Rights of individuals
The main principles which should underlie the lawful processing of the personal data of individuals by data controllers are set out in LPDP.In compliance with art.2, para.2 of LPDP personal data must be:
· processed in legal compliance and in a bona fide manner;
· collected for specific, precisely defined and legal purposes and not be submitted to additional processing in a manner incompatible with such purposes; additional personal data processing for historical, statistical or research purposes shall be allowed provided the data controller has ensured proper protection, guaranteeing that such data are not being processed for any other purpose;
· proportionate to, related to and not exceeding the scope of the purposes for which they are being processed;
· accurate and updated, if necessary;
· deleted or corrected when found to be imprecise or disproportionate to the purposes for which they are being processed;
· maintained in a form that enables identification of respective individuals for a period not exceeding the time necessary for the purposes for which such data are being processed; personal data which will be stored for a longer period of time for historical, statistical or research purposes shall be kept in a format precluding the identification of individuals.
Each individual has the right to request:
· information (confirmation) on whether his/her personal data is processed by a relevant data controller for the purposes of data processing, for data categories and for recipients (categories of recipients), which the data is disclosed to.
· access to personal data referred to him or her.
· information (communication) in a comprehensible form containing his/her personal data processed by the relevant data controller;
· information (communication) on the source of data that relates to the person and are processed by the data controller;
· information on the logic of any automated personal data processing.
· deleting, adjusting, blocking his/her personal data;
· notifying third parties, which personal data has been disclosed to, of any deleting, adjusting or blocking his/her personal data (unless impossible or refers to excessive efforts).
Each individual has the right to request access to his/her personal data processed in the information funds of the Ministry of Interior or SIS collected without his/her knowledge.
Each individual is entitled to request information from the Minister for Interior regarding the collection, recording, organization, storage, adjustment or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, disclosure, update, deletion or destruction of personal data about him/her in NSIS.
Each individual is entitled to request updating, deleting or destroying personal data about him/her in NSIS under the Ministry of Interior Act and the Personal Data Protection Act.
Individuals can exercise rights by submitting a written request (in person or by a person expressly authorized by power of attorney) to the data controller (in this case the Minister for Interior). The request can be filed electronically under the Electronic Document and Electronic Signature Act.
The Minister for Interior is obliged to decide within 14 days of receipt of the request for access. Upon request by the individual a copy of his/her personal data processed can be granted on paper.
The Minister for Interior, in his/her capacity of data controller, may refuse all or partially providing of information, when:
· a danger would arise:
- for the national security or public order;
- for the protection of information classified as state or official secret;
- from the disclosure of information sources or the secret methods and means for its collecting;
· providing such data to the person would frustrate the implementation of statutory tasks of the Ministry of Interior and the judicial authority;
· information is entered into SIS by another country which is not allowed to disclose it.
The Notification to the applicant of refusal to provide information about personal data processing shall be in writing, stating the legal grounds only. The lack of notification within the legally prescribed terms also is considered a refusal. An Individual whom is ordained a refusal may appeal the refusal under the Administrative Code within 14 days after issuance of the statement before the respective Administrative Court. Court shall reach its decision within a month. In case of illegal refusal to issue a document the court requires the data controller to issue it by setting a specific deadline.
Any individual has the right to ask CPDP to examine the data concerning him/her and included in the Schengen Information System as well as to obtain information about its use. If data is entered by another Contracting Party CPDP will examine in close cooperation with the supervisory authority of that Contracting Party.
In the event that data controller (in this case Minister for Interior) does not takes into consideration the request for access to an individual or he/she considers there is a breach of PDPA in connection with his/her personal data processing (e.g. preventing the exercise of individual rights), any individual has the right to complain to CPDP (protection through administrative channels ).Failure to appeal before CPDP does not preclude judicial appeal (the refusal of access or refusal to provide information on exercising the right of deleting, adjusting, and blocking). Commission on Personal Data Protection shall examine and take a decision which becomes binding on the personal data controller upon its entry into force. If the subject of the complaint was the refusal of granting an access CPDP could oblige the controller through its instructive decision to carry out the requested access.
In the event of identified infringement during the personal data processing CPDP could impose to the data controller administrative penalty-fine or property sanction.
Protection through judicial channels - the individual may seek protection by lodging a complaint before the appropriate administrative court or the SAC - under the general rules of jurisdiction. Court proceedings, in this case the Supreme Administrative Court, shall take place under the general court procedural rules set forth in the Administrative Procedure Code and Civil Procedure Code.
Where an act of certain data controller, which violates the individual rights, represents a crime under the Criminal Code, the protection can be implemented as envisaged by the Criminal Procedure Code. The legal procedure brought under CPC prevents the opening another legal procedure with the same subject, so CPDP can not examine a complaint with the same subject, in case of legal procedure opened. If administrative procedure is brought before CPDP concerning a complaint, it shall be suspended pending the decision on criminal liability under the Penal Code by the court responsible.