Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Networking

guidelines on filling in the notifications of the data filing systems to

advertisement 
Guidelines on filling in the notifications of the data filing systems to registration
1 General Information
1. There is a stamp duty collected – paid in (treasury) stamps for:

notification – 5.00 PLN for an application and 0.50 PLN for each attached document,

reporting on changes of the information contained in the notification – 5.00 PLN for
an application and 0.50 PLN for each attached document,

request for issuing a certificate of registration of the data filling system – 5.00 PLN,

certificate issued at the controller’s request – 11.00 PLN.
2. The data filling system should be notified with the use of a form a specimen of which
is specified by the Regulation by the Minister of the Internal Affairs and
Administration of April 29, 2004 as regards specimen for a notification of a data filing
system to registration by the Inspector General for Personal Data Protection (Journal
of Laws No. 100, item 1025).
3. The notification can be sent by post or submitted at the Bureau of the Inspector
General for Personal Data Protection (ul. Stawki 2, 00-193 Warsaw).
4. The notification does not include particular data processed in a data filing system, i.e.
the content of data does not have to be submitted to the Inspector General for Personal
Data Protection.
5. At the request, the controller may obtain a certificate of registration of the data filing
system unless the data filling system contains data mentioned in Article 27 paragraph
1 of the Act on the Protection of Personal Data. Then the Inspector General for
Personal Data Protection shall issue to the controller referred to in Article 27
paragraph 1 the certificate of registration of data filing system immediately after the
registration.
6. The applicant is obliged to inform the Inspector General on any change of information
in relation to the information written in the notification of the data filing system,
within 30 days since the date on which the change was made. The obligation to
inform about the change is applicable for example to the change of the scope of data
processed in a data filing system. The provisions on registration of personal data filing
systems shall apply respectively to the notification about changes.
2 Prior to starting filling in the notification it is necessary to specify the type of
notification by marking a proper field relating to the type of notification.
The first field relates to the case in which a controller notifies a new data filling system in
which data indicated in point 9 of the notification are not processed.
The second field refers to notification of changes which came into existence after the data
filling system had been notified to registration.
Whereas, the third field covers the cases when a controller notifies a new personal data filling
system in which data referred to in point 9 of the notification are processed.
3 Part A. Name of the Data File.
A controller may freely specify the name of the data file. However, it is recommended that the
name of the file is concise and adequate to the type of data processed in the data filing system.
4 Part B. The Characteristics of the Controller.
point 1. The applicant (the controller).
This point should contain a description of the controller. The following entities may be
controllers:
1) public authorities;
2) bodies of the territorial self-government;
3) state and municipal organisational units;
as well as
1) non-public entities exercising public tasks
2) natural and legal persons and organisational units not being legal persons, if they are
involved in the processing of personal data as a part of their business or professional
activity or the implementation of statutory objectives
- having the seat or residing in the territory of the Republic of Poland or in a third
country, if they are involved in the processing of personal data by means of technical
devices located in the territory of the Republic of Poland,
who decide on the purposes and means of the processing of personal data.
-2-
The notification should also contain the name of the controller, address of its seat and
REGON number (/Polish/ National Business Registry Number) and if a controller is a natural
person – his or her surname and first name and address of residence.
point 2. The applicant’s representative referred to in Art. 31a of the Act of August 29,
1997 on the Protection of Personal Data.
In case of processing carried out by entities having their seat or place of residence in a third
country the controller is obliged to appoint its representative on the territory of the Republic
of Poland.
point 3. The authorisation to carry out the processing of personal data
If the controller intends to authorise another entity to carry out the processing of personal data
it should fulfil the conditions specified in Article 31 of the Act on the Protection of Personal
Data. In case of granting the authorisation it is necessary to give the name and seat of the
authorised entity in this point.
