Personal data protection in an accounting office (part 5) - Personal data collection - how to register with GIODO?
The basic duty of each data controller is to identify the personal data files it holds in connection with its activities. Some of these files may be subject to mandatory registration. According to Art. 40 of the Act on the Protection of Personal Data (hereinafter: the Act), the data controller is obliged to submit the personal data file for registration, which is carried out by the Inspector General for Personal Data Protection (hereinafter: GIODO). The obligation to register is a response to the need for GIODO to exercise proper control over the processing of personal data. In this part of the series of articles on the protection of personal data in an accounting office, we write about what a personal data file is, when the obligation to register arises and what the exceptions to the general rule are.
Collection of personal data
The collection of personal data is subject to registration with GIODO. Pursuant to the Act on the Protection of Personal Data, a data set should be understood as any structured set of personal data, available according to specific criteria, regardless of whether the set is dispersed or functionally divided.
The structure is the main distinguishing feature of a data set from another information package. It is thanks to this attribute that it is possible to search for specific data according to the desired criterion.
In order to qualify a given set of data as a set under the Act, it is sufficient to find the possibility to search for personal data in the set, according to any personal criteria (name and surname, date of birth, identification number) or non-personal (date of saving, editing data in the set).
Only a structured set of data, which is a set of personal data, should be submitted for registration to the Inspector General by the data administrator who is responsible for this obligation.
Collection of personal data - when does the registration obligation arise?
The registration obligation arises basically before the first action that the administrator can perform on the data, not counting the acquisition of the first data for the filing system. Therefore, the declaration of the file should be made prior to the commencement of data processing.
Pursuant to Art. 46 of the Act, the data controller may start processing them after submitting this filing system for registration to the Inspector General for Personal Data Protection. In the case of processing sensitive data, their collection is possible only after prior registration of the file.
When is it not necessary to register a personal data filing system?
Exceptions regarding the registration of personal data files to GIODO are included in Art. 43 sec. 1 of the act. Pursuant to this provision, data controllers are exempt from the obligation to register a data set:
1. containing classified information, including those obtained as a result of operational and reconnaissance activities by officers of the authorities authorized to perform these activities,
2. processed by competent authorities for the purposes of court proceedings and on the basis of the provisions on the National Criminal Register,
2a. processed by the General Inspector of Financial Information,
2b. processed by competent authorities for the purposes of the participation of the Republic of Poland in the Schengen Information System and the Visa Information System,
2c. processed by the competent authorities on the basis of the provisions on the exchange of information with law enforcement authorities of the European Union Member States,
3. on the persons belonging to a church or other religious association, with a regulated legal situation, processed for the needs of this church or religious association,
4. processed in connection with employment with them, the provision of services to them on the basis of civil law contracts, as well as related to people associated with them or studying,
5. regarding people using their medical services, notarial services, or the services of an advocate, attorney-at-law, patent attorney, tax advisor or statutory auditor,
6. created on the basis of the provisions on elections to the Sejm, the Senate, the European Parliament, municipal councils, poviat councils and voivodship assemblies, elections for the office of the President of the Republic of Poland, as well as for the national referendum and local referendum,
7. on persons deprived of their liberty under the Act, to the extent necessary for the execution of pre-trial detention or imprisonment,
8. processed solely for the purpose of issuing an invoice, bill or financial reporting,
9. widely available,
10. processed in order to prepare the dissertation required to obtain a university diploma or academic degree,
11. processed in the scope of minor current matters of everyday life.
12. revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, religious, party or trade union affiliation, as well as data on health, genetic code, addictions or sexual life as well as data on convictions, sentences and penalties, and also other judgments issued in court or administrative proceedings.
The most significant exemption, however, is the exemption from the obligation to register personal data files, the administrator of which has appointed an information security administrator and reported him to register with the Inspector General for Personal Data Protection. Importantly, this exemption only takes effect after the information security administrator has been entered into the relevant registry, and not from the moment he is submitted for registration.
Registration of the personal data file - what should the application contain?
The form of the notification is specified in the appendix to the Regulation of the Minister of Interior and Administration of December 11, 2008 on the template for submitting a data filing system for registration to the Inspector General for Personal Data Protection. Pursuant to Art. 41 of the Act, the notification should include, inter alia:
application for entering the file into the register of personal data files;
data of the data controller and its registered office or residence address, including the identification number;
the purpose of data processing, including a description of the categories of data subjects and the scope of data processed;
the method of collecting and sharing data (including information on entities or categories of recipients to whom the data may be transferred);
description of technical and organizational measures that were used for the purposes set out in art. 36-39 of the Act;
information on how to fulfill the technical and organizational conditions referred to in art. 39a;
information on possible onward transfer of data to a third country.
The registration application should be signed by the data controller or an authorized person.
Collection of personal data - traditional application
Registration can be made in writing, by mail or in person at the Office of the Inspector General for Personal Data Protection at 2 Stawki Street, 00-193 Warsaw.
Collection of personal data - electronic submission
Since mid-2006, it has been possible to submit a personal data filing system by electronic means with the use of a secure electronic signature.
It is worth paying attention to the additional option of sending the application without the aforementioned certification via the e-GIODO electronic platform. After submitting the application, the applicant should additionally sign and stamp the printout, and then send it by post or submit it to the GIODO office.
The application for reporting personal data sets can be found on the e-GIODO website.
The e-GIODO platform is constantly developed to keep up with changing regulations, new IT solutions and the expectations of the users themselves.
An interesting feature of the application is its support for the applicant, which is based on built-in verification rules. If a field is filled in incorrectly or left empty, the program signals the error immediately.
Moreover, the e-GIODO platform provides remote access to the content of the Register of Personal Data Sets.
Can you make changes to the personal data filing system?
Pursuant to Art. 41 sec. 2 of the Act, the data controller should notify GIODO of any change to the information contained in the notification. The time for the relevant update is 30 days from the date of the change.
If the change to the description of the categories of persons extends the processing of their data to so-called sensitive personal data, the administrator is obliged to notify GIODO before making changes to the collection.
In practice, the update of the personal data set is carried out on the same form that is used to notify the data sets at the time of their registration (standard) or via the e-GIODO platform in the case of electronic submission.
Registration of a personal data set - possible fees
Basically, the submission of the data set for registration and its update are not subject to stamp duty. However, the issuance of certificates or the performance of certain official activities by GIODO requires the payment of certain fees - for example, a data administrator who applies for a certificate of registration of a file by GIODO must pay 17 zlotys in cash or by bank transfer.
In principle, any structured set of personal data, accessible according to specific criteria, whether the set is dispersed or functionally divided, should be registered before the first action that the controller can perform on the data, not counting the mere acquisition of the first data for the filing system.