The Data Protection Law recognises two parties who deal with personal data:
- Data Processor: the individual or legal entity that processes personal data on behalf of the Data Controller.
- Data Controller: the individual or legal entity that decides on the processing of personal data.
Their relationship must be established through contractual clauses or other legal instruments in a way that proves the existence, scope and nature of such relationship.
According to the Data Protection Legislation, the principles that must be observed by controllers and/or processors in the processing of personal data are the following:
- Legitimacy: Personal data must be collected and processed in a lawful manner;
- Consent: The data subject must give its consent for the processing of its personal data;
- Information: Through a Privacy Notice, the Data Controller must inform the data subject about the existence and the characteristics of their personal data processing;
- Quality: This principle is deemed met when the personal data is provided directly by the data subject; if not, the Data Controller must take the measures needed to meet the quality principle and adopt whatever mechanisms are considered necessary to ensure that the data is accurate, complete, up to date and correct;
- Purpose: Personal data can only be processed for the purposes established in the Privacy Notice;
- Loyalty: Personal data must be processed safeguarding the protection of the data subjects’ interests and the reasonable expectation of privacy;
- Responsibility: Data Controllers are responsible for the processing of personal data in their custody, as well as for data transferred to a Data Processor.
Additionally, the following legal requirements should be taken into account when processing personal data:
- Personal data must be collected and processed in a lawful manner in accordance with the provisions established by the Data Protection Legislation and other applicable regulations;
- Personal data must not be obtained through deceptive or fraudulent means;
- In all processing of personal data, a reasonable expectation of privacy is presumed, understood as the trust a person places in another that the personal data provided will be treated in accordance with the agreement of the parties, in the terms established by the Law;
- Personal data should not be kept for any longer than is necessary in order to comply with the purposes for which the personal data was originally held. Data Controllers must establish and document retention procedures, including deletion and/or blocking of personal data, taking the nature of the data into account.
Protection of personal data is based on:
- processing that is fair and lawful;
- collection for specific, clearly defined and legitimate purposes, and processing in a way that is compatible with these purposes;
- adequate data, which are relevant to the purpose of their processing and not excessive in relation to such purpose;
- accurate data, and where necessary, updated; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
- keeping data in a form that allows the identification of data subjects for no longer than is necessary for the purpose for which they were collected or further processed.
The controller is in charge of applying these requirements to all kinds of processing of data, be it automatically or by other means.
Personal data may be processed only if:
- the data subject has given his or her consent;
- processing is necessary for the performance of a contract to which the data subject is party, or in order to negotiate or amend a draft contract at the request of the data subject;
- processing is necessary to protect the vital interests of the data subject;
- processing is necessary to comply with a legal obligation of the controller;
- processing is necessary for the performance of a legal task of public interest or in the exercise of powers of the controller or of a third party to whom the data are disclosed;
- processing is necessary for the protection of the legitimate rights and interests of the controller, the recipient or any other interested party. In any case, however, the processing of personal data cannot be in clear contradiction with the data subject's right to protection of personal life and privacy.
Processing of personal data in the framework of crime prevention and prosecution activities, in cases of a criminal offence against the public order and other violations in the field of criminal law, defence and national security, shall be performed by official authorities as stipulated in the law.
Nevertheless, the controller or processor may carry out personal data processing for the purpose of offering business opportunities or services, provided that the data were taken from a public list.
The controller or processor may not further process the data referred to in this paragraph if the data subject has expressed his or her disagreement or has objected to further processing. No additional personal data may be attached to the data specified above without the consent of the data subject.
The controller is allowed to keep the personal data in its own filing system.
Such data can only be used if the data subject gives his or her consent.
The collection of personal data which is related to a data subject solely for reasons of direct marketing is allowed only if the data subject has given his or her explicit consent.
Obligations of the Controller and Processor:
- obligation to inform;
- obligation to rectify and erase;
- obligations of the Processor.
Personal data can only be processed with the consent of its owner, which must be prior, informed, express and unequivocal.
Consent may be obtained through written or verbal means. In the case of sensitive data, consent must be given in written form.
The data controller must provide the data subjects with the following information:
- (i) the identity and address of the data controller and, if applicable, of the data processor;
- (ii) the purpose of the personal data processing;
- (iii) who the recipients may be (national or international transfers);
- (iv) the existence of the data bank where the information will be stored;
- (v) the mandatory or optional nature of the proposed questionnaire;
- (vi) any consequences of providing personal data and of refusing to do so;
- (vii) any transfer of personal data;
- (viii) the period for which personal data will be held; and
- (ix) the means and possibility of exercising the rights of access, rectification, opposition and cancellation.
The data controller and the data processor, when applicable, must comply with the following obligations:
- Not to collect personal data by fraudulent, unfair or illegal means;
- Collect up-to-date, necessary, relevant and adequate personal data in connection with a determined, explicit and legal purpose;
- Not to use personal data for any purpose other than those for which it was collected in the first place, unless such data undergoes an anonymisation or dissociation process;
- Store personal data in such a manner that allows data subjects to enforce their rights;
- Delete or replace personal data upon knowledge of its inaccuracy or incompleteness;
- Delete personal data when it is no longer necessary for the purpose for which it was collected, unless such data undergoes an anonymisation or dissociation process;
- Provide the information that the DPA requests.