European Data Protection Rules

What Needs to be Done Prior to Collection


Contact the data subject

Contacting the State Data Inspectorate


Section 8


(1) When collecting personal data from a data subject, a system controller has an obligation to provide a data subject with the following information unless it is already available to the data subject:


1) the designation, or name and surname, and address of the system controller and personal data operator;
2) the intended purpose and basis for the personal data processing.


(2) To a request of the data subject a system controller has an obligation to provide also the following information:


1) the possible recipients of the personal data;
2) the right of the data subject to gain access to his / her personal data and make amendments thereto;
3) whether providing a reply is mandatory or voluntary, as well as possible consequences of failure to reply.


(3) Paragraph one of this Section is not applicable, if the law allows personal data processing without disclosure of its purpose.


Section 9


(1) If personal data has not been obtained from the data subject, a system controller is obliged, when collecting or for the first time disclosing such personal data to third persons, to provide the data subject with the following information:


1) the designation, or name and surname, and address of the system controller and personal data operator;
2) the intended purpose of the personal data processing.


(2) To a request of the data subject a system controller has an obligation to provide also the following information:

1) the possible recipients of the personal data;
2) categories and the source of the personal data;
3) the right of the data subjects to gain access to his / her personal data and make amendments thereto.


(3) Paragraph two of this Section is not applicable if:


1) the law provides for the processing of personal data not informing the data subject thereon;
2) when processing personal data for scientific, historical or statistical research, or establishment of state archives fund, the informing of the data subject requires inordinate effort or is impossible.


Contacting the State Data Inspectorate


Registration - Section 21


(1) All State and local government institutions, and other natural persons and legal persons which carry out or wish to commence carrying out personal data processing, and establish systems for personal data processing, shall register such in accordance with the procedures prescribed in this Law unless otherwise prescribed by law.


(2) Registration procedure specified in the present Law shall not apply to personal data processing for the needs of bookkeeping and registration of staff unless personal data is accumulated in electronic form, as well as to personal data processing systems established by religion organizations of confessions mentioned in the Civil Law.


Section 22


(1) The institutions and persons mentioned in Section 21 of this Law which wish to commence personal data processing and establish a system for personal data processing shall submit an application for registration to the State Data Inspectorate which includes the following information:


1) the designation (name and surname), registration code, address and telephone number of the institution or person (system controller);
2) the name, surname, personal identity number, address and telephone number of a person authorised by the system controller;
3) the legal basis for the operation of the personal data processing system;
4) the type of personal data to be included in the system, the purposes for which it is intended and the scope of personal data to be processed;
5) the categories of data subjects;
6) the categories of recipients of personal data;
7) the intended method of personal data processing;
8) the planned method of obtaining personal data and a mechanism for the control of their quality;
9) other data processing systems which will be connected with the system to be registered;
10) what personal data connected systems will be able to obtain from the system to be registered, and what data the system to be registered will be able to obtain from connected systems;
11) the method for transferring data from the system to be registered to another system;
12) the identification codes of natural persons as will be used by the system to be registered;
13) the method for exchanging information with the data subject;
14) the procedures whereby a personal data subject is entitled to obtain information concerning himself or herself and other information mentioned in Sections 8 and 9 of this Law;
15) the procedures for supplementing and updating of personal data;
16) technical and organizational measures ensuring the protection of personal data; and
17) what personal data will be transferred to other states.


(2) The State Data Inspectorate evaluates and specifies personal data processing systems where a pre-registration examination has to be made.


(3) When registering a personal data processing system, the State Data Inspectorate shall issue a certificate of registration of the personal data processing system to a system controller or to a person authorised by him or her.


(4) Prior to changes being made to the information mentioned in Paragraph one of this Section, they shall be registered in the State Data Inspectorate.
Prior to making amendments to the personal data processing system, such amendments have to be filed with the State Data Inspectorate in cases when changes are made of:


1) the system controller or personal data operator;
2) the location of the personal data processing system;
3) the types of personal data or purpose of the personal data processing;
4) the holder of information resources or technical resources, as well as person-in-charge of security of information system;
5) the data processing systems wherewith the corresponding system is linked;
6) the type of personal data processing;
7) the types of personal data which will be transferred to other countries.


(5) Should changes take place in technical and organizational means for protection of the personal data processing system which essentially influence protection of the system, then information thereon has to be submitted to the State Data Inspectorate within one year.


(6) For each registration of personal data processing system or each registration of amendments mentioned in part four of this Section, a state fee has to be collected in accordance with the procedure and amount established by the Cabinet of Ministers.
