The New Law on Personal Data Protection – Key Novelties
PART II
The new Law on Personal Data protection started to apply on August 21, 2019. In the series of blog posts, we explain the key novelties which the new Law introduced.
In our previous blog post, Tic-Toc, the Clock is Ticking… Is Your Company Compliant With the New Law on Personal Data Protection? we explained when does the new Law apply, what is personal data and what are the principles and legal grounds for personal data processing. In this blog, we will cover the technical measures of personal data protection, the Data Protection Officer and the rights of the data subject.
TECHNICAL MEASURES FOR THE PERSONAL DATA PROTECTION
The security of personal data is one of the key founding principles of into the new Law. In light of that, the Law obliges the controller to take adequate technical, organizational and personnel measures to ensure that the personal data processing is carried out in accordance with the Law, while the controller should take into account the nature, scope, circumstances, the purpose of processing, the risk assessment for the rights and freedoms of natural persons.
If needed, the controller needs to be able to demonstrate to have acted in compliance with this legal requirement.
Even though it may seem that the above-mentioned provision is imprecise, the Law actually follows the approach from the General Data Protection Regulation (GDPR) which takes into the account the rapid technological progress as well as various areas in which the personal data processing takes place. That is the reason why the Law hesitantly specifies in detail what are the “technical, organizational and personnel measures” that the controller should implement.
Once the protection measures have been implemented, they should not be seen as permanent and unchangeable. On the contrary, the controller should assess and update them, if needed.
The security of personal data protection means that the controller and the processor conduct the appropriate technical, organizational and personnel measures, to ensure the adequate security level of the personal data in relation to the specific risk against their security. When doing that, one should have in mind the degree of technological advancements and the expenses of their implementation, the nature, the scope, the circumstances and the purpose of processing, as well as the probability of the risk occurring and the degree of risk for the rights and freedoms of natural persons.
The significance of the implementation of the above-mentioned measures is best reflected in the fact that the great number of penalties for the violations of the GDPR has been imposed due to the lack of technical security. For example, the penalty of EUR 204,000,000.00 has been imposed upon the company British Airways in the United Kingdom, for the personal data violation due to the hackers’ attack, as we talked about in our news British Airways and Marriott International Violated GDPR – What Consequences Could They Face?.
WHAT CAN YOU DO TO PROTECT THE PERSONAL DATA?
RISK ASSESSMENT
In order to choose the adequate measures for your company, you will first need to identify which risks threaten the security of the personal data which you process, as well as the probability for those risks and possibilities to become reality.
An example:
If you process the personal data in the electronic form, the risks which threaten their security might include unauthorized access to the databases, alteration or deleting the personal data, physical damage to servers and other hardware which stores the data, or which are used for other processing operations, due to fire, flood etc.
PROTECTION MEASURES AGAINST RISKS
A. PSEUDONYMIZATION
Pseudonymization is personal data processing which disables the connection of personal data with a particular data subject, without using the additional information. In other words, pseudonymization “hides” the data subject, but it is still possible to ascertain the identity of that person by using additional information. It is very important to keep the additional information separate, as well as to take technical, organizational and personnel measures to prevent the attribution of personal data to an identified or identifiable data subject.
B. ANONYMIZATION
Anonymization is data processing that causes permanent inability to ascertain the identity of the data subject. Starting from the moment when the personal data are anonymized, you are no longer obliged to treat that data in accordance with the Law on Personal Data Protection.
C. ENCRYPTION
Encryption of data is a protection method which encrypts information and enables the access solely to a person which has the encryption key. The encrypted data are shown in unreadable form to whomever wishes to access them without the encryption key.
D. SUPERVISORY AUTHORITIES
Filing systems have to be kept far from the persons who are not authorized to have insight into the filing systems within the company. The compliance process with the Law on Personal Data Protection means that the rights, obligations and responsibilities of employees in terms of storing and using the filing systems need to be clearly determined. Some data may be available to all employees of the company (for instance, business email addresses), while other data can be available solely to the employees with special authorizations (for example, specific persons within the human resources department).
NOTIFYING THE COMMISSIONER ABOUT THE PERSONAL DATA BREACH
In the event that the personal data breach occurs, regardless of the implementation of the protection measures, which can cause a risk for rights and freedoms of natural persons, the controller has the obligation to notify the Commissioner about the breach as soon as possible, within 72 hours as of the date of being aware of the breach at the latest.
On the other hand, the processor is obliged to notify the controller about every data breach, regardless of the degree of risk for rights and freedoms of natural persons, without undue delay.
The controller needs to keep their record about all data breaches, which contains details of a breach, the consequences of a breach and the actions taken for their removal.
NOTIFYING THE DATA SUBJECT ABOUT THE PERSONAL DATA BREACH
If the data breach can cause high risk for rights and freedoms of natural persons, the controller has to notify the data subject, without the undue delay, unless the controller has taken the adequate measures as their reaction to the breach.
Therefore, we can see that only high risk for rights and freedoms of natural persons produces the obligation of notification of the data subjects, while the Commissioner has to be notified in case of less significant risk.
DATA PROTECTION OFFICER (DPO)
When to Designate a DPO?
