Protection of personal data

Internal regulation on personal data protection

I. Purpose of issuing an internal regulation

The purpose of issuing this internal regulation is to adopt and implement appropriate technical and organizational measures to ensure the protection of personal data in accordance with Article 24 et seq. of EU Regulation No. 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

II. Interpretation of terms

For the purposes of this Internal Regulation:

GDPR – EU Regulation No. 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), the so-called GDPR.

personal data – all information about an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to a specific identifier, such as name, identification number, location data, network identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

sensitive data – data on racial or ethnic origin, political opinions, religion or philosophical beliefs or trade union membership, genetic data, biometric data and data on the state of health or sexual life or sexual orientation of a natural person.

Employer – (description of the employer)

Administrator – the employer, if: it determines the purpose of personal data processing and the means of personal data processing; it is designated as an administrator by a special law

Processor – the employer, if it is entitled to process personal data for another administrator on the basis of a contract, authorization or legal regulation

Employee – a person who is in an employment or similar relationship with the employer

Responsible employee – an employee responsible for the performance of work, which includes the handling of personal data

Scope of personal data processing – means determining the method of personal data processing, retention period, means of processing, categories of recipients, reasons for processing and other data describing the processing of personal data in the Key. Part of determining the scope of personal data processing is also to determine on what legal basis the personal data are processed and, in the case of personal data obtained from the data subject, whether the collection of personal data is a legal or contractual requirement or a requirement that the personal data be part of the contract, as well as instructing the data subject on the consequences of not providing personal data.

Key – the Key to personal data protection is a tool for defining the purpose of processing and the scope of personal data collection, available at oou.cloud

Office – Office for Personal Data Protection

Computer – a personal computer, tablet, telephone or other electronic device in the memory of which personal data can be stored

III. Scope of the internal regulation

This internal regulation applies to all employees of the employer who in any way handle personal data whose controller or processor is the employer.

This internal rule shall apply unless otherwise specified in the GDPR.

IV. Transparency of personal data processing

The controller processes personal data transparently, so that anyone has the opportunity to become acquainted with the processing of personal data that it performs.

As part of transparency, the administrator publishes on the Internet, either on its website or on the oou.cloud website in the section “Database of information on the processing of personal data”, all information on the processing of personal data, sorted according to the individual purposes of processing.

This internal rule shall apply unless otherwise specified in the GDPR.

V. Determining the purpose and scope of personal data processing

The Administrator determines the purpose and scope of personal data processing through the Key.

VI. Fulfillment of the duties of the administrator and the processor

The duties of the controller and processor are performed by the responsible employees, unless otherwise specified below.

The statutory body of the employer represents the employer in negotiations with the Office.

The documents for all negotiations with the Office are prepared for the statutory body of the employer by the responsible employee.

VII. Responsibility of employees for the processing of personal data

The employer divides the responsibility for the processing of personal data by individual employees so that the employee is entitled to become acquainted with personal data only to the extent necessary for the performance of the employee’s work and is responsible for the processing of such personal data.

The employee is obliged to get acquainted with the specified purpose and scope of processing the personal data with which he will come into contact during the performance of work.

The employee will get acquainted with the specified purpose and scope of processing personal data through the relevant documents generated by the Key.

When processing personal data within the scope of their responsibility, employees may not exceed the scope of processed personal data determined by the administrator through the Key.

VIII. Retention of personal data

Personal data shall be kept only for the time necessary for the purpose of their processing. This time is determined by the Key.

Documents and other tangible data carriers that contain personal data may only be stored in lockable rooms.

Documents and other physical data carriers that contain sensitive data may only be stored in lockable cabinets located in lockable rooms.

Personal data may only be stored on a computer:

if access to files containing personal data is password protected,

if access to use the computer in whose memory the files containing personal data are located is password protected.

IX. Obligations of employees in the processing and security of personal data

The employee is obliged to process personal data only by the methods of processing and to the extent specified by the administrator.

The employee fulfills the obligations of the administrator and the processor through the Key, if the relevant obligation can be fulfilled through the Key.

The employee is obliged not to allow unauthorized persons to get acquainted with personal data. For this purpose, the employee is obliged to follow the so-called clean desk rule, especially when leaving the workplace, i.e. not to leave documents containing personal data on the desk and to turn off the personal computer.

The employee is obliged to maintain the confidentiality of personal data and security measures, the disclosure of which would jeopardize the security of personal data.

X. Final provisions

The protection of personal data as practised by the employer to date shall be brought into line with this Directive within 1 month of the date of entry into force of this Directive.

This Directive shall enter into force on 1.10.2018.