Informacijski pooblaščenec Republika Slovenija

Security of personal data


Without the security of personal data there is no protection of personal data: security is one of the fundamental principles of the broader concept of personal data protection. Data security means ensuring the:

  • integrity,
  • confidentiality, and
  • availability of personal data.

Detailed organizational, technical and logical-technical procedures and measures for the security of personal data would be very difficult to prescribe in the statute itself, since the appropriate measures depend on the particular circumstances in which the personal data are processed.

Data security according to the General Data Protection Regulation

The General Data Protection Regulation follows established information security standards, whose main principle is that security measures must be proportionate to the risks that threaten the protected assets. Risk is usually evaluated as a combination of the likelihood that an unwanted event will occur and the severity of its consequences if it does. Article 32 of the General Regulation therefore requires that, in determining the appropriate level of security, particular account be taken of the risks presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

The decision on the level of security required is therefore the obligation of each obligated entity itself; in making it, the entity must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the risks to the rights and freedoms of individuals, which vary in likelihood and severity. The General Regulation prescribes the following measures where applicable (i.e. not always and everywhere):

  • pseudonymisation and encryption of personal data;
  • the ability to ensure uninterrupted confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to timely recover the availability and access to personal data in case of a physical or technical incident;
  • procedures for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing.

Data security according to ZVOP-2

According to Article 22 of the ZVOP-2, the processor must keep a processing log of the data processing if any of the following conditions are met:

  • large-scale processing of special categories of personal data is carried out in automated processing systems,
  • there is regular and systematic monitoring of individuals,
  • the risk identified by the impact assessment can be effectively managed by keeping a processing log, or
  • it is required by law.

The processing log must record the following processing operations: collection, alteration, consultation, disclosure (including transfers), erasure and any other processing operations provided for by law. In addition, under Article 41(6) of the ZVOP-2, the controller must ensure that for each transfer of personal data it can be established which personal data were transferred, to whom, when, on what legal basis, and for what purpose or reasons or for the purposes of which procedure, unless another law provides otherwise or this is already evident from a processing log kept under Article 22 of the ZVOP-2.
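The following is an added illustration of the record-keeping requirement described above; it is not code from the Information Commissioner or from any law. It assumes a simple append-only processing log in which every entry names the operation (the six operations listed above), the actor, the affected record and the personal data categories involved, and in which a transfer entry is rejected unless it also carries the recipient, legal basis and purpose that Article 41(6) requires to be reconstructible. The field names, the sample actors and the placeholder legal basis are all constructed for the example.

```python
"""Minimal processing log for the operations and transfer fields described above.
Added example with assumed field names; not the Commissioner's or any statute's code."""
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional
import json

# Operations the log must capture; names mirror the text, but are assumed identifiers.
OPERATIONS = {"collection", "alteration", "consultation", "disclosure",
              "transfer", "erasure"}

# Fields that must be present for a transfer so that it can later be
# established what was transferred, to whom, when, on what basis and why.
TRANSFER_FIELDS = ("recipient", "legal_basis", "purpose")


@dataclass(frozen=True)
class LogEntry:
    timestamp: str                     # when (UTC, ISO 8601)
    operation: str                     # which processing operation
    actor: str                         # user or service account that acted
    record_id: str                     # data-subject record affected
    data_categories: List[str]         # which personal data were involved
    recipient: Optional[str] = None    # transfers only: to whom
    legal_basis: Optional[str] = None  # transfers only: on what legal basis
    purpose: Optional[str] = None      # transfers only: purpose or procedure


class ProcessingLog:
    """Append-only log: entries are immutable and never removed, only added."""

    def __init__(self) -> None:
        self._entries: List[LogEntry] = []

    def record(self, operation: str, actor: str, record_id: str,
               data_categories: List[str], timestamp: Optional[str] = None,
               **transfer) -> LogEntry:
        if operation not in OPERATIONS:
            raise ValueError(f"unknown processing operation: {operation!r}")
        if not data_categories:
            raise ValueError("an entry must name the personal data affected")
        if operation == "transfer":
            missing = [f for f in TRANSFER_FIELDS if not transfer.get(f)]
            if missing:
                raise ValueError(f"transfer entry missing required fields: {missing}")
        entry = LogEntry(
            timestamp=timestamp or datetime.now(timezone.utc).isoformat(),
            operation=operation, actor=actor, record_id=record_id,
            data_categories=list(data_categories),
            recipient=transfer.get("recipient"),
            legal_basis=transfer.get("legal_basis"),
            purpose=transfer.get("purpose"),
        )
        self._entries.append(entry)
        return entry

    def transfers_of(self, record_id: str) -> List[LogEntry]:
        """Answer the Article 41(6) question for one record: which data were
        transferred, to whom, when, on what legal basis and for what purpose."""
        return [e for e in self._entries
                if e.operation == "transfer" and e.record_id == record_id]

    def export_jsonl(self) -> str:
        """One JSON object per line, suitable for shipping to write-once storage."""
        return "\n".join(json.dumps(asdict(e), ensure_ascii=False) for e in self._entries)


def demo() -> dict:
    """Constructed sample: one record's lifecycle, including a rejected transfer."""
    log = ProcessingLog()
    log.record("collection", "intake-service", "subject-0001", ["name", "address"])
    log.record("consultation", "clerk.a", "subject-0001", ["name", "address"])
    log.record("transfer", "clerk.a", "subject-0001", ["address"],
               timestamp="2024-01-15T09:30:00+00:00",
               recipient="municipality-x",
               legal_basis="[placeholder: statutory provision]",
               purpose="[placeholder: administrative procedure]")
    log.record("erasure", "retention-job", "subject-0001", ["name", "address"])
    rejected = False
    try:  # a transfer without recipient / basis / purpose must not be accepted
        log.record("transfer", "clerk.b", "subject-0001", ["name"])
    except ValueError:
        rejected = True
    return {"log": log, "rejected_incomplete_transfer": rejected}


if __name__ == "__main__":
    result = demo()
    print(result["log"].export_jsonl())
```

The check in `record` is the point of the example: a transfer that cannot later answer "to whom, on what basis, for what purpose" is refused at write time rather than discovered missing during an audit, and `transfers_of` shows that the log alone can reconstruct the Article 41(6) facts for a given record.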