GENERAL DATA PROTECTION REGULATION EU – GDPR 2016/679
Due to the aforementioned deficiency of the regulations who have been regulated the processing and flow of information in EU and to third countries, after several years of preparations, on April 27, 2016, the European Parliament elected the General Data Protection Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data number 2016/679, which entered into force on May 25. 2018, and it brings series of new rules with intention to protect personal data in a greater extent than it was previously.
The general regulation contains a number of new terms and categories in relation to the previous regulatory framework, such as the term pseudonymisation, biometric data, the main company’s business place that shall be considered as a controller or data processor, etc.
Due to the complexity of the issue, but also the regulation itself, which implementation requires professional assistance and a high level of responsibility, the European Parliament has envisaged a new category – Data Protection Officer, who is responsible for providing professional assistance and advising public and state bodies in the capacity of controller and processor, as well as in the case of controllers whose main activity is mass monitoring, data collection and processing. The obligation to engage a Data Protection Officer also exists in the case of processing sensitive categories of personal data.
The Regulation has binding effect in relation to the previous Directive, and all Member States must apply it directly, notwithstanding on national laws which must not be in conflict with its provisions. Respectively, the Regulation gives a lot of space to the member states to solve some issues differently and mostly to expand the conditions and manner of collection and processing, but without affecting the basic principles of the Regulation itself, which must not be questioned.
The regulation also brought changes when it comes to territorial and personal scope, because it also refers to countries that are outside of the Union, i.e. if the controller and processor have their headquarters outside the Union and their activities are directed towards EU citizens. The regulation specifies in which situations the offer of commodity or services will be considered aimed at EU citizens, taking into account the language in which the offer is made, the currency, etc.
GDPR PREAMBLE – WHY IT MATTERS
The preamble of the GDPR is very important for a better understanding of the integral regulation’s text, its more precise application, but also and for understanding the essential reasons why this regulation had to be adopted, and which principles and values are protect by it. It is difficult to expect from regulation that has the characteristics of a general law act for such an important area, and it is also difficult for the less than a hundred members to enable a simple and clear formulation of legal norms, i.e. that they precisely assign the task to the subjects who should apply these provisions. Therefore, such a generalized introduction in the form of a preamble has to a large degree enabled us to understand the GDPR in the right way.
At its beginning, the preamble refers to Article 8 of the Convention on Human Rights, as well as Article 16, paragraph 1, of the Treaty on the Functioning of the European Union, confirms that the protection of individuals regarding to the processing of personal data is a fundamental right, as well the rules and principles of the protection personal data in relation to the processing of their personal data must respect their fundamental rights and freedoms, regardless of their citizenship or residence, whereby the creator of the regulation makes the necessary connection with other relevant regulations and gives legitimacy to the Regulation itself.
The further text indicates the restrictions on the right to protection of personal data for the sake of other interests that currently prevail over the interest of privacy. The right to data protection is certainly not an absolute right, so the social context must be taken into account, i.e. it must be seen within a unique legal system in order to achieve the necessary balance with other subjective rights. In any case, the Regulation must respect the guaranteed rights, freedoms and principles recognized by the European Convention on Human Rights, the UN Charter and other important international acts with an emphasis on rights concerning privacy such as the neediness of guarantee private and family life, home and communications, but also freedom of opinion, conscience and religion, freedom of expression and information, freedom of business, the right to an effective remedy and a fair trial, as well as the right to diversity related to culture, religion and language.
The preamble clarifies the effect of the regulation in the personal sense, and so it specifies that the protection provided by this regulation must apply to natural persons, regardless of their citizenship or residence, or indicates that act does not cover the processing of personal data concerning legal entities, including business name, form and contact details. This effectively excludes the possibility of interpreting whether the address data are impersonal with the emails and telephone numbers of the legal entity in the domain of the GDPR or not. Furthermore, this regulation does not apply to the processing of personal data in the course of exclusively personal or domestic activities.
