GDPR

ANNEX NO. 2

GDPR SECURITY DIRECTIVE NO. 1/SK

BINDING PERSONAL DATA PROTECTION RULES - AUTHORIZED PERSONS

Pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), and Act no. 18/2018 Coll. on personal data protection and on the amendment and supplementation of certain acts, as amended.

1. The GDPR Security Directive applies to all employees of the company and to other persons who perform activities related to the information system on behalf of the company and who are bound to the company by a written legal act.

2. Failure by the persons defined in the previous paragraph to comply with these rules constitutes a serious breach of work duties, with the consequences provided for in Act no. 311/2001 Coll., the Labour Code, as amended (hereinafter referred to as the "Labour Code" or "LC").

3. Authorized persons shall observe the following rules:

  • to collect personal data solely for a specified or defined purpose; it is inadmissible to collect personal data under the pretence of any other purpose or activity,
  • to process only such personal data as correspond, in scope and content, to the purpose of their processing and are necessary for its fulfilment,
  • to collect personal data for different purposes separately and to ensure that personal data are processed and used exclusively in a manner consistent with the purpose for which they were collected; it is inadmissible to combine personal data that were obtained for different purposes,
  • to take responsibility for the storage, protection and handling of personal data held in written (paper) form,
  • to take responsibility for obtaining verifiable consent to the processing of personal data from data subjects,
  • to keep the workplace tidy and to store all documents containing personal data, and other documents that could result in the disclosure of personal data, in the lockers designated for that purpose,
  • to protect personal data from misuse by a third party; when not directly working with personal data, to store them in a safe, a locker or an otherwise secured room,
  • to comply with the rules for working on the LAN and WAN under the guidelines on computer network use,
  • to inform the responsible person in a timely manner, or, where no responsible person has been designated, a member of the statutory body, of all facts that could lead to the misuse of these data,
  • to process only correct, complete and, where necessary, updated personal data in relation to the purpose of the processing; to block incorrect and incomplete personal data and to correct and supplement them without undue delay; incorrect and incomplete personal data that cannot be corrected or supplemented so as to be correct and complete shall be marked and destroyed as soon as possible,
  • when requesting personal data of a data subject from any person, to prove their identity to that person on request and to provide that person, without being asked, with the following information:
    • the name and registered office or permanent residence of the data controller; where a data processor acts on behalf of the data controller, also the name and registered office or permanent residence of the data processor,
    • the purpose of the personal data processing, as determined by the data controller or established by a special law; it is inadmissible to collect personal data under the pretence of any other purpose or activity,
    • whether the provision of the requested personal data is voluntary or obligatory,
    • the group of users to whom the personal data will be provided, if the data subject is obliged to provide the personal data under a special law; the data controller shall inform the data subject of the law that imposes this obligation and of the consequences of refusing to provide the personal data,
    • the legal entities, natural persons or entities abroad to which the personal data will be provided,
    • the group of recipients, if it is assumed or obvious that the personal data will be made available to them,
  • not to remain at the workplace after working hours; an employee may remain at the workplace outside working hours only with the consent of the data controller or the data controller’s representative,
  • to ensure that unauthorized persons invited to provide technical assistance with data processing (printing, copying, packing into envelopes, etc.) are demonstrably instructed by the person responsible for personal data on the prohibition against acquainting themselves with the content of the information and on their obligation of confidentiality in case of inadvertent acquaintance,
  • to ensure that passwords and administrative access credentials are documented and stored in a sealed envelope in a safe (locker); the envelope may be opened only on the instruction of an authorized person, and each opening shall be documented,
  • to ensure that the LAN architecture is documented and stored in a sealed envelope in a safe (locker).

Definition of prohibited personal data procedures or operations

1. Authorized persons shall maintain confidentiality regarding the processed personal data of which they become aware, and shall not use such data for their own purposes, nor disclose, provide or make them available to anyone without the data controller’s consent.

2. Authorized persons shall not access the data controller’s information system without a legitimate reason. Authorized persons shall not process personal data of the data subjects from the information system for any purpose other than the agreed purpose of personal data processing.

3. Authorized persons shall protect the keys to the room in which the IS in paper form is located, and to the room with the computers that allow access to the IS in electronic form, from theft, loss, damage or other impairment of their function, and shall not provide such keys to any third party.

4. Authorized persons shall protect the access data to the computer that allows access to the IS, and the access data to the IS itself (login name and password), from theft, loss or other compromise, and shall not provide such access data to any third party.

5. Authorized persons shall immediately notify the data controller of the theft, loss or other compromise of the above keys and access data.

6. An authorized person shall not, in any way, take personal data out of the room in which the computer allowing access to the information system is located, nor process personal data in a different room, nor use a computer other than the designated one.

7. Authorized persons shall not, without the data controller’s consent, change the location of computers that allow access to the information system in a protected room.

4. Definition of liability for the breach of the Personal Data Protection Act:

  • An authorized person may face criminal prosecution for the unlawful handling of personal data under section 374 (Unauthorized Handling of Personal Data) of Act no. 300/2005 Coll., the Criminal Code, as amended.

