The Regulation of 11th May 2015 by the Minister of Administration and Digitalisation on the manner of keeping the data filing register by the data protection officer
Warsaw, 25 Mai 2015
REGULATION OF MINISTER OF ADMINISTRATION AND DIGITALISATION
of 11th May 2015
on the manner of keeping the data filing register by the data protection officer
According to the art. 36a 9) point 2 of the Act of 29th September 1997 on the protection of personal data (Journal of Laws of 2014 item 1182 and 1662) it is hereby ordered:
§ 1. Regulation defines the manner of keeping the register of data filing system, referred to in art. 36a 2) point 2 of the act of 29th September 1997 on the protection of personal data, hereinafter referred to as an “Act”.
§ 2. 1. Data filing register, referred to in art. 36a 2) of the Act, hereinafter referred to as a “register”, is composed of a list of data filing systems containing information defined in § 3 – separately for each data filing system.
2. Register is kept in paper or electronic form.
§ 3. 1. Register contains following information of each data filing system:
1) the name of a data filing system;
2) indication of a data controller and the address of its establishment or place of residence as well as identification number of National Business Entity Register, if any;
3) indication of a representative of the data controller, referred to in art. 31a of the Act and the address of its establishment or a place of residence – if such representative has been appointed;
4) indication of an entity, to whom data processing from data filing system pursuant to art. 31a of the Act has been subcontracted and the address of its establishment or
a place of residence - in case of subcontracting of data processing to such entity;
5) legal basis enabling the keeping data filing system.;
6) purpose of data processing in data filing system;
7) description of data subjects categories, whose data are being processed in a data filing system;
8) the extent of data processed in a data filing system;
9) the way of collection of data to data filing system, especially information whether data are being collected from data subjects or from different sources;
10) the way of disclosure of data from a data filing system, especially information whether the data from data filing system are being disclosed to entities other than authorised on the basis of law provisions;
11) indication of data recipient or categories of recipients, to whom data can be disclosed;
12) information on possible data transfer to third country.
2. The register indicates the date of entry of each data filing system, as well as the date of last updating of information pertaining to each of the data filing systems.
3. In case of deletion of a data filing system from the register, the name of a data filing system, the date of entry of a data filing system as well as the date of last update of information concerning this data filing system, together with an information stating that this date is a date of deletion of data filing system from the register, are being kept.
4. Information, referred to in paragraph 1 are being disclosed in register in commonly understandable form, in order defined in paragraph 1.
§ 4. 1. Data protection officer as a part of its duty of keeping register:
1) makes an entry of data filing system to the register, before commencement of processing of data in data filing system;
2) updates information concerning data filing system in the register – in case of a change of information contained in data filing system;
3) deletes data filing system from the register – in case of ceasing of processing of data in this data filing system;
4) discloses the register for review.
2. Activities, referred to in paragraph 1 points 2 and 3 are being taken without delay after an event triggering an obligation to perform them has occurred.
§ 5. 1. In case of keeping the register in electronic form data protection officer discloses the register for review:
1) on a data controller website, where at the main site a link allowing direct access to the register is placed, or
2) on access point to an IT system of data controller which is situated at the establishment or place of residence of this controller, or
3) through a print of the register from an IT system of data controller.
2. In case of keeping the register in paper form, data protection officer discloses to any interested person, contain of the register for review at the establishment or place of residence of data controller.
3. In case of keeping the register exclusively in electronic form or in paper and electronic form, data protection officer can decide that in relation to information referred to in § 3 1) point 4 only information on subcontracting of data to other entity is being disclosed in electronic form, and its indication and address of establishment or place of residence are being disclosed for review only in the manner defined in paragraph 2.
§ 6. Data protection officer keeps history of changes in a register containing:
1) information on change type (new entry, updating, deletion);
2) date of introduction of a change;
3) information on extent of a change.
§ 7. Regulation enters into force the day after its publishing.