Updated last 26.03.2021
In this section you can find the following information:
Why it was necessary to amend the personal data legislation?
We are observing a turbulent development of technologies, social networks and cloud services, where huge amount of information is stored, most of which being confidential. Unauthorized access to such information may result in many types of abuse, such as identity theft, illegal transfers of money, event manipulation of the users in order to make them buy certain goods or vote for a certain candidate at the elections. Ever more often emails and social networks are used by children, who are unable to protect from threats. A part of the servers, where such information is stored, are located outside the European Union, where the Member States are unable to perform checks. By introducing the new rules, the European Union has attempted to mitigate the risks, to which its citizens are exposed on the internet, imposing clear requirements and rules for the protection of their personal information, irrespective of the physical location of such information.
What is important to know about the GDPR (General Data Protection Regulation)?
The full name of this document is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)“ or briefly – the “Regulation“. Unlike the repealed Directive, the regulation applies directly and every person can directly refer to it.
While the Directive was in effect, a Working Party was established, pursuant to article 29, issuing guidelines, recommendations and opinions on key matters and issues, and the interpretation of terms and principles, in the area of personal data. Most of these documents are still usable, in order to clarify the proper application of the Regulation.
The Working Party as per article 29 will continue its existence as the European Data Protection Board.
Who must apply the regulation?
As of 25 May 2018 every company is obliged to process, store and transfer personal data in accordance with the personal data protection requirements, set out in the Regulation. Тhe Regulation applies to the personal data protection of the EU citizens or persons, residing on its territory. If data of such citizens is stored outside the EU, it must nevertheless be stored in accordance with the requirements of the Regulation.
Important to know |
|
The Regulation is not applied by the competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. It is also not applied when personal data is processed for personal purposes or within households. Тhe Regulation is also not applicable to persons, who are not EU citizens and who do not reside within the EU. The Regulation is not applied by the member-states, which perform activities, falling in the applied sphere of the Union’s general foreign policy and security policy, as well as in the progress of activities, which are beyond the applied field of the Union law. |
What are the sanctions for violations of the Regulation's requirements?
The sanctions for failure to observe the provisions of the Regulation may reach a maximum of EUR 20 000 000 or up to 4% of the total annual global turnover of the company for the preceding financial year.
What are the main terms, which you need to know, in order to ensure compliance with the Regulation?
The first step that you must take in order to ensure the security of the personal data that you are operating with, is to understand the key principles and terms, contained in the Regulation:
Term |
Definition |
Example/Explanation |
Personal data (art. 4, item 1 of the Regulation) |
any information relating to an identified or identifiable natural person (“data subject”)
|
names, PIN, number of identity document, social security number, family status, kinship, email address, telephone No., photo, IP address, another registration number, voice, facial image, fingerprints, location information |
Special personal data categories (art. 9 of the Regulation) |
data revealing racial or ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation
|
medical information, fingerprint, scanned image of the retina, document for trade union membership organization |
Data related to sentences and offences (article 10 of the Regulation) |
processed only under the control of an official authority or when the processing is permitted by the Union law or the law of the member – state, which contains adequate guarantees for the rights and freedoms of the data subjects |
conviction certificate
|
Processing (art. 4, item 2 of the Regulation) |
Any operation, performed on personal data |
collection, recording, organization, structuring, storage, adaptation or alteration, use, disclosure, dissemination, combination, erasure, destruction
|
Principles of personal data processing (art. 5 of the Regulation) |
lawfulness, fairness, transparency |
data must be processed in conformity with the law, without any intention of violation or offence and the relevant persons must be aware of the processing |
restriction of purposes |
if data is collected for one purpose, they cannot be used for another; the purpose for which the personal data is processed should be defined prior to the commencement of the process on their collection |
|
|
data minimization |
only the minimum necessary data can be processed |
accuracy |
data must be kept up-to-date and accurate at any time |
|
storage restriction |
