Personal Data Protection Act brings numerous emotions and doubts in the business. Is an e-mail address a piece of personal data? Who is responsible for personal data protection – the owner of the databases, or the company who processes the data?

In the light of the act, the responsibility for personal data protection lies upon data administrators.
Therefore, let us have a closer look at some basic concepts incorporated in the document. The administrator makes decisions about objectives and means of data processing. The act does also mention processors – i.e. entities who process the data entrusted to them by administrators. The processor may only process these data within the scope and aim established by the administrator (art. 31 clause 2 of the Personal Data Protection Act). Data administrators are most frequently advertisers, whereas the processors are entities who provide various services, and  SARE is one of them.

All duties defined in the act, resulting from personal data processing, rest upon data administrators. The processors are only in charge of properly fulfilling their responsibilities related to the security of  data. An example of such a situation is entering personal data to the SARE system (i.e. data import). Let us use this opportunity to remind you that personal data relates to information about either an identified or identifiable person, e.g. their full name. In that case, what are really the duties of administrators – companies signing a contract of cooperation with SARE?

According to the act, the administrator (company X) entrusting personal data processing to the processor (e.g. SARE)  should sign a written deal with them. The processor (SARE) accepts the responsibility of data processing, with the aim that has been defined by the administrator. The contract for entrusting personal data processing may either be signed as a standalone contract, or it may constitute a part of a trade agreement. The subject of the trade agreement is the performance of specific operations on the data.
Hence, prior to signing the contract, we would like to ask you to verify the contents of your databases, check the type of gathered data, and contact our consultants. Should you have any questions or doubts, we are happy to help.

Tagi: data protection