point 4. The way of meeting the general conditions of the legitimacy of personal data
processing.
A proper field referring to the legal ground for data processing in the data filling system
should be marked. In case where the applicant marked the second field it is necessary to
indicate the provisions which allow for personal data processing. In case where the personal
data processing is necessary for the applicant to exercise tasks which are specified by law, the
applicant should mark the fourth field and describe the task and indicate the legal ground
obliging him/her to exercise the task.
5 Part C. The scope and purpose of data processing
Within the meaning of the Act personal data shall mean any information relating to an
identified or identifiable natural person. An identifiable person is the one who can be
identified, directly or indirectly, in particular by reference to an identification number or to
one or more factors specific to his/her physical, physiological, mental, economic, cultural or
social identity.
-3-
A piece of information shall not be regarded as identifying where the identification requires
an unreasonable amount of time, cost and manpower.
point 5. The purpose of data processing.
In this point the purpose for which a controller processes data in the data foiling system
should be described precisely.
point 6. Description of the categories of data subjects.
point 7. The scope of data processing.
point 8. Other personal data being processed in the data filing system, apart from the
data enumerated in point 7.
point 9. Data processed in the data filing system.
In case of processing in the data filling system of the data specified in Article 27 paragraph 1
of the Act on the Protection of the Personal Data (sensitive data) it is required to mark an
appropriate field listed in point 9.
point 10. Legal grounds for personal data processing specified in point 9.
Processing of the data specified in Article 27 paragraph 1 of the Act on the Protection of the
Personal Data is permissible only in cases enumerated in Article 27 paragraph 2 of the Act on
the Protection of Personal Data. Therefore, if the applicant indicated in point 9 that he
processes “sensitive data”, he/she should simultaneously mark in point 10 of the notification
at least one of the fields referring to the legal ground for sensitive data processing carried out
in the data filling system.
6 Part D. Methods of data collection and disclosure.
point 11. Methods of data collection for the data filing system.
The first four fields specify an exclusive or main source of personal data collection. There is a
possibility to mark only one field. The other two fields relate to communication of the data by
way of teletransmission. Only one field can be marked.
point 12. Disclosure of data from the data filing system.
-4-
The first two fields specify to whom the data will be disclosed from the data filling system.
Only one field can be marked.
If the personal data are to be disclosed by way of teletransmission refer to the part E point 16
letter c) of the guidelines.
point 13. The recipients or categories of recipients to whom the data can be transferred.
Data recipient is any person to whom the data are disclosed, exclusive of:
- the data subject,
- a person authorised to carry out data processing,
- a representative referred to in point 2 of a notification,
- a subject referred to in point 3 of a notification,
- state authorities or territorial self-government authorities to whom the data are disclosed in
connection with the proceedings conducted,
In case of indication of individual recipients it is required to give the name and address of the
seat of the entity or the surname, first name and address of place of residence.
point 14. Information relating to a possible data transfer to a third country.
If a controller intends to transfer personal data to a third country he/she should meet the
conditions specified in art 47 or 48 of the Act on the Protection of Personal Data.
7 In the part E it is required to enumerate means applied for the purposes referred to in
Articles 36 – 39 of the Act on the Protection of Personal Data
point 15. The personal data filing system will be processed within data logging, within
bit-sliced architecture.
point 16. Solutions applied as regards:
In point 16 it is required to enumerate the means applied for the purposes of securing personal
data filling systems accordingly to the conditions specified in art 36-39 of the Act on the
Protection of Personal Data, and in particular:
-5-
1) in point 16 letter a) to give information pertaining to the physical safeguard of the
premises in which personal data are being processed and archives and back-up copies
containing personal data are kept.
2) in point 16 letter b) to specify the type, standard of:
-
the hardware applied in the framework of the information (computer) system
processing personal data (computers, networks, routers, hubs, hardware scramblers
used for disc scrambling, modems, devices eliminating interferences and power surges
