Personal data protection and digital privacy

Introduction

Basic human rights

The fundamental human right to the protection of personal data is an important aspect in the current era of digital communication and information technologies.
This right is enshrined in various legislative documents, such as Article 8 of the Charter of Fundamental Rights of the European Union and Article 19 of the Constitution of the Slovak Republic.

Article 8 of the Charter of Fundamental Rights of the EU
Everyone has the right to the protection of personal data concerning him or her.
Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. Compliance with these rules shall be subject to control by an independent authority.

Article 19, paragraph 3 of the Constitution of the Slovak Republic
Everyone shall have the right to be protected against unjustified collection, disclosure and other misuse of his or her personal data.

However, it is important to remember that the right to the protection of personal data is not an absolute right.
It is also necessary to take into account other fundamental rights and balance the right to the protection of personal data with other related fundamental rights, e.g.:

  • the right to respect for private and family life, home and communications;
  • freedom of expression and the right to information;
  • freedom of enterprise;
  • the right to an effective remedy and a fair trial.

Who is protected?

The fundamental right to the protection of personal data applies exclusively to natural persons, regardless of their nationality or place of residence, as long as they are in the EU.
Protection is not granted to legal persons, e.g. in relation to companies and their business name, legal form and contact details. Protection is also not granted to the personal data of deceased persons.

What do we consider personal data?

Article 4(1) GDPR: “personal data means any data relating to an identified or identifiable natural person”

We distinguish:

  • identified person – we can clearly determine who it is based on certain data;
  • identifiable person – a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Examples of personal data

Example 1: Taking and storing fingerprints by state authorities (CJEU decision in case C-291/12 Michael Schwarz vs. Stadt Bochum)
Example 2: Working time records (CJEU decision in case C-342/12)
Example 3: Data on the amount of benefits (CJEU decision in cases C-465/00, C-38/01, C-139/01)
Example 4: Time and date of calls and messages

Special categories of personal data

The processing of personal data that reveals:

  • racial or ethnic origin,
  • political opinions,
  • religious or philosophical beliefs or trade union membership,
  • processing of genetic data,
  • biometric data for the individual identification of a natural person,
  • health-related data.

Example 1: when processing fingerprints (biometric data) in connection with logging into the "ISKO" information system, the company did not meet at least one of the conditions for processing special categories of personal data specifically enumerated in Art. 9, para. 2 GDPR (commercial company, fine €1,700)

Online identifier

What is considered an online identifier?

  • IP address,
  • cookies,
  • other.

IP address as personal data

Case Patrick Breyer v Federal Republic of Germany (C-582/14): It states that it is necessary to refrain from storing, or having third parties store, the IP address of the applicant's host system.

Objective approach

  • "an IP address is personal data in the hands of everyone because an Internet Service Provider (ISP) can link the IP address to Mr. Breyer's real-world identity, even if no one else can"

Subjective approach

  • an IP address is personal data in the ISP's domain, but it will not be personal data in the hands of another party who does not have the legal means to access the information held by, for example, the ISP

Cookies

They are a means of transmitting information between the original server and the user and storing it on the user's end device.
Cookies are small data or text files used by the servers of websites visited by users to collect information, and are stored directly on the user's end device.

In terms of the purposes for which cookies are used, the following can be mentioned in particular:

  • storing information about the user's preferences in relation to the website being visited (selected language, font size, etc.),
  • verifying a user's identity in order to log in to a specific site or to conduct online business transactions (without the need to re-enter information),
  • analysis of the effectiveness and use of a specific website (traffic),
  • analyzing the effectiveness of ads displayed on the site and implementing targeted online advertising and marketing based on previous user behavior.

Legitimate interest

Legitimate interests may provide a legal basis for processing where they are not overridden by the interests or fundamental rights and freedoms of the data subject, taking into account the reasonable expectations of the data subjects based on their relationship with the controller.

This means that if the controller has legitimate interests that are in accordance with the law and do not have a negative impact on the data subject, he may process their personal data based on this legal basis.

Proportionality test: When applying the legal basis of "legitimate interest", it is important for the controller to assess whether the amount and scope of personal data being processed is not excessive and whether it is appropriate to achieve the objective pursued by the legitimate interests.

Examples:

  • ensuring network security and information security,
  • operation of a camera system (protection of property and security),
  • contact form on the website.

Personal data security

Security of processing of personal data under the GDPR (Article 32):
The controller and the processor shall, taking into account the latest knowledge, adopt appropriate technical and organizational measures to ensure a level of security appropriate to the risk, where appropriate, including:

  • pseudonymization and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  • the process of regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing.

Information security:
From an information security perspective, it is important to ensure the confidentiality, integrity and availability of all information, not only personal data.

  • Confidentiality – information accessible only to persons we designate
  • Integrity – the information is complete and has not been unknowingly modified
  • Availability – information accessible upon request by these individuals at that time

Example 1

The controller, through two mass emails, made available, without legal basis, the personal data of 372 students of the 10th year of study in the following scope: name, surname, email address, test result, data related to placement in study groups (the data was made available to students and all faculty employees) and the personal data of 217 students of the 10th year of study in the following scope: name, surname, generally applicable identifier (personal identification number), data related to placement in study groups (the data was made available to students and all faculty employees) (university, €900). The controller took measures - retraining the employee.

The intermediary sent an email containing the personal information of the data subject in the scope of name, surname, date of birth, address, telephone number and insurance policy number of the mobile device to an email address without the personal information provided within the sent email being password-protected, thereby making the personal information available to another person without legal basis (ISP, €700).

Publication of personal identification numbers of 186 applicants for study (school, €700).
The new legal regulation on the protection of personal data does not include the generally applicable identifier - the personal identification number of the natural person among the so-called special categories of personal data, but the processing of personal identification number continues to be subject to a special regime pursuant to Section 78(4) of the Personal Data Protection Act.

Anonymization vs. pseudonymization

Anonymization is the process by which personal data is modified in such a way that it can no longer be attributed to a specific data subject without the use of additional information. This means that the data is completely disconnected from individuals and cannot be identified.

Source: Freepik

Pseudonymization is the process by which personal data is modified so that an individual cannot be immediately identified, but there is still the possibility of associating the data with the data subject using additional information, a key or identifier.
Even if the data is ostensibly anonymized, it is necessary to ensure that the key or information to de-anonymize it is properly protected and stored securely.

Source: http://www.protegrity.com/pseudonymization-vs-anonymization-help-gdpr/
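
The difference described above, as an added example that is not part of the original page: a keyed pseudonym (HMAC-SHA256) replaces the direct identifier, re-identification works only with the separately stored key table, and an aggregate stands in for anonymized output. The record fields, the "ID-0001" identifier format and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not real people or real identification numbers).
RECORDS = [
    {"name": "Student A", "id_number": "ID-0001", "test_result": 87},
    {"name": "Student B", "id_number": "ID-0002", "test_result": 64},
    {"name": "Student A", "id_number": "ID-0001", "test_result": 91},
]

def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): stable per key, not guessable without it."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]

def pseudonymize(records, key):
    """Return (data set without direct identifiers, key table).

    The key and the key table are the "additional information"; they must be
    stored apart from the data set, with their own access control.
    """
    dataset, key_table = [], {}
    for rec in records:
        p = pseudonym(rec["id_number"], key)
        key_table[p] = {"name": rec["name"], "id_number": rec["id_number"]}
        dataset.append({"subject": p, "test_result": rec["test_result"]})
    return dataset, key_table

def reidentify(row, key_table):
    """Linking a row back to a person works only with the key table."""
    return key_table.get(row["subject"])

def guess_identifier(value, candidates, derive):
    """Model a holder of the data set who enumerates a small identifier space."""
    return next((c for c in candidates if derive(c) == value), None)

def anonymize(records):
    """Keep only an aggregate: no per-person row or identifier remains."""
    results = [r["test_result"] for r in records]
    return {"count": len(results), "mean_result": round(sum(results) / len(results), 1)}

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice kept in a separate key store
    data, table = pseudonymize(RECORDS, key)
    print(data, reidentify(data[0], table), anonymize(RECORDS), sep="\n")
```

guess_identifier shows why the key matters: an unkeyed hash of an identifier drawn from a small, structured space can be matched by enumeration, while the keyed pseudonym cannot be matched without the key.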

Controller’s responsibility

The controller is responsible for compliance with the principles and must be able to demonstrate this compliance ("accountability") (Article 5(2) GDPR).
Taking into account the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and be able to demonstrate that the processing is carried out in accordance with this Regulation (Article 24(1) GDPR).
In the event of a personal data breach, the controller shall notify the personal data breach to the supervisory authority without undue delay and, where possible, not later than 72 hours after having become aware of it… The data subject (Articles 33(1) and 34(1) GDPR).

Which incidents need to be reported?
Personal data breach
Security breach

Who must report?
Every controller and processor

Who should the incident be reported to?
To the Office for Personal Data Protection (Úrad na ochranu osobných údajov) and, in some cases, to the data subjects

By when must the incident be reported?
Without undue delay, or within 72 hours