The New Law on Personal Data Protection – Key Novelties
PART II
The new Law on Personal Data protection started to apply on August 21, 2019. In the series of blog posts, we explain the key novelties which the new Law introduced.
The new Law on Personal Data protection started to apply on August 21, 2019. In the series of blog posts, we explain the key novelties which the new Law introduced.
In our previous blog post, Tic-Toc, the Clock is Ticking… Is Your Company Compliant With the New Law on Personal Data Protection? we explained when does the new Law apply, what is personal data and what are the principles and legal grounds for personal data processing. In this blog, we will cover the technical measures of personal data protection, the Data Protection Officer and the rights of the data subject.
The security of personal data is one of the key founding principles of into the new Law. In light of that, the Law obliges the controller to take adequate technical, organizational and personnel measures to ensure that the personal data processing is carried out in accordance with the Law, while the controller should take into account the nature, scope, circumstances, the purpose of processing, the risk assessment for the rights and freedoms of natural persons.
If needed, the controller needs to be able to demonstrate to have acted in compliance with this legal requirement.
Even though it may seem that the above-mentioned provision is imprecise, the Law actually follows the approach from the General Data Protection Regulation (GDPR) which takes into the account the rapid technological progress as well as various areas in which the personal data processing takes place. That is the reason why the Law hesitantly specifies in detail what are the “technical, organizational and personnel measures” that the controller should implement.
Once the protection measures have been implemented, they should not be seen as permanent and unchangeable. On the contrary, the controller should assess and update them, if needed.
The security of personal data protection means that the controller and the processor conduct the appropriate technical, organizational and personnel measures, to ensure the adequate security level of the personal data in relation to the specific risk against their security. When doing that, one should have in mind the degree of technological advancements and the expenses of their implementation, the nature, the scope, the circumstances and the purpose of processing, as well as the probability of the risk occurring and the degree of risk for the rights and freedoms of natural persons.
The significance of the implementation of the above-mentioned measures is best reflected in the fact that the great number of penalties for the violations of the GDPR has been imposed due to the lack of technical security. For example, the penalty of EUR 204,000,000.00 has been imposed upon the company British Airways in the United Kingdom, for the personal data violation due to the hackers’ attack, as we talked about in our news British Airways and Marriott International Violated GDPR – What Consequences Could They Face?.
In order to choose the adequate measures for your company, you will first need to identify which risks threaten the security of the personal data which you process, as well as the probability for those risks and possibilities to become reality.
An example:
If you process the personal data in the electronic form, the risks which threaten their security might include unauthorized access to the databases, alteration or deleting the personal data, physical damage to servers and other hardware which stores the data, or which are used for other processing operations, due to fire, flood etc.
Pseudonymization is personal data processing which disables the connection of personal data with a particular data subject, without using the additional information. In other words, pseudonymization “hides” the data subject, but it is still possible to ascertain the identity of that person by using additional information. It is very important to keep the additional information separate, as well as to take technical, organizational and personnel measures to prevent the attribution of personal data to an identified or identifiable data subject.
Anonymization is data processing that causes permanent inability to ascertain the identity of the data subject. Starting from the moment when the personal data are anonymized, you are no longer obliged to treat that data in accordance with the Law on Personal Data Protection.
Encryption of data is a protection method which encrypts information and enables the access solely to a person which has the encryption key. The encrypted data are shown in unreadable form to whomever wishes to access them without the encryption key.
Filing systems have to be kept far from the persons who are not authorized to have insight into the filing systems within the company. The compliance process with the Law on Personal Data Protection means that the rights, obligations and responsibilities of employees in terms of storing and using the filing systems need to be clearly determined. Some data may be available to all employees of the company (for instance, business email addresses), while other data can be available solely to the employees with special authorizations (for example, specific persons within the human resources department).
In the event that the personal data breach occurs, regardless of the implementation of the protection measures, which can cause a risk for rights and freedoms of natural persons, the controller has the obligation to notify the Commissioner about the breach as soon as possible, within 72 hours as of the date of being aware of the breach at the latest.