data must not be stored longer than necessary to achieve the relevant objectives or for the maximum permitted period, according to the law |
|
integrity and confidentiality |
all necessary measures must be applied, to limit the possibility for unauthorized access |
|
reporting | the data controller should possess proofs for the measures, he undertakes in view of performance of the obligations thereof under the Regulation |
Term |
Definition |
Example/Explanation |
Objectives |
set out in each specific moment, as some of them arise from the law and others from company’s economic activity
|
by law: legal employment relations, access to data, published in the commercial register, economic activity: marketing, sales, office security |
Grounds (art. 6-8 of the Regulation) |
Consent – each freely expressed, particular, informed and unambiguous instruction for the will of the data subject, expressing the consent thereof for the related to her/him personal data to be processed for one or more particular purposes
|
consent is only used, if no other grounds are applicable |
contract |
personal data, included in the contract, may be processed by the parties, as well as, if the received data of natural persons with respect to the signing of a contract, if the natural person has initiated the process
|
|
legal obligations |
employment obligations of the employer, collection of data, related to the obligations, regarding the measures against money laundering
|
|
protection of vital interests of the data subject |
when hospitals or dental specialists carry out their activity, when personal data is processed for humanitarian purpose, including for activities related to natural calamities and disasters, caused by human activity |
|
performing tasks of public interest |
cameras-assisted security, during concerts, football games |
|
|
legitimate interest |
this interest is related to the specific economic activity, e.g., sales, marketing, etc.; the controller shall perform a test for the balance sought between his legitimate interest and the interests or rights and freedoms of the data subjects |
Controller (art. 4, item 7, art. 24 - 27 of the Regulation and See here) |
a natural person or legal entity, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data |
the company as the employer of a person, bound by obligations, related to the measures against money laundering, etc. |
Processor art. 4, item 8, art. 28 of the Regulation See here) |
a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller |
cloud service provider, labor and payroll service provider (accounting house performs activities related to the management of the employer’s (controller’s) human resources), etc. |
Data protection officer art. 37 – 39 of the Regulation See here |
a position with the company, which is a data controller or processor, which must meet certain conditions |
Article 37 of the Regulation lays down the cases, when the appointment of an official on data protection is mandatory |
Means See here |
Includes not only the technical, but also the organizational parameters of the processing |
specific technical products - passwords, encrypting, the organization for the access to the data – locking of premises, safes, etc. |
Term |
Definition |
Example/Explanation |
Personal data breach art. 4, item 12 of the Regulation and See here |
a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed
|
a hacker attack, loss of electronic information, loss of electronic information carrier, access to the information by an unauthorized person |
Pseudonymi-sation art. 4, item 5 of the Regulation |
the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately
|
a cryptographic key, where the data used cannot be readable, to be transformed back to readable information, without the reuse of the cryptographic key |
Profiling art. 4, item 4 of the Regulation and See here |
any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person |
processing is used to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements;
|
Automated individual decision-making art. 22 of the Regulation and See here |
Analyzing and evaluation of personal aspects of a natural person, based only on an automated decision, where no analysis is performed by an actual person, but by a machine only |
|
Impact assessment art. 35 and 36 of the Regulation and See here |
A procedure, which must be applied, if there is data, which is being processed and is considered a significant risk |
|
Important to know |
|
Even if data, such as the names and PIN is not available, natural persons can be identified by, for example, IP address, which is a common approach in the case of “cookies“, as well as using an official number, such as the practice in professional organizations and some employers. It is important to note that the person can also be identified, based on a voice or video recording. |
Important to know |
|
Each of the operations as per art. 4, item 2 of the Regulation is considered data processing on its own. If a company only stores or destroys personal data, without any other operations, it still falls within the scope of the Regulation and must apply its requirements. It is not even necessary that the company’s employees have access to the data or to use it in any other manner. |
For more information |
|
For more information, please visit the websites of the: Text of the Regulation |