Procedure for Drawing up and Submitting a Conformity Assessment of a Processing of Personal Data


Republic of Latvia
Cabinet Regulation No. 216
Adopted 12 May 2015

Procedure for Drawing up and Submitting a Conformity Assessment of a Processing of Personal Data

Issued pursuant to Personal Data Protection Law, Section 26, Paragraph 2.1

1. This Regulation prescribes:
1.1. conditions for a conformity assessment of a processing of personal data (hereinafter - the assessment);
1.2. procedures and time periods for drawing up and submitting the assessment to the Data State Inspectorate.

2. This Regulation shall apply to State and local government institutions and to individuals that have been delegated public administration tasks (hereinafter - institution).

3. Drawing up of the assessment shall be a documented process, and its aim is to evaluate the actual conditions for the processing of personal data and their conformity with the laws and regulations in the field of personal data protection. When assessing the actual conditions of data processing, the assessor shall interview the persons involved in the processing and protection of personal data, check the internal procedures, carry out a visual assessment, and verify documents.

4. The assessment shall be drawn up in accordance with the Annex to this Regulation:
4.1. prior to commencement of personal data processing for a new purpose of personal data processing;
4.2. prior to making changes to the processing of personal data that affect the rights or interests of the data subject in the field of personal data protection;
4.3. upon the initiative of the institution;
4.4. upon request of the Data State Inspectorate.

5. In the case referred to in Sub-paragraph 4.2 of this Regulation, the assessment may be drawn up after the changes to personal data processing have been implemented, if:
5.1. any delay in making the changes to personal data processing may cause an immediate and critical risk to the rights or interests of the data subject;
5.2. any delay in making the changes to personal data processing causes a risk to information security;
5.3. changes have been made to the laws and regulations that apply to the processing of personal data. If changes to the laws and regulations that apply to the processing of personal data for one data processing purpose are introduced several times during a year, the administrator has the right to perform the assessment once a year, drawing up the assessment regarding the changes made during the year.

6. A separate assessment shall be drawn up for every personal data processing purpose.

Translation 2016 Valsts valodas centrs (State Language Centre)

7. The assessment shall be drawn up by a personal data protection specialist, or by a person with higher secondary-level vocational or academic education who has knowledge in the field of personal data protection and at least one year of experience in personal data protection, information technologies, audit, or the performance of equivalent inspections (hereinafter - the assessor).

8. The institution shall have the right to invite an assessor who meets the requirements of Paragraph 7 of this Regulation.

9. When performing the evaluation, the assessor has the right to invite specialists of the relevant field who do not meet the requirements of Paragraph 7 of this Regulation.

10. The institution shall provide the assessor and the specialists involved in the assessment process referred to in Paragraph 9 of this Regulation with access to the documents, information systems, technical resources, and facilities needed for performing the assessment.

11. The assessor and the specialists involved in the assessment process in accordance with Paragraph 9 of this Regulation shall provide a written commitment not to disclose the information obtained during the assessment process, except in the cases laid down in laws and regulations.

12. Based on the facts determined and the documents inspected, the assessor shall prepare a draft assessment within the time period laid down by the institution, and the institution or its authorised official shall provide an opinion within 10 working days.

13. When evaluating the institution's opinion, the assessor shall, where appropriate, adjust the draft assessment and approve the assessment.

14. After approval of the assessment, the assessor shall draw up an assessment summary. The assessment summary shall state the following:
14.1. the name, or given name and surname, of the manager, and the given name, surname, and contact details of the assessor;
14.2. the basis and extent of the assessment;
14.3. the time period in which the assessment was performed;
14.4. the purpose of the personal data processing;
14.5. conclusions and discrepancies found;
14.6. recommendations and the time period for rectification of discrepancies.

15. Within 10 working days of its drawing up, the institution or its authorised official shall electronically submit the assessment summary to the Data State Inspectorate.

16. If the assessment includes recommendations for rectification of discrepancies, the institution or its authorised official shall notify the assessor after the discrepancies have been rectified.

17. After the discrepancies have been rectified, the assessor shall draw up a report stating the measures performed to rectify the discrepancies. This report shall be added to the assessment and shall be considered an integral part of it. Within 10 working days of its drawing up, the institution or its authorised official shall send the report to the Data State Inspectorate.

18. The assessment, the report on rectification of discrepancies, and the assessment summary are restricted access information.

19. The institution has the obligation to store no less than the two most recent assessments for each purpose of personal data processing, together with their summaries and the reports referred to in Paragraph 17 of this Regulation.

