Rules on the obligation to notify and processing which requires a permit
Rules no. 698/2004 on the obligation to notify and processing which requires a permit
Art. 1
Scope
These rules apply to the processing of personal data, subject to mandatory notification according to Act No. 77/2000; to exemptions from that obligation; and to the processing of personal data which requires a permit.
The rules do not apply to the processing of personal data by an individual, relating solely to himself, or intended for personal use only; nor do they apply to processing carried out in the course of research or a study, where recorded data do not contain any personal characteristics, numbers, or other information traceable to a specific individual.
Obligation to notify personal data processing by the police is subject to regulation no. 322/2001.
Art. 2
Obligation to Notify
A controller, according to Art. 2, para. 1(4) of Act no. 77/2000, shall notify the Data Protection Authority of all electronic processing of personal data carried out by him, or on his behalf. He is responsible by law for the processing to be in compliance with the contents of the notification and the provisions of Act no. 77/2000.
The notification shall be sent at the beginning of a processing operation, but not each time the data are processed. If processing, which has been notified, is subject to change, e.g. if different categories of data are to be processed; the data are to be disclosed to or made available to other recipients than specified in the original notification; or the data are to be used in a different way, e.g. aligned with other data, or processed for other purposes than originally intended; a new notification shall be sent to the Data Protection Authority, so that the Authority will, at each time, have accurate information on the processing.
Art. 3
The Form and Contents of Notification
Notification to the Data Protection Authority can be sent on a form, intended for that purpose, available on the Data Protection Authority website, or on a printed form, available at the Data Protection Authority secretariat.
A notification shall contain all the items specified in Art. 32, para. 1 of Act no. 77/2000. It shall also specify whether it is a new notification, or a notification of an amendment of a processing operation. If it is a notification of an amendment, the serial number of the older notification shall be specified. The personal identification number of the controller shall also be specified. If processing will, wholly or partially, be entrusted to a processor, his personal identification number and his contractual duties towards the controller shall be specified.
Art. 4
The point, at which processing of personal data may commence
Personal data may only be processed according to Art. 8 or 9 of Act no. 77/2000. The point, at which processing may commence, is determined by whether it is subject to obligation to notify or whether it requires a permit.
Processing, which requires a permit, may commence when the controller has received a written authorisation from the Data Protection Authority.
Processing, subject to obligation to notify, may commence when the controller has received a confirmation on the receipt of notification from the Data Protection Authority. He can always commence the processing if 15 days have passed since the notification was sent. However, he cannot commence the processing, if he has, within the aforementioned time limit, received instructions from the Data Protection Authority not to do so.
The Data Protection Authority can, at any time, order the cessation of processing, which the Authority considers to be illegitimate, or set conditions for its continuance, cf. Art. 40 and Art. 35 of Act no. 77/2000.
The processing of personal data, which is neither subject to obligation to notify, nor requires a permit, may commence at any time.
Exemptions from obligation to notify, applying to the processing of personal data not considered to be sensitive
The following categories of data processing are exempted from obligation to notify:
1. Data processing, carried out in the regular or standard course of activities, relating solely to those who have a connection to the activities or the relevant field of work, e.g. business associates, employees, members.
2. Data processing, necessary to fulfil legal obligations of the controller.
3. Data processing, necessary to fulfil a contract, to which the data subject is a party, or an agreement between labour market organizations.
4. Data processing, extending only to data that have been and are accessible to the public, provided that they are not aligned or combined with other personal data which have not been made accessible.
5. Data processing, resulting from electronic surveillance, conducted for the purposes of security and property protection only, provided that legal obligations regarding duty of information and warning have been fulfilled.
6. Data processing, manual in its whole.
[Exemptions according to para. 1 do not apply to the following categories of electronic processing of personal data:
1. Data processing, regarding conduct and individual evaluation, e.g. of grades and the performance of employees.
2. Data processing, for the purposes of aligning individuals to personal profiles, cf. Art. 23 of Act no. 77/2000.
3. The processing of data collected by means of electronic surveillance for the purpose of monitoring employee efficiency.
4. Data processing, involving the transfer of uncoded personal data abroad.
5. Data processing, involving systematic recording of telephone calls.]1)
1) Rules no. 836/2006
Obligation to notify the processing of sensitive personal data
The processing of sensitive personal data, which does not require a permit, is subject to obligation to notify.
The following categories of data processing may not commence until the Data Protection Authority, having received an application from the controller, has issued a written permit:
1. The combination of a file containing sensitive personal data with another file containing personal data, whether the data in the latter file is regarded as sensitive or not. However, such combination does not require a permit if it is provided for by law, or if the data are only combined with data from the national register regarding name, personal identification number, address, residence and postal code. The same applies to combination of files belonging to the same controller or combination based on informed consent of the data subject.
2. Data processing in relation to genetic research. This does not apply if the processing only extends to parts of genetic data that cannot be traced to a specific individual.
3. Data processing regarding criminal offences and criminal records; the use of medical drugs, alcohol and narcotics; sex-life and sexual behaviour; unless the processing is a necessary part of the regular or standard course of activities of the controller, or based on informed consent of the data subject.
4. The collection and disclosure of financial and credit standing data of individuals.
5. Data processing regarding social problems of individuals and other private information, e.g. divorce, separation, adoption, and foster care, unless the processing is a necessary part of the regular or standard course of activities of the controller, or based on informed consent of the data subject.
Despite para. 1, such processing of personal data does not require a permit, if it is based on provisions of law.