TRILANTICServicesSectorsPartnersResourcesAbout UsContact Us
Case StudiesTRILANTIC NewsletterFree Trial with your DataCost Savings CalculatorAsk The Experts
Document Library
Industrial Links
Glossary
News ReleasesFeatured Articles
Media KitForthcoming EventsEuropean Data Protection Rules

What Needs to be Done Prior to Collection


Contact the data subject

Contact the Data Protection Commissioner


Article 6


(1) Prior to the collection of data the data subject shall be informed whether it is voluntary or compulsory to supply the data. In cases of compulsory supply the rule of law ordering data processing shall also be indicated.

(2) The data subject shall be given unambiguous and detailed information on all the facts relating to the processing of his data, in particular on the purposes and legal basis of the data processing, on the person authorised to carry out the data processing and the technical data processing, the duration of data processing, as well as on who is authorised to have access to the data. Information shall also be given on the rights and remedies of data subjects in connection with the data processing.

(3) The information on data processing shall be considered to have been given where a rule of law orders the collection of data from an existing data file by transfer or combination.

(4) If it is impossible to inform each data subject or if it would entail disproportionate expenses, particularly in the case of processing data for statistical or scientific (including historical research) purposes, information may be given by making public, in a way that it will be accessible to all, the fact of data collection, the data subjects concerned, the purpose of the data collection, the duration of the data processing, and the accessibility of the data.


Article 11


(1) The data subject may request

a) information on the processing of his personal data (Articles 12 and 13); as well as

b) the rectification, or – except for data processing ordered by a rule of law – deletion of his personal data (Articles 14 to 16).

(2) Anyone may inspect the Data Protection Register (paragraph (1) of Article 28), and my take notes or request extracts thereof. A fee shall be paid for the extracts.


Article 12


(1) The data controller shall inform the data subject, upon his request, of the data processed by the data controller or technically processed by the technical data processor, of the purpose of the data processing, of its legal basis and duration, of the name, address (seat) and activity of the technical data processor in connection with the data processing, as well as of those who received or will receive data and for what purpose. The duration of records on transfer and, on the basis thereof the obligation to give information, may be limited by rules of law on data processing. The limitation may not be shorter than five years with regard to personal data, or twenty years with regard to special data.

(2) The data controller shall give the information in writing and in an easy to understand way, within the shortest possible time, but not later than within 30 days, of the lodging of the request.

(3) The information referred to in paragraph (2) is free of charge, unless in the given calendar year the person requesting information has already filed a request with the data controller for the same field. In other cases expenses may be charged. Such expenses shall be refunded where the data has been unlawfully processed or where the request for information has resulted in rectification.


Article 13


(1) The data controller shall not deny data subjects the information except where, in cases specified in Article 16, an Act authorizes him to do so.

(2) The data subject shall be informed by the data controller of the grounds for the denial of information.

(3) The data controller shall annually report on requests which have been refused to the Parliamentary Commissioner of Data Protection.


Contact the Data Protection Commissioner


Article 28 - The Data Protection Register


(1) Prior to commencing his activity, the data controller processing personal data shall notify the Data Protection Commissioner of the following to be registered:

a) the purpose of the data processing;
b) the data categories and the legal basis for the processing thereof;
c) the range of data subjects;
d) the source of data;
e) the categories and recipients of transferred data, and the legal basis of the transfer;
f) the time limits for the deletion of certain types of data;
g) the name and address (seat) of the data controller and of the technical data processor, the actual place of data processing or technical data processing, as well as any activity of the technical data processor related to the processing of data; and
h) the name and contact information of the internal data protection officer.

(2) Data processing ordered by a rule of law shall be reported within 15 days of the entry into force of the relevant legislation by the minister or the head of the national organ competent according to the field regulated therein, or by the mayor, Lord Mayor, or president of the county assembly.

(3) National security organs shall report the purpose and legal basis of data processing carried out by them.


Article 29


(1) Upon registration for the first time, each data controller shall receive a registration number. This registration number shall be indicated whenever data is transferred, made public or supplied to the data subject.

(2) Any change in data specified in paragraph (1) of Article 28 shall be reported to the Data Protection Commissioner within 8 days, and the register shall be modified accordingly.


Article 30


Registration in the data protection register shall not be required where data processing operations

a) involve the data of persons having an employment, membership, student or customer relationship with the data controller;
b) are governed by the internal rules of churches, religious denominations or religious communities;
c) involve personal data relating to the diseases or state of health of persons receiving medical care, for purposes of medical treatment or preservation of health or for social insurance claims;
d) involve data collected with the purpose of granting financial or other social assistance to the data subject or data registering such assistance;
e) involve personal data of persons concerned by administrative, prosecutorial or judicial proceedings that are related to the conducting of such proceedings;
f) involve personal data for the purpose of official statistics, provided that the identification of individuals with such data can be finally made impossible in a manner specified by the provisions of a separate Act;
g) involve data of companies or organs under the Press Law that serve solely their own informational activity;
h) serve the purposes of scientific research, provided that the data is not made public;
i) were transferred from the data controller to the archives; or
j) serve a natural person’s own purposes.


Article 31 - Prior Checking


(1) The Data Protection Commissioner may perform prior checking before registration.

(2) The Data Protection Commissioner may perform prior checking before the technical processing of new data files or the application of new technical data processing technologies at data controllers processing the following:

a) data files of national authorities, or national labour or criminal data files;
b) customer files of financial organizations or public utility providers;
c) files of telecommunications service providers relating to the users of their services; or
d) data files containing specific statistical data specified in a separate Act.

(3) The data controller shall notify the Data Protection Commissioner of his intention to technically process new data files or to apply a new technical data processing technology 30 days prior to commencing such activities. The Data Protection Commissioner shall inform, within 8 days of receiving the above notification, the data controller of his intention to perform prior checking, and shall carry out the checking within 30 days. The data controller shall not start to technically process the data until the Data Protection Commissioner has completed his prior checking.

(4) On the basis of the checking the Data Protection Commissioner may call on the data controller to change the range of data to be processed or the method of technical data processing. If the Data Protection Commissioner objects to the rule of law ordering the data processing, he may issue a recommendation for the amendment of that rule of law.
© TRILANTIC - All rights reserved. | Disclaimer | Client Login