The Regulation of 11 May 2015 of the Minister of Administration and Digitalisation on the manner of fulfilment of tasks by the data protection officer in order to ensure that data protection provisions are applied
Warsaw, 29 May 2015
Regulation of the Minister of Administration and Digitalisation
of 11 May 2015
on the manner of fulfilment of tasks by the data protection officer in order to ensure that data protection provisions are applied
On the basis of art. 36a paragraph 9 point 1 of the Act of 29 August 1997 on the Protection of Personal Data (Journal of Laws of 2014, items 1182 and 1662) it is hereby ordered:
§ 1. The regulation defines the manner of:
1) checking the compliance of personal data processing with the provisions on personal data protection, as well as drafting a report on that check;
2) supervision over:
a) drafting and updating the documentation defining the manner of personal data processing, as well as the technical and organisational measures ensuring protection of the personal data processed, adequate to the threats and the categories of data subject to protection;
b) compliance with the rules specified in the documentation referred to in letter a).
§ 2. Whenever the regulation refers to:
1) the Act – this means the Act of 29 August 1997 on personal data protection;
2) data processing documentation – this means the documentation defining the manner of personal data processing as well as the technical and organisational measures ensuring protection of the personal data processed, adequate to the threats and the categories of data subject to protection, described in the provisions adopted pursuant to art. 39a of the Act;
3) checking – this means the activities aimed at verifying the compliance of personal data processing with the provisions on personal data protection;
4) report – this means the document referred to in art. 36c of the Act, drafted by the data protection officer after a check.
Manner of checking the compliance of personal data processing with the provisions on personal data protection and of drafting the report
§ 3. 1. Checks are carried out:
1) for the data controller;
2) for the Inspector General for Personal Data Protection, hereinafter referred to as the “Inspector General”, in the case referred to in art. 19b paragraph 1 of the Act.
2. Checks are performed in the form of:
1) a planned check – according to the checking plan referred to in paragraph 3;
2) an ad hoc check – in cases not envisaged in the checking plan, when the data protection officer learns of a breach of personal data protection or has a justified suspicion of such a breach;
3) a check referred to in art. 19b paragraph 1 of the Act – at the request of the Inspector General.
3. The checking plan defines the subject, extent and date of particular checks as well as the manner of documenting them.
4. In the checking plan the data protection officer specifies, in particular, the personal data filing systems and the IT systems used for personal data processing, as well as the need to verify the compliance of personal data processing with:
1) the rules referred to in art. 23-27 and 31-35 of the Act;
2) the rules on securing personal data referred to in art. 36 and 37-39 of the Act, as well as the provisions adopted pursuant to art. 39a of the Act;
3) the rules on personal data transfers referred to in art. 47-48 of the Act;
4) the obligation to notify the personal data filing system for registration and to keep that notification up to date, if the filing system contains data referred to in art. 27 paragraph 1 of the Act.
5. The checking plan is drafted by the data protection officer for a period of no less than three months and no more than one year. The checking plan is presented to the data controller no later than two weeks before the day on which the plan commences. The checking plan covers at least one check.
6. Data filing systems and IT systems used for processing or securing personal data are checked at least once every five years.
7. An ad hoc check is conducted without delay after the data protection officer learns of a breach of personal data protection or has a justified suspicion of such a breach.
8. The data protection officer informs the data controller of the commencement of an ad hoc check, or of a check in the manner referred to in art. 19b paragraph 1 of the Act, before the first action in the procedure is taken.
§ 4. 1. The data protection officer documents the actions taken in the course of a check, to the extent necessary to assess the compliance of personal data processing with the personal data protection provisions and to draft the report.
2. Documentation of the actions taken in the course of a check may in particular take the form of preserving data from an IT system used for processing or securing personal data on an IT data storage device or of printing the data, and of:
1) taking a written record of actions, especially of explanations and inspections, as well as of actions related to access to devices, IT data storage devices and IT systems used for personal data processing;
2) taking explanations from the person whose actions have been checked;
3) making a copy of a document obtained;
4) making a copy of the image displayed on the screen of a device forming part of an IT system used for processing and securing personal data;
5) making a copy of the log registers of an IT system used for personal data processing or of the registers of the technical security measures of that system.
3. Actions of the data protection officer performed on an IT system used for processing or securing personal data may be conducted in the presence of persons authorised to process personal data, in particular the person managing that system.
4. Materials are prepared in paper or electronic form.
§ 5. 1. The person responsible for the personal data processing subject to a check takes part in the check or enables the data protection officer to take actions in the course of the check.
2. The data protection officer informs the head of the organisational unit subject to a check of the planned extent of actions at least 7 days before the commencement of an action.
3. The information is not required in the case of:
1) an ad hoc check, if commencing the procedure without delay is necessary in order to restore a proper legal state or to verify whether a breach has occurred;
2) a check initiated at the request of the Inspector General, if the information cannot be submitted within the deadline indicated by the Inspector General;
3) a situation where the head of the organisational unit subject to the check already has the information referred to in paragraph 2.
§ 6. 1. After finishing a check the data protection officer drafts a report.
2. The report is drafted in paper or electronic form.
3. The data protection officer presents the report to the data controller:
1) in the case of a planned check – no later than 30 days after finishing the check;
2) in the case of an ad hoc check – without delay after finishing the check;
3) in the case of a check conducted at the request of the Inspector General – within the date indicated by the Inspector General in line with art. 19b paragraph 1 of the Act.
Manner of supervision over data processing documentation
§ 7. 1. In exercising the supervision referred to in § 1 point 2, the data protection officer verifies:
1) the drafting and completeness of the data processing documentation;
2) the compliance of the data processing documentation with the binding legal provisions;
3) the factual circumstances of personal data processing;
4) whether the security and organisational measures envisaged in the data processing documentation in order to prevent threats to personal data protection match the factual circumstances;
5) observance of the rules and obligations defined in the data processing documentation.
2. The data protection officer performs the verification:
1) through the checking procedure referred to in § 3;
2) outside the checking procedure, on the basis of a notification from a person performing the duties described in the data processing documentation, as well as on the basis of the personal participation of the data protection officer in the procedures described in that documentation.
3. The data protection officer may perform verification outside a check on the basis of information from a third party.
§ 8. 1. In the case of detecting irregularities in the course of a check, the data protection officer:
1) informs the data controller of the absence of, or deficiencies in, the data processing documentation or parts of it, as well as of the actions taken in order to bring the documentation to a proper state; in particular, the officer may present drafts of documents restoring compliance;
2) informs the data controller that the data processing documentation is outdated and may present to the data controller drafts of updated documents;
3) gives instructions to a person not complying with the rules defined in the data processing documentation on the proper manner of their execution, or informs the data controller, indicating the person responsible for the breach of these rules and its extent.
2. The information may be contained in the report or in a separate document.
3. Instructions are contained in a separate document addressed to the person not complying with the rules defined in the data processing documentation.
4. The documents referred to in paragraphs 2 and 3 are drafted in paper or electronic form.
§ 9. The Regulation enters into force on the day following its publication.