Protection of personal data is based on:
- processing that is fair and lawful;
- collection for specific, clearly defined and legitimate purposes, and processing in a way that is compatible with those purposes;
- adequate data, which are relevant to the purpose of their processing and not excessive in relation to that purpose;
- accurate data, updated where necessary; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
- keeping data in a form that allows the identification of data subjects for no longer than is necessary for the purpose for which they were collected or further processed.
The controller is responsible for applying these requirements to all kinds of processing of data, whether automated or by other means.
The personal data may be processed only if:
- the data subject has given his or her consent;
- processing is necessary for the performance of a contract to which the data subject is party, or in order to negotiate or amend a draft contract at the request of the data subject;
- in order to protect the vital interests of the data subject;
- to comply with a legal obligation of the controller;
- for the performance of a legal task of public interest or in exercise of powers of the controller or of a third party to whom the data are disclosed;
- processing is necessary for the protection of the legitimate rights and interests of the controller, the recipient or any other interested party. However, in any case, the processing of personal data cannot be in clear contradiction with the data subject’s right to protection of personal life and privacy.
Processing of personal data in the framework of crime prevention and prosecution activities, in cases of a criminal offence against the public order and other violations in the field of criminal law, defence and national security, shall be performed by official authorities as stipulated in the law.
The controller or processor may carry out personal data processing for the purpose of offering business opportunities or services, provided that the data were taken from a public list of data.
The controller or processor may not further process the data referred to above if the data subject has expressed his or her disagreement or has objected to further processing. No additional personal data may be attached to the data referred to above without the consent of the data subject.
The controller is allowed to keep the personal data in its own filing system.
Such data can only be used if the data subject gives his or her consent.
The collection of personal data relating to a data subject solely for direct marketing purposes is allowed only if the data subject has given his or her explicit consent.
Obligations of the Controller and Processor:
- obligation to inform;
- obligation to rectify and erase;
- obligations of the Processor.
According to the CDLP the processing of all data shall be carried out:
- In a manner consistent with the law;
- For the purposes permitted by the legal system; and
- With attention to the full exercise of the fundamental rights of the data subject.
Consent of the data subject: Article 4 of the law establishes that the processing of personal data is permitted only when the law authorises it, or the subject expressly consents or authorises it. However, the law does not provide a definition of what the “authorisation” or “consent” of the data subject means or entails.
Quality: Article 6 of the law establishes that personal data will be: destroyed or cancelled when the purpose of its storage has no legal basis or when it has expired; modified when it is inaccurate, inexact, misleading or incomplete; and blocked when it cannot be destroyed or cancelled, and its accuracy cannot be established or its validity is doubtful.
Confidentiality: Article 7 of the law establishes that people who work in the processing of personal data, in the private and public sector, must maintain confidentiality when the data comes from sources not accessible to the public, as well as with respect to other data and information relating to the data bank; this obligation does not cease upon completion of their functions or activities in that field.
Purpose: Personal data will be used only for the purposes for which it was collected, unless it is obtained from sources accessible to the public (Article 9 of the law).
Sensitive personal data: Article 10 of the law prescribes that sensitive personal data, defined as any information regarding characteristics of a physical or moral nature of an individual or facts or circumstances of his private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:
- The law authorises it;
- The data subject expressly accepts said processing;
- Such data is necessary to establish or grant health benefits that pertain to the respective data subject.
Data security: Article 11 of the law establishes that those responsible for the registries or personal data must “take care of them with due diligence” and be liable for damages.