The Changes in the Personal Data Protection Act
In the State Gazette no. 17 of 26.02.2019 the long-awaited amendments to the Personal Data Protection Act (“PDPA”) were promulgated. The amendments aim at ensuring the effective implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“the Regulation“), and regulate public relations related to the protection of individuals’ rights in the processing of their personal data, insofar as they are not covered by the Regulation.
Some of the changes include:
I. Accountability Mechanisms for Compliance with Personal Data Legislation
- Accreditation of certifying bodies and certification of companies/organizations
The Commission of Personal Data Protection shall accredit certifying bodies in accordance with the Regulation, as the terms, conditions and procedures for accreditation and withdrawal of accreditation shall be determined by an ordinance, adopted by the Commission (Art. 14). The criteria, mechanisms and procedures for certification, seals and markings of companies/organizations shall also be laid down in an ordinance adopted by the Commission.
- Codes of Conduct
The Commission shall approve draft codes of conduct by sectors and fields of activity, as it shall accredit the monitoring bodies of the approved codes of conduct (Art. 14a of PDPA).
Codes of conduct and certification are tools that companies/organizations may use to demonstrate compliance with the Regulation. They are optional and each company/organization can decide whether they want to adhere to a code of conduct or whether they want to be certified.
- Trainings in the field of personal data protection
The Commission shall organize, coordinate and conduct trainings in the field of personal data protection and shall issue a certificate to the persons who have passed the training upon successfully passing the exam (Article 16, paragraph 1 of PDPA). The certificate shall be issued for a period of three years and after the expiration of the term the certificate shall be renewed after successfully passing an exam. The law (Art.16, paragraph 3 of PDPA) states that the existence of a certificate shall not be a mandatory condition for the appointment or performance of the functions of a data protection officer.
- Registers, kept by the Commission
The Commission shall keep the following public registers: a register of controllers and processors which have designated data protection officers, a register of accredited certifying bodies and a register of codes of conduct.
The Commission shall also keep the following non-public registers: a register of breaches of the Regulation and PDPA and a register of notifications for personal data security breaches.
- Registers, kept by the processors
Art. 62, para. 2 of the PDPA covers the registers, which the data processors shall keep independently and separately from the registers, kept by the controllers, set out in Art. 62, para. 1 of the PDPA.
Personal data processors shall keep a register of the categories of processing activities performed on behalf of a controller, that contains:
- The name and contact details of the processor, of each data controller on whose behalf the processor is acting, and of the data protection officer, where applicable;
- The categories of processing of personal data carried out on behalf of each controller;
- Where applicable, the transfer of personal data to a third country or to an international organization when explicitly instructed by the controller, including the name of the third country or international organization;
- Where possible, a general description of the technical and organizational security measures.
III. Special cases of personal data processing
Personal data obtained without a legal basis or contrary to the principles of the Regulation
– where personal data is provided by the data subject to a controller or processor without a legal basis or contrary to the principles of the Regulation, within one month of becoming aware, the controller or the processor must return it, and if this is impossible or requires a disproportionate effort, erase or destroy it (Art. 25a of the PDPA). Erasure and destruction shall be documented.
Prohibition on replication of identity documents
– a controller or a processor shall replicate an identity document, driving license or residence document only if provided by law (Art. 25d of PDPA).
The processing of personal data for the purpose of creating a photographic or audio-visual work
– when processing personal data for the purpose of creating a photographic or audio-visual work by capturing a person in the course of his public activity or in a public place the provisions of the Regulation regarding the grounds for processing and rights of data subjects do not apply (Article 25h, paragraph 5 of PDPA).
– the employer or the appointing authority, as a data controller, adopts rules and procedures when the latter: 1. uses a breach reporting system; 2. restricts the use of internal company resources; 3. introduces systems for control of access, working hours and labour discipline (Article 25i, paragraph 1 of PDPA).
Time limits for the storage of personal data of participants in recruitment and selection procedures
– the employer or appointing authority, acting as a data controller, sets a deadline for the storage of personal data of participants in recruitment and selection procedures, which shall not be longer than 6 months unless the applicant has given his or her consent to storage for a longer period. After the expiration of this period the employer or the appointing authority shall erase or destroy the stored documents, containing personal data, unless a special law provides otherwise (Art. 25k, para. 1 of LPPD).
These are part of the accepted amendments to the PDPA. Without pretending to be exhaustive, we hope that the current article will be of help to you.
329 total views, 1 views today