WHAT ARE THE OBLIGATIONS OF UNDERTAKINGS REGARDING TO THE GDPR?
Who is the controller of personal data processing?
Natural or legal person, public authority, agency or other body which, alone or together with others, determines the purposes and means of processing of personal data.
Examples of controllers: companies or crafts processing the data of their employees; financial institutions processing personal data of their parties/clients; associations processing the data of their members; schools or faculties processing personal data of pupils, students or teachers/their employees; hospitals processing personal data of their patients; state bodies or bodies of local/regional self-government units processing personal data of citizens.
Who is the processor?
Natural or legal person, public authority, agency or other body processing personal data on behalf of the controller. The processing carried out by the processor shall be governed by a contract or other legal act.
Examples of processors: accountancy service that processes data on salaries of workers for employers; companies authorised to carry out private protection; collection agencies based on a concluded contract on business cooperation.
- the controller IS NOT obliged TO have a processor;
- the GDPR gives the controller the possibility to entrust the processor with the performance of only some exactly agreed tasks on behalf and on behalf of the controller;
- the contract or other legal act should regulate in detail the mutual rights and obligations between the controller and the processor;
- the processor must guarantee the protection and confidentiality of the processing of personal data;
- the processor shall implement appropriate safeguards in order to ensure and prove that the processing is carried out in accordance with the GDPR;
What steps must be fulfilled for controllers and processors to comply with the General Data Protection Regulation?
- PROVISION OF INFORMATION TO DATA SUBJECTS for THE PURPOSE OF EXERCISING THEIR RIGHTS (Art. 12-21 General Regulations)
- IMPLEMENTATION OF APPROPRIATE TECHNICAL and ORGANISATIONAL MEASURES FOR THE PROTECTION OF PERSONAL DATA (Art. 25 and 32 General Regulations)
- KEEPING RECORDS OF PROCESSING ACTIVITIES (Art. 30. General Regulations)
- APPOINTMENT OF THE DATA PROTECTION OFFICER (Art. 37. General Regulations)
- ASSESSMENT OF THE IMPACT ON DATA PROTECTION (Art. 35. General Regulations)
- PROVISION OF INFORMATION FOR THE PURPOSE OF EXERCISING THE RIGHTS OF DATA SUBJECTS;
What information and how is the controller obliged to provide the data subject?
At the time of collection of personal data, the controller is obliged to provide information to the data subject:
- on his identity (controller contact details)
- Data Protection Officer (contact details of the official)
- to become acquainted with the purpose and legal basis for processing personal data
- on recipients or categories of recipients of personal data (e.g.: HZZO, HZMO)
- on the transfer of personal data to a third country or international organisation (which are not EU members)
- on the legitimate interest (for example: sending newsletter to service users, monitoring employees’ work through GPS system if work is done outside employer’s premises)
- on the timeline for storing personal data and criteria determining the storage period (for example: the employer keeps records of employees permanently, while the participant’s personal data must be deleted/destroyed after the end of THE same-EXPIRY PURPOSE)
- on the existence of the right to request from the controller access to personal data, rectification, erasure of personal data or restriction of processing relating to him or her, the right to object to the processing of such data and the portability of his or her data to another controller;
- the right to withdraw consent at any time without affecting the lawfulness of the consent-based processing before it was withdrawn;
- on the right to object to the supervisory authority (Agency for the Protection of personal Data)
- whether the provision of personal data is a legal or contractual obligation or a condition necessary for the conclusion of a contract and whether the data subject has the obligation to provide personal data and what are the possible consequences if such data are not provided (e.g.: conclusion of a contract of employment)
- the existence of automated decision-making, which includes profiling and meaningful information on the logic involved, as well as the importance and foreseeable consequences of such processing for the examinee (for example: creation of client profiles by credit institutions for the purpose of determining their creditworthiness or monitoring customer habits and profiling for marketing offers)
Where personal data have not been obtained from the data subject, the controller shall provide the data subject, in addition to the information referred to above, with information on the source of the personal data.
- It is necessary to harmonise internal acts related to employment relations with the provisions of the GDPR;
It is necessary to harmonise internal acts related to labour-legal relations, i.e. to harmonise/provisions of internal acts relating to the protection of personal data in which the information that the controller is obliged to provide at the time of collection of personal data to the data subject will be integrated in a comprehensive and clear manner (standards referred to in Article 13 th and 14 th. Of the general Regulation).
Implementation of appropriate technical and organisational protection measures
The aim of the undertaking and implementation of appropriate technical and organizational protection measures is to ensure the security and confidentiality of the processing of personal data, and to prevent unauthorised access or unauthorised use of personal data, as well as technical equipment used by controllers and processors. The implementation of appropriate safeguards ensures that personal data are not automatically available to an unlimited number of persons who are not authorised to process them. At the time of determining the means of processing and at the time of the processing itself, it is the obligation of each controller to determine, depending on the nature/nature, scope and purpose of the processing of personal data, protection measures guaranteeing the safe, fair and lawful processing of personal data and the effective application of the data protection principles (taking into account in particular the necessity of data processing for each specific purpose, the reduction of the quantity of data collected and the scope of data during processing, the determination of data retention deadlines, their availability, etc.).
