Informacijski pooblaščenec Republika Slovenija

Security of personal data


Without the security of personal data there is no protection of personal data, since security is one of the fundamental principles of the broader concept of personal data protection. Data security means ensuring the:

  • integrity,

  • confidentiality and

  • availability of personal data.

Detailed organisational, technical and logical-technical procedures and measures for the security of personal data would be very difficult to lay down in the statute itself, since they depend on the various circumstances in which individual personal data are processed.

Data security according to the General Data Protection Regulation

The General Data Protection Regulation follows the information security standards, whose main principle is that security measures must be adapted to the risks that threaten the protected assets. A risk is usually evaluated as a combination of the likelihood that an unwanted event will occur and the severity of the consequences if it does occur. Article 32 of the General Regulation therefore provides that, in determining the appropriate level of security, account shall be taken in particular of the risks presented by processing, especially from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Deciding on the level of security required is therefore the obligation of each controller or processor (the person liable) itself. In doing so they must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risks to the rights and freedoms of individuals, which vary in likelihood and severity. The General Regulation prescribes the following measures where applicable (i.e. not always and everywhere):

  • pseudonymisation and encryption of personal data;

  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

  • the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;

  • procedures for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of processing.


Data security according to ZVOP-1

ZVOP-1 uses the term "zavarovanje" (securing of personal data) and defines the obligations in Articles 24 and 25. Article 24 of ZVOP-1 sets out the objectives that the procedures and measures for securing personal data must meet. Adopting internal rules on securing personal data is recommended for the sake of the completeness and transparency of data security rules; what matters most, however, is that appropriate procedures and measures are actually implemented in practice.

The organisational, technical and logical-technical procedures and measures for securing personal data must primarily prevent unauthorised processing of personal data, and must also prevent the accidental or deliberate unauthorised destruction, alteration or loss of data. To achieve this, appropriate procedures and measures must be chosen in order to:

  1. protect spaces, equipment and system software, including the input-output equipment;

  2. protect the software used for processing personal data;

  3. prevent unauthorized access to personal data during its transfer, including the transfer over the telecommunications networks;

  4. provide an effective way of blocking, destroying, deleting or anonymizing personal data;

  5. make it possible to subsequently determine when individual personal data were entered into the personal data filing system, used or otherwise processed, and who did so, for the period during which legal protection of the individual's rights against inadmissible disclosure or processing of personal data is possible.

It is important that all employees are aware of these procedures and measures, and that, in accordance with Article 25 of ZVOP-1, the persons responsible for particular personal data filing systems and the persons permitted to process particular personal data (i.e. access rights) are designated. Access rights are determined by the management of the organisation, but they are limited by the principle of necessity: access should be restricted to what particular employees or departments actually need for their work.