Protection of personal data

Internal Privacy Policy

I.

Purpose of internal regulation

The purpose of this internal regulation is to adopt and implement appropriate technical and organizational measures to ensure the protection of personal data in accordance with Article 24 et seq. of EU Regulation No 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

II.

Interpretation of terms

For the purpose of this internal regulation:

GDPR – EU Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

personal data – any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as name, identification number, location data, network identifier, or to one or more specific elements of the physical, physiological, genetic, psychological, economic or cultural identity of the individual.

sensitive data – information about racial or ethnic origin, political opinions, religion or philosophical beliefs or trade union membership, genetic data, biometric data and data on the health or sex life or sexual orientation of a natural person.

Employer – (employer description)
Administrator – the employer, if it:

determines the purpose of the processing of personal data and the means of processing personal data
is designated as such by a special law

Processor – the employer, if, under a contract, empowerment, delegation or regulation, it is entitled to process personal data for another administrator

Employee – an employee who is in an employment or similar relationship with the employer

Responsible employee – an employee responsible for the performance of work involving the handling of personal data

Scope of personal data processing – the determination of the processing of personal data, the retention period, the means of processing, the categories of recipients, the reasons for processing and other data describing the processing of personal data in the Key. Determining the processing of personal data also includes determining the legal grounds for the processing and, in the case of personal data obtained from the data subject, whether the acquisition of the personal data is a legal or contractual requirement or whether the personal data form part of a contract, as well as instructing the data subject about the consequences of not providing personal data.

Key – the Privacy Key is a tool, available at oou.cloud, for defining the purpose of processing and the extent of personal data collection.

Office – Office for Personal Data Protection

Computer – personal computer, tablet, phone or other electronic device in which personal data can be stored

III.

Scope of internal regulation

This internal regulation applies to all employees of the employer, who in any way deal with personal data of which the employer is the controller or processor.

This internal regulation is always used, unless the GDPR stipulates otherwise.

IV.

Transparency of personal data processing

The administrator processes personal data in a transparent manner so that anyone can get acquainted with the processing of personal data that it performs.

In terms of transparency, the administrator publishes on the Internet, either on his website or at oou.cloud in the Personal Data Processing Information Section, all information about the processing of personal data categorized by individual processing purposes.

This internal regulation is always used, unless the GDPR stipulates otherwise.

V.

Determining the Purpose and Scope of Personal Data Processing

The administrator determines the purpose and scope of personal data processing through the Key.

VI.

Fulfillment of duties of controller and processor

Responsibilities of the administrator and processor are performed by the responsible employees, unless stated otherwise below.

In dealings with the Office, the employer is represented by its statutory body.

A responsible employee prepares the documents for all negotiations with the Office for the statutory body of the employer.

VII.

Employee Responsibility for the Processing of Personal Data

The employer distributes responsibility for the processing of personal data among individual employees so that each employee is authorized to acquaint himself with personal data only to the extent necessary for the performance of his work and is responsible for the processing of such personal data.

The employee is obliged to get acquainted with the stated purpose and the scope of the processing of personal data with which he will come into contact during the performance of his work.

The employee will be acquainted with the intended purpose and scope of personal data processing through the relevant documents generated by the Key.

As part of their responsibility for the processing of personal data, employees may not, when processing personal data, exceed the scope of processing set by the administrator through the Key.

VIII.

Retention of personal data

Personal data shall be kept only for such time as is necessary for the purpose of their processing. This time is set by the Key.

Documents and other tangible data carriers containing personal data may only be stored in lockable rooms.
Documents and other tangible data carriers containing sensitive data may only be stored in lockable cabinets located in lockable rooms.
Personal data may be kept on a computer only:

if access to files containing personal data is password-protected

if access to the use of the computer on which the files containing personal data are stored is password-protected.

IX.

Obligations of employees in processing and securing personal data

The employee is obliged to process personal data only by means of processing and to the extent determined by the administrator.

The employee performs the duties of administrator and processor through the Key, if the relevant obligation can be fulfilled through the Key.

The employee is obliged not to allow unauthorized persons to acquaint themselves with personal data. For this purpose, the employee is obliged, especially when leaving the workplace, to comply with the so-called clean table rule, i.e. not to leave documents containing personal data on the desk and to switch off the personal computer.

The employee is obliged to maintain confidentiality regarding personal data and security measures, the disclosure of which would jeopardize the security of personal data.

X.

Final Provisions

The protection of personal data that has hitherto been carried out with the employer shall be brought into line with this Directive within 1 month of the date of entry into force of this Directive.

This directive comes into effect on 1 January 2018.