- Personal Information
Explains the types of information that the law applies to, and introduces the data principles. Data Privacy/Protection Principles (DPPs). It also explains a tool for applying the DPPs – the Information Life Cycle.
According to the law, personal data is defined as “any data relating to an identified natural person, or one who can be identified directly or indirectly by way of linking data, using identifiers such as name, voice, picture, identification number, online identifier, geographic location, or one or more special features that express the physical, psychological, economic, cultural or social identity of such person. It also includes Sensitive Personal Data and Biometric Data.”
Article 20 – Personal Data Security
- The Controller and Processor shall establish and take appropriate technical and organizational measures and procedures to ensure achievement of the information security level that is commensurate with the risks associated with Processing, in accordance with the best international standards and practices, which may include the following:
- encryption of Personal Data and application of Pseudonymization.
- application of procedures and measures that ensure the confidentiality, safety, validity and flexibility of Processing systems and services.
- application of procedures and measures that ensure the timely retrieval and access of Personal Data in the event of any physical or technical failure.
- application of procedures that ensure a smooth testing, evaluation and assessment of the effectiveness of technical and organizational measures so as to ensure the security of Processing.
- When evaluating the level of information security provided for in Item (1) of this Article, the following shall be taken into account:
- risks associated with Processing, including Personal Data damage, loss, accidental or illegal modification, disclosure or unauthorized access, whether transmitted, stored or processed.
- the costs, nature, scope and purposes of Processing, as well as the different potential risks to the privacy and confidentiality of the Personal Data of the Data Subject.
- Collection: Collection of customer information
Explains the key steps to take when you are collecting personal information. Collection is Stage 1 of the Information Life Cycle.
Collection is included in the processing
Processing:
Any operation or set of operations which is performed on Personal Data using any electronic means, including Processing and other means. This process includes collection, storage, recording, organization, adaptation, alteration, circulation, modification, retrieval, exchange, sharing, use, or classification or disclosure of Personal Data by transmission, dissemination or distribution, or otherwise making it available, or aligning, combining, restricting, blocking, erasing or destroying Personal Data or creating models therefor.” Another type is automated processing which is “processing that is carried out using an electronic program or system that is automatically operated, either completely independently without any human intervention, or partially independently with limited human supervision and intervention.
Article 4 – Cases of Processing Personal Data without the Data Subject’s Consent
It is prohibited to process Personal Data without the consent of the Data Subject. However, the following cases, in which Processing is considered lawful, are excluded from such prohibition:
- if the Processing is necessary to protect the public interest.
- if the Processing is for Personal Data that has become available and known to the public by an act of the Data Subject.
- if the Processing is necessary to initiate or defend against any actions to claim rights or legal proceedings, or related to judicial or security procedures.
- if the Processing is necessary for the purposes of occupational or preventive medicine, for assessment of the working capacity of an employee, medical diagnosis, provision of health or social care, treatment or health insurance services, or management of health or social care systems and services, in accordance with the legislation in force in the State.
- if the Processing is necessary to protect public health, including the protection from communicable diseases and epidemics, or for the purposes of ensuring the safety and quality of health care, medicines, drugs and medical devices, in accordance with the legislation in force in the State.
- if the Processing is necessary for archival purposes or for scientific, historical and statistical studies, in accordance with the legislation in force in the State.
- if the Processing is necessary to protect the interests of the Data Subject.
- if the Processing is necessary for the Controller or Data Subject to fulfill his/her obligations and exercise his/her legally established rights in the field of employment, social security or laws on social protection, to the extent permitted by those laws.
- if the Processing is necessary to perform a contract to which the Data Subject is a party or to take, at the request of the Data Subject, procedures for concluding, amending or terminating a contract.
- if the Processing is necessary to fulfill obligations imposed by other laws of the State on Controllers.
- any other cases set by the Executive Regulations of this Decree Law.
Article 5 – Personal Data Processing Controls
Personal Data shall be processed according to the following controls:
- Processing must be made in a fair, transparent and lawful manner.
- Personal Data must be collected for a specific and clear purpose, and may not be processed at any subsequent time in a manner incompatible with that purpose. However, Personal Data may be processed if the purpose of Processing is similar or close to the purpose for which such data is collected.
- Personal Data must be sufficient for and limited to the purpose for which the Processing is made.
- Personal Data must be accurate and correct and must be updated whenever necessary.
- Appropriate measures and procedures must be in place to ensure erasure or correction of incorrect Personal Data.
- Personal Data must be kept securely and protected from any breach, infringement, or illegal or unauthorized Processing by establishing and applying appropriate technical and organizational measures and procedures in accordance with the laws and legislation in force in this regard.
- Personal Data may not be kept after fulfilling the purpose of Processing thereof. It may only be kept in the event that the identity of the Data Subject is anonymized using the “Anonymization” feature.
- Any other controls set by the Executive Regulations of this Decree Law.
- Storage: Storage of customer information
Explains the requirements for storing personal information. Storage is Stage 2 of the Information Life Cycle.
Refer to the definition of processing previously given, as well as Article 2.a.
Article 8 – General Obligations of the Processor
The Processor shall:
- protect and secure the Processing operation and secure the media and electronic devices used in the Processing and the Personal Data stored therein.
- Use: Use of customer information
Highlights key considerations when using personal information within your organization. Use is Stage 3 of the Information Life Cycle.
Refer to the definition of processing previously given, as well as Article 8.6.
Profiling:
A form of Automated Processing consisting of the use of Personal Data to evaluate certain personal aspects relating to a Data Subject, including to analyze or predict aspects concerning his/her performance, economic situation, health, personal preferences, interests, behavior, location, movements or reliability.
Cross-Border Processing:
Dissemination, use, display, transmission, receipt, retrieval, sharing or Processing of Personal Data outside the territory of the State.
- Disclosure: Disclosure of customer information
Highlights what you must remember when you disclose customer information to organizations outside the organization.
Disclosure is Stage 4 of the Information Life Cycle.
Article 8 – General Obligations of the Processor
The Processor shall:
- not to take any action that would disclose the Personal Data or the results of Processing, except in cases permitted by law.