DELEGATED CONTROLLER HELP NOTE
Notification overview ......................................................................................3
Chapter 1: Notification information : .................................................................................. 3
Chapter 2: General description of the processing:........................................................... 3
Chapter 3 Purpose of the processing:................................................................................ 3
Chapter 4: Main characteristic of processing and data:................................................... 3
Chapter 5: Responsible for processing and data: ............................................................ 3
Chapter 6: Transfer of data:................................................................................................. 3
Chapter 7: General description of security measures:..................................................... 3
Chapter 8: Complementary information:............................................................................ 4
How to modify/complete a draft notification?...............................................5
Step 1: Select menu ’Modify/complete a draft notification’.........................5
Step 2: Draft notification modification ..........................................................5
1. Browsing the notification................................................................................................. 5
2. Using the on-line help ...................................................................................................... 5
3. Using the references to the Regulation 45/2001............................................................ 5
4. Filling-in the notification fields........................................................................................ 5
Step 3: Saving a notification ..........................................................................6
Step 4: Access to the Data Flow part of a notification.................................6 How to ask for an advice on a draft notification?.........................................6
Step 1: Access to the data flow page and ask for acceptance and
clearance of the notification...........................................................................6 How to give an advice on a draft notification? .............................................7
Step 1: Select menu ‘Advice and request for information on a draft
notification;......................................................................................................7
Step 2: Selection of the 'draft' notification;...................................................7
Step 3: ‘Draft' notification modification; .......................................................7
Step 4: Access the Data Flow part and return the advice............................7 How to ask for acceptance and clearance of a notification.........................7
Step 1: Access to the data flow page and ask for acceptance and
clearance of the notification...........................................................................7 How to ask for a prior advice to the DPO......................................................7
Notification overview
A notification is divided into 8 chapters. Here is a list of the questions contained in each chapter:
Chapter 1: Notification information :
1) Date of submission (Automatical y fil ed-in)
2) Name and first name of the control er
3) Title
4) Directorate, service or unit to which the control er is attached
5) Directorate general to which the control er is attached
Chapter 2: General description of the processing:
6) Name of the processing
7) Description of the processing
8) Automated processing operation(s)
9) Manual processing operation(s)
10) Comments if applicable
Chapter 3 Purpose of the processing:
11) Legal basis of the processing
12) Lawfulness of processing
13) Purpose(s) of the processing
Chapter 4: Main characteristic of processing and data:
14) Data subject(s) concerned
15) As you are processing personal data
16) Category(ies) of data subjects
17) Data field of data subject
18) Category(ies) of data fields
19) Storage media of data
20) Recipient(s) of processing
21) Category(ies) of recipients
22) Retention of policy of (categories of) personal data
Chapter 5: Responsible for processing and data:
23) Name and first name of the processor
24) Title
25) Directorate, service or unit to which the processor is attached
26) Directorate general to which the processor is attached
Chapter 6: Transfer of data:
27) Legal foundation of transfer: Only transfers to third party countries not subject to
Directive 95/46/EC (Article 9) should be considered for this question. Please treat
transfers to other institutions and bodies and to member states under question 20
28) Category(ies) of Personal Data or Personal Data to be transferred
Chapter 7: General description of security measures:
29) Nature and Category(ies) of Personal Data to be protected
30) Nature of related processing to be protected
31) Technical measures to ensure level of security appropriate to the risks represented
by questions 29 and 30 and to prevent any unauthorised disclosure or access, accidental
or unlawful destruction or accidental loss, or alteration, and to prevent al other unlawful
forms of processing. (Each question of the subset fol owing contains a yes/no choice, and
a text area for explanations)
a) Preventing any unauthorised person from gaining access to computer systems
processing personal data;
b) Preventing any unauthorised reading, copying, alteration or removal of storage
media;
c) Preventing any unauthorised memory inputs as wel as any unauthorised
disclosure, alteration or erasure of stored personal data;
d) Preventing unauthorised persons from using data-processing systems by
means of data transmission facilities;
e) Ensuring that authorised users of a data-processing system can access no
personal data other than those to which their access right refers;
f) Recording which personal data have been communicated, at what time end to
whom;
g) Ensuring that it wil subsequently be possible to check which personal data
have been processed, at what time and by whom;
h) Ensuring that personal data being processed on behalf of third parties can be
processed only in the manner prescribed by the contracting institution or body;
i) Ensuring that, during communication of personal data and during transport of
storage media, the data cannot be read, copied or erased without authorisation;
j) Designing the organisational structure within an institution or body in such a
way that it wil meet the special requirements of data protection;
32) Organisational measures to ensure level of security appropriate to the risks
represented by questions 29 and 30 and to prevent any unauthorised disclosure or
access, accidental or unlawful destruction or accidental loss, or alteration, and to prevent
al other unlawful forms of processing. This question is based on 10 sub-questions
composed of a yes/no question and text area for description purposes. The subset of
questions is the same as for question 31.