The Decree prescribes that its rules do not apply to judicial agency either, in the part that is relates to the performance of their judicial function, all with the aim of ensuring the independence of the judicial in relation to the executive and legislative power. With the fact that, because of the more functional mechanism of power’s separation, the legislator clarifies that this part of judicial activity must not remain completely out of control of the law, so it should be possible to supervise such data processing by special bodies through a system of complaints, which would increase judges’ awareness of their obligations.
An important part of the Preamble is the one concerning the definition of the personal effect of the document in relation to deceased persons. Since the text of the regulation itself does not speak about that, the preamble resolves this dilemma and limits the effect only on living natural persons.
Also, regarding the procedure of obtaining consent for the processing of children’s data, the GDPR does not go into the details of this regulation, yet shifts the responsibility to the controller by the provision that he is obliged to do everything what is in his power to check whether the consent was given or approved by the holder of parental responsibility over the child, taking into account the available technology. This overly broad rule the preamble clarifies some extent by adding that children deserve special protection with regard to their personal data, as they may be less aware of the risks, consequences and protection measures, as well as their rights regarding to the processing of personal data, and that special protection must apply in particularly when it comes to using children’s personal data for the purpose of marketing or creating personal or user profiles and also collecting of children’s personal data when it comes to using services offered directly to the child. In these situations, the consent of the holder of parental responsibility over the child should not be necessary if it is in the context of preventive or counseling services offered directly to the child. This clarification significantly limits the scope of situations in which the controller would have to obtain the prior consent of the parents, i.e. the executor of parental rights, which can often be impractical in practice, but also unnecessary.
Also, in the case of the right to be forgotten, the legal norm states that the person to which the data relates has that right if the data are no longer needed for the purposes for which they were collected or otherwise processed. But the preamble further clarifies in which situations data is no longer needed. Thus, if the data subjects have withdrawn their consent or if they object the processing of personal data concerning them or if the processing of their personal data in other ways is not in accordance with this Regulation, the processing of data will not be considered as necessary. This right is particularly important if a person gave his or her consent when he or she was a child when he or she was not fully aware of the risk of processing, and at some point later has a neediness to remove such personal data, especially online. Given the importance of the right to be forgotten in order to enhance its effect in the Internet environment, the right to be forgotten should be extended so that the controller who published personal data has the obligation to notify other data controllers who process such personal data to delete all copies of that data, and all of the links that lead to that content. On that occasion, the controller must take acceptable measures, and takes into account available technology and available resources to the data controller, including technical measures, to inform the data controllers about the request of the data subject, which is not an easy task, but it certainly contributes to a higher level of individual protection.
The regulation prescribes the rule that if the controller cannot determine the identity of a natural person on the basis of the personal data he was processing, the controller has no obligation to collect additional information to determine the identity of the data subject, all in order to collect as little information as possible, with what indirectly reduced the risk of the person’s privacy whose data is process. However, the Preamble elaborates on this provision in more detail and stipulates that the controller shall not refuse additional information provided by the data subject in order to support the realization of his or her rights. Identification should include the digital identification of the data subject, for example through an authentication mechanism such as the same data that the data subject used to log in to online services offered by the controller such as Double opt-in authentication (double user’s identity verification, i.e. verification of whether the subject user really has access to accounts or other contact information, by sending an email, SMS or automatic call with a verification code and link.
GDPR PREAMBLE AND SPECIAL PERSONAL CATEGORIES
Personal data that are, by their nature, particularly sensitive to fundamental rights and freedoms are included in to preamble in the category of data that deserve special protection because their processing could lead to significant risks for fundamental rights and freedoms. These personal data have to certainly include personal data that reveal racial or ethnic origin. Furthermore, photography or its processing should not be considered to special category of personal data at all costs because they will be only consider as biometric data if they are treat with special technical means and recognition algorithms that allow identification of a natural person, as is the case with individual internet platforms that use their programs to identify people on photos. Such processing is in principle not permitted, unless provided for in special cases in this Regulation, provided that Member States are left to lay down specific data protection provisions in order to adapt the application of the rules of this Regulation to comply with a legal obligation or to enforce a task performed in the public interest or within the performance of official capacity assigned to the controller. The rule on the ban in principle may also be deviated from if the person whose identity is revealed has given his / her explicit consent, which fulfills the conditions essential for its validity.