in the supply network and devices upholding power in case of voltage drop – so called
UPS devices),
-
the operation system and computer network and their configuration ensuring proper
restrictions in access to data.
3) in point 16 letter c) to give information on security for teletransmission (e.g. limitation of
access to the teletransmission devices by login and password usage, encryption of data
subject to transmission, application of secured protocols, application of “call-back”
procedure).
4) in point 16 letter d) to indicate measures in the server operation system limiting access of
a user to specific resources exclusively (e.g. users and passwords system, limitation of
access to command line level or prohibition of execution of system commands – restricted
shell, logging of failed system logins). In case of access to the Internet it is required to
give a list of security measures applied, a list of antivirus programs etc.
5) in point 16 letter e) to give information on the database applied (type, standard), specify if
database tools were used to:
-
limitat and control access to personal data files (logins and passwords, registration of
operations carried out on records etc.),
-
encrypt the database.
6) in point 16 letter f) to specify how access to applications is secured and what procedures
of protection / verification were applied within the system used on the workstations
exploited to personal data processing (e.g. access to the system limited with login and
password, BIOS password, screensavers installed).
7) in point 16 letter g) to describe organisational measures applied to personal data files
processing, indicate rules pertaining to assignment and verification in scope of
implemented physical and logical security measures in force.
In particular point 16 letter g) should contain information pertaining to:
-6-
-
development and implementation of documentation describing the method of
data processing and technical and organisational measures ensuring protection of
personal data being processed adequate to threats and categories of data being
protected, pursuant to the content of Article 36 paragraph 2 of the Act on the
Protection of Personal Data [pursuant to § 3 paragraph 1 of the Regulation of April
29, 2004 by the Minister of Internal Affairs and Administration As regards personal
data processing documentation and technical and organisational conditions which
should be fulfilled by devices and computer systems used for the personal data
processing (Journal of Laws No. 100, item 1024) the aforementioned documentation
should comprise the security policy and computer system management instruction],
-
appointment of administrator of information security supervising the personal
data processing rules compliance unless a controller performs these activities by
himself (Article 36 paragraph 3 of the Act on the Protection of Personal Data),
-
permitting to carry out the processing of data exclusively persons who were
granted an authorisation by a controller (Article 37 of the Act on the Protection
of Personal Data)
-
keeping by a controller a register of persons authorised to carry out the
processing of data (Article 39 paragraph 1 of the Act on the Protection of
Personal Data).
Caution!
In case of so called manual personal data files processing (files, indexes, books, lists and
other registers) it is required to fill in only point 16 letter a) and g).
8 Part F. Information on the way of fulfilling basic technical and organisational
requirements defined in the Regulation of April 29, 2004 by the Minister of Internal
Affairs and Administration as regards personal data processing documentation and
technical and organisational conditions which should be fulfilled by devices and
computer systems used for the personal data processing (Journal of Laws No. 100,
item 1024)
point 17. Safeguards have been applied at the level:
-7-
In this point it is required to indicate the computer data processing security level applied by a
controller.
At least the medium security level should be applied if the applicant processes data listed in
point 9 of the notification.
High security level should be applied if at least one of the computer system devices used for
personal data processing is connected to the public network.
In other cases application of the basic security level should be deemed sufficient.
Caution!
Part F pertains to data files processed in computer systems exclusively.
The notification must be filled in and submitted in Polish.
-8-
Related documents
RECHARGE JOURNAL ENTRY DESCRIPTIONS When looking in
RECHARGE JOURNAL ENTRY DESCRIPTIONS When looking in
Application for Land Value Tax Rate Applicable to Land Used for
Application for Land Value Tax Rate Applicable to Land Used for
MVC the concept
MVC the concept
Data Protection Policy
Data Protection Policy
IN THE EVENT OF AN EMERGENCY, PLEASE NOTIFY THE
IN THE EVENT OF AN EMERGENCY, PLEASE NOTIFY THE
Has Miley Cyrus gone to Number 1 in the singles and
Has Miley Cyrus gone to Number 1 in the singles and
Data Protection Policy notes for website
Data Protection Policy notes for website
Download
advertisement