaluable proof of your ongoing monitoring and improvement of your RODO compliance.

How does SODO assess each area?

  • Ratings in the dashboard are assigned at two levels: global (for each of the 5 Pillars) and local (for the individual areas that make up each Pillar).
  • The global ratings (for each of the 5 Pillars) are derived from the ratings in the individual areas (tiles) that make up the Pillar. SODO adds up the level of compliance with the RODO in all active tiles (green, yellow or red) and then calculates the percentage level of compliance within the respective Pillar. Please note that the following do not count towards the assessment: deactivated (greyed out) tiles and information tiles (marked in blue)
  • Local ratings (for the individual areas that make up a particular pillar) are given according to a criterion adopted by our experts. To find out the evaluation criteria, move the mouse cursor over the top left-hand corner of the respective tile (with an ‘i’ icon). For each tile, the criterion is different and depends on the specifics of the area. For example, to receive a good (green) score for the Training tile, a minimum of 90% of users must be trained.

How do I deactivate a tile in the dashboard?

  • You can deactivate each tile with a detailed RODO compliance assessment in a particular area by clicking on the ‘V’ icon in the top right corner. Deactivation can come in handy if, for example, you do not use a particular SODO functionality and do not want its shortcomings to undermine your level of RODO compliance. As we mentioned in the previous help section - deactivated tiles do not count towards assessments.
  • Remember that the process of deactivating tiles is fully reversible. This means that you can reactivate a tile at any time. The deactivation process also has no effect on the data stored in SODO. So, for example, if you deactivate a tile indicating the value ‘3’, when you reactivate the tile it will also indicate the value ‘3’.

How does SODO assess the different areas in the dashboard?

Ratings in the dashboard are assigned at two levels: global (for each of the V Pillars) and local (for the individual ‘tiles’ that make up the Pillar).

  • Global rating (for each of the V Pillars) are derived from the ratings in the individual areas (tiles) that make up the respective pillar. SODO sums up the level of compliance with RODO in all active tiles (green, yellow or red) and then calculates the percentage level of compliance within the respective Pillar. According to the following algorithm:

    • 3 points for a green tile (high RODO compliance), 1 point for a yellow tile (average RODO compliance), 0 points for a red tile (low or no RODO compliance).

    • Example: in Pillar II (Awareness) we have two tiles: Training and Empowerment. If both tiles are active and one of them is yellow (and thus will receive 1 point) and the other is red (and thus will receive 0 points), this will result in: 1 + 0 = 1. That is to say, out of 6 possible points (2 x 3 maximum points if both tiles were green) in Pillar II, we will have only 2/6 compliance, or 16%. Therefore, this Pillar will receive a red colour indicating a low level of compliance.

    • Remember that the following do not count towards the assessment: deactivated (greyed out) tiles and information tiles (marked in blue)

  • Local rating (for the individual ‘tiles’ that make up a given pillar) are assigned according to a criterion adopted by our experts. To find out the evaluation criteria, move the mouse cursor over the top left-hand corner of the respective tile (with an ‘i’ icon). For each tile, the criterion is different and depends on the specifics of the area. For example, to receive a good (green) score for the Training tile, a minimum of 90% of users must be trained.

Sending a mailing with a link to a file

To send a link to a file, use the 'Mailing' functionality.

Go to functionality and then click on the 'Add' button in the top right corner.

We complete the description of the mailing with its subject and the ADO to whom the mailing is to be addressed.

We then indicate the recipients and here a new option has appeared: "

After selecting the file [Important! Only one file can be selected] we will see a new variable to choose from called "Link to file". 

We complete the content of the mailing and insert a variable in the body of the mailing. Finally, click the "Save and send" button at the bottom right of the screen.

Updates

September 12, 2024
4.4.3

Bug Fixed a bug that blocked the export of RoPA due to the number of characters being too large.

Function RCP i RKCP - poszerzenie zakresu exportu o pole uwagi + dodanie nowego pola - właściciel procesu.

Function Dodano możliwość exportu w wszystkich tabach przekazywania danych.

September 12, 2024
4.4.1

Bug Fixed a bug that displayed ‘No data’ in the dashboard for training courses.

Bug Fixed a bug that displayed the wrong legal basis in the Sharing module

July 9, 2024
4.4.0

Bug A bug has been fixed which prevented a box from being attached to the Rights of Persons.

Bug Fixed a bug that caused training courses completed more than a year ago not to be reset

Bug Corrected a bug that caused incorrect display of completed processes in the Dashboard

Function Added option to preview a file by clicking directly on its name.

July 2, 2024
4.3.2

Bug Fixed a bug that blocked the ability to log in to some ADOs

June 21, 2024
4.3.1

Bug Data transfer->Entrustment->Entrustment Fixed the "Meeting the requirements of GDPR" filter.

Function The ability to scroll and zoom in on image files during preview has been added.

Function Changed the colours and order of the buttons in the file repository

Bug A bug that incorrectly calculated the % compliance in Pillar 3 has been fixed.

May 24, 2024
4.3.0

Bug A bug preventing more than one authorisation from being downloaded has been fixed.

Function Added description of field in RoPA

Function Swapped awareness tile with security features

Function Unified responses in the RoPA form

Function The heading in the table in the rights of persons has been changed.

Bug Training reset functions have been fixed.

May 17, 2024
4.2.0

Bug File repository: Incorrect message when generating a preview for a file - Fixed

Bug File repository: Unable to use the "Preview" function - Fixed

Bug File repository: The percentage of people who have read the document is rounded down. - Fixed

Bug File repository: Incomplete translation in the interface with English - Fixed

January 31, 2024
4.1.1

Function Improving the generation of logins for new users in a given ADO

Function The default filter in the "Status" field is empty, as a result of which all applications are displayed, including those that have been resolved.

Function Improving the numbering function of Rights of Persons notifications

Function A checkbox has been added to disable email notification when creating a new user.

Function Adding additional fields after exporting RCP and RKCP to Excel [Field UPDATE].

Function Blocking the display (not displaying) of empty collections in the process tree and blocking the possibility of selecting a collection in the entrustment (without selecting a process)

Function Improving the history of changes to entrustments [Showing the original entry as well as the updated one].

Function Addition of a "Technical Access" option which removes users from reports and the users tab.

Function Ability to make wholesale changes to users Change profile Delete Deactivate + add change to the number of rows displayed

Function The creation of a message queuing script.

Function Adding the possibility of logging in via Google and Microsoft accounts

Function A bug causing spaces to be added when creating logins has been fixed.

January 23, 2024
4.1.0

Function Accountability for completed training

Bug The model RoPA was not modelled, depending on the user everyone saw a different RoPA. - Fixed

Bug Improved sorting by application number, with the middle number first and then the first number.