33) Technical measures to safeguard the secure use of the telecommunications networks
and terminal equipment, if necessary in conjunction with the providers of publicity
available telecommunications services or the providers of public telecommunications
networks (having regard to the state of the art and the cost of their implementation, these
measures shal ensure a level of security appropriate to the risk presented
34) Organisational measures to safeguard the secure use of the telecommunications
networks and terminal equipment, if necessary in conjunction with the providers of
publicity available telecommunications services or the providers of public
telecommunications networks (having regard to the state of the art and the cost of their
implementation, these measures shal ensure a level of security appropriate to the risk
presented
35) In the event of any particular risk of a breach of the security of the network and
terminal equipment, the Community institution or body concerned shal inform users of
the existence of that risk and of any possible remedies and alternative means of
communication. Have you foreseen any such mechanism or procedure (Yes/No)? If Yes
or No, please explain
36) Do you publish / distribute / give access to one or more printed and/or electronic
directories? Personal Data contained in printed and/or electronic directories of users and
access to such directories shal be limited to what is strictly necessary for the specific
purposes of the directory
Chapter 8: Complementary information:
37) Complementary information to the different questions if applicable, including
attachments to this notification which should not be public
How to modify/complete a draft notification?
Step 1: Select menu ’Modify/complete a draft notification’
Select the left menu entry ‘Modify/complete a draft notification’ to access the list of notifications
available for modification.
Select the notification you want to modify by clicking on the corresponding pencil image .
Step 2: Draft notification modification
1. Browsing the notification
To browse the different chapters of the notification, use the navigation part of the screen. The
highlighted text (grey background) of the navigation part indicates in which chapter of the
notification you are positioned. To display a specific chapter of the draft notification, you just have
to click on the label of the corresponding chapter.
Figure 1
2. Using the on-line help
On-line help messages are represented by a symbol. Each question of a notification has an
associated help message.
To view the help message, simply move your mouse over the symbol. When the mouse moves
out of the symbol, the message disappears.
3. Using the references to the Regulation 45/2001
When a question or chapter of the notification has a direct reference to an article of the
Regulation 45/2001, you can view it by clicking on the text corresponding to the reference.
Usual y, the reference is represented by the referenced article title or part. Al the references to
the Regulation begin with the ‘Ref.:’ text.
Figure 2: reference example
4. Filling-in the notification fields.
- Text fields and text areas: Most questions of the notification present simple text fields
or text areas to fil -in the answers. You can modify the content of these fields by adding,
or changing the text. For these fields you have the possibility to type in a text, or to paste
a text copied from any type of file that support the copy/paste functionality (Microsoft
Word document, HTML file, PDF document, etc …).
- Attachments: some questions can have a need for a longer text in the answer. The
NDPO&R IS offers an ‘Upload file’ functionality to bypass the 2000 characters limit of text
area fields. The ‘Upload file’ functionality is represented by a link named ’Attachment(s)’.
Clicking this link displays a pop-up window listing the files joined to the question.
Typical y the ‘Upload file’ functionality al ows using existing documents already available
in the documentation of an information system, as those elaborated for example during
the project phase.
