Data Protection Office 1
Training Course on Data Protection
Nico Hilbert, Assistant to the Data Protection Officer
March 9th, 2005
Notification to the Data Protection Officer (DPO) and Access to the Register

Objective of the presentation
- General principles for the Register
- General principles for Notifications
- Principles for Commission specific aspects on Notifications - The Actors
- Why is the Notification system Online?
- Objective of the IS NDPO&R

Principles for the Register (1)
- What is the “Register” of the DPO?
  - The collection of all “Notifications” sent to the DPO by “Controllers”;
- Why is a “Register” needed?
  - To conform to Regulation 45/2001 as defined in article 26 - Register:
    - “A register of processing operations notified in accordance with Article 25 shall be kept by each Data Protection Officer”;
    - “The registers may be inspected by any person”;

Principles for the Register (2)
- What are the contents of the “Register”?
  - Article 26 says: “The register shall contain at least the information referred to in Article 25(2)(a) to (g)”;
    (a) the name and address of the controller;
    (b) the purpose of the processing;
    (c) a description of the categories of data subjects and of the data or categories of data relating to them;
    (d) the legal basis of the processing;
    (e) the recipients or categories of recipient disclosed;
    (f) a general indication of the time limits for blocking and erasure of the different categories of data;
    (g) proposed transfers of data to third countries or international organisations.

Principles for Notifications (1)
- What is a “Notification” and who is responsible for it?
  - Prior notice of the “Controller” to the DPO of any processing operation (manual & electronic) in which personal data is involved;
- When is a “Notification” needed?
  - If personal data is processed;
- Why is a “Notification” needed?
  - To conform to Regulation 45/2001:

Principles for Notifications (2)
    - as defined in article 25 - Notification to the Data Protection Officer;
    - as defined in articles 24.1(e) - Data Protection Officer + 27 - Prior checking
- What are the contents of a “Notification”?
  - Same information as requested by article 26 (“Article 25(2)(a) to (g)”) + paragraph (h) of article 25;
  - Article 25 (h): a general description allowing a preliminary assessment to be made of the appropriateness of the measures taken pursuant to Article 22 to ensure security of processing.

Principles for Commission specific aspects on Notifications (1)
Actors (Players) in the context of a “Notification”:
- European Data Protection Supervisor (EDPS): DPO submits to EDPS Notification for Prior checking;
- Data Protection Officer (DPO): receives the Notification in the Register and gives prior-advice on it;
- Controller: is responsible for the Notification;

Principles for Commission specific aspects on Notifications (2)
- Delegated Controller: A Delegated Controller may be designated by the Controller to prepare under his/her responsibility the notification to the DPO and to assure all the related co-ordination with the Data Protection Coordinator and others concerned with data protection inside or outside the respective Directorate General.
- Data Protection Co-ordinator (DPC): gives advice and helps the Controller and Delegated Controller;
- Processor(s): process(es) personal data on behalf of the Controller;

Principles for Commission specific aspects on Notifications (3)
- Project leader/Developer/IRM/HU DC: help to fill in the Notification concerning specific aspects related to their implication in the definition resp. execution/operation of the processing.

Interaction between Main Players
[Diagram. Labels: European Data Protection Supervisor (EDPS); Data Protection Officer (DPO); Register; DG Data Protection Coordinator; Controller (several); Data Subjects; Anybody]

The Online Information System NDPO&R
- Implements Regulation 45/2001
- Browser based (Internet Explorer)
- Online Notification System and Access to the Register which translate articles 25+26+
- Writes notifications into the DPO’s “Register” - translates article 26
- Has a built-in workflow system (see actors)

Why is the Notification system Online?
- To avoid any interaction of the DPO with the content of the final Notification
- To avoid that the DPO is involved in the process of writing notifications in the Register
- To give an integrated help (legal and question based)
- To have all legal references needed available online
- To interact electronically between actors in preparing notifications
- To keep independent electronic track of prior advice by DPO and EDPS for legal reasons
- To have integrated access of Data Subjects

Objective of the IS NDPO&R
- To implement (parts of) Regulation 45/2001 mainly articles 25 and 26
- The prior Notification of Controllers to the DPO of all processing operations performed upon personal data by the institution
- The creation of the Register of the DPO
- The public access to the Register as requested by article 26

Notification to the Data Protection Officer (DPO)
- Since October 2003 the DPO has also made available on his web site on IntraComm a Simplified Notification System for small ad hoc “processing of personal data”
- This new system is compatible with the standard online Notification System

Any Questions?
Thank you for your attention!