NOTE!

As of 25 May 2018, the authority competent for personal data protection is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych). The office's new website is available at: www.uodo.gov.pl.

The materials published on the website of the Inspector General for Personal Data Protection (GIODO), available at www.giodo.gov.pl, are archival.


Refusal to register a data filing system

Art. 44 para. 1 of the Act on Personal Data Protection sets forth the prerequisites for refusal to register a personal data filing system. According to this provision the Inspector General for Personal Data Protection shall by means of an administrative decision refuse to register the data filing system if:

  • the requirements specified in Article 41 paragraph 1 have not been fulfilled, i.e. the notification does not contain all necessary information,
  • the processing may violate the provisions of Articles 23 to 30, for example where there is no prerequisite legitimising the data processing (Art. 23 of the Act), where the information obligation has not been fulfilled (Art. 24 and 25 of the Act), where the processed data are not adequate to the purposes for which they are processed (Art. 26 para. 1 point 3 of the Act), or where sensitive data are processed without a legal basis (Art. 27 of the Act),
  • the devices and computer systems used for the processing of the data filing system submitted for registration do not meet fundamental technical and organisational conditions defined in the Regulation by the Minister of Internal Affairs and Administration of 29 April 2004 as regards personal data processing documentation and technical and organisational conditions which should be fulfilled by devices and computer systems used for the personal data processing (Journal of Laws No. 100, item 1024). The provision of § 6 of this Regulation introduced three security levels of personal data processing within the computer system, depending on the risks and categories of personal data processed in the computer system, i.e.:
    • basic security level – to be applied in companies which do not process sensitive data (e.g. data concerning health, genetic code, addictions or sex life) and in which none of the computer system devices used for personal data processing is connected to the public network,
    • medium security level – to be applied where sensitive data are processed (e.g. data concerning health), but none of the computer system devices used for personal data processing is connected to the public network,
    • high security level – to be applied if at least one of the computer system devices used for personal data processing is connected to the public network.

Should the Inspector General refuse to register a data filing system, he/she shall – pursuant to Art. 44 para. 2 of the Act on Personal Data Protection – order to:

  • limit the processing of all categories or some categories of data only to the storage of data, or
  • apply other measures referred to in Article 18 paragraph 1 of the Act, i.e.:
    • to remedy the negligence,
    • to complete, update, correct, disclose, or not to disclose personal data,
    • to apply additional measures protecting the collected personal data,
    • to suspend the flow of personal data to a third country,
    • to safeguard the data or to transfer them to other subjects,
    • to erase the personal data.