Function Addition of a "Scope of modification" filter in the register of changes

December 12, 2023
4.0.4

Bug Removed bug where SODO always set the language of the login screen to English

Add branches (organisational units)

  • The branch functionality will be useful to you if you work in a medium or large organisation. It will allow you to group users together (e.g. Kraków branch, Warsaw branch, Gdańsk branch) and to grant managers ‘slice’ access to users from a particular branch. If your organisation is small and does not have an extensive structure, you can skip this step.
  • To add a new branch, go to the Branches functionality in the main menu on the left. Click on the Add button.
  • Obligatorily enter the name of the branch (e.g. Head Office - Warsaw). Optionally, fill in your contact details and e-mail address. We particularly recommend that you complete this last piece of information. It is to the e-mail address provided here that system messages will be sent to users who do not have their own e-mail address (e.g. production staff). Confirm your changes and click on the button in the bottom right-hand corner Save. There you have it! From now on, when adding new users, you can assign them to a particular branch.

Add key users and nominate a DPO

  • You can already add key users. This will primarily be the DPO (if appointed) and the managers of each branch (if you wish to entrust them with access to the user data grouped in those branches). To add a user, go to the functionality in the main menu on the left-hand side of the Users page and then click Add.
  • Go to the functionality in the main menu on the left My ADO -> Users -> Add.To add a new branch, go to the Branches functionality in the main menu on the left. Click on the Add button.
  • Obligatorily enter the name of the branch (e.g. Head Office - Warsaw). Optionally, fill in your contact details and e-mail address. We particularly recommend that you complete this last piece of information. It is to the e-mail address provided here that system messages will be sent to users who do not have their own e-mail address (e.g. production staff). Confirm your changes and click on the button in the bottom right-hand corner Save. There you have it! From now on, when adding new users, you can assign them to a particular branch.

Training

Dowiedz się jak zarządzać szkoleniami z zakresu ochrony danych osobowych. Z poradnika dowiesz się jak monitorować progres realizacji szkoleń e-learnigowych, jak wygenerować raport ze szkoleń, jak oznaczyć szkolenie do realizacji lub jako ukończone

Monitoring of training implementation and report generation

  • To access the functionality for monitoring training delivery and generating a report, click on the Training -> Training Reports tab.
  • On the banner at the top you can see the level of training delivery: how many people are trained and how many have not yet completed training.
  • Remember that a user with admin privileges sees the statistics and training delivery of all users of a particular ADO. A user with manager privileges sees the statistics and data associated with his/her department only.
  • For easier data analysis, use the built-in filters. To do this, select the criteria you are interested in (Branch, Status, User, Training Completion Date) and then click on the Filter button.
  • To download the training report in Excel table format, click on the Download Report button.

Marking training as completed

  • You will find the Mark training as completed functionality useful in two cases. Firstly, if the user in question has already completed the training, but in a different form (e.g. in desktop training). Secondly, if he/she has completed the training in SODO, but for technical reasons (e.g. temporary loss of internet access), the training progression has not been retained.
  • To access the functionality for marking training as completed, click on Training -> Training Reports.
  • Find the user to whom you want to mark the training as completed. The most convenient way to do this is to use the search engine (enter the details of the person you want to mark as completed in the User field and then click Filter). Click on the Actions button next to the user in question and then - Mark as completed.
  • Remember that RODO is about accountability. Therefore, enter the relevant date of completion of the training (e.g. onsite) and an appropriate comment (e.g. User completed onsite training organised by Janina Nowak). Confirm your changes with the Save button
  • And there you have it! The user's training has been marked as completed. This will be accompanied by an appropriate annotation (comment, date and details of the user marking the training as completed). If an action was associated with the completion of a training course (e.g. the awarding of an authorisation or a post-training certificate), these will be automatically generated.

Marking the training for completion

  • The Mark training for completion functionality will come in handy for you in two cases. Firstly, if the user in question has completed the training, but a long time has passed since the incident and you want to re-train him/her. Secondly, if the user in question has, for example, contributed to a data protection breach and you want to re-train him or her as one of the remedies.
  • To access the functionality for marking training for redelivery, click on Training -> Training Reports.
  • Find the user you want to retrain. You will do this most conveniently using the search engine (enter the details of the person you want to re-train in the User field and then click Filter). Click on the Actions button next to the user in question and then - Mark for completion.
  • And now! The user's training has been marked as Not Started. The user will receive an automatic email notification to this effect. The action you take will not affect the authorisations and certificates already granted to this user (they will not be automatically withdrawn).

Training - bulk activities

In the training report we can perform two bulk operations, these are:

  1. "Mark selected for delivery" - this will reset the training status and send an email notification of the training to the user.
  2. "Mark selected as completed" - when we use this function, a window will appear in which we select the date of completion of the training and, if necessary, a comment, e.g. "Training completed in stationary". When we click on the "Save" button, the training changes its status to "Completed".

In order to perform bulk actions, we need to tick the relevant checkboxes next to the trainings you want to change. We can also check the checkbox in the column header which will select all the trainings that are currently displayed on the screen, if we want to select more people we need to go to the very bottom of the table and then select from the drop-down list how many people we want to display.

Adding users

  • To add a user to SODO, click on the tab: Users and then on the Add button.
  • Complete the details on the user you wish to add to the system:
    • Name
    • Surname
    • Login (automatically generated on a first and last name basis) - you do not need to make any changes in this field. Remember that the user will be able to log in to SODO with both his/her login and e-mail address. Therefore, do not attach undue importance to the login you assign to him/her;
    • E-mail - Enter the employee's work e-mail address. It is to the e-mail address indicated in this field that messages from the SODO system will be directed (e.g. about the creation of a user account, about e-learning training courses, about granted / withdrawn authorisations). If you do not enter any e-mail address in this field (because, for example, you are creating an account for an employee from the production department who does not have his own e-mail address), system messages will be sent to the e-mail inbox of the department to which the user is assigned. In most cases, this will be your e-mail inbox. Your task will be to pass on the access link to the employee added in this way;
    • Role - You do not have the option to edit this field. Each user you add will be assigned by default to the primary role (permissions) - Employee (ADO role). This role allows access to the e-learning courses assigned to the profile and the user's own data processing authorisation / certificate;
    • Branch - You do not have the option to edit this field. Each user you add will be assigned by default to the same branch you are assigned to;
    • Profile - select, depending on which position the newly added user has. It is under the profiles that the relevant training courses (e.g. RODO basics, RODO in HR) and authorisation ranges are assigned;
  • Once the information has been completed, click on the Save button at the bottom right of the screen. The user has been added to the system and an activation email has been sent to their email address.