Prime Minister Laimdota Straujuma
Minister for Justice Dzintars Rasnačs

Annex
Cabinet Regulation No. 216
12 May 2015

Conformity Assessment of a Processing of Personal Data

I. General Description of Processing of Personal Data

Name of the institution:
Contact details:
Assessor (given name, surname):
Contact details:
The time period in which the assessment was performed:
The basis for performing the assessment (mark one):
    prior to commencement of personal data processing for a new purpose of personal data processing
    prior to making changes to the processing of personal data that affect the rights or interests of the data subject in the field of personal data protection
    upon own initiative
    upon request of the Data State Inspectorate

What is the purpose of the personal data processing?
Is the purpose of the personal data processing determined by laws and regulations? If the answer is yes, state the laws and regulations that stipulate the data processing.
What personal data (e.g., given name, surname, personal identity number) are processed in order to reach the purpose stated above? If sensitive personal data are processed, state them.
What form of personal data processing takes place: manual or automatic?
Is the processing of sensitive personal data separated from the processing of other personal data? If the answer is yes, describe the procedure provided. If the answer is no, state the reasons.
Are all the processed data required for reaching the purpose of the personal data processing? If the answer is yes, list these data and state the reason why they are required for reaching the purpose of the personal data processing. If the answer is no, state the reasons.
Can the purpose of the personal data processing be reached by not processing the personal data at all, or by processing them to a smaller extent (can / cannot)? Provide the reason.
State the legal basis for the processing of personal data in accordance with Section 7 of the Personal Data Protection Law. If sensitive personal data are processed, state the basis in accordance with Section 11 of the Personal Data Protection Law.
If the legal basis for processing the personal data is the consent of the data subject, state the form (electronic, written, oral) and the time when the consent of the data subject was obtained.
If sensitive personal data are processed on the basis of the data subject's consent, state whether this consent has been drawn up in writing (it is drawn up in writing / it is not drawn up in writing). If the answer is negative, provide the reason why the consent of the data subject has not been drawn up in writing.
Is the processing of personal data entrusted to a personal data processor? If the answer is yes, state the legal basis.
Is the processing of personal data registered with the Data State Inspectorate? If the answer is no, state the reason.

II. Risk Analysis in Relation to the Rights and Freedoms of the Personal Data Subject

1. Personal Data Processing in Accordance with the Purpose of Personal Data Processing

How often are the amount of personal data and its compliance with the purpose of the personal data processing inspected?
What are the procedures for periodic evaluation of the amount of personal data to be processed and its compliance with the reaching of the purpose of the personal data processing? How often are these procedures revised? If there are no procedures, state the reasons and explain how it is ensured that the amount of personal data processed throughout the processing does not exceed the amount necessary for reaching the purpose of the personal data processing.
What procedures are in place for ensuring that the processing of personal data meets the requirements of personal data protection?
Are there procedures in place for identifying the data subject, the information system user, and third parties that process the personal data manually or via an information system? If the answer is yes, describe the order or procedures.

2. Adequate Processing of Personal Data

How is the processing of correct (up-to-date, current) personal data ensured? State the document that lays down the procedures for how and how often the personal data are updated (adjusted).
How often are checks done to verify that correct (up-to-date, current) data are processed? State the reason for the selected periodicity and whether it ensures the processing of only correct (up-to-date, current) personal data.
Has there been an evaluation of the losses that may be caused by processing data that are not current?
How are applications by the data subject treated, and what responses are given, if the data subject believes that his or her processed personal data are not current?
How are the data subject's rights to report the processing of data that are not current ensured?

3. Storage of Personal Data in Accordance with the Purpose of Personal Data Processing

How are the periods for storing personal data determined (e.g., in accordance with laws and regulations, a contract, the data subject's consent)? State the reasons for the selection of the period.
If the period for storage of personal data is determined by a law or regulation, indicate it.
If the period for storage of personal data is not determined by an external law or regulation, state how often the periods for storage of personal data are revised.
If the processing of personal data is not required for reaching the purpose of the personal data processing:
    1. How is the personal data processing evaluated for determining which data should be deleted?
    2. Who is responsible for evaluating the personal data for determining which data should be deleted, and when?
    3. Is there an automated system implemented for receiving reports that indicate the necessity to delete personal data?
Are there guidelines in place regarding the deletion of personal data?

4. Personal Data Disclosure

Are there any internal regulations regulating the procedures for disclosing personal data within the institution and to third parties?
State the procedures for ensuring that the employees of the institution are informed regarding the disclosure of personal data.
State the procedures for determining whether the personal data may be disclosed to third parties (e.g., how the requester is identified). What is evaluated when deciding on the disclosure of personal data?
Is information stored regarding cases of disclosure of personal data, and in what form?

