Author: Nicolae Ploesteanu
Publication year: 2019
The paper is the result of the need to implement the General Data Protection Regulation, which requires data operators to adopt the procedures and forms necessary to organize and carry out their activity in compliance with the "standard" of personal data protection.
It is a useful work for anyone working in the management of a company or in public administration, regardless of specialization, because the role and practical importance of each procedure or form is briefly stated at its beginning.
Through this paper, the authors intend to contribute to raising awareness among those involved in the processing of personal data and, in particular, among civil servants, of the importance of compliance with the General Data Protection Regulation.
I. Data protection agreements
1. Model Confidentiality Agreement to be concluded with students requesting access to the hospital database
2. Model Data Privacy and Integrity Agreement
3. Model Agreement for the protection of personal data under a contract
4. Model Agreement for the protection of personal data in the case of beneficiaries of grants and contracting authorities
5. Model of Confidentiality Clauses regarding the execution of works
II. Consent forms
1. Neighbors consent form - CCTV
2. Request for consent for the processing of special categories of personal data
3. Data Operator's internal note regarding the consent given to the processing of certain categories of data and the duration of the data processing
III. Standard forms for the exercise of rights by the persons concerned / interested
1. Application for the exercise of the rights of the data subject (candidates / employees / former employees / other interested persons)
Internal note
2. Model of operational procedure regarding the settlement of requests for the exercise of rights by data subjects under the General Data Protection Regulation
3. Model of the internal procedure for solving the requests for exercising the specific rights of the GDPR, regarding the type and flow of operations within the organization
4. Model of the operational procedure regarding the settlement of requests for the exercise of rights regarding personal data (candidates / employees / former employees / other interested persons)
IV. Strategies for implementing the personal data protection standard
1. Model of implementation strategy at the level of an administrative-territorial unit of the standard for the protection of personal data and privacy
2. Model of implementation strategy at the level of a public pediatric hospital of the standard of protection of personal data and privacy
3. Model of implementation strategy at the level of a school institution of the standard of protection of personal data and privacy
4. Logical scheme of the standard implementation strategy
V. Forms specific to the data protection officer
1. Request for advice
2. Regulation on the organization and functioning and working procedure of the Data Protection Officer at the level of a hospital institution
3. Regulation of organization and functioning and Working procedure of the Data Protection Officer at the level of a mayor's office / administrative-territorial unit
4. Model Risk Memorandum on meeting the requirements of the GDPR regarding the status of the Data Protection Officer within a mayor's office / administrative-territorial unit / public institutions
5. Establishing the performance evaluation system of the Data Protection Officer within an administrative-territorial unit
6. Model of the Job Description of the Data Protection Officer within a mayor's office of the administrative-territorial unit
7. Job description of the Data Protection Officer within a hospital
8. Model Information Note addressed to the operator's management regarding the compliance of the CCTV mechanism used within the institution with the standards of personal data protection
A. Information note regarding the processing of personal data using the CCTV system
B. Information note addressed to the operator's management
VI. Policies
A. Model of the General Policy of confidentiality and protection of privacy
C. Model of the General policy of confidentiality and protection of privacy at the level of a hospital
D. Model Policy for the processing of personal data regarding the use of GPS systems in the transport activity
E. Model Video Surveillance Policy (CCTV)
This volume is a contribution from the members of the Research Center for data protection, established within the University of Medicine, Pharmacy, Sciences and Technology "George Emil Palade" from Targu Mures.
The research center is a laboratory that has actively contributed throughout its activity to supporting the socio-economic environment in Romania in raising awareness of the importance of personal data protection and the usefulness of adopting implementing measures and complying with specific legislation to protect privacy and personal data. Along these lines of study and analysis, the laboratory has created a series of forms that can be a useful tool for public institutions and economic agents in conducting their managerial, economic and administrative activity in the spirit of protecting the privacy of individuals. The laboratory benefited from primary data provided by private agencies working in the field of consulting. Each form or document has a justification and substantiation of the need for its adoption. These justifications and substantiations are a form of practical guidance for implementation. The forms are shaped mainly by the activity of the local public administration, but those interested can easily adapt them to the central public administration or to private companies, especially those in the category of data operators who have the obligation to appoint a data protection officer.
The paper is of practical importance because it facilitates the implementation of the General Data Protection Regulation at the level of data operators, given that a body of specialists in this field is only in training in Romania. Precisely for this reason, problems will be encountered, reflected by these forms and models, which are drawn from daily practical activity. Probably the most delicate of these is the issue of the status of the Data Protection Officer (DPO), because the operationalization of this function generates a certain reluctance and tense moments in companies and institutions, which can lead to some inefficiency in the application of the regulation.
The paper is easily accessible to those who, although they do not have a specialization in the field of data protection, have managerial duties and are interested in making decisions in compliance with the legislation specific to this field. For example, the head of a technical department should be interested in adopting a policy on the use of GPS (Global Positioning System) on company vehicles, which must be done by taking into account the General Data Protection Regulation.
The paper has a deeply practical character, allowing the data controller and the data protection officer to adopt a strategic position when it comes to the implementation of the General Data Protection Regulation. The models and forms included in the volume must be read carefully by each Data Protection Officer, after which he should recommend the adoption of any of them only with proposals that reflect the specifics of each data controller. Perhaps this is the most important practical idea suggested here, namely never to focus on purchasing "kits" of models and forms, forgetting that the implementation is specific to each issue. This volume provides means for a correct and justified implementation, without claiming either the exhaustiveness of the implementation modalities or the exhaustion of the possible models in different fields. The paper is elaborated exclusively based on the authors' experience and is addressed to those who need implementation: public institutions and economic agents. Those whose duties include contributing to the implementation of the GDPR will find in the document models a series of instructions and criteria by which to proceed step by step to the implementation. When a particular activity involves higher risks and the amount of personal data processed is considerable or, moreover, sensitive, the data protection officer must support the adoption of specific policies and compliant procedures.
The laboratory of the research center benefited from the collaboration of SC Amplusnet SRL from Targu Mures, meaning that the rights over the work are shared between the center and the collaborator. I would like to take this opportunity to thank them, and I hope to consolidate and further develop this partnership.
At the same time, I would like to thank the "George Emil Palade" University for the research facilities provided and the positive effervescence in the field of research.
I would also like to thank the members of the center, co-authors of this paper, who contributed to its elaboration, namely Darius Farcas, Hilda Sumalan, Raul Miron, Laurentiu Bucur, Augustin Farcas, Cornelia Sus, Dumitru Cazac and Laurentiu Ricu, with the thought that this paper is part of a series of practical works. Subsequently, the two volumes will be supplemented with a scientific study on the fundamental problems in public administration that were generated by the application of the General Data Protection Regulation.
I also thank the director of the Editura Universitara and his collaborators for their support in publishing this volume.
Dr. Nicolae Ploesteanu
Targu Mures, September 2019