Internal regulation on personal data protection
I. Purpose of issuing an internal regulation
The purpose of issuing this internal regulation is to adopt and implement appropriate technical and organizational measures to ensure the protection of personal data in accordance with Article 24 et seq. of EU Regulation No. 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
II. Interpretation of terms
For the purposes of this Internal Regulation:
GDPR – EU Regulation No. 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC, the so-called GDPR (General Data Protection Regulation).
personal data – all information about an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to a specific identifier, such as name, identification number, location data, network identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
sensitive data – data on racial or ethnic origin, political opinions, religion or philosophical beliefs or trade union membership, genetic data, biometric data and data on the state of health or sexual life or sexual orientation of a natural person.
Employer – (description of the employer)
Administrator – the employer, if: it determines the purpose of personal data processing and the means of personal data processing; it is designated as an administrator by a special law
Processor – the employer, if it is entitled to process personal data for another administrator on the basis of a contract, authorization or legal regulation
Employee – a person who is in an employment or similar relationship with the employer
Responsible employee – an employee responsible for the performance of work, which includes the handling of personal data
Scope of personal data processing – means determining the method of personal data processing, retention period, means of processing, categories of recipients, reasons for processing and other data describing the processing of personal data in the Key. Determining the scope of personal data processing also includes determining on what legal basis the personal data are processed and, in the case of personal data obtained from the data subject, whether the collection of personal data is a legal or contractual requirement or a requirement for the personal data to be part of the contract, as well as instructing the data subject on the consequences of not providing personal data.
Key – The key to personal data protection is a tool for defining the purpose of processing and the scope of personal data collection, available at oou.cloud
Office – Office for Personal Data Protection
Computer – a personal computer, tablet, telephone or other electronic device in the memory of which personal data can be stored
III. Scope of the internal regulation
This internal regulation applies to all employees of the employer who in any way handle personal data whose administrator or processor is the employer.
This internal rule shall apply unless otherwise specified in the GDPR.
IV. Transparency of personal data processing
The administrator processes personal data transparently, so that anyone has the opportunity to become acquainted with the processing of personal data that it performs.
As part of transparency, the administrator publishes on the Internet, either on its website or on the oou.cloud website in the section Database of information on the processing of personal data, all information on the processing of personal data, sorted according to the individual purposes of processing.
This internal rule shall apply unless otherwise specified in the GDPR.
V. Determining the purpose and scope of personal data processing
The Administrator determines the purpose and scope of personal data processing through the Key.
VI. Fulfillment of the duties of the administrator and the processor
The duties of the administrator and the processor are performed by the responsible employees, unless otherwise specified below.
The statutory body of the employer represents the employer in negotiations with the Office.
The documents for all negotiations with the Office are prepared for the statutory body of the employer by the responsible employee.
VII. Responsibility of employees for the processing of personal data
The employer divides the responsibility for the processing of personal data by individual employees so that the employee is entitled to become acquainted with personal data only to the extent necessary for the performance of the employee’s work and is responsible for the processing of such personal data.
The employee is obliged to become acquainted with the specified purpose and scope of processing of the personal data with which he will come into contact during the performance of work.
The employee becomes acquainted with the specified purpose and scope of personal data processing through the relevant documents generated by the Key.
When processing personal data, employees may not exceed the scope of processed personal data determined by the administrator through the Key.
VIII. Retention of personal data
Personal data shall be kept only for the time necessary for the purpose of their processing. This time is determined by the Key.
Documents and other tangible data carriers that contain personal data may only be stored in lockable rooms.
Documents and other physical data carriers that contain sensitive data may only be stored in lockable cabinets located in lockable rooms.
Personal data may be stored on a computer only:
if access to files containing personal data is password protected,
if access to the computer in whose memory the files containing personal data are located is password protected.
IX. Obligations of employees in the processing and security of personal data
The employee is obliged to process personal data only by the methods of processing and to the extent specified by the administrator.
The employee fulfills the obligations of the administrator and the processor through the Key, if the relevant obligation can be fulfilled through the Key.
The employee is obliged not to allow unauthorized persons to become acquainted with personal data. For this purpose, the employee is obliged to follow the so-called clean desk rule, especially when leaving the workplace, i.e. not to leave documents containing personal data on the desk and to turn off the personal computer.
The employee is obliged to maintain the confidentiality of personal data and security measures, the disclosure of which would jeopardize the security of personal data.
X. Final provisions
The protection of personal data as practiced by the employer to date shall be brought into line with this Directive within 1 month of the date of entry into force of this Directive.
This Directive shall enter into force on 1.10.2018.