On the other hand, the processor is obliged to notify the controller about every data breach, regardless of the degree of risk for rights and freedoms of natural persons, without undue delay.
The controller needs to keep their record about all data breaches, which contains details of a breach, the consequences of a breach and the actions taken for their removal.
If the data breach can cause high risk for rights and freedoms of natural persons, the controller has to notify the data subject, without the undue delay, unless the controller has taken the adequate measures as their reaction to the breach.
Therefore, we can see that only high risk for rights and freedoms of natural persons produces the obligation of notification of the data subjects, while the Commissioner has to be notified in case of less significant risk.
In general, the controller and the processor may designate a DPO but are not obliged to do that. However, when it comes to business entities, the Law on Personal Data Protection stipulates as a mandatory designation of a DPO if:
If a controller, or a processor, which are legal entities, does not designate a DPO in the above-mentioned cases, they will be monetarily penalized for a misdemeanor in the range of RSD 50,000 – RSD 2,000,000.
A controller or a processor is obliged to publish the contact information of a DPO and to deliver them to the Commissioner.
DPO is available to data subjects, who can turn to the DPO concerning all matters which concern the processing of their data, as well as concerning the realization of their rights.
DPO directly responds to the manager of the controller or the processor for the fulfillment of the DPO’s legal obligations.
The Law allows for DPO, besides the activities relating to the personal data protection at the controller or the processor, to perform other activities and fulfill other obligations. The controller or the processor is obliged to ensure that the performance of other activities and the fulfillment of other obligations do not lead the DPO into a conflict of interest.
If the data are collected from a person to whom that data is related, the controller has to, at the moment of collecting the data, provide that person with the information which the Law prescribes, such as identity and the contact information of the controller, the contact information of the DPO, the purpose of intended processing and legal basis for processing, the recipients, the period of storage of the personal data, the rights of the data subject in relation to their data, as well as other information.
The data subject is entitled to request information from the controller whether the controller processes their personal data, to request access to that data, as well as information about the purpose of processing, about the types of data which are processed, about the period of storage of personal data, about the rights of the data subject in terms of processing of their data, and other information.
The controller is obliged to, after the request of the data subject, deliver a copy of the personal data which it processes, which are related to that data subject.
If the personal data are inaccurate, the data subject is entitled to ask the controller for correction of the data, without undue delay.
If the personal data is incomplete, taking into account the processing purpose, the data subject is entitled to supplement their personal data.
The data subject is entitled to file a request to the controller for the erasure of their personal data by the controller.
The controller is obliged to erase the personal data if:
If the controller had publicly published the personal data, their obligation to erase the data includes taking all reasonable measures for notification of other controllers which process that data that the data subject filed the request for the erasure of all copies of this data and referrals, i.e. electronic links towards these data.
The data subject is entitled to have their personal data processing restricted by the controller in the following cases:
The data subject is entitled to transfer their personal data, which it had previously delivered to the controller, to another controller without interference by the controller to whom that data had been initially delivered, if:
1) the processing is based on the consent of the data subject or it is based on the contract;
2) the processing is performed automatically.
The right to data portability also includes direct transfer from the previous to the new controller.
The data subject is entitled to, at any time, file the objection against the processing of their personal data to the controller, which is performed in accordance with the public interest or the fulfillment of the legal authorizations of the controller, or the legitimate interests of the controller or the third party, as the legal grounds of the processing.
The controller is obliged to stop with the processing of the data of the person who filed the objection, unless if it can prove that there are legal reasons for the processing which outweigh the interests, the rights or the freedoms of the data subjects or which are related to the filing of, the realization of or the legal claim defense.
Finally, in the third and the final text in our series of texts about the key novelties of the new Law on the Personal Data Protection, we will deal with the penalty provisions of the new Law.
Stay in the loop with the most important updates