5. When processing personal data by entirely or partially automated means of processing, the authorized person shall, in particular:

  • use Internet services only to perform work tasks (only the public WWW (World Wide Web) and FTP (File Transfer Protocol) services are permitted), while observing the security measures adopted by the data controller to ensure the protection of personal data,
  • place information technology devices only in lockable rooms; the room containing such devices must be locked whenever the authorized person leaves it, and at the end of working hours the authorized person shall log out of the information system and switch off the computer,
  • ensure the antivirus protection of workstations by monitoring that the designated antivirus software is functioning properly and is being updated automatically and regularly,
  • not uninstall, disable or change the configuration of the antivirus protection,
  • strictly adhere to the rules governing the protection of access rights.

6. Familiarisation of the authorized persons with the Directive:

  • The data controller ensures that the authorized persons are made familiar with this Directive at the commencement of their assignment, employment or equivalent work relationship, as well as upon any change to the Directive or to other internal regulations of the data controller.

7. Training of the authorized persons (e.g. legal area, IT):

  • The data controller ensures the training of the authorized persons at the commencement of their assignment, employment or equivalent work relationship, as well as upon any change to the Directive, to other internal regulations of the data controller or to the related generally binding legal regulations.

8. Procedure for the termination of employment or equivalent assignment of an authorized person (e.g. handing over of assigned items, cancellation of access rights, instruction on consequences of breaching the legal or contractual confidentiality obligation):

  • Upon the termination of the employment or equivalent assignment of an authorized person, or when an authorized person’s function ceases to exist, the authorized person shall return to the data controller all access data to the information system, and all keys or other access identifiers enabling them to enter the facility and the room in which the computer allowing access to the information system is located; the data controller shall cancel the person’s access rights.
  • The person is also instructed on an ongoing obligation of confidentiality and on other obligations related to personal data protection, which they shall confirm by signing a written instruction record.

9. Security incidents:

  • 9.1. The procedure for reporting security incidents and identified vulnerable points of the information system, so that preventive or corrective measures can be adopted early:
    the authorized persons shall immediately notify the data controller’s statutory body of the following:
    • a. unauthorized access to the protected room in the facility in which the computer allowing access to the information system is located, or to the server room; this obligation also applies where such access is merely suspected,
    • b. any identified failure, damage, or partial or complete malfunction of the computer allowing access to the information system, or of the information system itself; this obligation also applies where such circumstances are merely suspected.
  • 9.2. Record of security incidents and solutions:
    The data controller keeps a written record of all security incidents and their resolution, consisting of at least the date and time of the incident (or suspected incident), the circumstances in which the incident (or suspected incident) was detected, the actions taken by the authorized persons and by the data controller, and the resolution of the incident (or suspected incident).
  • 9.3. The procedure for resolving individual types of security incidents, identification, recording and rectification of the consequences of security incidents, procedures for accidents, failures and other emergencies (e.g. reporting security incidents), procedure in the event of a failure, maintenance or repair of automated processing means (e.g. protection of personal data on hard drive of a computer being repaired):
    In case a security incident or a potential security incident is detected, an authorized person shall immediately notify the statutory body of the data controller.

10. Inspection activity:

  • 10.1. Inspection activity of the data controller aimed at the compliance with the adopted Security Measures, specifying the method, form and frequency of its performance (e.g. periodic checks of access to the information system):
    • The data controller shall, at regular intervals and at least once per month, inspect compliance with this Directive and with the Personal Data Protection Act, in particular by inspecting the information system access log and the actions performed in the information system, and shall draw up a written report on the inspection. The inspection is attended by the data controller’s statutory body and all authorized persons.
    • The data controller may retrospectively check access to the computer that allows access to the information system, and to the data controller’s information system itself, in order to determine which authorized person accessed the computer and what actions that person performed in the computer and in the information system.
  • 10.2. Notifying the authorized person of the inspection mechanism, as long as the data controller has implemented one (scope of inspection and methods of its execution):

11. Scope of the authorized persons’ liability:

  • 11.1. Authorized persons shall comply with the security measures adopted by the data controller pursuant to the Directive and its annexes.
  • 11.2. If an authorized person detects any risk of a breach of the obligations arising from this Directive, or of the obligations laid down by the Personal Data Protection Act or by the Regulation, they shall immediately notify the data controller (statutory body) in writing so that the data controller can adopt measures to prevent such a breach.
  • 11.3. An authorized person shall ensure compliance with this Directive and shall report in writing any breach of the obligations under this Directive, including a potential breach; the data controller shall immediately adopt appropriate measures to prevent deficiencies in compliance with the obligations under this Directive or under generally binding legal regulations.
  • 11.4. Authorized persons are liable towards the data controller, under the applicable and effective labour legislation and other generally binding legal regulations, for the proper performance of the activities that they are authorized to perform and obliged to ensure in the processing of personal data under this Directive. The rights and duties of authorized persons are strictly defined in the employment contract, in an agreement on work performed outside an employment relationship, in a mandate agreement or in another written agreement concluded with the data controller.
  • 11.5. An authorized person may face criminal prosecution for the unlawful handling of personal data under section 374 (Unauthorized Handling of Personal Data) of Act no. 300/2005 Coll., the Criminal Code, as amended, or disciplinary proceedings may be conducted against them.