Guidelines on Filling in the Notifications of the Data Filing Systems to Registration

1 General Information

1. Stamp duty, paid in treasury stamps, is collected for:

  • a notification – 5.00 PLN for the application and 0.50 PLN for each attached document,
  • a report of changes to the information contained in the notification – 5.00 PLN for the application and 0.50 PLN for each attached document,
  • a request for the issue of a certificate of registration of the data filing system – 5.00 PLN,
  • a certificate issued at the controller's request – 11.00 PLN.
2. The data filing system must be notified on the form whose specimen is laid down in the Regulation of the Minister of Internal Affairs and Administration of April 29, 2004 on the specimen of a notification of a data filing system for registration by the Inspector General for Personal Data Protection (Journal of Laws No. 100, item 1025).
3. The notification may be sent by post or submitted in person at the Bureau of the Inspector General for Personal Data Protection (ul. Stawki 2, 00-193 Warsaw).
4. The notification does not include the particular data processed in the data filing system, i.e. the content of the data does not have to be submitted to the Inspector General for Personal Data Protection.
5. On request, the controller may obtain a certificate of registration of the data filing system. Where the data filing system contains data referred to in Article 27 paragraph 1 of the Act on the Protection of Personal Data (sensitive data), no request is needed: the Inspector General for Personal Data Protection issues the certificate of registration to the controller immediately after the registration.
6. The applicant is obliged to inform the Inspector General of any change to the information given in the notification of the data filing system within 30 days of the date on which the change was made. This obligation applies, for example, to a change in the scope of data processed in the data filing system. The provisions on the registration of personal data filing systems apply accordingly to the notification of changes.

2 Before filling in the notification, specify the type of notification by marking the appropriate field.

The first field applies where a controller notifies a new data filing system in which the data indicated in point 9 of the notification (sensitive data) are not processed.

The second field applies to the notification of changes that occurred after the data filing system was notified for registration.

The third field applies where a controller notifies a new personal data filing system in which the data referred to in point 9 of the notification (sensitive data) are processed.

3 Part A. Name of the Data File.

A controller may freely choose the name of the data file. It is recommended, however, that the name be concise and reflect the type of data processed in the data filing system.

4 Part B. The Characteristics of the Controller.

point 1. The applicant (the controller).

This point should identify the controller. The following entities may be controllers:

1) public authorities;

2) bodies of territorial self-government;

3) state and municipal organisational units;

as well as

1) non-public entities performing public tasks;

2) natural and legal persons, and organisational units without legal personality, if they process personal data as part of their business or professional activity or in pursuit of their statutory objectives

- having their seat or residing in the territory of the Republic of Poland, or in a third country if they process personal data by means of technical devices located in the territory of the Republic of Poland,

provided that they decide on the purposes and means of the processing of personal data.

The notification should also give the name of the controller, the address of its seat and its REGON number (the Polish National Business Registry Number); if the controller is a natural person, his or her surname, first name and address of residence.

point 2. The applicant’s representative referred to in Art. 31a of the Act of August 29, 1997 on the Protection of Personal Data.

Where processing is carried out by an entity having its seat or place of residence in a third country, the controller is obliged to appoint a representative in the territory of the Republic of Poland.

point 3. The authorisation to carry out the processing of personal data

If the controller intends to entrust the processing of personal data to another entity, it must satisfy the conditions specified in Article 31 of the Act on the Protection of Personal Data. Where processing is entrusted in this way, the name and seat of the entity entrusted with the processing must be given in this point.

point 4. The way of meeting the general conditions of the legitimacy of personal data processing.

Mark the field corresponding to the legal ground for processing data in the data filing system. If the applicant marks the second field, the provisions of law permitting the processing of personal data must be indicated. If the processing is necessary for the applicant to perform tasks specified by law, the applicant should mark the fourth field, describe the task and indicate the legal provision obliging him or her to perform it.

5 Part C. The scope and purpose of data processing

Within the meaning of the Act personal data shall mean any information relating to an identified or identifiable natural person. An identifiable person is the one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his/her physical, physiological, mental, economic, cultural or social identity.

A piece of information shall not be regarded as identifying where the identification requires an unreasonable amount of time, cost and manpower.

point 5. The purpose of data processing.

In this point the purpose for which the controller processes data in the data filing system should be described precisely.

point 6. Description of the categories of data subjects.

point 7. The scope of data processing.

point 8. Other personal data being processed in the data filing system, apart from the data enumerated in point 7.

point 9. Data processed in the data filing system.

Where data specified in Article 27 paragraph 1 of the Act on the Protection of Personal Data (sensitive data) are processed in the data filing system, the appropriate field listed in point 9 must be marked.

point 10. Legal grounds for personal data processing specified in point 9.

Processing of the data specified in Article 27 paragraph 1 of the Act on the Protection of Personal Data is permissible only in the cases enumerated in Article 27 paragraph 2 of the Act. Therefore, if the applicant has indicated in point 9 that sensitive data are processed, the applicant must also mark in point 10 of the notification at least one of the fields referring to the legal ground for processing sensitive data in the data filing system.

6 Part D. Methods of data collection and disclosure.

point 11. Methods of data collection for the data filing system.

