Comply with GDPR
The field of personal data protection is a complex area. All of us are sensitive about the data by which others (those who manage these data) can identify us. As technology evolves, the need for personal data security is increasing. The EU has responded in this area and has sought to unify the protection of personal data across all Member States. Since we want the business of our clients (and of all interested parties) to be legal in all respects, we have also made sure that your internal legislation will comply with the new rules on the protection of personal data.
On 25 May 2018, the General Regulation (EU) 2016/679, i.e., the GDPR - General Data Protection Regulation, came into force. It has brought some novelties in the field of personal data protection. Otherwise, the Regulation does not significantly differ from the existing personal data protection regime, which is governed by European national legislation (in Slovenia the Zakon o varstvu potrošnikov - ZVOP-1 is still in force), but it brings some novelties (a tightening) that, in the event of non-compliance with its provisions, can cost your company a lot of money (penalties up to EUR 20,000 million or up to 4% of annual turnover if they exceed the amount of the fine).
The right to the protection of personal data is one of the fundamental rights and freedoms guaranteed by the Constitution of the Republic of Slovenia (Article 38).
The General Regulation places great emphasis on the principle of accountability, which obliges data controllers to carry out data protection impact assessments (i.e., DPIA). This is a tool for identifying, analysing and reducing risks that could lead to a breach of legislation, and consequently for taking appropriate risk management measures. "Trusting in responsible handling of individuals' data should be crucial in the information society where personal data are the most important currency" (source: Information Commissioner of the Republic of Slovenia).
According to the current legislation, personal data are any data that relate to an individual, regardless of the form in which they are expressed. An individual is a natural person to whom the personal data relate. A natural person is identifiable if he or she can be identified directly or indirectly on the basis of personal data. Processing of personal data means any operation or set of operations performed on personal data (collection, acquisition, recording, organisation, storage, adaptation, alteration, consultation, use, dissemination or otherwise making available ...).
The aim of the Regulation is to enable residents to control their own personal data and to unify and raise the level of protection of personal data across the EU. In this respect, the Regulation provides for uniform and coordinated action by all Member States.
One of the main features of the Regulation is the rule that personal data can be collected and processed solely on the basis of the explicit consent of the individual. This consent is a clear, understandable, verifiable and provable statement given by the individual through an unambiguous affirmative action.
Companies should also check the consents already granted and verify their validity.
The next feature of the Regulation is the individual's right to revoke consent and the right to withdraw consent. Likewise, an individual must have the opportunity to know of all the records in which his personal data are stored and to be informed, in a clear and comprehensible manner, about how and for what purpose his personal data are processed.
The Regulation also gives the individual »the right to be forgotten«. This means that an individual can request at any time that his data be erased from the record (or collection) of personal data.
The Regulation has also introduced a new institution - an authorised data protection officer (i.e., "DPO"). The public sector and companies whose activities involve regular, systematic and extensive monitoring of individuals, or extensive processing of special categories of data (all market operators, banks, insurance companies, loyalty clubs, HR agencies ...), must have an authorised person for the protection of personal data who ensures the lawful and correct implementation of personal data protection. The "DPO" must notify the supervisory authority of any breach within 72 hours of discovering a possible irregularity.
Businesses must also keep a description of their personal data collections. These are collections (records) of individuals' personal data, which must be adequately described and documented in the company's internal acts. A company cannot adequately protect data that it has never checked and recorded. The documentation that holds the records of personal data collections must be regularly refreshed and adapted to actual practice and needs.
Agencija SPIN d.o.o. offers the following services for your company:
- the performance of a risk assessment,
- harmonization of internal acts with new European legislation and
- provision of an authorised person who will manage your company's personal data.
The GDPR will undoubtedly have a significant impact on the operations and functioning of the public administration, organisations and companies that process personal data, as they will have to harmonise their operations properly and bring their data protection into line with the new standards and requirements.
Call us today! Remember that penalties may be imposed and can have disastrous effects on your business if you do not harmonise your personal data protection with the General Data Protection Regulation.