In general, the controller and the processor may designate a DPO but are not obliged to do that. However, when it comes to business entities, the Law on Personal Data Protection stipulates as a mandatory designation of a DPO if:
- The main roles of a controller or a processor consist of the processing activities which, due to their nature, scope, or purposes require regular and systematic supervision of a great number of data subjects;
- The main activities of a controller or a processor consists of the processing of special categories of personal data (relating to the racial or ethnical origin, political opinion, religious belief, etc.), on a large scale.
If a controller, or a processor, which are legal entities, does not designate a DPO in the above-mentioned cases, they will be monetarily penalized for a misdemeanor in the range of RSD 50,000 – RSD 2,000,000.
A controller or a processor is obliged to publish the contact information of a DPO and to deliver them to the Commissioner.
How to Engage a DPO in Our Company (at a controller or a processor)?
- Based on employment.
- Based on another contract.
Position of the DPO
DPO is available to data subjects, who can turn to the DPO concerning all matters which concern the processing of their data, as well as concerning the realization of their rights.
DPO directly responds to the manager of the controller or the processor for the fulfillment of the DPO’s legal obligations.
The Law allows for DPO, besides the activities relating to the personal data protection at the controller or the processor, to perform other activities and fulfill other obligations. The controller or the processor is obliged to ensure that the performance of other activities and the fulfillment of other obligations do not lead the DPO into a conflict of interest.
What are the Responsibilities of the DPO?
- To inform and provide an opinion to the controller or the processor, as well as to the employees which conduct the processing activities, about their legal obligations concerning the personal data protection;
- To supervise the application of the provisions of the Law on Personal Data Protection and other laws, as well as internal regulations of the controller or the processor which are related to the personal data protection, including the matters of division of responsibility, raising awareness and training of the employees which take part in the processing activities, as well as of control;
- To provide an opinion, when asked, about the estimation of the impact of processing to the personal data protection and to follow the actions taken in relation to that estimation;
- To be a contact point for cooperation with the Commissioner and to consult with the Commissioner concerning the matters which relate to the processing of personal data.
THE RIGHTS OF A DATA SUBJECT – OBLIGATIONS OF THE CONTROLLER
RIGHT TO BE INFORMED
If the data are collected from a person to whom that data is related, the controller has to, at the moment of collecting the data, provide that person with the information which the Law prescribes, such as identity and the contact information of the controller, the contact information of the DPO, the purpose of intended processing and legal basis for processing, the recipients, the period of storage of the personal data, the rights of the data subject in relation to their data, as well as other information.
RIGHT OF ACCESS
The data subject is entitled to request information from the controller whether the controller processes their personal data, to request access to that data, as well as information about the purpose of processing, about the types of data which are processed, about the period of storage of personal data, about the rights of the data subject in terms of processing of their data, and other information.
The controller is obliged to, after the request of the data subject, deliver a copy of the personal data which it processes, which are related to that data subject.
RIGHT TO RECTIFICATION
If the personal data are inaccurate, the data subject is entitled to ask the controller for correction of the data, without undue delay.
If the personal data is incomplete, taking into account the processing purpose, the data subject is entitled to supplement their personal data.
RIGHT TO ERASURE
The data subject is entitled to file a request to the controller for the erasure of their personal data by the controller.
The controller is obliged to erase the personal data if:
- the personal data are no longer necessary for the fulfillment of the purpose for which they have been collected or otherwise processed;
- the data subject revoked their consent based on which the processing has been conducted, and there is no other legal ground for the processing;
- the data subject filed their objection on the processing of their personal data;
- the personal data have been unlawfully processed;
- the personal data have to be erased for the fulfillment of the controller’s legal obligations.
If the controller had publicly published the personal data, their obligation to erase the data includes taking all reasonable measures for notification of other controllers which process that data that the data subject filed the request for the erasure of all copies of this data and referrals, i.e. electronic links towards these data.
RIGHT TO RESTRICTION OF PROCESSING
The data subject is entitled to have their personal data processing restricted by the controller in the following cases:
- When the data subject disputes the accuracy of the personal data, in the period which enables the controller to check the accuracy of this data;
- When the processing is unlawful and the data subject is against the erasure of data and, instead of erasure, requests the restriction of the use of the data;
- When the controller no longer needs the personal data for the fulfillment of the processing purpose, but the data subject asked for them the filing, the realization or the legal request defense;
- When the data subject filed the objection on the data processing, and while the estimation of whether the legal ground for the processing by the controller outweighs the interests of the data subject is taking place.
RIGHT TO DATA PORTABILITY
The data subject is entitled to transfer their personal data, which it had previously delivered to the controller, to another controller without interference by the controller to whom that data had been initially delivered, if:
1) the processing is based on the consent of the data subject or it is based on the contract;
2) the processing is performed automatically.
The right to data portability also includes direct transfer from the previous to the new controller.
RIGHT TO OBJECT
The data subject is entitled to, at any time, file the objection against the processing of their personal data to the controller, which is performed in accordance with the public interest or the fulfillment of the legal authorizations of the controller, or the legitimate interests of the controller or the third party, as the legal grounds of the processing.
The controller is obliged to stop with the processing of the data of the person who filed the objection, unless if it can prove that there are legal reasons for the processing which outweigh the interests, the rights or the freedoms of the data subjects or which are related to the filing of, the realization of or the legal claim defense.
Finally, in the third and the final text in our series of texts about the key novelties of the new Law on the Personal Data Protection, we will deal with the penalty provisions of the new Law.