Risk assessment

Funkcjonalność zarządzania ryzykiem pozwala Ci na realizację i ewidencjonowanie: ocen ryzyka, preDPIA i DPIA, testów równowagi oraz audytów RODO i cyberbezpieczeństwa. Dowiedz się jak w praktyce realizować RODO-wskie „risk based approach”, czyli podejście oparte na ryzyku.

Risk assessments

  • From the main menu, click on Risk Management and then Risk Assessments.
  • The functionality is divided into two sections: For the organisation (here you will carry out a risk assessment for the whole organisation) and For processes or processing methods (here you will carry out a risk assessment for individual processes from RCP or other activities - e.g. remote working). You can switch between the two sections using the TABs at the top of the functionality.
  • The first step to adding a risk assessment is to download our proven template for the implementation of risk assessments. You can, of course, also use your own templates, but our continuously updated template has already passed numerous PUODO and Administrators' inspections and is proven in practice.
  • Complete the downloaded file and then click on the orange button at the top - Add Assessment. Fill in all the information (don't forget to attach the completed template!) and then click Save.
  • To view the details of an entry - click on the grey ‘+’ button on the left.

DPIA

  • From the main menu, click on Risk Management and then DPIA.
  • The functionality is divided into two sections: preDPIA (here you will verify for which process a DPIA will be required) and DPIA (here you will carry out a DPIA if it becomes necessary based on the preDPIA analysis you have carried out). You can switch between the two sections using the TABs at the top of the functionality.
  • The first step to adding a preDPIA or DPIA is to download our proven template. You can, of course, also use your own templates, but our continuously updated template has already passed through numerous PUODO and Administrators' checks and is proven to work.
  • Complete the downloaded file and then click on the orange button at the top - Add preDPIA or Add DPIA (depending on which tab you are in). Complete all the information (don't forget to attach the completed template!) and then click Save.
  • To view the details of an entry - click on the grey ‘+’ button on the left.

Balance tests

  • In the main menu, click on Risk management and then Balancing tests.
  • The first step to adding a balance test is to download our proven template. You can, of course, also use your own templates, but our continuously updated template has already passed numerous PUODO and Administrators' checks and is proven in practice.
  • Complete the downloaded file and then click on the orange button at the top - Add test. Fill in all the information (don't forget to attach the completed template!) and then click Save.
  • To view the details of an entry - click on the grey ‘+’ button on the left.

GDPR and cyber security audits

  • In the main menu, click on Risk Management and then on Audits.
  • The functionality is divided into two sections: RODO compliance audit andDPIA cyber security audit. You can switch between the two sections using the TABs located in the functionality at the top.
  • The first step to adding an audit is to download our proven template. You can, of course, also use your own templates, but our continuously updated template has already passed through numerous PUODO and Administrators' audits and is proven in practice.
  • Complete the downloaded file and then click on the orange button at the top - Add Audit. Fill in all the information (don't forget to attach the completed template!) and then click Save.
  • To view the details of an entry - click on the grey ‘+’ button on the left.

Records

W SODO możesz prowadzić wszystkie kluczowe rejestry: Rejestr Czynności Przetwarzania (RCP), Rejestr Kategorii Czynności Przetwarzania (RKCP), rejestr przekazywania danych, rejestr naruszeń oraz rejestr realizacji praw osób. W tej sekcji pomocy dowiesz się jak to zrobić.

RoPA

  • In the main menu on the left, click on Registers and then on RoPA.
  • To facilitate the management of the RoPA, it is divided in layers: into personal data sets and then into the processes (processing activities) that are within those sets. We strongly encourage you to maintain this division - it makes it easier to manage the register. However, if for some reason you want to keep in the Register only a list of processes (processing activities), without assigning them to data sets - nothing simpler! Create one dataset (e.g. named Processing activities), and then add all processes within it.
  • The first step to complete the RoPA is to add all datasets and all processes (processing activities) within each dataset. To add a new dataset - click on the orange button at the top - Add Dataset. Then enter the name of the dataset (avoid ‘/’ characters and long dataset names - SODO will accept them, but you will not be able to export them to Excel) and all the process names within that dataset and click Save.
  • Congratulations! RoPA has been completed to a basic extent. From now on, you can, among other things, grant authorisations and entrustments and releases by linking them to specific collections and processes.
  • The second step to complete the RoPA is to complete the details of each process (processing activity). To do this, click on the grey ‘+’ button to the left of the dataset name to expand the list of all processes assigned to that dataset. Then, click on Actions next to the process you wish to complete and select Complete Details.
  • Practical tip - if you plan to add any entrustment of data processing that is linked to multiple processes (e.g. outsourcing to external IT) - do not do it from the level of completing individual processes. It is much quicker and simpler to add such an entrustment from the Data Transfer -> Entrustment functionality level. In this way you can add one delegation, which you can automatically link to e.g. 30 processes. This will save you a lot of time!
  • To download the RoPA to an Excel file - click on the "Export" button at the top.

Model RoPA

  1. At the very beginning of the creation of the RCP, werecommend the use of the Model RCP, this is a template for processing activities that is found in almost every company. To use it, click the button ‘Modelowy RCP’.
  2. Now we see the model RCP window we have two options either to copy entire collections or to copy specific processes. 
  3. If you want to copy the entire collection: Select the collection you are interested in then click actions -> Copy to your RCP:
  4. Następnie pojawi nam się okno wyboru ADO do którego chcemy skopiować zbiór, wybieramy interesujące nas Ado i klikamy Zatwierdź 
  5.  Każdy skopiowany proces należy zweryfikować czy pokrywa się faktycznie z działalnością naszej firmy. 
  6.  To verify or complete the process, we find it in the selected collection and then click Actions -> Complete Details: 
  7. If we only want to copy one process from the collection of interest, we proceed in a similar way. Click the ‘+’ button next to the collection name.

How to filter and search for unfilled processes in the RoPA Processing Activity Register?

Click in the navigation menu on the left on the tab Records -> RopA

Click on the filter Completion status i wybierz z rozwijanej listy: NieuzupełnioneConfirm your settings with the orange Filter button.

In the list of datasets and processes, you now only see datasets with processes that are not 100% complete. You can check the detailed completion level of a process by clicking on the ‘+’ button to the left of the dataset. The completion level of a given dataset will be located in the ‘Completion status’ column.

If you want to restore the original view of the RoPA (with a view of all collections and processes) - reset the filters by clicking on the button Resetuj.

RoACoPA

  • In the main menu on the left, click on Registers and then on RoACoPA.
  • To add a new entry in the RoACoPA, click on the orange button Add entrustment. Fill in the details of the entrustment and then click on the Save button.
  • To view the details of a particular entrustment - click on the grey ‘+’ button to the left of the processing activity category name.

