Keeping a nationwide personal data set register and providing information about such registered sets is one of the basic tasks of the General Personal Data Inspection Officer (GIODO) provided for with the act (art. 12, item 3). In practice, GIODO accepts personal information database submissions for registration, examines the sent applications in terms of their compliance with the statutory requirements and, if they are observed, adds a given set to the Nationwide personal data set register. The register kept by GIODO is public. This means that it is made publicly available - for instance, via e-GIODO electronic platform which allows to search database for various criteria. 

When you don't need to register a database in GIODO...

Not every database requires to be registered. Personal data sets that do not require registering in GIODO include, among others, databases related to documenting persons using medical, notary or legal services, services of a patent attorney, statutory auditor as well as sets of data concerning students. Registration is not required either in case of data processed with respect to employment, for the purpose of issuing an invoice or a receipt, members of associations and the so-called publicly available data. It is, however, very important to remember that the lack of obligation to register such data in GIODO does not relieve the administrator from observing other obligations under the personal data protection act, in particular the ones related to confidentiality and security. 

...and when is it necessary?

In particular, any databases of personal information related to online stores are subject to registration in GIODO. Such store's customer database is continuously processed for various purposes (notifications, completion and monitoring of orders, marketing and others) and this makes it a data set within the meaning of the Personal Data Protection Act. Such database usually cannot be submitted for registration in GIODO as one unbroken personal data set as the data contained in it are processed in various ranges and for various purposes. In practice this means that submitting it for registration involves several interrelated personal data sets kept for various purposes and one specific registration of a data set might only include one data set (pursuant to art. 41 of the aforementioned Act). 

While submitting a data set for registration a data administrator should be aware that individual personal data sets differ, for instance, in the scope of processed data, the purpose of processing the data or the legal basis for keeping the set. That's why completing one submission for several personal data sets does not allow to explicitly outline their subsets given various criteria such as the statistical identification number (REGON), city, surname etc. This makes it difficult to indicate the characteristic elements that influence their identity. Consequently, it is impossible to state what scope of information concerns each of these sets. 

A rather standard, generally understood personal information database of an online store involves many types of data and relations - such as completing orders, keeping sales statistics and a civil law contracts database. Various data sets kept for various purposes are related to them. In practice it consists in the fact that each of them should be reported on a separate application form. You should then correctly specify and enter the scope of collected information as well as the purposes, for which they are collected and processed.