Only on the basis of the clear, unambiguous and demonstrable consent of the individual to whom the data relate.
General Data Protection Regulation
On May 25, 2018, the General Data Protection Regulation (GDPR) becomes applicable across the European Union (it entered into force on May 24, 2016, followed by a two-year transition period). Its goal is to give individuals control over their personal data and to raise the level of personal data protection throughout the EU through a single, directly applicable set of rules.
Key changes for controllers and processors of personal data
- Personal data may be collected on the basis of consent only where that consent is explicit and demonstrable. The controller must clearly tell the individual why the data will be used and how long it will be retained. Processing will be permitted only for the purposes stated in the consent.
- The individual has the right to withdraw consent, and withdrawing it must be as easy as giving it was.
- Controllers must provide the individual with transparent and easily accessible information about their data and how it is processed.
- The controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (and in certain cases must also notify the affected individuals).
- In certain cases a data protection officer (DPO) must be appointed.
- Controllers will no longer be required to register their personal data filing systems in the central register of filing systems, but in certain cases keeping records of processing activities will be mandatory.
Measures to take before the new regulation applies
- Check the validity of existing consents.
- Adjust how consent will be obtained in the future.
- Adjust contracts with data processors.
- Check and update the inventory of personal data filing systems (records of processing activities).
- Ensure that individuals can exercise their rights of access, restriction of processing, erasure, rectification and data portability.
- Check whether data protection impact assessments will be required.
- Check whether a data protection officer (DPO) must be appointed.
- Check how to minimize the amount of data collected, the scope of its processing, its retention period and the number of people who process it (data protection by design and by default).
- Review and update personal data security policies and their implementation.
- Determine who is responsible for reporting a security incident.
- Consider whether certification of personal data management is needed. (Certification will become available after some time; it will be voluntary but fee-based.)
- If necessary, engage external experts to help implement the changes.
*This article is intended as an interpretation of the General Data Protection Regulation (GDPR) and does not constitute legal advice.