Personal data protection and digital privacy

Processing of personal data

Back
Previous topic
Next topic

Processing of personal data

Processing of personal data is an operation or set of operations performed on personal data or sets of personal data.

Examples: acquisition, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, whether or not by automated means

Essentially any "handling" of personal data

The life cycle of personal data processing. Source: https://www.researchgate.net/publication/343212120_Digital_Privacy_in_the_Network_World

Rights of data subjects

Data subject = natural person about whom personal data are processed.

Right to access personal data

Data subjects have the right to request information about what personal data is being processed about them and for what purposes. This right allows for transparency in the data processing process.

If the data subject finds that their personal data is inaccurate or out of date, they have the right to request its correction. This ensures that the data used about them is correct.

Data subjects may object to the processing of their personal data on specific grounds. This right gives them control over how their data is used.

Data subjects have the right to request the erasure of their personal data, in particular if they are no longer necessary for the purposes for which they were originally collected.

Data subjects may request the restriction of the processing of their personal data in certain cases, for example if the personal data is disputed or the processing entities no longer need the data for certain purposes.

Data subjects have the right to have their personal data accurate and up-to-date. This means that processing entities must have mechanisms in place to ensure the accuracy of the data.

Data subjects have the right not to be subject to decisions based solely on automated processing of personal data, unless this has a legal or other significant impact on them. This ensures that the human factor is maintained in important decisions concerning the data subject.

It is important that organizations that process personal data respect these rights and ensure that data subjects can exercise their rights in accordance with applicable law.

Examples of violations of data subjects' rights

Example 1: The operator of the personal data information system did not comply with the request of the applicant as a data subject regarding the exercise of the right to access his personal data within 1 month of its delivery (commercial company, €10,000)
Example 2: Failure to process the request of the data subject within 1 month of its delivery (providing information on whether the company has a photocopy of the ID card) (commercial company, €1,000)
Example 3: Failure to process the request of the data subject within 1 month of its delivery (state authority, €700). Obligation to continuously monitor work emails, including spam, within 10 days of the decision becoming final, in order to timely record the exercise of the rights of data subjects and process them without delay, no later than within 1 month of the delivery of the request of the data subject

Controller vs. Processor

These two terms define different roles and responsibilities in the process of processing personal data.

Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Example 1: Issuing certificates

  • UPJŠ – processor
  • Disig – controller


Example 2: Providing cloud services (emails, storage)

  • UPJŠ – controller
  • Microsoft – processor

Personal data processing policies

The principle of legality, fairness and transparency

According to Art. 5 (1) (a) GDPR/56 of the Personal Data Protection Act
personal data must be processed lawfully, fairly and transparently in relation to the data subject.

According to Art. 5 para. 1 letter b) GDPR / 57 of the Personal Data Protection Act
personal data are collected for specific, explicit and legitimate purposes and may not be further processed in a manner incompatible with those purposes.

According to Article 5 (1) (c) GDPR/58 of the Personal Data Protection Act
Personal data must be processed in a way that is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

According to Art. 5 para. 1 lit. d) GDPR / 59 of the Personal Data Protection Act
personal data must be processed correctly and, where necessary, updated. All necessary measures must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.

According to Article 5(1)(e) of the GDPR / Section 510 of the Personal Data Protection Act
personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

According to Art. 5 para. 1 lit. f) GDPR / §11 of the Personal Data Protection Act
personal data must be processed in a manner that ensures adequate security of personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, through appropriate technical or organizational measures.

According to d.2 GDPR/S12 Personal Data Protection Act
The operator is responsible for compliance with the basic principles of personal data processing, for compliance of personal data processing with the principles of personal data processing.
He is obliged to demonstrate this compliance with the principles of personal data processing upon request of the authority.

Transparency

This is about transparency towards individuals about how their personal data is collected, used and processed, including the definition of the scope of processing. All information regarding the processing of personal data must be easily accessible, easily understandable and in clear and simple terms.
Individuals should be informed about the risks, rules, safeguards and rights when processing personal data, as well as how to exercise their rights when processing such data. Particular emphasis is placed on defining the purpose of processing personal data.

