POLAND
The Generalny Inspektor Ochrony Danych Osobowych website:
http://www.giodo.gov.pl/168/j/en
The Act of 29 August 1997 on the Protection of Personal Data (as
amended in 2002, 2004, 2006 and 2007):
http://www.giodo.gov.pl/144/id_art/171/j/en/
What needs to be done prior to collection?
NOTIFY THE GENERALNY INSPEKTOR OCHRONY DANYCH OSOBOWYCH
Registration of Personal Data Filing Systems
Article 40 – Notify the Inspector General for Registration
The controller shall be obliged to notify a data filing system to
registration by the Inspector General. The above shall not apply in
cases referred to in Article 43 Paragraph 1.
Article 41 – Information to be provided for Registration
- The notification, concerning the data filing system submitted for
registration, should contain the following:
1) An application for entering the personal data filing system into the
register of filing systems,
2) An indication of the subject running the filing system and the
address of its seat or place of residence, including the
identification number in the register of enterprises setting up in
business, if applicable, and the legal grounds on which he/she is
authorised to run the data filing system, and in case of the subject
referred to in Article 31a, indication of this subject and the
address of its seat or place of residence
3) The purpose of processing the data
3a) Description of the categories of data subjects and the scope of
the processed data
4) Information on the ways and means of data collection and disclosure
4a) Information on the recipients or categories of recipients to
whom the data may be transferred
5) Description of technical and organisational measures applied for the
purposes referred to in Articles 36 to 39
6) Information on the ways and means of fulfilling technical and
organisational conditions specified in the provisions referred to by
Article 39a
7) Information relating to possible data transfer to a third country
- The controller shall be obliged to inform the Inspector General
about any changes affecting the information referred to within
paragraph 1, within 30 days following the date of the change
introduced to the filing system. The provisions on registration
of personal data filing systems shall apply respectively to
notifications about changes
Article 43 – Exceptions to the obligation of Registration
- The obligation to register data filing systems shall not apply to
the controllers of such data which:
1) Constitute a state secrecy due to the reasons of state defence or
security, protection of human life and health, property, security or
public order
1a) Were collected as a result of inquiry procedures held by
officers of the bodies authorised to conduct such
enquiries
2) Are processed by relevant bodies for the purpose of court
proceedings and on the basis of the provisions on National Criminal
Register
2a) Are processed by the Inspector General of Financial
Information
2b) Are processed by relevant bodies for the purposes of the
participation of the Republic of Poland in the Schengen Information
System and the Visa Information System
3) Relate to the members of churches or other religious unions with an
established legal status, being processed for the purposes of these
churches or religious unions
4) Are processed in connection with the employment by the controller or
providing services for the controller on the grounds of civil law
contracts, and also refer to the controller’s members and trainees
5) Refer to the persons availing themselves of their health care
services, notarial or legal advice, patent agent, tax consultant or
auditor services
6) Are created on the basis of electoral regulations concerning the
Diet, Senate, European Parliament, communal councils, poviat
councils, and voivodship regional councils, the President of the
Republic of Poland, head of the commune, mayor or president of a
city elections, and the acts on referendum and municipal referendum
7) Refer to persons deprived of freedom under the relevant law within
the scope required for carrying out the provisional detention or
deprivation of freedom
8) Are processed for the purpose of issuing an invoice, a bill or for
accounting purposes
9) Are publicly available
10) Are processed to prepare a thesis required to graduate from
University or be granted a degree
11) Are processed with regard to minor current everyday affairs
Article 44 – Refusal to Register
- The Inspector General shall, by means of an administrative decision
refuse to register the data filing system if:
1) The requirements specified in Article 41 paragraph 1 have not been
fulfilled
2) The processing may violate the provisions provided for in Articles
23 to 30
3) The devices and computer systems used for the processing of the data
filing system submitted for registration do not meet fundamental
technical and organisational conditions defined in Article 39a
NOTIFY THE DATA SUBJECT
Article 24 - Information to be provided to the Data Subject –
Data collected from Data Subject