5. Ensuring the Rights of a Data Subject

5.1. Informing a Data Subject on the Processing of the Subject's Personal Data

Are the personal data obtained from the data subject?
Is the data subject notified regarding the processing of the subject's personal data, regardless of whether the personal data are obtained from the data subject? If the answer is yes, state in what cases the data subject is notified regarding the processing of the subject's personal data and what kind of information is provided. If the answer is no, state why the data subject is not notified.
Does the data subject have an opportunity to obtain information regarding the parties that have obtained information regarding the data subject? If the answer is yes, state the period for which such information is provided. If the answer is no, state why the information is not provided.
State how often and within what period the data subject has the right to obtain information regarding the processing of the subject's personal data. State the reason for determining the term and frequency.
Is there a fee for providing information if the data subject requests the information regarding the processing of the subject's personal data more than twice a year? How large is the fee?
Does the data subject have the right to limit the processing of the subject's personal data, including in accordance with Sections 16 and 19 of the Personal Data Protection Law? If the answer is yes, state how the rights of the data subject are ensured. If the answer is no, state the reasons.
Is the information regarding the data subject received from third parties? If the answer is yes, state the procedures for receiving the information and the legal basis for receiving such information.

5.2. Rights of a Data Subject to Access the Subject's Personal Data

Does the data subject have the right to access the subject's personal data? If the answer is yes, describe the procedures for ensuring that the data subject has the right to access the subject's personal data. If the answer is no, state why the data subject's access rights are not ensured.
How is the finding of a person's data ensured upon the data subject's request?
Is information provided to the data subject, upon the data subject's request, regarding the processing of personal data? If the answer is yes, state the procedures for providing the information.
Does the administrator have the right to deny the data subject access to the personal data? If the answer is yes, state in what cases.
Is automatic decision making performed based on the processed personal data? In what cases does the administrator review such decisions?

6. Transferring of Personal Data to Countries that are not Member States of the European Union or the European Economic Area, or to Countries that have not Obtained the Commission's Opinion Regarding an Adequate Level of Data Protection

Are personal data transferred to a country that is not a Member State of the European Union or the European Economic Area, or to an international organisation? If the answer is yes, state the reason for such processing of personal data, the country to which the data are transferred, and the types of personal data that are transferred.
Are there internal rules for transferring personal data to countries that are not Member States of the European Union or the European Economic Area? If the answer is yes, describe the principles of these rules. If the answer is no, state why such rules have not been developed.

III. Personal Data Protection and Security Precautions

Are there protection provisions for the processing of personal data?
What are the procedures for informing the employees of the duty not to disclose personal data (including after the end of employment, service, or other legal relations)? How is adherence to this duty controlled?
The person responsible for information resources, technical resources, and personal data protection:
What personal data protection measures are taken for the information technologies?
Describe the protection measures that are implemented after an unauthorised or illegal access to personal data that have been processed automatically or manually.
Does the processing of sensitive personal data have a higher level of data protection? If the answer is yes, describe the level of protection laid down.
Are there security rules for the information systems in the institution?
Are there responsible persons appointed for the security management and implementation of information systems?
Is a risk analysis carried out for the information systems in the institution?
Has the institution developed information system access control procedures? If the answer is yes, how does the institution manage the accounts of information system users? What are the requirements for user account passwords and other protection tools?
Have any duties been laid down for the information system users? What are they?
Does the institution provide security training to the employees who perform data processing in information systems? How often is the training done, and what is its content?
Does the institution perform a conformity inspection before putting an information system into service? If the answer is yes, indicate the procedures for performing such inspection.
Has the institution developed procedures for maintaining its information systems?
Is the logging and monitoring of information system events ensured in the institution? Describe the procedures.
Does the institution make data back-up copies and inspect them? Describe the procedures.
Does the institution use external information systems that are connected to the institution's information systems? If the answer is yes, what are the procedures and conditions in accordance with which cooperation with other institutions is established? What technologies and tools are used for connecting the systems?
Can the information systems of the institution be accessed remotely? If the answer is yes, what are the procedures and conditions for the remote access?
Does the institution have procedures for managing and using external storage devices?
Is data encryption used in the information systems? If the answer is yes, describe it.
Are the level of confidentiality and the potential risks of information evaluated before disclosing it to the public?
Has the institution developed procedures for managing incidents?
Has the institution developed procedures for the rectification of detected discrepancies?

IV. Recommendations for Rectification of Discrepancies

Conclusions and detected discrepancies:
Recommendations for rectification of discrepancies:
Time period for rectification of discrepancies:

Assessor (given name, surname, signature) (date)

Minister for Justice Dzintars Rasnačs