Register of breaches

  • In the main menu on the left, click on Breaches.
  • To add a new data protection breach, click on the orange Add button. Complete the details of the breach and then click on the Save button.
  • When adding a new entry, remember to use the automatic breach risk assessment functionality. This will make it easier for you to qualify the breach and decide whether to (not) report it to PUODO and (not) notify data subjects. To make such a calculation, click on the orange Add Calculation button located in the INFRINGEMENT ASSESSMENT section.
  • To view the details of a particular breach - click on the grey ‘+’ button to the left of the breach in question.
  • To download the violation register to an Excel file - click on the grey button at the top - Export.

Register of the exercise of the rights of individuals

  • In the main menu on the left, click on Rights of individuals.
  • To add a new request to exercise the rights of data subjects, click on the orange Add button. Fill in the details of the request and then click on the Save button.
  • To view the details of a particular application for the exercise of rights - click on the grey ‘+’ button to the left of the respective application.
  • To download the register of the realisation of people's rights into an Excel file - click on the grey button at the top - Export to XLSX.

Record of data transmission

  • W menu głównym po lewej stronie kliknij w Przekazywanie danych, a następnie Powierzenie (jeśli chcesz przejrzeć rejestr powierzeń) lub Udostępnienie (jeśli chcesz przejrzeć rejestr udostępnień).
  • Remember that both registers are divided into two sections: transferring data BOTH to your organisation (the default section) and transferring data TO your organisation.
  • You can switch between the two sections using the TABs at the top of the register (Entrust / Entrust and Share / Share Data).
  • To add a new request to exercise the rights of data subjects, click on the orange Add button. Fill in the details of the request and then click on the Save button.
  • To add a new transfer entry, click on the orange Add button. Fill in the details and then click on the Save button.
  • To view the details of an entry - click on the grey ‘+’ button on the left.
  • Remember that the Data Transfer registers are bilaterally coupled with RoPA and RoACoPA As a result, all changes made in RoPA will automatically translate in the Data Transfer registers. Conversely, if you add, for example, a new data acceptance in the entrustment, it will automatically appear in the RoACoPA.

Deleting and deactivating users

  • What is the difference between deactivation and deletion? A deactivated user leaves a ‘footprint’ in the system - you can check the history of their authorisations (once deactivated, the authorisation of such a user is automatically revoked), training courses or activity in SODO. Deleting a user results in the ‘hard’ deletion of all data on that user. It has a permanent and irreversible effect, so only use this functionality as a last resort (e.g. as a result of adding a user by mistake). Both deleted and deactivated users do not count towards the limit of active users.
  • To deactivate/delete a user in SODO, click on the tab: Users, then on the Actions button next to the respective user and select Deactivate or Delete from the drop-down list. Remember to use the Delete action as a last resort!

Authorizations

Funkcjonalność „Upoważnienia” umożliwia zarządzanie i kontrolę nad nadanymi oraz wycofanymi upoważnieniami do przetwarzania danych osobowych. W tej sekcji pomocy dowiesz się w jaki sposób nadawać, wycofywać, usuwać, a także pobierać upoważnienia do plików PDF.

Where can I find the Authorisation functionality?

  • In the main menu, click on Authorisations.
  • From this level, you can view all granted and withdrawn authorisations using the built-in filters and grant, delete and withdraw authorisations. The following help sections will be dedicated to these functions.

When is authorisation automatically granted?

  • Authorisations are granted automatically once the user has successfully completed all the training required for authorisation.

How do you grant ‘manual’ authorisations?

  • If you wish to authorise the processing of personal data "manually" (without waiting for automatic authorisation after training), go to Authorisations in the main menu.
  • Click on the Add button, and then complete all the data: select the user, complete the date of authorisation (by default, this will be the current date) and indicate the scope of authorisation (by default, the scope of authorisation will be linked to the profile associated with the user, but you can also change it individually).
  • Click on the Save button. The data processing authorisation has just been granted.

How do I download the data processing authorisation into a PDF file?

  • If you wish to download a data processing authorisation as a PDF file, go to Authorisations in the main menu.
  • Click on the Actions button and then on Download document. This will download the authorisation into a PDF file.
  • If you wish to download several authorisations - click the white empty square in the top left corner of the table with the list of authorisations. This will cause a new button to appear at the top (directly below the banner with the statistics of the authorisations granted): Download. Click on it and you will download multiple authorisations into a PDF file.

How do I set the terms of reference?

  • In the SODO, there are 2 ways to set authorisation ranges, i.e. the access of a given employee to specific data sets and processing.
  • The first way is to automatically assign authorisations under the profile (position) of a given user. This is the method we recommend most highly - it saves a lot of time and maximises the automation of the authorisation process. How to link employee profiles (positions) is described in detail in the Quick start help section. Click here to go to the relevant help section.
  • The second way is to manually assign authorisations when adding/editing individual authorisations. This is a more time-consuming method and may be particularly useful in the case of, for example, an employee who has a specific job title (e.g. Sales Clerk), but due to additional competences (e.g. sitting on a social committee) gains access to non-standard data sets. The manual granting of authorisations is described in the third section of this help tab.

How to delete and withdraw authorisations?

  • There are 2 ways to delete authorisations in SODO: withdrawal and deletion.
  • Most often you will use the option to withdraw an authorisation. It will come in handy whenever you want to accountably withdraw an authorisation from an employee (e.g. due to an employee's termination or change of position). The withdrawn authorisation remains in the register, but its status is "Withdrawn". To withdraw an authorisation, go to the Authorisations functionality, then click on the Actions button next to the particular authorisation you wish to withdraw and click Withdraw. Note that authorisations are also automatically withdrawn for all users who are deactivated. The process for deactivating employees is described in the Users help section. Click here to go to the relevant help section.
  • In exceptional circumstances, you may wish to delete a given authorisation. This may be useful if, for example, the authorisation in question was granted prematurely or in error. Please note that the process of deleting an authorisation is irreversible and no entry will be left in the authorisation register after the deleted authorisation.

Generation of a password reset link for the user

  • The function for generating a password reset link will come in handy if someone on your team asks you to resend access to their account. This can be caused, for example, by mistakenly deleting the email with the activation link (as a result of it being treated as a phishing attempt), forgetting the password, expiry of the activation link (for security reasons, the link is for single use only).
  • Remember to get users used to using SODO on their own as much as possible. Anyone can reset their password using the Forget Password functionality available from the SODO login panel (https://v3.sodo.com.pl). The whole procedure is very simple and is described in the user manual, to which every message activating the account of any user links.
  • If, for some reason, this is not possible, each Admin and Manager has the authority to resend the account activation link to the user in question. To do this, go to the Users tab. Then click on Actions and then on Reset password. And there you have it! The new activation link for SODO has just been sent to the user in question.

Export of users

  • You can export all users, e.g. for reports or statements.
  • To export users, click on the tab: Users and then on the Export button. You can now download a list of all users in CSV format. You can easily edit the downloaded file using Microsoft Excel or other spreadsheet software (e.g. Calc or Google Sheets).

