Personal data protection

Personal data protection is a field of law that is becoming increasingly important with the development of the digital society. New information technologies facilitate collecting, processing and accumulating information about an individual. Here the collision with the human right to the protection of personal data, which is ensured by constitutions and international conventions, is almost inevitable.

The European legislator was well aware of the importance of the protection of an individual’s personal sphere against unauthorised and excessive interference. This was taken into consideration when passing the General Data Protection Regulation, better known under the abbreviation GDPR, on 27th April 2016. The regulation became effective on 25th May 2018, which means it is now directly applicable in every member state of the EU, including Slovenia.

GDPR radically changed the regulation of personal data protection; it conferred more rights to individuals and imposed more obligations on companies collecting and processing personal data. The regulation is applicable not only to information service providers established in the EU, but also to those who have their place of business outside the EU and process information about individuals located in the EU.

According to the GDPR, personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or an online identifier. Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. The primary legal basis for processing personal data is an individual’s consent. The latter has to be verifiable, clear, understandable and revocable at any time.

Personal data has to be processed lawfully and in a fair and transparent way. Collecting personal data can be done only for a particular, explicit and lawful purpose. The data has to be appropriate, relevant and limited to the purposes for which it is being processed. Furthermore, it has to coincide with the facts and has to be up-to-date. Moreover, it can be stored no longer than the purpose allows it. Finally, the data must be protected with appropriate measures against unauthorised and unlawful processing as well as accidental loss, destruction and damage.

The GDPR pays special attention to sensitive personal data, the processing of which is prohibited in principle. Sensitive personal data represents information about an individual’s racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation.

The regulation confers different rights to individuals. First, there is the right to be informed which of one’s personal data is being collected and processed as well as what is the content of the information and who collects and processes it. The individual has also the right to rectification, meaning that he or she can require the data to comply with the reality. Very important is also the right to be forgotten, on the basis of which the individual can require the controller to erase his or her personal data without undue delay. The individual has also the right to restriction of processing, the right to data portability and the right to object.

On the other hand, the GDPR imposes various obligations on controllers and processors of personal data, for example the obligation to maintain a record of processing activates.

The GDPR pays great attention to preventive measures and prescribes a mandatory data protection impact assessment in case the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons. If an infringement of personal data nevertheless occurs, the Information Commissioner and the individuals, whose personal data has been infringed, should be informed about the infringement without undue delay.

Another important novelty, introduced by the GDPR, is the obligation to designate a Data Protection Officer (DPO). A DPO can be an employee in the company or an external contractor that is independent and guarantees the compliance of the company’s business with the regulations on personal data protection. The designation of a DPO is mandatory for public authorities and bodies as well as private controllers and processors performing processing operations that require regular and systematic monitoring of data subjects on a large scale (for example, insurance companies, online stores and consumer loyalty clubs) and those who process sensible personal data.