Although the new Law on Personal Data Protection (hereinafter: the Law), which introduced a completely new concept in understanding the importance of processing and protection of personal data in the digital age, was adopted in November 2018, it’s implementation started with a 9-month grace period, in order to provide enough time to all legal subjects to harmonize their activities and business with the provisions of the Law.
The Commissioner’s attitude also attracted the attention of the general public, as he announced the plan to delay the implementation of the Law, just one month before the implementation. The rationale behind such a decision lays in the fact that no one got prepared for this implementation, due to the high standards and numerous obligations for the companies, government bodies and all parties that process personal data in any capacity. Nevertheless, the Law began with implementation on August 21, 2019.
The Law applies to everyone who processes personal data in any capacity, such as collection, recording, organization, consultation, erasure, storage, as well as all other actions relating to personal data, which was the topic in our previous blog – Tic-Toc, the Clock Is Ticking…Is Your Company Compliant With the new Law on Personal Data Protection?
Interestingly, the vast majority of companies have the misconception that if the company’s core business does not involve directly collecting personal data of third parties, then there is no space for the application of the Law. However, almost every company processes personal data about its employees, job candidates and persons hired on a part-time or temporary contract. We outlined this and other misconceptions employers frequently have about their obligations concerning the protection of their employees’ privacy in our blog post 9 Most Common Misconceptions of Employers on Personal Data Protection.
One of the initial obligations of the companies relates to the so-called “data mapping”, which implies that they need to ascertain which personal data they collect, in which manner, from whom and for which purpose. Therefore, the company is obliged to make a complete set of internal acts and introduce appropriate procedures to fully comply with the Law. For all those who neglect their obligations, the Law prescribes fines ranging from fifty thousand to two million dinars.
If we interested you to become more familiar with all the novelties that the Law introduces, we recommend you to read the blog The new Law on Personal Data Protection – Key Novelties that may come useful.