GDPR

New provisions on the personal data protection apply from May 25, 2018, – General Regulation (EU) 2016/679 of the European Parliament and the Council of April 27, 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (GDPR), according to which expert support for data controllers and processors rests with the Data Protection Officer.

The task of Data Protection Officers (DPOs) – as previously Information Security Administrators (ISAs) – is to act for data processing in accordance with data protection regulations, both in public administration and in the private sector.

In accordance with the new regulations the appointment of a Data Protection Officer becomes in many cases an obligation, not as previously an entitlement of a data controller.

General Data Protection Regulation GDPR in Art. 37 section 1 provides for controllers and processors an obligation to appoint a Data Protection Officer in a situation when:

1. Processing shall be implemented by a public authority or entity, excluding courts acting in their judicial capacity;
2. The main activity of a controller or a processor consists in processing operations which, by nature, scope or purposes, require regular and systematic monitoring of data subjects ;
3. The main activity of a controller or processor is large-scale processing of special categories of personal data referred to in Art. 9 sec. 1, as well as personal data regarding convictions and violations of the law, referred to in Art. 10.

Best practices are when private entities performing tasks in the public interest or exercising public authority appoint a Data Protection Officer. In such a case, the activities of a Data Protection Officer should cover all processing operations carried out by the entity, including those not related to tasks carried out in the public interest.

Basic tasks of a Data Protection Officer, resulting from the General Data Protection Regulation GDPR, include, among others:

1. 1. To provide information and consultation to a controller, a processor and employees who process personal data on obligations incumbent on them under the General Data Protection Regulation GDPR and other European Union or Member States legislation on data protection;
2. 2. Monitoring of compliance with the general regulation on data protection of the GDPR, other European Union or Member States’ data protection legislation and the policies of a controller or a processor on personal data protection, including distribution of responsibilities, awareness-raising activities, training of personnel involved in processing and related audits;
3. 3. To provide, upon request, recommendations on assessment impact for data protection and monitoring an assessment implementation in accordance with Art. 35;
4. 4. Cooperation with the supervisory authority;
5. To act as a liaison for supervisory authority in all issues related to data processing to include prior consultation, referred to in Art. 36, and, where appropriate, consultation on any other issue;
6. 5. To act as a liaison for data subjects regarding all issues of processing of their personal data and exercise of their rights under this Regulation;
7. 6. Keep a register of activities or a register of categories of activities.

 Data Protection Inspector advises the Personal Data Administrator on:

• – what areas should be subject to internal or external audit;
• – what training should be provided for employees or managers responsible for data processing;
• – what processing operations require more time and resources s to allocate.

To download:

The Act on the Protection of Personal Data.

Regulation (EU) 2016/679 of the European Parliament and of the Council.

Directive (EU) 2016/680 of the European Parliament and of the Council.

Regulation on personal data processing documentation and technical and organizational conditions to be met by devices and IT systems used to process personal data.

Regulation on Information Security Administrator (ISA) tasks.

Regulation on the model of Information Security Administrator (ISA) application for registration.

The regulation on keeping a register by Information Security Administrator (ISA).