GDPR - general information
1. General Personal Data Protection Regulation
Regulation is primarily aimed at strengthening the rights of natural persons to the protection of their personal data and at decrease of administrative burden associated with their protection. Another of the aims of the new legislation is to facilitate the free flow of personal data in the area of digital single market, which has greatly relieve multinational companies from administrative burdens related to ensuring compliance with the laws of the various European countries. Regulation should have a positive impact on increasing legal certainty for consumers and improve competition in the European Union.
The regulation aims to ensure a consistent level of protection for natural persons throughout the Union and to avoid disparities, which are an obstacle to the free movement of personal data within the internal market. The regulation will provide a legal certainty and a transparency for economic subjects, including small and medium businessmen. The Regulation also provides to individuals the same level of rights protection in all Member States and on the other hand lays down equivalent sanctions in all Member States. However, the regulation does not apply to the processing of personal data of legal persons.
The EU must be equipped with a comprehensive, coherent, modern and quality framework, which effectively protects the fundamental rights of individuals, in particular privacy, with regard to any processing of personal data of individuals within and outside the EU and in all circumstances, in order to solve many problems related to data protection, such as problems caused by globalization, technological development, the growth of activities undertaken on the internet, by using in connection with an increasing number of activities, as well as questions of security (for example a fight against terrorism). The intention of the Regulation is therefore to harmonize the national laws on personal data protection throughout the EU by current addressing of new technological development without the need for implementation into national orders.
1.1. The Definition of personal data
Personal data are defined in the Regulation as any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
For example, online identifier such as the IP address of the natural person can be understood under this term. This is an expansion of the definition of personal data in order to ensure the protection of any identifiable natural person.
Sensitive personal data such as for example the processing of genetic data, biometric data for individual identification of natural person, data concerning health or data relating to sexual life or sexual orientation of natural person can be processed only in the case when it is the exception defined in the Regulation. One of the exceptions, it is also the case if the data subject manifestly makes public these data (eg. on the social network).
The processing of photographs should not systematically be considered to be processing of special categories of personal data as they are covered by the definition of biometric data only when processed through a specific technical means allowing the unique identification or authentication of a natural person.
2.2. The principles of the Regulation
Principles relating to processing of personal data are: lawfulness, fairness and transparency; accuracy; purpose limitation; storage limitation; data minimisation; integrity and confidentiality.
The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used. Such information could be provided in electronic form, for example, when addressed to the public, through a website. This is of particular relevance in situations where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected, such as in the case of online advertising. Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand.
The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing taking into account the specific circumstances and context in which the personal data are processed. Furthermore, the data subject should be informed of the existence of profiling and the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences, where he or she does not provide such data. That information may be provided in combination with standardised icons in order to give in an easily visible, intelligible and clearly legible manner, a meaningful overview of the intended processing. Where the icons are presented electronically, they should be machine-readable.
The most important benefit of the new regulation is the principle of liability under which the controller is responsible for compliance with all principles and must be able to demonstrate it. So the burden of proof is shifted on the controller.
2.3. Territorial scope of the Regulation:
The Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. Regulation should therefore apply to anyone who processes personal data in the European Union, but also not in Union, if it fulfils the conditions laid down by regulation. The Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or the monitoring of their behaviour as far as their behaviour takes place within the Union. For the needs of fulfilling of the preceding paragraph, the controller or the processor must designate in writing their own representative in the Union.
2.4. Individual rights under the Regulation
The right to be informed includes the obligation to provide "fair processing of information", typically through a notice on the protection of personal data. It emphasizes the need for transparency over how you use personal data.
Right of access to personal data is based on the right to obtain confirmation from the controller of whether personal data are processed relating to it and, if yes, it has the right to have access to this personal data and defined information.
Right to rectification of personal data if these data are inaccurate or right to incomplete personal data completed.
Right to erasure (‘right to be forgotten’) is based on the principle of allowing a person to apply for erasure and removal of personal data and those where there is no reason for their further processing. Anyone can request to have his personal data erased unless the personal data are no longer necessary in relation to the purposes for which they were collected or the person does not want the data were further processed, withdraw their consent and there is no other legal basis or legitimate reason for their processing and preservation. In practice this means for example that if someone asked for an internet company to delete their personal data, the company is obliged to refer the request to other companies who have received these personal data. This right has long been discussed in terms of the real technological possibilities of the complete deletion of personal data. The regulation defines the obligation of the controller to erase the personal data, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.
Right to restriction of processing is the obligation to restrict another processing of the data but it is not the obligation to erase the existing data. Thus, the controller may retain too much data to make sure that the limitation of processing in the future will be secure.
Right to personal data portability to another service provider means that „the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.“ Data subjects should be allowed to replace the service provider, including the transfer of their personal data directly from one controller to another, if it is technically feasible and without any loss of data (such as contacts or previous e-mails) and need for their re-entry.
Profiling means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. The new rules of Regulation restrict the use of profiling without the prior consent of the data subject. By profiling there must be no discrimination against a person whose data are processed.
The right to know about the personal data breach. The data subject has the right to be informed that there was a threat of the security of their personal data. Notification of a personal data breach to the supervisory authority is laid down in Article 33 of the Regulation, which states in sections 1 and 2: „In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay. The processor shall notify the controller without undue delay after becoming aware of a personal data breach.“ The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the supervisory authority to verify compliance with this Article.
