NOTIFICATION ON PRESERVING PRIVACY
HOW WE USE YOUR INFORMATION
PERSONS LODGING A COMPLAINT WITH IDP
PERSONS USING IDP SERVICES
VISITORS IN OUR WEBSITE
SUBJECT PROVIDING “NOTIFICATION” ACCORDING TO THE LAW ON PERSONAL DATA PROTECTION
JOB APPLICANTS, CURRENT EMPLOYEES AND FORMER EMPLOYEES OF THE COMMISSIONER
ACCESS TO PERSONAL DATA
LINKS WITH OTHER WEBSITES
AMENDMENTS IN THIS NOTIFICATION ON PERSONAL DATA PROTECTION
COMMENTS OR ANSWERS
HOW TO CONTACT US
POLICY OF INFORMATION SECURITY
This notification on preserving your privacy informs you on data processing when the Information and Data Protection Commissioner (hereinafter IDP) collects your data. This applies to the collected information with regard to:
Complainants whom file complaints regarding their claims for data breaches when processing is carried out by controllers.
Other individuals submitting various requests to obtain information, providing consultancy, etc.
Visitors in our website.
Controllers notifying under the Law on Personal Data Protection.
Candidates for employment and current employees and former employees.
When a person files a complaint, it is registered in the record office by the respective employee that has previously signed the declaration of confidentiality and is informed on the institution’s code of ethics approved, as well as with the regulation of the right to information, approved paper by the Commissioner.
We use the collected personal data only for the process of examination of complaints and to check the level of services we provide. We compile and publish statistics reflecting information such as the number of complaints received, by always preserving individuals’ identification.
We obtain personal data which are included at complaints records in compliance with the law and our policy of protection of personal data. They’re stored in a safe environment and access is restricted based on the principle “necessity to being informed and acquainted”.
When we provide recommendations or impose sanctions to the controller, we may publish the latter’s identity in the annual report or in a press release. IDP do not make such identification prior to its publication..
The Information and Data Protection Commissioner offers various services for the public. For example, IDP publishes awareness materials with the press media aiming awareness of data subjects. In this case we use a third party which deals with the respective publication allowing using only the information provided by IDP.
We use details of provided data and store them with the intention to provide services to the subject also in cases requested by the latter for other related purposes. For example, when we answer to a person whom previously requested information on drafting a diploma thesis, we may use his/her data to test if the person or persons are satisfied with the level of service. When individuals sign up to obtain services by IDP, they may revoke their registration at any time and in order to do so, they shall have it easy.
The Authority of Information and Data Protection Commissioner disposes the official website of institution www.idp.al. By means of the website, the Commissioner’s Authority transmits and collects information. The aim of transmitting and collecting information via the internet is to stay closer with the controllers and data subject. Through the official website, the Commissioner assists controllers by introducing the law and by reflecting their obligations and responsibilities with regard to the processing of personal data that they process, as well as by informing data subjects on their rights. The IDP Authority assists also data subjects by publishing in the official website various information related to legislation, awareness information regarding data protection in the daily life, the use of electronic communication means, etc.
As regards www.idp.al visitors, the system gathers standard information which is related to articles or sections in this website. This information is collected for statistical purposes and research (to indicate visitor’s approach, to see which are the most sensitive section and in addition the interest of data subjects, by always preserving their identity).
We collect this information safely in order to not identify any visitor. We do not make any effort to reveal visitors’ identity in our website. The Commissioner’s Authority do not use (and do not allow any third party) analytic statistical means to follow or collect personal information making visitors identifiable. We do not link any collected data by this website with any personal data identifying the visitor by any source, as part of our usage.
The search engine in our internet website is designed to be strong and easy to use as in the search of Google. The search is enabled by a hardware (search application) being sustained by Google, which is closed in our sever and indexes continuously the content in our website. All search requests dealt by the application and information is not accessible to any third party including Google.
We want to collect information personally identifiable through our internet website. We want to make clear the case when collecting personal information and explain what we intent to do with it.
The Law on Personal Data Protection requires controllers whether public or private to notify with IDP several specific information according to an approved standard by the Commissioner’s Authority. This information may contain personal data of individuals being tasked by the controllers for fulfilling this obligation aiming authentication of declaration and holding contacts intending conclusion of legal competencies of Commissioner’s Authority. When companies complete their notification forms, they are requested to provide data contact of a crucial member of personnel. The Commissioner’s Authority shall use this for its purposes, for example when we have a question regarding notification, but do not disclose these data.
