We would like to inform you that all services provided by us comply with the requirements of the Personal Data Protection Act of 29 August 1997 (consolidated text: Journal of Laws 2002, No. 101, item 926, as amended).
At the Client's request, we will confirm this in a statement attached as an annex to the Agreement, together with the technical specification needed to complete Annex F of the personal data filing system notification.
Where a separate agreement is required under Art. 31(1) of the Act ("The data controller may entrust another entity, by means of a contract concluded in writing, with the processing of data."), we will gladly prepare the necessary document, adapted to the specifics of the Service.
Please note that, in accordance with the Act and the GIODO guidelines, such an agreement must clearly define:
- the limits of responsibility,
- the purpose and scope of data processing (for hosting and related services this is limited to keeping the data set on technical resources, or to storing backup copies if the Service includes that option).
In response to frequent inquiries about a 'GIODO certificate': GIODO does not issue such certificates, and any entity claiming to hold one is making an untrue claim. The statement issued by GIODO reads:
"In relation to the reference made by some entities to holding a 'GIODO certificate', the Office of the Inspector General for the Protection of Personal Data informs that neither the Inspector General for the Protection of Personal Data nor any other entity issues certificates whose possession is a condition for the legality of data processing. Therefore, any certificates issued by other entities are irrelevant from the point of view of the admissibility of data processing by the holder of such a document."
(Source: http://www.giodo.gov.pl/560/id_art/2652/j/pl/)
We would also like to point out that, according to the GIODO guidelines (reproduced below), the mere lease of disk space, of an entire server, or of a hosting service is not an "entrustment of data processing" and therefore does not require a separate agreement. In that case the provisions on telecommunications secrecy (Art. 159 of the Telecommunications Act) and Art. 14 of the Act of 18 July 2002 on the provision of services by electronic means apply.
Accordingly, we enter into a personal data processing entrustment agreement when it follows from the nature of the purchased service that, in performing it, DataHouse.Pl or its employees "have knowledge of the type of data processed in the system". In practice this applies to services combined with server or application administration.
If anything is unclear or you have further questions, our legal department will gladly provide clarification. Please feel free to contact us.
GIODO guidelines (source: http://www.giodo.gov.pl/):
"Pursuant to Article 31(1) of the Act, the entrustment of the processing of personal data must be performed in the form of a contract, which shall specify, inter alia, its scope and the tasks and obligations of the entity to which the processing is entrusted. Therefore, not every website hosting contract can be considered a contract of entrustment of personal data processing. We shall be dealing with the situation of entrustment of personal data processing only when the concluded agreement meets the requirements specified in Article 31 of the Act. This means that it has to be drawn up in a written form and indicate the purpose and the scope of processing. If the hosting service is limited to leasing server space, the scope of data processing should at least include the obligation to adequately protect the processed data against unauthorised changes or destruction. Furthermore, if the entrustor of the processing does not back up the processed dataset at its premises, this obligation must be performed by the hosting entity, which should also be included in the contract.
If the entity hosting the system (server) has no knowledge of the type of data processed in the system and has not been entrusted with the data pursuant to Article 31 of the Act, it shall be subject to the provisions of Article 14 of the Act of 18 July 2002 on the provision of services by electronic means and its liability for the processed data shall be limited in accordance with Articles 12-15 of the Act."
Because of the many questions and ambiguities, and drawing on the provisions of the law, case law and the interpretations of the GIODO office, we summarise below when a "Personal Data Processing Entrustment Agreement" must be signed.
Signing the agreement is necessary when it follows from the nature of the service that the provider will have knowledge of the data collected in the system, for example:
- administration of a database or of an application used for data processing,
- administration of the entire operating system and its applications,
- data recovery,
- any other case in which the service contract obliges the provider to perform operations on personal data.
Signing the agreement is not necessary when the provider only supplies the hardware or system platform and the service contract neither defines the nature of the data nor obliges the provider to act on it, for example:
- hosting (without administration),
- dedicated server (without administration),
- shell accounts,
- VPS server (without administration).
In short, the agreement is necessary whenever the service provider is to perform logical, informed operations on the data set itself.
Please also note that signing a "Personal Data Processing Entrustment Agreement" diminishes neither the responsibility nor the duties of the data controller (the "Administrator" in the Act's terminology), which under the Act always remains the entity commissioning the service.
Below we quote questions addressed to the GIODO office together with the office's answers, which constitute its official interpretation.
QUESTIONS AND ANSWERS
According to the Act, it is not necessary to register personal data sets that only serve to process data for the purpose of issuing an invoice. Does this exemption also exempt the data controller from the obligation to secure the data in this collection?
The requirements concerning the security of personal data filing systems referred to in Article 36 of the Act shall apply to all filing systems in which personal data are processed. The obligation to secure the data shall not depend on the purpose of the processing, the type of entity which is the controller, as well as on the privileges which include, inter alia, the exemption of the controllers from the obligation to register a given type of sets. The exemption from the obligation to notify the personal data filing system for registration, which concerns the filing systems indicated in Article 43 paragraph 1 of the Act, shall not imply the exemption from other obligations, including the data security referred to in Article 36 of the Act.
If I have customer details such as first name, last name and address in the database, and user A sees his details (e.g. Jan Nowak) when he logs in, should the following information be entered in the event log ("logs") of the system: user A saw customer details at 11:11:12 on 23 July 2006: Jan Nowak?
The obligation to record information on: to whom, when, what data and for what purpose were made available, pursuant to Article 7(1)(4) of the Regulation, shall apply only to the recipients of the data. The user of the system viewing the data of a customer or customers, who, pursuant to Article 7(6)(b) of the Act, must be a person authorised to process the data, is not a data recipient. Hence, it should be concluded that the Act does not impose an obligation to record the fact that the system user has become acquainted with the data of persons who are registered in the system. However, this does not mean that such an obligation, for the purpose of strict control of access to data, cannot be imposed by other, separate provisions.
If the filing system is located on a computer workstation separate from the network and only the collection of personal data is carried out by means of teletransmission over the Internet, is it necessary to apply a high level of security to the computer (computer network) used exclusively for the collection of data? If personal data is collected by email, is a high level of security required?
According to § 6(4) of the Regulation, a high level of security must be applied to a computer or network that is connected to a public network. The fact that data is collected via e-mail, which is not an internal e-mail functioning only within a local computer network, shows that this network and the computers connected to it, including the one receiving the e-mail, are connected to a public network. This computer should therefore be secured at a high level. It should also be noted that personal questionnaires to be sent by e-mail should be secured against disclosure to unauthorised persons - by using appropriate cryptographic means.
If a high level of security is applied to the data set and the collection of data from external parties is carried out by means of teletransmission over the Internet, is it necessary to secure the data transmission process with an encrypted connection using the SSL protocol? Is the application of this instrument affected by the fact that sensitive data is being processed?
Pursuant to Article 36 of the Act, the data controller is obliged to secure the data, inter alia, against unauthorised disclosure. In the case of data transmission by means of teletransmission using a public network, there is always a possibility that an unauthorised person may intercept the transmitted data. There is also the danger of unauthorised modification, damage or destruction. It is therefore necessary to apply appropriate safeguards to protect transmitted data. Which measures should be applied should be decided by the data controller itself. This may include the SSL data encryption protocol mentioned in the question, as well as other cryptographic protection measures, such as encryption using e-mail and the recipient's public key.
I am responsible for the creation of documents relating to the Act in a company with approximately 1,000 employees. My question concerns two points that should be described in the security policy: "A list of buildings, rooms or parts of rooms, forming an area where personal data are processed" and "A list of personal data sets with an indication of the programs used to process these data". Should the above-mentioned items include a list of all employees, computers and rooms where personal data are entered and modified, or is it sufficient to indicate only the departments/rooms where data are processed?
The documentation constituting the security policy should include, in particular, a list of buildings, premises or parts of premises, forming the area in which personal data are processed, as well as a list of personal data sets together with an indication of the programs used to process such data. The list of buildings, premises or parts of premises, forming the area where personal data are processed should be understood as listing in a consistent and unambiguous manner the places where personal data are processed both in collections maintained in ordinary (paper) and electronic form. It should be noted that the place referred to above can be both the area of an entire building or buildings, the area of a few selected rooms, as well as an area that is a separate part of a particular room. For example, when an authorized entity carries out personal data processing in all the premises of a building, then the list of the data processing area included in the security policy may be a general statement that the place of personal data processing is all the premises located in the building with a given address. The same is true when data processing is carried out in premises occupying an entire floor of a building - the list can then describe all premises located on a given floor of a building with a given address. Indication in a general way of the data processing area - understood as the premises constituting the entire building, a selected floor of the building, etc. - is possible only if in all the premises of this area the entity processes personal data. The list of personal data sets, together with the indication of the programs used for their processing, should contain information on what sets of personal data are processed by the entity and with what systems the data contained in these sets are processed.
Does a website hosting company (i.e., leasing space on a server and providing services to access these websites from the Internet) become a data processor when the hosted website has personal data and mechanisms to handle it in its structure?
According to Article 31(1) of the Law, the entrustment of the processing of personal data must be made in the form of a contract, which will define, among other things, its scope and the tasks and obligations of the entity to which the processing is entrusted. Therefore, not every website hosting contract can be considered a contract of entrustment of personal data processing. We will deal with the situation of entrustment of personal data processing only if the concluded agreement meets the requirements set forth in Article 31 of the Act. This means that it must be in writing and indicate the purpose and scope of processing. If the hosting service comes down only to the lease of server space, then the scope of data processing should at least include the obligation to adequately secure the processed data against unauthorized alteration or destruction. In addition, if the entrustor of processing does not back up the processed data set at its premises, this duty must be performed by the hosting entity, which should also be included in the contract.
If the entity providing the system (server) has no knowledge of the type of data processed in the system and has not been entrusted with the data in accordance with Article 31 of the Law, it is subject to the provisions of Article 14 of the Law of July 18, 2002 on the Provision of Electronic Services, and its responsibility for the processed data is limited in accordance with Articles 12-15 of the Law.
Does the administrator of a server on which personal data is processed as part of the hosting services provided automatically become the controller of that data?
It follows from Article 31(1) of the Act that a data controller may entrust the performance of activities involving the processing of data, including by means of a computer system, to another entity. This may take place on the basis of a written agreement.
An entity entrusted with the processing of personal data does not become the controller of such data, but it is obliged, before the processing begins, to take the security measures referred to in Articles 36-39 of the Law, and to meet the requirements specified in the regulation to the Law. With regard to compliance with the provisions indicated above, the entity bears the same responsibility as the data controller. This, of course, does not exempt the latter from the obligation to supervise compliance with the provisions of the Act by the entity to which it entrusted data processing. Article 31(4) of the Act explicitly states that the responsibility for compliance with the provisions of this Act rests with the data controller, which does not exclude the responsibility of the contracted entity for processing data in violation of the contract. It follows from the cited provisions that both the entity entrusting data processing (the data controller) and the entity to which the data is entrusted are obliged to comply with the provisions on personal data protection. However, it is up to the data controller to choose an IT solution (information system) that meets the requirements of the Law and its implementing acts. This involves choosing an ISP that offers an IT system that meets the requirements of the Act. It should also be noted that a data controller entering into a contract for entrustment of personal data processing with an ISP has a say in the content of such a contract, and it is his duty to include in it all aspects concerning the protection of the processed data. In such a contract, the entity to which the processing of personal data is outsourced should be informed, first of all, of the fact that personal data will be processed on its servers and, therefore, that it assumes responsibility under the aforementioned regulations.
However, there may be a situation in which the entity providing access to the system (server) has no knowledge of the type of data processed in the system (for example, in the case of a shell account). In that case, the entity providing access to the resources of the information system is subject to the provisions of Article 14 of the Law of July 18, 2002 on the provision of electronic services, and its responsibility for the processed data is limited in accordance with Articles 12-15 of the Law.
In conclusion, it should be said that the reasoning that the administrator of the server on which hosting services are provided automatically becomes the controller of personal data is incorrect. When there is an entrustment of data processing, as defined in Article 31 of the Law, which means that the entity providing the IT infrastructure has knowledge of the nature of the data being processed, then it is subject to the provisions of Articles 36-39, even though it is not the controller of personal data. On the other hand, if the entity providing the system has no knowledge of the nature of the data being processed, it is subject to the provisions of Articles 12-15 of the Law on Providing Electronic Services.
What is the role and responsibility of the hosting provider in a situation where, as part of its services, the hosting customer processes a set of personal data for its own purposes? Does the concept of an information system referred to in the regulation and the requirements it should meet then refer only to the part of the system used by the hosting customer?
According to Article 7(2a) of the Law, an information system should be understood as a set of cooperating devices, programs, information processing procedures and software tools used for data processing. Therefore, it should be considered that personal data are processed both in the IT system of the hosting customer and in the IT system of the hosting provider. The process of data teletransmission occurring between these systems is carried out using the ICT infrastructure forming the public Internet network. The hosting provider's information system should be understood as all devices and programs that make it possible to record, read, delete and store the personal data of the hosting customer. This system also includes devices and programs that protect data from the effects of power failures and from the operation of software designed to gain unauthorized access to data. According to the accepted definition, the information system also includes procedures for managing data processing (procedures for granting data processing rights, procedures for making backups, etc.). Because there is a teletransmission of data between the IT systems of the hosting provider and the hosting customer using the ICT network infrastructure that is part of the public Internet network, this teletransmission, as one of the elements of the data processing process, should ensure data integrity, non-repudiation and confidentiality. Ensuring such teletransmission requires the use of an appropriate data encryption mechanism, such as the secure SSL protocol. In addition, both cooperating systems should be adequately protected against threats from the public network, including through the use of specialized firewall devices, devices to detect unauthorized access attempts, anti-virus software, as well as the development and implementation of appropriate management procedures.
Analyzing the hosting issue from an IT point of view, it should be assumed that the IT system for data processing will consist of two parts, one of which will be on the side of the hosting provider and the other on the side of the hosting customer. The detailed specification of the various parts of such a system is individual for each case. Also individual is the division of tasks in ensuring, for a given system, compliance with the law, including the problem of ensuring the security of data processing and the mutual cooperation of the two parties. Thus, it should be considered that both the hosting provider and the hosting customer should adapt their information systems to the conditions required by the regulation. With regard to the hosting provider's IT system, the conditions referred to in the regulation must be met in particular by that part of the system used by the hosting customer which processes personal data. As for the mutual relationship between the two, it should be noted that the conditions relating to the hosting provider's system and the technical and organizational measures it should apply in connection with the processing of personal data by the hosting customer should be identified and unambiguously specified in the contract between the two entities. The party that decides whether the services of a given hosting provider can be used, and whether its system meets the conditions that should be met by systems used to process personal data, is the personal data controller who intends to use such services.
A database server is itself an information system. Suppose I store personal data in it, such as a list with addresses of people. Manufacturers of such systems do not provide built-in mechanisms for recording operations on records (entries) in individual tables, such as the date of data entry and the ID of the user who entered the data. Therefore, it can be concluded that such a system does not meet the requirements of the law on personal data. How, then, to treat a set of personal data contained in a database, for example, a table with a list of addresses of natural persons? How to treat the database server itself, an application that de facto becomes an information system?
The law does not specify what information technologies should be used when processing personal data. However, it obliges their controller to use IT systems that comply with its requirements. Therefore, the decision to use a particular IT system for processing personal data should be determined by the compliance of that system with the applicable regulations (the Law and the Regulation). However, referring to the situation presented in the question, it should be noted that it is always up to the user to decide what information fields will occur in the database being created. In any database where it is possible to create a field for a person's name, it is also possible to create a field for other required information - such as, for example, the date of data entry or the ID of the user who entered the data. In many databases, moreover, it is possible to include a procedure that will perform a given entry automatically (e.g., the action of noting the date on which a new entry was created, as well as the name of the user who entered that entry). On the other hand, if any of the required functionality is not present in the database itself, such a database cannot be used as a stand-alone system for processing personal data. This does not mean, however, that it cannot be used as a component of an information system that, in combination with specific software, will meet all the functionalities required by law.
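The answer above says that the required entry date and the identifier of the entering user can be filled in automatically by a database procedure, and the earlier answer on event logs says that recording to whom, when, what data and for what purpose data were made available applies to data recipients. The following is an added example, not GIODO's text nor DataHouse.Pl's code, of how a small database can do both with triggers, using Python's standard sqlite3 module. Everything in it is an assumption for illustration: the single-row `session` table that holds the current operator, the table and column names, and the constructed sample record.

```python
"""Audit columns filled by database triggers, plus a disclosure log.

Added example using only the Python standard library (sqlite3). The schema,
the `session` table holding the current operator, and the sample data are
assumptions for illustration, not taken from any regulation or product.
"""
import sqlite3

SCHEMA = """
-- Single-row table: which authorised user is working on this connection.
CREATE TABLE session (
    id       INTEGER PRIMARY KEY CHECK (id = 1),
    operator TEXT NOT NULL
);

CREATE TABLE persons (
    id         INTEGER PRIMARY KEY,
    name       TEXT NOT NULL,
    address    TEXT NOT NULL,
    entered_at TEXT,   -- filled by trigger, never by the caller
    entered_by TEXT    -- filled by trigger, never by the caller
);

-- To whom, when, what data and for what purpose were made available.
CREATE TABLE disclosures (
    id           INTEGER PRIMARY KEY,
    person_id    INTEGER NOT NULL REFERENCES persons(id),
    recipient    TEXT NOT NULL,
    purpose      TEXT NOT NULL,
    disclosed_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%SZ', 'now'))
);

-- Refuse inserts with no logged-in operator or with caller-supplied audit values.
CREATE TRIGGER persons_guard BEFORE INSERT ON persons
BEGIN
    SELECT RAISE(ABORT, 'no operator set in session')
     WHERE NOT EXISTS (SELECT 1 FROM session WHERE id = 1);
    SELECT RAISE(ABORT, 'audit columns are set by the database')
     WHERE NEW.entered_at IS NOT NULL OR NEW.entered_by IS NOT NULL;
END;

-- Stamp the new row with the current time and operator.
CREATE TRIGGER persons_stamp AFTER INSERT ON persons
BEGIN
    UPDATE persons
       SET entered_at = strftime('%Y-%m-%dT%H:%M:%SZ', 'now'),
           entered_by = (SELECT operator FROM session WHERE id = 1)
     WHERE id = NEW.id;
END;

-- Once stamped, the audit columns are write-once (the stamp itself sees NULLs).
CREATE TRIGGER persons_audit_immutable BEFORE UPDATE OF entered_at, entered_by ON persons
WHEN OLD.entered_at IS NOT NULL OR OLD.entered_by IS NOT NULL
BEGIN
    SELECT RAISE(ABORT, 'audit columns are immutable');
END;
"""


def open_registry() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript(SCHEMA)
    return conn


def set_operator(conn: sqlite3.Connection, operator: str) -> None:
    conn.execute("INSERT OR REPLACE INTO session (id, operator) VALUES (1, ?)", (operator,))


def add_person(conn: sqlite3.Connection, name: str, address: str) -> int:
    cur = conn.execute("INSERT INTO persons (name, address) VALUES (?, ?)", (name, address))
    return cur.lastrowid


def person_audit(conn: sqlite3.Connection, person_id: int) -> dict:
    row = conn.execute("SELECT entered_at, entered_by FROM persons WHERE id = ?", (person_id,)).fetchone()
    return {"entered_at": row[0], "entered_by": row[1]}


def record_disclosure(conn: sqlite3.Connection, person_id: int, recipient: str, purpose: str) -> int:
    cur = conn.execute(
        "INSERT INTO disclosures (person_id, recipient, purpose) VALUES (?, ?, ?)",
        (person_id, recipient, purpose),
    )
    return cur.lastrowid


def disclosures_for(conn: sqlite3.Connection, person_id: int) -> list:
    rows = conn.execute(
        "SELECT recipient, purpose, disclosed_at FROM disclosures WHERE person_id = ? ORDER BY id",
        (person_id,),
    ).fetchall()
    return [{"recipient": r, "purpose": p, "disclosed_at": d} for r, p, d in rows]


def rejected(conn: sqlite3.Connection, sql: str, params=()) -> bool:
    """True if the database refused the statement (trigger RAISE or constraint)."""
    try:
        conn.execute(sql, params)
    except sqlite3.DatabaseError:
        return True
    return False


def demo() -> dict:
    conn = open_registry()
    set_operator(conn, "jkowalski")
    pid = add_person(conn, "Jan Nowak", "ul. Przykladowa 1, 00-001 Warszawa")  # constructed record
    record_disclosure(conn, pid, "Poczta Polska", "address label for mailing")
    audit = person_audit(conn, pid)
    tamper = rejected(conn, "UPDATE persons SET entered_by = 'nobody' WHERE id = ?", (pid,))
    forged = rejected(conn, "INSERT INTO persons (name, address, entered_by) VALUES ('X', 'Y', 'root')")
    no_op = rejected(open_registry(), "INSERT INTO persons (name, address) VALUES ('X', 'Y')")
    return {
        "audit": audit,
        "audit_after": person_audit(conn, pid),
        "tamper_rejected": tamper,
        "forged_rejected": forged,
        "no_operator_rejected": no_op,
        "disclosures": disclosures_for(conn, pid),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the three triggers is that the application cannot forget, forge or later rewrite the entry stamp: an insert without a logged-in operator fails, an insert that supplies its own `entered_by` fails, and an update of a stamped row's audit columns fails, while ordinary edits to name or address still work. Logging ordinary viewing by authorised users is deliberately not done here, matching the answer above that only disclosures to recipients must be recorded.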
Can the computer system used to address envelopes in which information about the current activities of our institution (exhibitions, lectures, etc.) is sent be considered a system "for processing personal data and limited only to editing text for the purpose of making it available in writing," as referred to in Section 7 of the Ordinance? The personal data processed in this system consists of fields such as name, position, institution name, address and postal code. These data are printed on envelopes, which are then sent via the Polish Post or distributed to the addresses of the relevant institutions. Is this the only way to use this data?
According to the wording of Section 7 of the Regulation, compliance with the requirements set forth in this paragraph is not required for personal data sets for processing personal data limited solely to editing text for the purpose of making it available in writing. The features of an information system for "processing personal data for the purpose of addressing envelopes" indicated in the question do not fully define the characteristics of this system. The aforementioned description does not indicate whether the personal data processed in this system is immediately deleted from this system after its use (i.e., after the printing of address data on envelopes) or whether it continues to be stored in this system after printing. If the personal data processed in the aforementioned system were immediately deleted after printing (after achieving the purpose for which they were entered), then it should be considered that this collection is only for editing the text in order to make it available in writing. If the aforementioned condition were not met, then the collection in question should be considered to be exclusively for editing text for the purpose of making it available in writing, and should meet all the requirements set forth in Section 7(1) of the Regulation.