Payments and security

Here you will find questions and answers about payment and the service delivery process.

What forms of payment do you accept?

You can purchase SODO using PAYNOW instant payments (instant transfer, BLIK, credit card). We also allow access to the system on the basis of a standard bank transfer in the order form. Access to the platform and the invoice will be provided as soon as the payment is credited to our account.

What are the conditions for returns?

We do not offer refunds. If you cancel your plan before the next renewal cycle, you will retain access to paid features until the end of your subscription period. Once your subscription expires, you will lose access to paid features and all data associated with those features.

Can I install SODO on a company server?

We are passionate about modern and secure cloud solutions, which is why we do not offer an internally hosted version of SODO.

Where is the SODO data located?

All data used by SODO is located in OVH's server facilities within the EEA and is not transferred to third countries. The main server is located in OVH's data centre in Warsaw, backup data on OVH's server in France.

How long will I have to wait to access the package I have purchased?

In the case of choosing instant payment via PAYNOW - immediately after payment processing. In the case of payment by standard bank transfer - immediately after the transfer is credited to our account. If you wish to speed up the process of accessing SODO - please send the transfer confirmation to the following address kontakt@lex-artist.pl

How are packages for multiple Administrators (e.g. under Multi-DPO) billed?

The packages are billed per organisation (ADO). Thus, if you plan to use SODO within the PREMIUM package for the benefit of 2 ADOs (as Multi-IOD or Capital Group) within which each has up to 10 users, the price of the application will amount to 2×280 = PLN 560 net per month. If you will be handling more than 2 ADOs within SODO - please contact us for indywidualną wycenę.

Rights of individuals

W SODO posiadamy rejestr realizacji praw osób, dodatkowo możemy zintegrować go z własną skrzynką e-mailową.

Konfiguracja skrzynki mailowej do modułu Prawa osób - które maile zostaną zaimportowane do rejestru?

If you configure an email box for People's Rights under ADO Configuration -> Email Inboxes -> People's Rights, only new messages will go into the register. That is, those that have already arrived in the inbox after the inbox has already been "connected" to SODO. SODO will not acquire into the Rights of Persons module any messages that were in the inbox before the moment of configuration.

The same principle will apply whether you set up your mailbox after Gmail, Microsoft or IMAP.

Konfiguracja skrzynki mailowej do modułu Prawa osób - jakie nazwy folderów wskazać?

In order for the SODO system to correctly interpret which folders to retrieve messages from, you must tell it the names of the folders.

Very important! It is best to follow the next steps in your browser in incognito/inprivate mode. This will "hook" your Microsoft/Google email box to SODO according to your preferences. And not the email box you are currently logged into in the browser you use every day.

The standard folder names used by Microsoft Exchange (Outlook) and Google Workspace (Gmail), for example, are:

NOTICE! The names of the above-mentioned folders may differ if you use other language versions of the Microsoft / Google suite or if you have changed the default folder names to your own.

Also bear in mind that other email providers may use different inbox and SPAM folder names. For example:

Folder Otrzymane: inbox / odbiorcze / otrzymane / mailbox / MAILBOX

Folder SPAM: spam / junk / junkbox

For the correct configuration of the mailbox, the character size (lower/upper case) and each character (including invisible SPACE characters) are important.

How do I link two requests for the exercise of RODO rights within the Rights of Persons functionality?

You can make use of the functionality that allows you to combine several requests for the exercise of your RODO rights if, for example, you receive several complaints/requests on the same subject from the same applicant in error.

In this case, you can combine several requests for the exercise of your RODO rights into one request.

To access the functionality for linking applications, click on the Rights of Persons tab.

Then select the redundant application you want to merge with another application, click on Actions -> Merge with another application. Select the application with which you want to merge. As a result, the application on which you have performed the merge action will be 'linked' to the application you indicate in the drop-down list.

Important - if you want to merge requests that have come into the register automatically (from an email inbox connected to SODO), both merged requests must come from the same sender.

Użytkownicy - Działania hurtowe

The bulk actions we can perform on users are:

  • Change profile
  • Change role
  • Change of branch
  • Delete
  • Deactivation

To perform bulk actions, we need to check the box next to the people whose data we want to change. We can also check the checkbox in the column header, this will select all the people we currently display on the page, if we want to select more people, go to the bottom of the table and then select from the drop-down list how many people you want to display.

Important!

In the event of a change of profile, all the authorisations of the persons concerned will be withdrawn and then reassigned under the new scope of authorisation which is assigned to the profile in question.

How to download the GDPR implementation level report?

  • After logging into SODO, you will immediately reach the Dashboard. If you are currently using some other functionality, you will get to the Dashboard by clicking on the first item in the navigation menu on the left: Dashboard.
  • Click the button located in the first yellow tile: Download report. Done! The PDF report has just been downloaded to your device. For better accountability, we encourage you to download such reports periodically (e.g. monthly or quarterly). In the event of an audit by the DPA or the Administrator, this will be invaluable proof of your ongoing monitoring and improvement of your RODO compliance.

How does SODO assess each area?

  • Ratings in the dashboard are assigned at two levels: global (for each of the 5 Pillars) and local (for the individual areas that make up each Pillar).
  • The global ratings (for each of the 5 Pillars) are derived from the ratings in the individual areas (tiles) that make up the Pillar. SODO adds up the level of compliance with the RODO in all active tiles (green, yellow or red) and then calculates the percentage level of compliance within the respective Pillar. Please note that the following do not count towards the assessment: deactivated (greyed out) tiles and information tiles (marked in blue)
  • Local ratings (for the individual areas that make up a particular pillar) are given according to a criterion adopted by our experts. To find out the evaluation criteria, move the mouse cursor over the top left-hand corner of the respective tile (with an ‘i’ icon). For each tile, the criterion is different and depends on the specifics of the area. For example, to receive a good (green) score for the Training tile, a minimum of 90% of users must be trained.

File repository

Statistics

In the file repository functionality, we can preview each file by clicking on its name or by clicking "Actions->Preview". Each file has statistics that tell us how many people have viewed the file. To access the statistics, click on "Actions->Statistics".

We will be presented with a window divided into two bars:

  • Users who Have Viewed the File - Here you will see those who have used the preview option directly from the system and those who have received a link to the file and used it.
  • Users who have not Displayed the file - all persons who have received a link to the file but have not yet used it will appear here.

At the top we have information on what percentage of people have read the document.

In addition, at the very bottom we can increase the number of people who appear on our screen at the same time by selecting the appropriate number from a drop-down list.

Sending a mailing with a link to a file

To send a link to a file, use the 'Mailing' functionality.

Go to functionality and then click on the 'Add' button in the top right corner.

