II PRINCIPLES

Processing Principles

Article 5 

Personal data must be: 

1) processed lawfully, fairly, and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”). Lawful processing is the processing performed in compliance with this Law and/or other laws regulating processing; 

2) collected for specified, explicit, and legitimate purposes and cannot be further processed in a manner that is incompatible with those purposes (“limitation relating to the purposes of processing”); 

3) adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed (“data minimization”); 

4) accurate and, if necessary, kept up to date. Taking into account the purposes for which it is processed, every reasonable measure must be taken to ensure that personal data that is inaccurate is erased or rectified without delay (“accuracy”); 

5) kept in a form that permits identification of persons only within the time limit that is necessary for the purposes for which the personal data is processed to be realized (“storage limitation”); 

6) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, as well as against accidental loss, destruction, or damage, by using appropriate technical, organizational, or staff-related measures (“integrity and confidentiality”). 

The controller is responsible for the application of the provisions of paragraph 1 of this Article and must be able to demonstrate the application thereof (“accountability for actions”). 

Processing for Other Purposes 

Article 6 

By way of exception from Article 5, paragraph 1, item 2) of this Law, where further processing is carried out for the purposes of archiving in the public interest, for scientific or historical research purposes, as well as for statistical purposes, in compliance with this Law, it is considered that personal data is not processed in the manner which is incompatible with the original purpose. 

If processing for a purpose which is other than the purpose for which data has been collected is not based on the law prescribing the necessary and proportionate measures in a democratic society with a view of safeguarding the objectives referred to in Article 40, paragraph 1 of this Law, or on the consent from the data subject, the controller must assess whether processing for such other purpose is in line with the purpose of processing for which data has been initially collected, in particular by taking into account: 

1) whether there is a connection between the purpose for which data has been collected and other purposes of intended processing; 

2) circumstances under which data has been collected, including the relationship between the controller and data subjects; 

3) the nature of data, and in particular whether some special types of personal data referred to in Article 17 of this Law is being processed or not, and/or whether or not the personal data related to criminal convictions and punishable offenses referred to in Article 19 of this Law is being processed; 

4) the possible consequences of further processing for data subjects; 

5) application of adequate safeguards, such as encryption or pseudonymisation. 

Provisions of paragraphs 1 and 2 of this Article do not apply to processing performed by the competent authorities for the purposes of prevention, investigation, and uncovering of criminal offenses, prosecution of perpetrators of criminal offenses, or enforcement of criminal sanctions, including prevention and protection from threats to public and national security (hereinafter referred to as: for special purposes). 

Processing for Other Purposes by Competent Authorities 

Article 7 

Personal data collected by the competent authorities for special purposes cannot be processed for a purpose other than the purpose for which data has been collected, except if the law prescribes such further processing. 

Processing performed by the competent authorities for special purposes, which are purposes other than those for which the personal data has been collected, is permitted if the following conditions are cumulatively met: 

1) the controller is authorized to process such personal data for such other purposes, in compliance with the law; 

2) processing is necessary and proportionate to such other purpose, in compliance with the law. 

Processing performed by the competent authorities for special purposes may cover the archiving of personal data for the public interest and/or its use for scientific, statistical, or historical purposes, providing that adequate technical, organizational, and staff-related measures are applied with the aim of protecting the rights and freedoms of data subjects.

Storage, Storage Periods, and Review of the Need for Storage in Special Cases 

Article 8 

By way of exception from Article 5, paragraph 1, item 5) of this Law, personal data processed exclusively for the purposes of archiving for the public interest, for scientific or historical research, as well as for statistical purposes, can be stored for a longer period, while complying with the provisions of this Law on application of adequate technical, organizational and staff-related measures, all with a goal to protect the rights and freedoms of data subjects. 

In the case of personal data processed by the competent authorities for special purposes, a time limit must be set for the erasure of such data and/or a time limit for periodical evaluation of the need for its storage. 

If the time limit referred to in paragraphs 1 and 2 of this Article is not determined by the law, it is determined by the data controller. 

The Commissioner supervises compliance with the time limits referred to in paragraphs 1 through 3 of this Article in compliance with their powers prescribed by this Law. 

Differentiating Individual Types of Data Subjects 

Article 9 

If it is a case of personal data processed by the competent authorities for special purposes, the competent authority is obliged to, on the occasion of processing thereof, if possible, make a clear distinction between data relating to individual types of persons on which data is being processed, such as: 

1) the persons against whom there is reasonable suspicion that they have committed or that they intend to commit criminal offenses; 

2) the persons against whom there is reasonable suspicion that they have committed criminal offenses; 

3) the persons who are convicted of criminal offenses; 

4) victims of a criminal offense or persons who are presumed to be victims of a criminal offense;

5) other parties related to a criminal offense, such as the witnesses, persons who can provide information on a criminal offense, related persons, or collaborators of the persons referred to in items 1) through 3) of this Article.

Differentiating Individual Types of Personal Data 

Article 10 

If it is a case of personal data processed by the competent authorities for special purposes, the competent authority is obliged to, to the degree to which it is possible, clearly separate the personal data which is based solely on the findings of facts from the personal data which is based on a personal assessment. 

Quality Assessment of Personal Data and Special Conditions for Processing Performed by the Competent Authorities for Special Purposes 

Article 11 

The competent authorities processing personal data for special purposes are obliged to ensure, by applying reasonable measures, that any personal data that is inaccurate, incomplete, or has not been updated is not transmitted and/or is made inaccessible. 

The competent authorities check the accuracy, completeness, and whether or not personal data is kept up to date, to the extent possible, before initiating the transfer and/or before making such data available. 