Defining purposes (selection):

  1. Study purposes (providing and providing studies)

2. Issuance of student ID cards

3. Provision of food and accommodation

4. Fulfillment of obligations and tasks of a public higher education institution

5. Library and information purposes (university library)

6. Personnel and payroll purposes

7. Protection of property, safety and health

8. Raising awareness of the university (marketing purposes)

9. Ensuring information and cybersecurity security   

10. Management of digital identities of users of electronic (network and information) services of the university    

11. Elektronická komunikácia s orgánmi verejnej moci (e-Government)

Examples of transparency violations

Example 1: The recording from the camera system installed in the museum containing the applicant's personal data (image and information about her movement in a given time and space) was not used exclusively for the declared purpose, but also for the purpose of fulfilling the applicant's work duties (museum, €700).
Example 2: The operator did not provide the data subjects (participants) with the information that he is obliged to provide when obtaining their personal data in a sufficiently transparent (brief, clear, understandable) manner, as he did not include information about the purpose, legal basis for processing and appropriate guarantees in connection with the possible transfer of their personal data to a third country, thereby acting in a non-transparent manner towards the data subjects (ISP, €3,000).
Example 3: The operator on its website, in the General Terms and Conditions, as part of fulfilling the information obligation, included references to the ineffective Act No. 122/2013 Coll. and this ineffective law was also referred to in the so-called "consent to processing of personal data" addressed to the data subject (commercial company, €500).

Data minimization

Personal data must be adequate, relevant and limited to the extent necessary in relation to the purposes for which they are processed.
Example 1: In the case of cameras, the area monitored also exceeds the scope necessary to achieve the purpose of monitoring (surrounding family houses and gardens) – (municipality, €700).
Example 2: During a telephone conversation conducted from a telephone number – the operator, for the purpose of processing a request to verify the availability of services at the address of permanent residence, required the potential client (applicant) to provide his/her personal identification number, the acquisition of which was not necessary to achieve the given purpose of processing (commercial company, €1,200).

Minimizing retention

In order to ensure that personal data are not kept longer than necessary, the controller should set time limits for erasure or periodic review.

Example 1: the 14-day retention period of the personal data set by the operator was not necessary to achieve the intended purpose of protecting property, persons and detecting criminal activity (commercial company, €700).
Example 2: it kept recordings from the camera system beyond the time frame necessary to fulfill the purpose of processing (6-8 days depending on the storage capacity) – (municipality, €700).
Example 3: the operator of the Office did not prove the necessity of processing the applicant's work email for a period of 10 months from the termination of the employment relationship with him (commercial company, €500).
Example 4: the operator kept clients' insurance documentation in electronic form for at least 15 years from the termination of the contractual relationship with the person concerned, while this was not necessary to achieve the purpose set in this way (insurance company, €6,500).

Lawfulness of processing personal data

  1. Consent
    The data subject (e.g. patient) has consented to the processing of their personal data.
    E.g. sending marketing messages from a healthcare provider.
    Performance of a contract: Processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract.
    E.g. employment relationships.
  2. Legal obligation
    Processing is necessary to fulfill the legal obligation of the controller.
    For example, Act No. 576/2004 Coll. on healthcare, services related to the provision of healthcare and on amendments and supplements to certain acts, as amended, according to which the consent of the data subject (patient) to the processing of data from medical documentation under the conditions set out in this Act is not required.
  3. Vital interest
    Processing is necessary to protect the vital interests of the data subject or another natural person.
    E.g. processing of personal data of a victim or participants in a traffic accident.
    E.g. processing of personal data is necessary for humanitarian purposes.
  4. Public interest
    Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
    For example, the provision of healthcare itself.
  5. Legitimate interest: processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party.
    For example, the operation of a camera system on the premises of a healthcare provider.

 

Example 1: Using the email address of the data subject in the period after the termination of the employment relationship of the data subject without a legal basis (municipality, €500).
Example 2: The controller did not demonstrate to the Office an adequate legal basis for processing the work email address of the claimant after the termination of the employment relationship with him, since, pursuant to Article 6(1)(f) of the GDPR, it did not consider comparing the individual rights of the data subjects with his legitimate interest at all.
Example 3: Publishing on the operator's website (in the announcement Decision of the Bratislava Labour Inspectorate on imposing a fine) the name, surname and date of birth of the data subject without legal basis (municipality, €2,000).