Specific protection for children and the conditions relating to the consent of the child as defined in Article 8 Section 1 of Regulation: „Where point (a) of Article 6(1) applies, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old. Where the child is below the age of 16 years, such processing shall be lawful only if and to the extent that consent is given or authorised by the holder of parental responsibility over the child. Member States may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.“ This means that children under a certain age will need the consent of a parent or other legal representative that they can for example set up accounts on various social networks like Facebook, Instagram, whereby fixing an age limit is left to the will of the legislators of the Member States in the range of age from 13 to 16 years. In this way it is ensured that the states could keep their current legislation on the consent of the legal representative. The aim of legislation is to protect children from sharing their own personal data without the awareness of the consequences of such action. It should be noted that the aim is not to restrict children from receiving information obtained through the Internet.
2. Directive on personal data protection in the field of justice and the judiciary
The specific nature of police and judicial activities requires specific rules of personal data protection in order to ensure the free flow of information and cooperation between Member States in these areas. The directive aims to protect the rights of individuals to protection of their personal data with the simultaneous guarantee of a high level of public safety.
The aim of the Directive is to replace the framework decision on data protection 2008/977/ JHA, which currently regulates the processing of personal data in police and judicial cooperation in criminal matters, but from it implies for Member States the obligation to use the specified level of protection of personal data only in connection with their cross-border exchange.
Compared with the Framework Decision 2008 directive provides a comprehensive legislation, as it should also apply to the protection of personal data by processing at national level, by which the reducing of the disparities between different legislations and the resulting enhanced level of data protection should be achieved.
The Directive was adopted to ensure a high level of personal data protection while improving cooperation in a fight against the terrorism and other serious crime. After the Lisbon Treaty came into force, the protection of natural persons with regard to the processing of personal data is explicitly recognized as a fundamental right. Article 8 (1) of the Charter of Fundamental Rights of the European Union ( "the Charter") and Article 16 (1) of the Treaty on the Functioning of the European Union (TFEU) defines that everyone has the right to protection of personal data concerning him. However, Declaration 21, annexed to the Final Act of the Intergovernmental Conference which adopted the Treaty of Lisbon recognizes the specific nature of the security nature deserves a special legislation. According to the approach of the European institutions, a processing in the police and criminal justice in context must be distinguished from all other processing of personal data. The European legislator has at first sight distinguish between fields by selecting two different types of legal instruments (Regulation and Directive). Protection and free movement of data processed by competent authorities for the purposes of the prevention, investigation, detection and prosecution or the execution of punishments has been regulated by the Directive, which allows for Member States some flexibility as well as incorporating into their national legislation, while the regulation was adopted to regulate the general processing of personal data. In this way the EU will recognize two-speed process to harmonize all processing of personal data in the EU.
One of the main differences between the general regulation and directive on personal data protection in the field of justice and the judiciary (regulating data protection within the scope of criminal law) is essentially the right to information and access to personal data. If the rights set out in the regulation are carried out as far as possible in the event of criminal law, it would prevent carry out criminal offences. That is the reason why the specific provisions concerning police and judicial area must be defined in the directive. The Directive aims to balance the objectives of data protection and security policy, while it certainly contributes to the creation of less fragmented framework.
Member States in accordance with this Directive protect fundamental rights and liberties of natural persons, especially their right to the protection of personal data, and ensure that the exchange of personal data between competent authorities within the Union, if this exchange is required under European Union law or the law of the Member State, is not be restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.
The processing of personal data under this Directive is permissible only for the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including protection against threats for public safety. If personal data are processed for other purposes, then the General Data Protection Regulation is used. The Directive applies to the processing of personal data exercised wholly or partly by automatic means, and to the processing otherwise than by automatic means in the case of personal data which form a part of the information system or are intended to form a part of the information system. The processing of personal data carried out in the exercise of activities which fall outside the scope of EU law (eg. Activities related to national security) as well as the processing of personal data by the bodies, institutions and other subjects of the European Union are excluded from the Directive.
The purpose of the Directive is to ensure the personal data protection in relation to victims, witnesses, suspects and defendants in criminal proceedings. Uniform legislation at European level will simplify cross-border cooperation of law enforcement agencies and prosecutors, which ensures more efficient and faster fight against serious crime and terrorism in Europe. Directive concerns the cross-border transfer of data within the European Union and minimum standards for the processing and exchange of data by police and judicial authorities are laid down by the Directive.
However, EU Member States have the right to determine, in their national legal systems greater protection thus transmitted data what is defined in Article 1 Section 3 of the Directive and that this Directive does not prevent Member States to set more stringent guaranties than those established in this Directive to protect the rights and liberties of data subjects with regard to the processing of personal data by competent authorities.
Supervision is carried out by the national authority for the protection of personal data (in Slovakia, it is Office for Personal Data Protection), with sufficient powers to enforce compliance with the rules. Police and judicial authorities in principle will be governed by the same privacy policies as those specified by the Regulation, but with the necessary of adjustments for this sector.
Directive shall enter into force on the day following its publication in the Official Journal of the European Union. Within 6 May 2018 Member States shall adopt and publish the laws, any other enactments and administrative provisions which are necessary to comply with this Directive.
3. Violation of rights to the protection of personal data
Violation of rights related to the protection of personal data will be more difficult by introducing the disclosed reform package. The reform package is the uniform legislation in all EU Member States and therefore it will be necessary to comply this legislation in EU and also by controllers which are not established in the EU Member States. Penalties for violations of the rights laid down uniformly and it will not be able to seek a favorable jurisdiction for the violation. The reform package represents guarantees for natural persons and respect their rights to the protection of personal data.