The protection of privacy is a good which we have to be aware of and have to be able to use at key moments. This is also reflected in the single European legislation, which ensures a single approach in providing this right to all individuals in the EU. Despite the fundamental human right in the Constitution of the Republic of Slovenia and the mechanism for the protection of human rights at the EU level, violations continue to occur. The task of the Information Commissioner is to monitor personal data processing as regulated by the General Data Protection Regulation and the national legislation regulating the field of personal data protection, and to prevent and remedy violations in this area.
The General Regulation states that it protects the fundamental rights and freedoms of individuals and in particular their right to the protection of personal data. In doing so, the General Regulation emphasizes the importance of the individual. In the introductory provision no. 4 it states that personal data processing should be designed in such a manner as to serve the people. The purpose of protecting personal data is not the protection of personal data as such, but the protection of the rights of data subjects.
The principles defined in Article 5 of the General Regulation are the backbone of personal data protection. These are the fundamental principles of personal data protection, which primarily require that the data are processed fairly, transparently and on a legal basis. Furthermore, they require that the data are processed only for specified, explicit and legitimate purposes and that further processing which does not correspond with the purposes of collection is avoided. The collection of data must be limited to data that are suitable, relevant and limited to the purposes of collection, which prevents the collection of a “stock” of personal information. The collected data must be accurate and up-to-date and must not be kept longer than required to fulfil the purpose of the collection. Care for the integrity and accessibility of personal data is required since this is the pillar of personal data security. The key novelty introduced by the General Regulation is the accountability principle, which imposes an obligation on liable persons to be able to ensure at all times that they process personal data accordingly and that they fulfil all requirements imposed by the General Regulation and the national rules on personal data protection.
The processing of personal data must primarily be lawful, meaning that the processing requires at least one legal basis prescribed by Article 6 (1) of the General Regulation as a permissible legal basis for the processing of personal data. In the private sector, personal data are often processed based on the consent of individuals or a contract concluded by individuals with private sector processors. In the public sector, due to the dominating nature of its operation, the principle of an involuntary relationship between individuals and authorities applies. Consequently, consent is usually not a valid legal basis for the processing of personal data (unless a special law prescribes consent as a basis for the processing in a specific case). Because of the wording of Article 38 of the Slovenian Constitution, the IC considers that the processing of personal data is admissible only if it is so determined by the law governing the processing for a specific case. Exceptionally, processing is admissible in the public sector if it is necessary for the exercise of legal competences, tasks or obligations of the public sector and if the processing does not infringe on the interests of the data subject. The processing of so-called special types of personal data, which are of a more sensitive nature, is subject to special conditions of protection (Article 9 of the General Regulation).
An individual who believes that their personal data are being processed illegally can submit a report to the Information Commissioner.
Even before that, the individual may request to be acquainted with all of their personal data in order to determine the actual situation or may under certain conditions also request a correction, restriction of processing or deletion of illegally processed data (Articles 15 to 18 of the General Regulation). Under certain conditions, the General Regulation also offers individuals the right to object to processing carried out in accordance with Articles (e) or (f) of the General Regulation (Article 21 of the General Regulation).
According to the General Regulation, an individual may also exercise the right to data portability with the processor, for the information which the individual provided on the basis of consent or a contract with the processor and which is automatically processed. This right allows the individual to obtain personal data related to him that he sent to the processor in a structured, generally used and machine-readable form and to forward that data to a different processor without being hindered by the first processor (to whom the data was provided) (Article 20 of the General Regulation).