It further states that a derogation from the ban may also be allowed for health purposes, including public health and the management of health services, in particular to ensure the quality and cost-effectiveness of procedures used to deal with claims for benefits and services in the health insurance system or for archiving in the public interest, also for the purposes of scientific or historical research or for statistical purposes.
The derogation should also allow the processing of such personal data if this is necessary for the establishment, exercise or defense of legal claims before a court or administrative body.
EXPLANATION AND MORE DEFINITION OF THE IMPACT ASSESSMENT IN THE PREAMBLE
The preamble explains through examples in which situations an impact assessment should be carried out, so it is recommended to applied on the large-scale processing operations which is purpose processing of user’s data at regional, national or supranational level and which could affect a large number of persons to which the data relate and which are likely to cause a huge risk. Data protection impact assessment should also be performed when personal data are processed for the purpose of making decisions concerning individuals, i.e. after profiling data collected on natural persons or after processing special categories of personal data, biometric data or data on criminal convictions and criminal offenses.
Also, in the case of extensive monitoring of public areas, especially if cameras are use, it is necessary to perform a preliminary impact assessment.
EXPLANATION OF LEGITIMATE INTERESTS AS THE BASIS OF PREAMBLE PROCESSING
The Regulation prescribes several legal basis for processing to be consider as lawful, i.e. for the principle of processing lawfulness to be fulfillment. Thus, in addition to the execution of a legal obligation, the performance of official powers, the fulfillment of a contractual obligation and the given explicit consent to processing, the legislator also prescribes a legitimate interest as a basis. Despite the importance that the creator of the regulation gave to the legitimate interest by raising it to a new basis of processing, the initial text of the GDPR of 99 articles does not deal with defining the term, which leaves space for interpretation, and thus legal uncertainty. However, the preamble of the General Regulation deals with this basis of processing in some detail and states that the legitimate interests of the controller, including controller’s interests to whom personal data may be disclosed, or of a third person, may constitute a legal basis for processing, under condition that the interests or fundamental rights and the freedoms of data subjects are not predominant, considering the data subject’s reasonable expectations based on their relationship with the data controller. Such a legitimate interest could exist, for example, in the case of a relevant and appropriate relationship between the data subject and the controller in situations such as the situation in which the data subject is controller’s client or an employee of his service. In any case, the existence of a legitimate interest would require a careful assessment in every particular case, including an assessment of whether the data subject can reasonably expect processing for that purpose in the context of the collection of personal data. The data subject’s interests and fundamental rights may in particular outweigh on the controller’s interests if the personal data process in circumstances in which the data subjects do not reasonably expect further processing, i.e. if such processing would harm them. The clarification of the legislator regarding the processing by public authorities in this regard is very important. Namely, the legitimate interest should not be the basis of the authorities processing during the implementation of their tasks, as state by the preamble.
Further, the processing of personal data that is strictly necessary for the purpose of fraud prevention is also a legitimate interest to the controller. It can be considered that there is a legitimate interest in processing personal data for the purposes of direct marketing.
Considering that our Legislator did not take into account the preamble when he was passing the Law on Personal Data Protection of the Republic of Serbia, which implemented many solutions from the EU regulation, it is not even included in the text of our legal act. And since the Republic of Serbia is not part of the EU community, the General Regulation has no effect in terms of direct application, as it applies to its members, we can conclude that the “ZZPL“ (srb. Zakon o zaštiti podataka o ličnosti – Law on Personal Data Protection of the Republic of Serbia) does not deal in detail with legitimate interest as a basis for processing, i.e. from the current legal formulation or practice it cannot be conclude when and under what circumstances may consider that the condition to apply this basis of data processing is fulfilled.