- Linked notifications: The NDPO&R IS offers the possibility to link the notification you
are fil ing-in to a notification saved in the Register in chapter ‘2 General description of
processing’ cal ed master notification and in chapter ‘7 General description of security
measures’ cal ed generic notification. This functionality can be useful to avoid entering a
content that has already been entered in an other notification.
- Add/Remove processor(s) interface: Chapter ‘5 Responsible for processing and
data’ of a notification al ows you to add or remove processors to the notification. To
access the ‘Add/Remove processor(s)’ screen, first go chapter 5 of the notification and
click on the ‘Add/Remove processor(s)’ button. For more details about how to use this
interface, please refer to the NDPO&R IS User Guide.
Step 3: Saving a notification
There are 2 possibilities to save a notification:
• Use the ‘Save’ buttons available in top and bottom of each chapter of the notification
• Move to another chapter of the notification, by clicking on the corresponding text in the
upper menu.
Step 4: Access to the Data Flow part of a notification
The Data Flow part of the notification system is accessible from any chapter of a draft notification
by clicking on the ‘Send the Notification’ button displayed next to each ‘Save’ button on the top
and bottom of each chapter. The ‘Send the Notification’ button is displayed if the draft notification
has already been saved once.
The Data Flow part of the notification system is the place from which the user selects an action
and/or a recipient for the draft notification he’s working on.
Use the radio buttons to select the action, enter a message in the ‘Message’ text area, and click
on the submit button to bring the notification to the next step of the workflow.
How to ask for an advice on a draft notification?
Step 1: Access to the data flow page and ask for acceptance and clearance
of the notification
Access the Data Flow part of the notification by clicking on the ‘Send the Notification’ button.
Select the radio button ‘Ask for an advice and/or request information on this notification to:’.
Enter the last name of the person to which you want to ask for an advice, and then click on the
‘Pick’ button.
A pop-up window displays the list of al the officials that match the name you entered. Select the
right person from the list, and click on the add button. The pop-up window is closed.
Enter a message in the ‘Message’ text area, and click on the submit button.
When the ‘Submit’ button is clicked, an e-mail is sent to the person you selected with the
message you entered in the text area.
How to give an advice on a draft notification?
Step 1: Select menu ‘Advice and request for information on a draft
notification;
Select the left menu entry ‘Advice and request for information on draft notification’ to access to
the list of notifications on which an advice has been requested.
Step 2: Selection of the 'draft' notification;
On this page, you can select a notification and give your advice by clicking on the corresponding
pencil . Clicking on this button displays the selected notification.
Step 3: ‘Draft' notification modification;
To give your advice, modify the fields on which your opinion has been requested, and save the
notification.
Step 4: Access the Data Flow part and return the advice.
Access the Data Flow part of the notification by clicking on the ‘Send the Notification’ button.
To return the advice select the radio button ‘Give an advice on this notification’, enter a message
indicating what changes you have made in the ‘Message’ text area, and click on the submit
button.
How to ask for acceptance and clearance of a notification
Step 1: Access to the data flow page and ask for acceptance and clearance
of the notification
Access the Data Flow part of the notification by clicking on the ‘Send the Notification’ button.
Select the radio button ‘Ask for Acceptance and clearance of this notification to:’.
Enter a message in the ‘Message’ text area, and click on the ‘Submit’ button to ask for
acceptance and clearance of the notification to the control er selected in the part 1 of the
notification.
When the ‘Submit’ button is clicked, an e-mail is sent to the control er of the notification, indicating
him that you have asked for acceptance and clearance of this notification, with the message you
entered in the text area.
How to ask for a prior advice to the DPO
Access the Data Flow part of the notification by clicking on the ‘Send the Notification’ button.
Select the radio button ‘Ask for prior advice on this notification to the Data Protection Officer’.
Enter a message in the ‘Message’ text area, and click on the ‘Submit’ button to ask for a prior
advice to the DPO.
When the ‘Submit’ button is clicked, several actions are taken:
-
The draft notification is copied in DPO table and locked for history purposes
-
An incremented version of the draft notification is copied in the DPO table. The
modifications of the DPO are made on this notification.