IMPORTANT (Agency’s recommendation)!
- paper-based documentation containing personal data must be stored by the controller, for example in cabinets or drawers under a key which will be under the supervision of authorised persons of the controller;
- Access to personal data stored in electronic form should be enabled by using the user name and password;
- Backup by authorized persons
- signing of declarations of confidentiality of persons undergoing processing of personal data;
- pseudonymisation or encryption of personal data, especially in the case of special categories (for example: health data);
- recording access to data;
Keeping records of processing activities
Who is required to keep records of processing activities?
Each of however, irrespective of the number of employees, the controller/processor SHALL keep records of the processing if one of the following conditions is fulfilled:
- if processing is likely to result in a high risk to the rights and freedoms of the data subject (for example: introduction of new technologies such as biometric readers, facial recognition, IT services processing personal data);
- if the processing is not occasional, or if the processing is permanent (for example: processing of employees’ personal data for the purpose of paying salaries by the employer);
- if the processing includes specific categories of data (for example: health data processed by hospitals, biometric data, genetic data);
- if the processing includes personal data relating to criminal convictions and offences;
This obligation does not apply to the controller/processor if it has less than 250 employees and none of the above conditions is applicable.
What is the processing activity record, what must it look like and what must it contain?
The processing activity record is a form (form) that serves as evidence that the processing of personal data is lawful. It shall contain the information referred to in Article 30. The general regulations and must be in writing, including an electronic format. The data contained in the processing records should be adequately protected (e.g. centralised database, introduction of authorization and access control measures).
Content of the records of processing activities (detailed content):
- name and contact details of the controller (for example: name of legal entity and contact)
- purpose of processing (explained in detail)
- description of the category of respondents (for example: data on workers, data on patients) and categories of personal data (for example: name, surname, address of residence, etc.)
- categories of recipients (including those in third countries or international organisations)
- transfer of personal data to third countries or international organisations – deadlines for deletion of different categories of data (deadlines for the retention of personal data, and the name and provisions of the law if regulated by a special law)
- a description of technical and organisational measures for the protection of personal data
According to the General Regulation on Data Protection, controllers are not obliged to submit the aforementioned records of processing of personal data to the Agency for the Protection of personal Data (the former Central Register of records on personal Data collections), but to provide records of water processing activities on them in writing, including electronic form, and they are obliged to make them available to the supervisory authority (the Agency for the Protection of personal Data).
Appointment of the data protection officer
Who is required to appoint a personal Data Protection Officer?
The controller and the processor shall designate a data protection officer in the following cases where:
- Processing is carried out by a public authority or public body, except for courts acting within their jurisdiction
- The core activities of the controller or processor consist of processing operations which, due to their nature, scope or purpose, require regular and systematic monitoring of data subjects to a large extent
- The core activities of the controller or processor consist of a comprehensive processing of specific categories of data (Article 9 EUTMR). Of the Regulation) and of personal data relating to criminal convictions and offences (Article 10 of the Of the Regulation)
- may be an employee of the organisation (controller or processor) in which he is appointed, but an employee may also be appointed as a person who is not an employee of the organisation on the basis of an act contract (external official);
- the controller may appoint one data protection officer provided that it is easily accessible from each establishment;
- When appointing an official, take care that there is no conflict of interest (take care that such person does not participate in decision making which determines the purpose and method of processing personal data);
- the controller/processor shall issue a Decision on the appointment of an official in accordance with the General Regulation taking into account professional qualifications (professional knowledge and practices in the field of personal data protection);
- the controller/processor shall publish contact details of the data protection officer and communicate them to the supervisory authority (Agency for personal Data Protection).
Assessment of the impact on data protection
What is impact assessment?
The assessment of the impact on data protection is one of the procedures for establishing and proving compliance with the General Regulation, that is, it is designed to describe the processing, assess its necessity and proportionality and provide assistance in managing risks to the rights and freedoms of individuals resulting from the processing of personal data.
In which cases should an impact assessment be carried out on data protection?
Where it is likely that a type of processing, in particular through the use of new technologies, taking into account the nature, scope, context and purposes of the processing, will cause a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
The data protection impact assessment shall be mandatory in particular in the case of:
- systematic and comprehensive assessment of personal aspects in relation to individuals based on automated processing, including profiling and based on which decisions are made that produce legal effects concerning the individual or similarly significantly affect the individual;
- comprehensive processing of specific categories of personal data (Article 9(1) EUTMR); Of the Regulation) or of data relating to criminal convictions and offences (Article 10 of the Of the Regulation)
- systematic monitoring of the publicly available area to a large extent;
EXAMPLES OF PROCESSING WHERE AN IMPACT ASSESSMENT IS NECESSARY:
- a hospital that processes the genetic and health data of its patients (hospital information system).
EXAMPLES OF PROCESSING WHERE AN IMPACT ASSESSMENT IS NOT NECESSARY:
- processing of personal data of patients of individual physicians and healthcare professionals.
At what point does the data protection impact assessment have to be carried out?
The assessment of the impact on data protection should be carried out before the processing of personal data in order to respect the principles of technical and integrated data protection. However, if the processing process is dynamic and subject to permanent changes, the data protection impact assessment shall be carried out continuously and not once.