We complete the description of the mailing with its subject and the ADO to whom the mailing is to be addressed.

We then indicate the recipients and here a new option has appeared: "

After selecting the file [Important! Only one file can be selected] we will see a new variable to choose from called "Link to file". 

We complete the content of the mailing and insert a variable in the body of the mailing. Finally, click the "Save and send" button at the bottom right of the screen.

How do I deactivate a tile in the dashboard?

  • You can deactivate each tile with a detailed RODO compliance assessment in a particular area by clicking on the ‘V’ icon in the top right corner. Deactivation can come in handy if, for example, you do not use a particular SODO functionality and do not want its shortcomings to undermine your level of RODO compliance. As we mentioned in the previous help section - deactivated tiles do not count towards assessments.
  • Remember that the process of deactivating tiles is fully reversible. This means that you can reactivate a tile at any time. The deactivation process also has no effect on the data stored in SODO. So, for example, if you deactivate a tile indicating the value ‘3’, when you reactivate the tile it will also indicate the value ‘3’.

How does SODO assess the different areas in the dashboard?

Ratings in the dashboard are assigned at two levels: global (for each of the V Pillars) and local (for the individual ‘tiles’ that make up the Pillar).

  • Global rating (for each of the V Pillars) are derived from the ratings in the individual areas (tiles) that make up the respective pillar. SODO sums up the level of compliance with RODO in all active tiles (green, yellow or red) and then calculates the percentage level of compliance within the respective Pillar. According to the following algorithm:

    • 3 points for a green tile (high RODO compliance), 1 point for a yellow tile (average RODO compliance), 0 points for a red tile (low or no RODO compliance).

    • Example: in Pillar II (Awareness) we have two tiles: Training and Empowerment. If both tiles are active and one of them is yellow (and thus will receive 1 point) and the other is red (and thus will receive 0 points), this will result in: 1 + 0 = 1. That is to say, out of 6 possible points (2 x 3 maximum points if both tiles were green) in Pillar II, we will have only 2/6 compliance, or 16%. Therefore, this Pillar will receive a red colour indicating a low level of compliance.

    • Remember that the following do not count towards the assessment: deactivated (greyed out) tiles and information tiles (marked in blue)

  • Local rating (for the individual ‘tiles’ that make up a given pillar) are assigned according to a criterion adopted by our experts. To find out the evaluation criteria, move the mouse cursor over the top left-hand corner of the respective tile (with an ‘i’ icon). For each tile, the criterion is different and depends on the specifics of the area. For example, to receive a good (green) score for the Training tile, a minimum of 90% of users must be trained.

Monitoring of training implementation and report generation

  • To access the functionality for monitoring training delivery and generating a report, click on the Training -> Training Reports tab.
  • On the banner at the top you can see the level of training delivery: how many people are trained and how many have not yet completed training.
  • Remember that a user with admin privileges sees the statistics and training delivery of all users of a particular ADO. A user with manager privileges sees the statistics and data associated with his/her department only.
  • For easier data analysis, use the built-in filters. To do this, select the criteria you are interested in (Branch, Status, User, Training Completion Date) and then click on the Filter button.
  • To download the training report in Excel table format, click on the Download Report button.

Marking training as completed

  • You will find the Mark training as completed functionality useful in two cases. Firstly, if the user in question has already completed the training, but in a different form (e.g. in desktop training). Secondly, if he/she has completed the training in SODO, but for technical reasons (e.g. temporary loss of internet access), the training progression has not been retained.
  • To access the functionality for marking training as completed, click on Training -> Training Reports.
  • Find the user to whom you want to mark the training as completed. The most convenient way to do this is to use the search engine (enter the details of the person you want to mark as completed in the User field and then click Filter). Click on the Actions button next to the user in question and then - Mark as completed.
  • Remember that RODO is about accountability. Therefore, enter the relevant date of completion of the training (e.g. onsite) and an appropriate comment (e.g. User completed onsite training organised by Janina Nowak). Confirm your changes with the Save button
  • And there you have it! The user's training has been marked as completed. This will be accompanied by an appropriate annotation (comment, date and details of the user marking the training as completed). If an action was associated with the completion of a training course (e.g. the awarding of an authorisation or a post-training certificate), these will be automatically generated.

Marking the training for completion

  • The Mark training for completion functionality will come in handy for you in two cases. Firstly, if the user in question has completed the training, but a long time has passed since the incident and you want to re-train him/her. Secondly, if the user in question has, for example, contributed to a data protection breach and you want to re-train him or her as one of the remedies.
  • To access the functionality for marking training for redelivery, click on Training -> Training Reports.
  • Find the user you want to retrain. You will do this most conveniently using the search engine (enter the details of the person you want to re-train in the User field and then click Filter). Click on the Actions button next to the user in question and then - Mark for completion.
  • And now! The user's training has been marked as Not Started. The user will receive an automatic email notification to this effect. The action you take will not affect the authorisations and certificates already granted to this user (they will not be automatically withdrawn).

Training - bulk activities

In the training report we can perform two bulk operations, these are:

  1. "Mark selected for delivery" - this will reset the training status and send an email notification of the training to the user.
  2. "Mark selected as completed" - when we use this function, a window will appear in which we select the date of completion of the training and, if necessary, a comment, e.g. "Training completed in stationary". When we click on the "Save" button, the training changes its status to "Completed".

In order to perform bulk actions, we need to tick the relevant checkboxes next to the trainings you want to change. We can also check the checkbox in the column header which will select all the trainings that are currently displayed on the screen, if we want to select more people we need to go to the very bottom of the table and then select from the drop-down list how many people we want to display.

Risk assessments

  • From the main menu, click on Risk Management and then Risk Assessments.
  • The functionality is divided into two sections: For the organisation (here you will carry out a risk assessment for the whole organisation) and For processes or processing methods (here you will carry out a risk assessment for individual processes from RCP or other activities - e.g. remote working). You can switch between the two sections using the TABs at the top of the functionality.
  • The first step to adding a risk assessment is to download our proven template for the implementation of risk assessments. You can, of course, also use your own templates, but our continuously updated template has already passed numerous PUODO and Administrators' inspections and is proven in practice.
  • Complete the downloaded file and then click on the orange button at the top - Add Assessment. Fill in all the information (don't forget to attach the completed template!) and then click Save.
  • To view the details of an entry - click on the grey ‘+’ button on the left.

DPIA

  • From the main menu, click on Risk Management and then DPIA.
  • The functionality is divided into two sections: preDPIA (here you will verify for which process a DPIA will be required) and DPIA (here you will carry out a DPIA if it becomes necessary based on the preDPIA analysis you have carried out). You can switch between the two sections using the TABs at the top of the functionality.
  • The first step to adding a preDPIA or DPIA is to download our proven template. You can, of course, also use your own templates, but our continuously updated template has already passed through numerous PUODO and Administrators' checks and is proven to work.
  • Complete the downloaded file and then click on the orange button at the top - Add preDPIA or Add DPIA (depending on which tab you are in). Complete all the information (don't forget to attach the completed template!) and then click Save.
  • To view the details of an entry - click on the grey ‘+’ button on the left.