The first four fields specify the exclusive or main source from which personal data are collected; only one of these four fields may be marked. The remaining two fields concern the communication of data by teletransmission; again, only one of the two may be marked.

point 12. Disclosure of data from the data filing system.

The first two fields specify to whom data will be disclosed from the data filing system. Only one field may be marked.

If the personal data are to be disclosed by way of teletransmission refer to the part E point 16 letter c) of the guidelines.

point 13. The recipients or categories of recipients to whom the data can be transferred.

A data recipient is any person to whom the data are disclosed, excluding:

- the data subject,

- a person authorised to carry out data processing,

- the representative referred to in point 2 of the notification,

- the entity referred to in point 3 of the notification,

- state authorities or territorial self-government authorities to whom the data are disclosed in connection with proceedings they conduct.

Where individual recipients are indicated, give the name and address of the seat of the entity or, for a natural person, the surname, first name and address of the place of residence.

point 14. Information relating to a possible data transfer to a third country.

If the controller intends to transfer personal data to a third country, it must meet the conditions specified in Article 47 or 48 of the Act on the Protection of Personal Data.

7 In Part E it is required to enumerate the means applied for the purposes referred to in Articles 36-39 of the Act on the Protection of Personal Data

point 15. The way in which the personal data filing system is kept (centrally or in a distributed architecture).

point 16. Solutions applied as regards:

In point 16 it is required to enumerate the means applied to secure the personal data filing system in accordance with the conditions specified in Articles 36-39 of the Act on the Protection of Personal Data, and in particular:

1) in point 16 letter a), to give information on the physical protection of the premises in which personal data are processed and in which archives and back-up copies containing personal data are kept;

2) in point 16 letter b), to specify the type and standard of:

- the hardware used in the computer system processing personal data (computers, networks, routers, hubs, hardware encryption devices used for disk encryption, modems, devices eliminating interference and surges in the power supply, and devices that maintain power during a voltage drop, i.e. UPS devices),

- the operating system and computer network, and their configuration ensuring appropriate restrictions on access to data;

3) in point 16 letter c), to give information on the security of teletransmission (e.g. restricting access to teletransmission devices by login and password, encrypting the data being transmitted, using secure protocols, applying a "call-back" procedure);

4) in point 16 letter d), to indicate the measures in the server operating system that restrict each user to specific resources only (e.g. a system of user accounts and passwords, restricting access to the command line or prohibiting the execution of system commands by means of a restricted shell, logging of failed system logins). Where the system has Internet access, a list of the security measures applied, the antivirus programs used, etc. must be given;

5) in point 16 letter e), to give information on the database used (type, standard) and specify whether database tools were used to:

- limit and control access to personal data files (logins and passwords, logging of operations carried out on records, etc.),

- encrypt the database;

6) in point 16 letter f), to specify how access to applications is secured and what protection and verification procedures are applied on the workstations used for personal data processing (e.g. access to the system restricted by login and password, BIOS password, screensavers with password lock);

7) in point 16 letter g), to describe the organisational measures applied to the processing of personal data files and to indicate the rules for assigning and verifying the physical and logical security measures in force.

In particular point 16 letter g) should contain information pertaining to:

- the development and implementation of documentation describing the method of data processing and the technical and organisational measures ensuring the protection of the personal data being processed, appropriate to the threats and to the categories of data being protected, as required by Article 36 paragraph 2 of the Act on the Protection of Personal Data (pursuant to § 3 paragraph 1 of the Regulation of the Minister of Internal Affairs and Administration of April 29, 2004 on personal data processing documentation and the technical and organisational conditions to be fulfilled by devices and computer systems used for personal data processing (Journal of Laws No. 100, item 1024), this documentation comprises the security policy and the computer system management instruction),

- the appointment of an administrator of information security who supervises compliance with the personal data processing rules, unless the controller performs these duties personally (Article 36 paragraph 3 of the Act on the Protection of Personal Data),

- allowing only persons who have been granted an authorisation by the controller to carry out the processing of data (Article 37 of the Act on the Protection of Personal Data),

- keeping by the controller of a register of persons authorised to carry out the processing of data (Article 39 paragraph 1 of the Act on the Protection of Personal Data).

Caution!

Where personal data are processed manually (in files, card indexes, books, lists and other registers), only point 16 letters a) and g) need to be filled in.

8 Part F. Information on the way of fulfilling basic technical and organisational requirements defined in the Regulation of April 29, 2004 by the Minister of Internal Affairs and Administration as regards personal data processing documentation and technical and organisational conditions which should be fulfilled by devices and computer systems used for the personal data processing (Journal of Laws No. 100, item 1024)

point 17. Safeguards have been applied at the level:

In this point it is required to indicate the security level applied by the controller to the computer processing of data.

At least the medium security level must be applied if the applicant processes data listed in point 9 of the notification (sensitive data).

The high security level must be applied if at least one device of the computer system used for personal data processing is connected to a public network. This requirement takes precedence: a system that processes sensitive data and is also connected to a public network must apply the high level.

In all other cases the basic security level is sufficient.

Caution!

Part F pertains to data files processed in computer systems exclusively.

The notification must be filled in and submitted in Polish.
