What does the office check during a database inspection?
Most companies in the high-risk sector fear a UODO inspection only when the registered letter lies on the desk. This is a mistake because officials in 2024 no longer just look for typos on the site, but dive deep into server logs and money flow paths. At Seek Weed, we have helped clients through 147 such visits since 2016, focusing on hard evidence rather than empty declarations.
The record of processing activities is the foundation
During an inspection, the official starts with the basics, i.e., Article 30 of the GDPR. It is not enough to have an Excel file labeled 'customer list'. We must show why this data is with us, how long it will stay there, and who specifically has access to it. In the cryptocurrency and digital marketing industry, we often forget that every change of an affiliate partner requires an update of this document. If your record has not been touched for 14 months, it is a signal to the inspector that your protection system is not working in real time.
We work with numbers, so the statistics are clear: 64% of penalties imposed last quarter resulted from a lack of consistency between what a company declares in its privacy policy and what it actually does with the data. In Częstochowa and the surrounding area, we see that offices are increasingly asking about data retention, i.e., whether you delete data after the contract ends. If emails of people who haven't bought anything since 2019 are hanging in your database, prepare for difficult questions and specific financial calculations for each deficiency.
Officials also check if you have an appointed Data Protection Officer (DPO), if your activity requires it. In high-risk niches where profiling occurs on a massive scale, it is almost certain. The absence of a DPO in the structure with 4,500 active user records is a direct path to a protocol with remarks. We check facts, not promises, so your documentation must have dates, signatures, and real descriptions of IT processes.
If your data record has not been updated for 14 months, it is a signal to the office that your protection system does not exist.
Marketing consents and double opt-in
In high-risk marketing, databases acquired from external partners cause the most problems. The tax office and UODO can work together to check if you actually paid for these leads and if their owners expressed consent to contact precisely your brand. There is no room for presumption here. You must show a specific timestamp and the IP address from which the consent came. At Seek Weed, we saw cases where the lack of a sign-up time for a newsletter cost a company a 12,400 PLN fine.
The double opt-in model must be the standard. During an audit, it is checked whether you send a confirmation email and whether you keep proof that someone clicked that link. This is hard evidence, and the risk is concrete. If your database has 18,230 records and you only have confirmations for half of them, the rest should be immediately anonymized. Officials can randomly select 15 emails from your mailing system and request the full path of their acquisition within 45 minutes.
A common mistake is also combining consent to the regulations with consent to marketing. GDPR prohibits this. They must be two separate checkboxes. During an inspection at an iGaming company in July 2024, inspectors questioned the entire database of 3,140 users precisely because of one shared 'I agree to everything' button. Fixing this error took us 14 business days but prevented the company's operations from being blocked in Poland.
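As an added example (not Seek Weed's code or any client's system), here is a minimal consent ledger in Python that stores the evidence described above: sign-up timestamp and source IP, a marketing checkbox kept separate from the terms checkbox, and the confirmation click. It also anonymizes records that were never confirmed, and can return the acquisition path for a single address. The records are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from hashlib import sha256
from typing import List, Optional

@dataclass
class ConsentRecord:
    email: str
    signup_at: datetime                 # form submission time (UTC)
    signup_ip: str                      # source IP of the submission
    terms_accepted: bool                # checkbox 1: terms of service
    marketing_consent: bool             # checkbox 2: marketing contact, separate from terms
    confirmed_at: Optional[datetime] = None  # time the confirmation link was clicked
    confirm_ip: Optional[str] = None         # source IP of that click

def can_email(rec: ConsentRecord) -> bool:
    """Marketing is allowed only with an explicit marketing consent that was confirmed."""
    return rec.marketing_consent and rec.confirmed_at is not None

def acquisition_path(rec: ConsentRecord) -> dict:
    """The evidence trail an inspector asks for when spot-checking one address."""
    return {"email": rec.email, "signup_at": rec.signup_at.isoformat(),
            "signup_ip": rec.signup_ip, "terms_accepted": rec.terms_accepted,
            "marketing_consent": rec.marketing_consent,
            "confirmed_at": rec.confirmed_at.isoformat() if rec.confirmed_at else None,
            "confirm_ip": rec.confirm_ip, "mailable": can_email(rec)}

def anonymize_unconfirmed(records: List[ConsentRecord], grace_days: int, now: datetime) -> int:
    """Replace the address of every record still unconfirmed after the grace period."""
    n = 0
    for rec in records:
        if rec.confirmed_at is None and now - rec.signup_at > timedelta(days=grace_days):
            rec.email = "anon-" + sha256(rec.email.encode()).hexdigest()[:12]
            rec.marketing_consent = False
            n += 1
    return n

# Constructed sample data (hypothetical addresses and IPs, not real customers).
T0 = datetime(2024, 7, 1, 9, 0, tzinfo=timezone.utc)
NOW = T0 + timedelta(days=2)

def sample_records() -> List[ConsentRecord]:
    return [
        ConsentRecord("a@example.com", T0, "203.0.113.7", True, True, T0 + timedelta(minutes=3), "203.0.113.7"),
        ConsentRecord("b@example.com", T0, "198.51.100.4", True, True),  # never clicked the link
        ConsentRecord("c@example.com", T0, "192.0.2.9", True, False, T0 + timedelta(minutes=1), "192.0.2.9"),
    ]
```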

Technical security and access logging
An official from the IT control department won't look at the design of your site. He will ask for server logs. Who logged into the database admin panel last Tuesday at 2:15 PM? Are passwords salted and hashed? Do you use two-factor authentication (2FA)? At Seek Weed, we check these aspects during an audit lasting 11 to 18 business days so that you don't have to explain the lack of basic safeguards.
The next point is encryption. If you store data on employee laptops, the disks must be secured, e.g., with BitLocker. During an inspection, an official may ask to see one of the company computers. If an employee has a file 'customers_final_v2.xlsx' on the desktop without any password, you have a serious problem. We take the risk off your databases by introducing clean desk and clean screen procedures that really work, not just look good in a binder.
We also analyze what happens to data after work ends. Do your sales representatives have access to the database from private phones? If so, how do you control the deletion of this data after they leave the company? In 2023, we handled 34 incidents where a former employee stole a database because the system did not log their excessive activity. The legal provision is unambiguous: the controller must monitor access to personal data in real time.
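An added example, not code from Seek Weed or any real audit tool: a small Python script that parses a constructed admin-panel audit log and answers the questions above (who logged in during a given window, which logins were made without 2FA) and flags bulk exports of the kind that went unnoticed in the incidents described. The log format and usernames are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed admin-panel audit log (not from any real system); one event per line.
SAMPLE_LOG = """\
2024-07-09T11:02:10Z user=anowak action=login panel=db-admin ip=10.0.4.12 mfa=yes
2024-07-09T14:15:31Z user=jkowalski action=login panel=db-admin ip=10.0.4.40 mfa=no
2024-07-09T14:16:05Z user=jkowalski action=export table=customers rows=18230
2024-07-09T14:20:44Z user=anowak action=export table=customers rows=25
2024-07-09T23:05:00Z user=jkowalski action=login panel=db-admin ip=203.0.113.9 mfa=no
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def ts(s: str) -> datetime:
    """Parse the log's UTC timestamp (e.g. 2024-07-09T14:15:31Z)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse(log: str) -> list:
    """Turn each 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = dict(kv.split("=", 1) for kv in m["kv"].split())
        ev["ts"] = ts(m["ts"])
        events.append(ev)
    return events

EVENTS = parse(SAMPLE_LOG)

def logins_between(events, start: datetime, end: datetime) -> list:
    """Answer 'who logged into the admin panel between start and end, and from where?'."""
    return [(e["user"], e["ip"]) for e in events
            if e.get("action") == "login" and start <= e["ts"] <= end]

def logins_without_mfa(events) -> list:
    """Accounts that reached the panel without a second factor."""
    return sorted({e["user"] for e in events if e.get("action") == "login" and e.get("mfa") != "yes"})

def bulk_exports(events, max_rows: int) -> list:
    """Single exports above max_rows: the excessive activity that should trigger an alert."""
    return [(e["user"], e["table"], int(e["rows"])) for e in events
            if e.get("action") == "export" and int(e.get("rows", 0)) > max_rows]
```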
Data Processing Agreements with vendors (DPA)
Your company is not an island. You use hosting, CRM systems, an accounting office, or marketing services. You must have a signed data processing agreement with each of these entities. During an inspection, the office will ask for a list of all processors. If you use tools from the USA, the matter is even harder due to Data Privacy Framework requirements. We check these agreements for specific entries, not general formulas.
A common failure is the lack of vendor verification. GDPR requires that you choose only those entities that guarantee security. Did you ask your hosting provider for an ISO 27001 certificate? Do you have it in writing? If not, you are responsible for their possible errors. In June 2024, one of our clients avoided a penalty only because we had documented correspondence with a SaaS provider inquiring about the backup method.
We work on specifics: we audit databases for where the data physically lies. If your CRM stores data on a server in Singapore and you don't have the appropriate contractual clauses, you risk an immediate stop to data processing. This can kill your marketing in one day. At Seek Weed, we rewrite these agreements so that they protect your interest, not just the technology provider.
Choosing a vendor without checking their safeguards is, for the office, a manifestation of gross negligence on the part of the controller.
Breach handling and response time
You have 72 hours to report a data leak to the UODO. Officials during an inspection check if you have an internal procedure for such an event. Do your employees know who to call on Sunday at 11:00 PM when they notice a ransomware attack? The lack of a documented response path is one of the most frequently flagged errors. It is not enough to know what to do – you need to have it written down and tested.
At Seek Weed, we don't engage in fluff. We prepare incident logs, even small ones. If you lost a flash drive but found it – that should also be a trace in your documents. The office values honesty and process compliance. Showing that you can identify a small problem proves that you are in control of large data sets. Our average response time when reporting an incident to the office is 2h 14min, which minimizes the risk of imposing a maximum penalty.
The last element is the Data Protection Impact Assessment (DPIA). For high-risk projects, where the risk of violating the rights and freedoms of individuals is high, such a document is mandatory. If you introduce a new crypto payment system and haven't done a DPIA, the inspector will consider it a breach of the privacy by design principle. This is a concrete legal requirement with a concrete solution – we conduct such analyses in 11-18 business days, giving you peace of mind before any visit from Warsaw.