These data, processed automatically (due to computer system of notification-registration) and manually (due to legal requests and administrative procedures), are restricted regarding the access that have several specialists, as well as preserving confidentiality on these data is guaranteed by the law.
The obtained information by the notification procedures is made public later on, as a legal request, in the websites of the Register of Controlling Subjects, but in the content of these sites no personal data is contained. The only data that may appear in the sites of this register are the names of subject being registered by the law as natural persons and that lawfully should be made public if it process personal data.
Nevertheless, on these cases, as the register is at public disposal, the Commissioner’s Authority cannot provide any guarantee for the data contained in it, if used by those having access in it. Moreover, when we request information as part of notification process, we have made clear the fact, when providing information is required by the law and when it’s voluntary.
When individuals apply for a job with IDP, we use the information for their process of application and to monitor recruiting statistics. When we want to disclose some data with a third party, for example, when we want to take a reference or receive some data by the other relevant institutions (e.g. Judiciary Status Authority), we do not do so, without priory informing data subjects, only if this information is legally required. Personal data regarding applicants failing to be hired are held for 12 months after the recruitment process has ended and then they’re destroyed or deleted. We hold un-personalized information for statistical purposes with regard to applicants in order to assist our recruitment activities, but no applicant is identifiable by these data. When a civil servant is not in work relations with IDP, we prepare a record for him as regards to the period of work. The included data in it are safely hold and are used only for important purposes on the employment of the person. When their employment at IDP comes to an end, we hold the record in compliance with the law on civil servant status, the law for archives and our internal rules.
The Commissioner’s Authority uses transparency to provide access to data for individuals. Individuals may reveal if we hold any personal data, by sending an “Access request to personal data” under the Law on Personal Data Protection. If we hold your personal data, we shall:
provide their description;
inform you why we hold them;
indicate in which recipient these data may be disclosed;
provide a copy of information in a clear form;
inform if providing personal data is binding or voluntarily.
To make a request with IDP, for any personal data we may hold, it is necessary to make a written request with Communication and Foreign Relations Department or send it to [email protected]
If you agree, we shall try to deal with your request informally, for example by providing the specific information via the phone.
If we hold information on you, you may request correction in it, by contacting once more the Communication Sector.
In many circumstances, we do not disclose personal data without your consent. Anyway, when we investigate a complaint, for example, we should share the personal information with the relevant company and other involved bodies.
You may obtain more information on: Agreements having with other institutions for exchange of information;
circumstances when we may disclose personal data without obtaining the consent, for example to prevent and reveal a crime and to produce anonymous statistics;
our Instruction for the staff on how personal data should be collected, used and deleted;
how we control data if our data are correct and updated.
This notification on preserving privacy in order to protect personal data does not include links among this website with other sites. We want to encourage you to read privacy declarations in other websites you visit.
AMENDMENTS IN THIS NOTIFICATION ON PERSONAL DATA PROTECTION
The Commissioner endeavors to fulfill the highest standards during collection and use of personal data. For this reason, we deal very seriously with complaints in this regard. We also welcome any suggestion for improvement of our procedures.
This notification on personal data protection was drafted with the aim to be clear and brief. Full details on collection and use of personal data by IDP are not provided. Although, we are at your disposal to provide any additional information or explanation. Any request in this regard should be sent at [email protected]
IDP processes information aiming to carry out its statutory obligations. This may include the secret information for controllers and individuals.
The information is a valuable asset. The continuous work of controllers is based upon their integrity and continuous availability. Thus, steps should be taken to protect information by unauthorized use, change, disclosure or rectification, whether occasional or by purpose.
The Commissioner’s Authority is committed to secure the use of information and data of technology systems aiming to preserve integrity and confidentiality of information at its control.
IDP uses a risk based approach during assessment and understanding of risks also uses all physic means of personnel, technical and procedural to attain the appropriate security measures. IDP take into account technology developments and implementation costs to attain an appropriate security level for the nature of information and damage that may result by a security breach.
The personnel of IDP is submitted to the obligation to preserve confidentiality of information which is given to the latter to exercise its functions under the law and may disclose it only to legal authorities. IDP offers guides and trainings to its personnel to enable them to understand and enforce their responsibilities in respecting security. IDP assesses their integrity before they’re hired. IDP monitors their compliance on their obligations with security.