UWAGA!

Od 25 maja 2018 r. organem właściwym w zakresie ochrony danych osobowych jest Prezes Urzędu Ochrony Danych Osobowych. Nowa strona internetowa urzędu jest dostępna pod adresem: www.uodo.gov.pl.

Materiały zamieszczone na stronie Generalnego Inspektora Ochrony Danych Osobowych (GIODO) dostępnej pod adresem www.giodo.gov.pl mają charakter archiwalny.

POZOSTAŃ NA STRONIE ARCHIWALNEJ (GIODO)

What does obligation of registration of the data filing systems consist in?

The Inspector General for Personal Data Protection shall keep the national open register of personal data filing systems (rules of the keeping are specified in Art. 42 of the data protection Act). On the grounds of the Act of August 29, 1997 on Personal Data Protection (unified text: Journal of Laws of 2002, No. 101, item 926 with amendments) hereinafter called the Act, any person or an organizational unit which is the controller of personal data (that is: the body that decides on the purposes and means of the processing of personal data) is obliged to notify the data filing system to registration by the Inspector General.

The notification shall be made in writing and submitted to the Inspector General. The notification concerning the data filing system shall contain an identification of the subject running the filing system, the purpose of the processing of the data, the description of the categories of data subjects and the scope of the processed data, the possible recipients, the technical means of protection of the personal data and information relating to a possible transfer to a third country (Article 41 paragraph 1 points 1 -7).

The controller is obliged to inform the Inspector General about any changes affecting the information mentioned above within 30 days following the date of the change. The Inspector General shall issue to the controller the certificate of registration of data filing system immediately after the registration.

The controller may start the processing of the data after the notification of the system by the Inspector General and in case of sensitive data (Art. 27 of the Act) after the registration of the data filing system, unless the controller is exempted from the obligation to submit the system for registration.

There are many prerequisites which exclude the obligation to register data filing system. The obligation shall not apply to the controller of data which for instance: constitute a state secrecy, are publicly available or are processed by relevant bodies for the purpose of court proceedings (full catalogue: Article 43 of the Act).

The Inspector General may refuse to register the data filing system if the requirements concerning the notification application and the technical security measures have not been fulfilled. The Inspector General may, by means of administrative decision order to restore a proper legal state and in particular to remedy the negligence, to apply additional safety measures or erase the personal data (Art. 18 paragraph 1).

The controller has a right to re-submit the data filing system for registration. In such case the controller may start the processing of data after its registration.

Last news