In case where personal data are collected from the data subject, the
controller is obliged to provide a data subject from whom the data
are collected with the following information:
1) The address of its seat and its full name, and in case the
controller is a natural person about the address of his/her
residence and his/her full name
2) The purpose of data collection, and, in particular, about the data
recipients or categories of recipients, if known at the date of
collecting
3) The existence of the data subject’s right of access to his/her data
and the right to rectify this data
4) Whether the replies to the questions are obligatory or voluntary,
and in case of the existence of the obligation about its legal basis
The above shall not apply if:
1) Any provision of other law allows for personal data processing
without a disclosure of the real purpose for which the data are
collected
2) The data subject already has the information referred to above
Article 25 - Information to be provided to the Data Subject –
Data not collected from Data Subject
In case where the data have not been obtained from the data subject,
the controller is obliged to provide the data subject, immediately
after the recording of his/her personal data, with the following
information:
1) The address of its seat and its full name and in case the controller
is a natural person about the address of his/her residence and
his/her full name
2) The purpose of data collection, and, in particular, about the data
recipients or categories of recipients, if known at the date of
collecting
3) The source of the data
4) The existence of the data subject’s right of access to his/her data
and the right to rectify this data
5) The powers resulting from Article 32 paragraph 1 point 7 and 8
The provisions above shall not apply where:
1) The provision of other law provides or allows for personal data
collection without the need to notify the data subject
2) Deleted
3) The data are necessary for scientific, didactic, historical,
statistical or public opinion research, the processing of such data
does not violate the rights and freedoms of the data subject, and
the fulfilment of the terms and conditions determined above would
involve disproportionate effects or endanger the success of the
research
4) Deleted
5) The data are processed by the controller referred to in Article 3
paragraph 1 and Article 3 paragraph 2 point 1 on the basis of legal
provisions
6) The data subject already has the information referred to above
What needs to be done prior to shipping?
Article 47 - Transfer of Personal Data to a third country
1. The transfer of data to a third country may take place only if the
country of destination ensures at least the same level of personal
data protection in its territory as that in force in the territory
of the Republic of Poland
2. The provision of paragraph 1 above shall not apply to the transfer
of personal data required by legal provisions or by the provisions
of any ratified international agreement
3. Nevertheless the controller may transfer the personal data to a
third country provided that:
1) The data subject has given his/her written consent
2) The transfer is necessary for the performance of a contract between
the data subject and the controller or takes place in response to
the data subject’s request
3) The transfer is necessary for the performance of a contract
concluded in the interests of the data subject between the
controller and another subject
4) The transfer is necessary or is required by reasons of public
interest or for the establishment of legal claims
5) The transfer is necessary in order to protect the vital interests of
the data subject
6) The transfer relates to data which are publicly available
Article 48 - Transfer of Personal Data to a third country
In cases other than those referred to in Article 47 paragraph 2 and
3 the transfer of personal data to a third country which does not
ensure at least the same level of personal data protection as that
in force in the territory of the Republic of Poland, may take place
subject to a prior consent of the Inspector General, provided that
the controller ensures adequate safeguards with respect to the
protection of privacy, rights and freedoms of the data subject.
What are the sanctions for non-compliance?
See Chapter 8 – Sanctions
Article 53 – Sanctions
A person, who, regardless of the obligation, fails to notify the
data filing system for registration, shall be liable to a fine, the
penalty of restriction of liberty or deprivation of liberty up to
1 year.
Article 54 - Sanctions
A person who, being the controller, fails to inform the data
subject of its rights or to provide him/her with information
which would enable that person to benefit from the provisions of
this Act, shall be liable to a fine, the penalty of restriction of
liberty or deprivation of liberty up to 1 year.
Please refer to The Generalny Inspektor Ochrony Danych Osobowych
website for more information on the Statute