|
What Needs to be Done Prior to Collection
Contact the data subject
Contact the Data Protection Inspectorate
12.
Processing of personal data with consent of data subject
(1)
Consent for the processing of personal data means a freely given
specific and informed indication of the wishes of a data subject by
which the data subject signifies his or her agreement to personal
data relating to him or her being processed.
(2)
Before obtaining the consent of a data subject for the processing of
personal data, the chief processor or authorised processor shall
notify the data subject of the following:
1)
the purpose of processing of the personal data;
2)
persons or categories thereof to whom transmission of the personal
data is permitted;
3)
the name of the chief processor or a representative thereof and the
address of the place of business of the chief processor;
4)
the cases when the data subject has the right to demand termination
of processing of the personal data and rectification, blocking or
erasure of the personal data;
5)
the cases when the data subject has the right to obtain access to
the personal data pertaining to him or her.
(3)
The consent of a data subject shall be valid during the life of the
data subject and thirty years after the death of the data subject,
unless the data subject has decided otherwise.
(4) A
data subject may withdraw his or her consent at any time. Withdrawal
of consent has no retroactive effect. The provisions concerning
declarations of intention in the General Part of the Civil Code Act
(RT I 2002, 35, 216; 2003, 13, 64) shall additionally apply to the
consent.
(5)
In the case of a dispute, a data subject is presumed not to have
granted consent for the processing of personal data relating to him
or her.
(6)
This section does not apply if personal data is processed by an
administrative authority, except upon processing of sensitive
personal data specified in subsection 4 (3) of this Act.
Contact the Data Protection Inspectorate
21. Notification obligation
(1) A
chief processor of personal data is required to notify the Data
Protection Inspectorate of processing of private personal data if
the private personal data is processed in digital form with a
computer or in a file of papers where the private persona data is
easily accessible on the basis of certain criteria.
(2)
The notification obligation does not apply if personal data is
processed in a general national register or a state register or if
the personal data is processed pursuant to an Act or Regulation.
22. Notice concerning processing of personal data
(1)
In order to perform a notification obligation specified in
subsection 21 (1) of this Act, a chief processor of personal data
shall submit a notice concerning processing of private personal data
(hereinafter notice).
(2) A
notice concerning processing of personal data shall be submitted as
a digital entry in the register of processors of personal data at
least one month before processing of the personal data commences.
(3) A
notice shall set out:
1)
the name, registry code or personal identification code, place of
business, seat or residence and details (postal address, telephone
number, e-mail address etc) of the chief processor and authorized processor;
2)
the purposes of processing of the personal data;
3)
the categories of the personal data;
4)
the categories of persons whose data are processed;
5)
the sources of the personal data;
6)
persons or categories thereof to whom transmission of the personal
data is permitted;
7)
the conditions for transmission of the personal data to foreign
states;
8)
the conditions for the blocking, erasure and destruction of the
personal data;
9) a
general description of organizational, physical and IT security
measures to protect personal data specified in subsection 19 (2) of
this Act.
(4) A
notification obligation is deemed to be performed as of entry of the
notice in the register of processors of personal data.
|