Balance tests

  • In the main menu, click on Risk management and then Balancing tests.
  • The first step to adding a balance test is to download our proven template. You can, of course, also use your own templates, but our continuously updated template has already passed numerous PUODO and Administrators' checks and is proven in practice.
  • Complete the downloaded file and then click on the orange button at the top - Add test. Fill in all the information (don't forget to attach the completed template!) and then click Save.
  • To view the details of an entry - click on the grey ‘+’ button on the left.

GDPR and cyber security audits

  • In the main menu, click on Risk Management and then on Audits.
  • The functionality is divided into two sections: RODO compliance audit andDPIA cyber security audit. You can switch between the two sections using the TABs located in the functionality at the top.
  • The first step to adding an audit is to download our proven template. You can, of course, also use your own templates, but our continuously updated template has already passed through numerous PUODO and Administrators' audits and is proven in practice.
  • Complete the downloaded file and then click on the orange button at the top - Add Audit. Fill in all the information (don't forget to attach the completed template!) and then click Save.
  • To view the details of an entry - click on the grey ‘+’ button on the left.

RoPA

  • In the main menu on the left, click on Registers and then on RoPA.
  • To facilitate the management of the RoPA, it is divided in layers: into personal data sets and then into the processes (processing activities) that are within those sets. We strongly encourage you to maintain this division - it makes it easier to manage the register. However, if for some reason you want to keep in the Register only a list of processes (processing activities), without assigning them to data sets - nothing simpler! Create one dataset (e.g. named Processing activities), and then add all processes within it.
  • The first step to complete the RoPA is to add all datasets and all processes (processing activities) within each dataset. To add a new dataset - click on the orange button at the top - Add Dataset. Then enter the name of the dataset (avoid ‘/’ characters and long dataset names - SODO will accept them, but you will not be able to export them to Excel) and all the process names within that dataset and click Save.
  • Congratulations! RoPA has been completed to a basic extent. From now on, you can, among other things, grant authorisations and entrustments and releases by linking them to specific collections and processes.
  • The second step to complete the RoPA is to complete the details of each process (processing activity). To do this, click on the grey ‘+’ button to the left of the dataset name to expand the list of all processes assigned to that dataset. Then, click on Actions next to the process you wish to complete and select Complete Details.
  • Practical tip - if you plan to add any entrustment of data processing that is linked to multiple processes (e.g. outsourcing to external IT) - do not do it from the level of completing individual processes. It is much quicker and simpler to add such an entrustment from the Data Transfer -> Entrustment functionality level. In this way you can add one delegation, which you can automatically link to e.g. 30 processes. This will save you a lot of time!
  • To download the RoPA to an Excel file - click on the "Export" button at the top.

Model RoPA

  1. At the very beginning of the creation of the RCP, werecommend the use of the Model RCP, this is a template for processing activities that is found in almost every company. To use it, click the button ‘Modelowy RCP’.
  2. Now we see the model RCP window we have two options either to copy entire collections or to copy specific processes. 
  3. If you want to copy the entire collection: Select the collection you are interested in then click actions -> Copy to your RCP:
  4. Następnie pojawi nam się okno wyboru ADO do którego chcemy skopiować zbiór, wybieramy interesujące nas Ado i klikamy Zatwierdź 
  5.  Każdy skopiowany proces należy zweryfikować czy pokrywa się faktycznie z działalnością naszej firmy. 
  6.  To verify or complete the process, we find it in the selected collection and then click Actions -> Complete Details: 
  7. If we only want to copy one process from the collection of interest, we proceed in a similar way. Click the ‘+’ button next to the collection name.

How to filter and search for unfilled processes in the RoPA Processing Activity Register?

Click in the navigation menu on the left on the tab Records -> RopA

Click on the filter Completion status i wybierz z rozwijanej listy: NieuzupełnioneConfirm your settings with the orange Filter button.

In the list of datasets and processes, you now only see datasets with processes that are not 100% complete. You can check the detailed completion level of a process by clicking on the ‘+’ button to the left of the dataset. The completion level of a given dataset will be located in the ‘Completion status’ column.

If you want to restore the original view of the RoPA (with a view of all collections and processes) - reset the filters by clicking on the button Resetuj.

RoACoPA

  • In the main menu on the left, click on Registers and then on RoACoPA.
  • To add a new entry in the RoACoPA, click on the orange button Add entrustment. Fill in the details of the entrustment and then click on the Save button.
  • To view the details of a particular entrustment - click on the grey ‘+’ button to the left of the processing activity category name.

Register of breaches

  • In the main menu on the left, click on Breaches.
  • To add a new data protection breach, click on the orange Add button. Complete the details of the breach and then click on the Save button.
  • When adding a new entry, remember to use the automatic breach risk assessment functionality. This will make it easier for you to qualify the breach and decide whether to (not) report it to PUODO and (not) notify data subjects. To make such a calculation, click on the orange Add Calculation button located in the INFRINGEMENT ASSESSMENT section.
  • To view the details of a particular breach - click on the grey ‘+’ button to the left of the breach in question.
  • To download the violation register to an Excel file - click on the grey button at the top - Export.

Register of the exercise of the rights of individuals

  • In the main menu on the left, click on Rights of individuals.
  • To add a new request to exercise the rights of data subjects, click on the orange Add button. Fill in the details of the request and then click on the Save button.
  • To view the details of a particular application for the exercise of rights - click on the grey ‘+’ button to the left of the respective application.
  • To download the register of the realisation of people's rights into an Excel file - click on the grey button at the top - Export to XLSX.

Record of data transmission

  • W menu głównym po lewej stronie kliknij w Przekazywanie danych, a następnie Powierzenie (jeśli chcesz przejrzeć rejestr powierzeń) lub Udostępnienie (jeśli chcesz przejrzeć rejestr udostępnień).
  • Remember that both registers are divided into two sections: transferring data BOTH to your organisation (the default section) and transferring data TO your organisation.
  • You can switch between the two sections using the TABs at the top of the register (Entrust / Entrust and Share / Share Data).
  • To add a new request to exercise the rights of data subjects, click on the orange Add button. Fill in the details of the request and then click on the Save button.
  • To add a new transfer entry, click on the orange Add button. Fill in the details and then click on the Save button.
  • To view the details of an entry - click on the grey ‘+’ button on the left.
  • Remember that the Data Transfer registers are bilaterally coupled with RoPA and RoACoPA As a result, all changes made in RoPA will automatically translate in the Data Transfer registers. Conversely, if you add, for example, a new data acceptance in the entrustment, it will automatically appear in the RoACoPA.

