An administrator is any entity, does not decide what legal forms, which determines the purpose and means of processing personal data, processes and is responsible for it. An administrator may be a natural person or a legal entity where the legal entity is a legal person and not an employee or a member of the company. The responsibility for the processing of personal data lies with the legal person as such.
An administrator may authorize or authorize the processor to process the personal data. The processor is then any entity that processes personal data under a special law or administrator. It is not the responsibility of an administrator to hire a processor. From an administrator, the processor differs by the fact that, within the framework of an activity for an administrator, he can perform only such processing operations as the administrator entrusts or derives from the activity for which the processor has been entrusted by the trustee. It should be noted that the processor is the processor only in relation to the personal data provided by the controller, not the personal data it processes for the purposes that are of direct concern to it. A typical processor is, for example, an external wage accounting firm (or a tradesman) or a cloud provider (repository, etc.). As with the administrator, the legal form does not determine the processor.
Administrator’s responsibilities are:
- determine the purpose for which personal data are to be processed,
- to determine the means and method of processing personal data,
- process only the accurate personal data he has obtained in accordance with the law
– if necessary, update the personal data if the controller finds that the personal data processed by him / her are not accurate with regard to the intended purpose, without undue delay, takes reasonable measures, in particular the processing is blocked and the personal data are repaired or supplemented, otherwise personal data will be liquidated
– Inaccurate personal data must be marked
– informations on the blocking, correction, supplementation or liquidation of personal data is the controller obliged to pass on to all recipients without undue delay,
- to collect personal data corresponding only to the intended purpose and to the extent necessary for the fulfillment of the purpose,
- to retain personal data only for such time as is necessary for the purpose of its processing
– at the end of this period, personal data may be retained for the purposes of the State Statistical Service only, for scientific and archival purposes
– when used for these purposes, the right to protection against unauthorized interference with the private and personal life of the subject must be respected and personal data anonymized as soon as possible,
- process personal data only in accordance with the purpose for which it was collected
– processing personal data only within the limits set by law or, if the data subject has given its prior consent,
- to collect personal information only openly; it is excluded to collect data under the pretext of another purpose or other activity,
- not to associate personal data that have been obtained for different purposes
The administrator may process personal data only with the consent of a natural person. Consent must be freely given specific, informed and explicit indication of his wishes by which the data
subject signifies a declaration or other obvious confirmation of his agreement to the processing of their personal data. It is an active and voluntary expression of the will of the data subject, which must not be compelled to do so. Consent is one of the legal grounds on which the administrator may process and process personal data if the processing cannot be subordinated to purposes for which consent is not required.
Consent is always given for a particular purpose of processing that the data subject must know. Consent is revocable. Not always revoking consent means the obligation of the administrator to liquidate personal data, as withdrawal of consent is for a particular purpose for which personal data are processed and the controller may process personal data for other purposes for which it uses a different legal reason for processing than the consent of the data subject. In other words, in case of withdrawal of consent, the administrator is obliged to cease processing personal data for the purposes defined in the agreement. If consent was the only legal reason for processing, the dissolution of personal data will, as a rule, follow.
Without such consent, they may process:
- if it carries out the processing necessary to comply with the legal obligations of the controller,
- where the processing is necessary for the performance of the contract to which the data subject is party or for the negotiation of the conclusion or modification of a contract made on the proposal of the data subject,
- where necessary to protect the vital interests of the data subject, consent must be obtained without undue delay, and if the consent is not given, the administrator must terminate processing and discard the data,
- in the case of legitimately disclosed personal data in accordance with a special legal regulation, but without prejudice to the right to the protection of the personal and personal life of the data subject,
- where it is necessary to protect the rights and legitimate interests of the administrator, the recipient or other person concerned; such processing of personal data shall not be contrary to the data subject’s right to the protection of his or her private and personal life,
- if it provides personal data on a public official, officials or public servants who are testifying about his public or official activities, his or her function or job position or,
- if the processing is exclusively for the purposes of archiving pursuant to a special law.
When processing the personal data, the administrator and the processor shall ensure that the data subject does not suffer prejudice to his or her rights, in particular the right to the preservation of human dignity, and shall also ensure that unauthorized interference with the private and personal life of the data subject is ensured. The data subject must be informed of the purpose of the processing and the personal data that the consent is given to, the controller and the period. The data subject’s consent to the processing of personal data must be capable of being demonstrated by the controller throughout the processing. Disagreement with processing must be expressed in writing.
If the processor finds out that the trustee is in breach of the obligations stipulated by this Act, he is obliged to immediately notify him / her and terminate the processing of personal data. Failing to do so, it shall be liable for any damage to the data subject, jointly and severally with the administrator.
The data subject may also request information about the processing of his or her personal data, in which case the trustee is obliged to pass this information without undue delay to the entity. The Administrator is entitled to require reasonable compensation for the provision of the information, not exceeding the costs necessary to provide the information.