In September 2017, we were contacted by a metal trading client who hired us to draft an instruction under Ordinance No. 1 of 30 January 2013 for the minimum level of technical and organizational measures and the allowed type of personal data protection. The registers maintained by the personal data controller are the “Staff” register and the “Contractors” register. We were able to prepare the instruction within the agreed time limit, and it contained the following information:
1. identification of the data controller;
2. general description of the registers maintained – categories of personal data and reasons for their processing;
3. technological description of maintained registers – data media, processing technology, period of storage life and services rendered;
4. determining the positions associated with processing and protection of personal data, their rights and obligations;
5. impact assessment and determination of the respective level of protection – extremely high, high, medium, low;
6. description of the technical and organizational measures taken;
7. actions for protection in case of accidents, incidents and disasters (fire, flood, etc.);
8. provision of personal data to third parties – reasons, purposes, categories of personal data;
9. time-limit for conducting periodic reviews of the need for data processing and deletion of data;
10. determining the procedure for the implementation of the obligations under Article 25 of the Personal Data Protection Act. According to Article 25 of the Personal Data Protection Act, after the achievement of the purpose of personal data processing or before the termination of the personal data processing, the data controller shall be required either to destroy the data or to transfer them to another data controller by preliminary notification to the Commission, if such transfer is specified in a law and the purposes of processing are identical.
The information referred to under items 2 to 10 above shall be described for each of the registers maintained by the client in its role as a personal data controller (the “Staff” register and the “Contractors” register).