Where can I find the Authorisation functionality?

  • In the main menu, click on Authorisations.
  • From this level, you can view all granted and withdrawn authorisations using the built-in filters and grant, delete and withdraw authorisations. The following help sections will be dedicated to these functions.

When is authorisation automatically granted?

  • Authorisations are granted automatically once the user has successfully completed all the training required for authorisation.

How do you grant ‘manual’ authorisations?

  • If you wish to authorise the processing of personal data "manually" (without waiting for automatic authorisation after training), go to Authorisations in the main menu.
  • Click on the Add button, and then complete all the data: select the user, complete the date of authorisation (by default, this will be the current date) and indicate the scope of authorisation (by default, the scope of authorisation will be linked to the profile associated with the user, but you can also change it individually).
  • Click on the Save button. The data processing authorisation has just been granted.

How do I download the data processing authorisation into a PDF file?

  • If you wish to download a data processing authorisation as a PDF file, go to Authorisations in the main menu.
  • Click on the Actions button and then on Download document. This will download the authorisation into a PDF file.
  • If you wish to download several authorisations - click the white empty square in the top left corner of the table with the list of authorisations. This will cause a new button to appear at the top (directly below the banner with the statistics of the authorisations granted): Download. Click on it and you will download multiple authorisations into a PDF file.

How do I set the terms of reference?

  • In the SODO, there are 2 ways to set authorisation ranges, i.e. the access of a given employee to specific data sets and processing.
  • The first way is to automatically assign authorisations under the profile (position) of a given user. This is the method we recommend most highly - it saves a lot of time and maximises the automation of the authorisation process. How to link employee profiles (positions) is described in detail in the Quick start help section. Click here to go to the relevant help section.
  • The second way is to manually assign authorisations when adding/editing individual authorisations. This is a more time-consuming method and may be particularly useful in the case of, for example, an employee who has a specific job title (e.g. Sales Clerk), but due to additional competences (e.g. sitting on a social committee) gains access to non-standard data sets. The manual granting of authorisations is described in the third section of this help tab.

How to delete and withdraw authorisations?

  • There are 2 ways to delete authorisations in SODO: withdrawal and deletion.
  • Most often you will use the option to withdraw an authorisation. It will come in handy whenever you want to accountably withdraw an authorisation from an employee (e.g. due to an employee's termination or change of position). The withdrawn authorisation remains in the register, but its status is "Withdrawn". To withdraw an authorisation, go to the Authorisations functionality, then click on the Actions button next to the particular authorisation you wish to withdraw and click Withdraw. Note that authorisations are also automatically withdrawn for all users who are deactivated. The process for deactivating employees is described in the Users help section. Click here to go to the relevant help section.
  • In exceptional circumstances, you may wish to delete a given authorisation. This may be useful if, for example, the authorisation in question was granted prematurely or in error. Please note that the process of deleting an authorisation is irreversible and no entry will be left in the authorisation register after the deleted authorisation.

What forms of payment do you accept?

You can purchase SODO using PAYNOW instant payments (instant transfer, BLIK, credit card). We also allow access to the system on the basis of a standard bank transfer in the order form. Access to the platform and the invoice will be provided as soon as the payment is credited to our account.

What are the conditions for returns?

We do not offer refunds. If you cancel your plan before the next renewal cycle, you will retain access to paid features until the end of your subscription period. Once your subscription expires, you will lose access to paid features and all data associated with those features.

Can I install SODO on a company server?

We are passionate about modern and secure cloud solutions, which is why we do not offer an internally hosted version of SODO.

Where is the SODO data located?

All data used by SODO is located in OVH's server facilities within the EEA and is not transferred to third countries. The main server is located in OVH's data centre in Warsaw, backup data on OVH's server in France.

How long will I have to wait to access the package I have purchased?

In the case of choosing instant payment via PAYNOW - immediately after payment processing. In the case of payment by standard bank transfer - immediately after the transfer is credited to our account. If you wish to speed up the process of accessing SODO - please send the transfer confirmation to the following address kontakt@lex-artist.pl

How are packages for multiple Administrators (e.g. under Multi-DPO) billed?

The packages are billed per organisation (ADO). Thus, if you plan to use SODO within the PREMIUM package for the benefit of 2 ADOs (as Multi-IOD or Capital Group) within which each has up to 10 users, the price of the application will amount to 2×280 = PLN 560 net per month. If you will be handling more than 2 ADOs within SODO - please contact us for indywidualną wycenę.

Konfiguracja skrzynki mailowej do modułu Prawa osób - które maile zostaną zaimportowane do rejestru?

If you configure an email box for People's Rights under ADO Configuration -> Email Inboxes -> People's Rights, only new messages will go into the register. That is, those that have already arrived in the inbox after the inbox has already been "connected" to SODO. SODO will not acquire into the Rights of Persons module any messages that were in the inbox before the moment of configuration.

The same principle will apply whether you set up your mailbox after Gmail, Microsoft or IMAP.

Konfiguracja skrzynki mailowej do modułu Prawa osób - jakie nazwy folderów wskazać?

In order for the SODO system to correctly interpret which folders to retrieve messages from, you must tell it the names of the folders.

Very important! It is best to follow the next steps in your browser in incognito/inprivate mode. This will "hook" your Microsoft/Google email box to SODO according to your preferences. And not the email box you are currently logged into in the browser you use every day.

The standard folder names used by Microsoft Exchange (Outlook) and Google Workspace (Gmail), for example, are:

NOTICE! The names of the above-mentioned folders may differ if you use other language versions of the Microsoft / Google suite or if you have changed the default folder names to your own.

Also bear in mind that other email providers may use different inbox and SPAM folder names. For example:

Folder Otrzymane: inbox / odbiorcze / otrzymane / mailbox / MAILBOX

Folder SPAM: spam / junk / junkbox

For the correct configuration of the mailbox, the character size (lower/upper case) and each character (including invisible SPACE characters) are important.

How do I link two requests for the exercise of RODO rights within the Rights of Persons functionality?

You can make use of the functionality that allows you to combine several requests for the exercise of your RODO rights if, for example, you receive several complaints/requests on the same subject from the same applicant in error.

In this case, you can combine several requests for the exercise of your RODO rights into one request.

To access the functionality for linking applications, click on the Rights of Persons tab.

Then select the redundant application you want to merge with another application, click on Actions -> Merge with another application. Select the application with which you want to merge. As a result, the application on which you have performed the merge action will be 'linked' to the application you indicate in the drop-down list.

Important - if you want to merge requests that have come into the register automatically (from an email inbox connected to SODO), both merged requests must come from the same sender.

en_GBEnglish