The competent authority that is transmitting personal data to another competent authority is obliged to, to the extent possible, additionally deliver information that is necessary for ascertaining the degree of accuracy, completeness, authenticity, and/or reliability of personal data, as well as to provide a notice on keeping of such data up to date. 

If inaccurate personal data is transmitted and/or if personal data is transmitted unlawfully, the competent authority to which such data is transferred must be notified thereof without delay, and personal data transmitted must be rectified or erased, and/or its processing must be limited in compliance with this Law. 

If special conditions are required by law for processing, the competent authority transmitting personal data is obliged to inform the recipient of data of such special conditions and of the obligation to comply with them. 

Lawfulness of Processing 

Article 12 

Processing is lawful only if one of the following conditions is met: 

1) the data subject has consented to the processing of their personal data for one or more specifically designated purposes; 

2) processing is necessary for the performance of a contract concluded with the data subject or for taking actions, at the request of the data subject, before the conclusion of the contract; 

3) processing is necessary with the aim of complying with the legal obligations of the controllers; 

4) processing is necessary with the aim of protecting the vitally important interests of the data subjects or of another natural person; 

5) processing is necessary with the aim of carrying out the tasks in the public interest or executing the legally prescribed powers of the controllers; 

6) processing is necessary with the aim of realising the legitimate interests of the controllers or of a third party, except if the interests or the fundamental rights and freedoms of the data subject for whom personal data processing is required prevail over such interests, and in particular if the data subject is an underage person. 

Paragraph 1, item 6) of this Article does not apply to the processing performed by a public authority within its scope of competence. 

Provisions of paragraphs 1 and 2 of this Article do not apply to the processing performed by the competent authorities for special purposes. 

Lawfulness of Processing Performed by the Competent Authorities for Special Purposes 

Article 13 

Processing performed by the competent authorities for special purposes is lawful only if it is necessary for conducting their tasks and if the law prescribes it. Such law, at a minimum, lays down the objectives of processing, the personal data to be processed, and the purposes of processing. 

Lawfulness of Processing in Special Cases 

Article 14 

The basis for processing referred to in Article 12, paragraph 1, items 3) and 5) of this Law is laid down by the law. 

If it is a case of processing referred to in Article 12, paragraph 1, item 3) of this Law, the law additionally lays down the purpose of processing, and if it is a case of processing referred to in Article 12, paragraph 1, item 5) of this Law, the law lays down whether or not processing is necessary with the view to carrying out the tasks in the public interest or the exercise of the legally prescribed authorities vested in the controllers. 

The law referred to in paragraph 1 of this Article prescribes the public interest that is intended to be realized, as well as the obligation to comply with the rules on proportionate processing to the objective intended to be achieved, and may additionally prescribe conditions governing permissibility of processing by the controllers, the types of data which are subject to processing, the data subjects concerned, the persons to which data can be disclosed and the purpose of disclosure thereof, limitations relating to the purpose of processing, the storage and keeping period, as well as other special actions and the procedure of processing, including the safeguards for lawful and fair processing. 

Consent 

Article 15 

If processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of their personal data. 

If the data subject’s consent is given in the context of a written declaration that also concerns other matters, the request for the provision of consent must be presented in a manner that distinguishes it from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration contrary to this Law has no legal effect. 

The data subject has the right to withdraw their consent at any moment. The withdrawal of consent does not affect the permissibility of processing performed based on the consent before withdrawal. Before providing consent, the data subject must be informed of the withdrawal right, as well as of the effect of the withdrawal. Withdrawing consent must be simple, just as it is simple to give consent. 

When assessing whether consent for the processing of personal data is freely given, special attention must be paid to whether or not the performance of contracts, including the provision of services, is conditional on giving consent that is not necessary for the performance of that contract. 

Consent of an Underage Person in Relation to Information Society Services 

Article 16 

An underage person who has turned 15 may independently provide consent to the processing of their personal data in the use of information society services. 

In the case of an underage person who has not turned 15, consent to the processing of the data referred to in paragraph 1 of this Article must be given by the parent exercising parental rights and/or another legal representative of the underage person. 

The controller must take reasonable measures to determine whether the consent has been provided by a parent exercising parental rights and/or by another legal representative of the underage person, taking into account available technologies. 

Processing of Special Types of Personal Data 

Article 17 

The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a person, data concerning health conditions, or data concerning sex life or sexual orientation of a natural person is prohibited. 

By way of exception, the processing referred to in paragraph 1 of this Article is permitted in the following cases: 

1) the data subject has given their explicit consent to processing for one or more purposes of processing, except if the law prescribes that processing is not performed on the basis of consent; 

2) processing is necessary with the aim of carrying out the obligations or exercising legally prescribed authorizations of the controller or of the data subject in the field of labor, social insurance and social protection if such processing is prescribed by the law or a collective agreement providing for appropriate safeguards for the fundamental rights, freedoms and the interests of the data subject; 

3) processing is necessary with a view to protecting the vitally important interests of the data subject or of another natural person if the data subject is physically or legally incapable of giving consent; 

4) processing is carried out in the course of the registered economic activity and by applying appropriate safeguards by an endowment, foundation, association, or any other not-for-profit organization with a political, philosophical, religious, or trade union aim and on condition that the processing relates solely to the members and/or to the former members of such organization or to persons who have regular contacts with it in connection with the purposes of the organization, as well as that the personal data is not disclosed outside that organization without the consent of the data subjects; 

5) processing relates to the personal data that has manifestly been made public by the data subject; 

6) processing is necessary for the purpose of establishing, exercising, or defending legal claims, or where a court is acting in its judicial capacity; 

7) processing is necessary for the purpose of realizing a substantial public interest, providing that such processing is proportionate to the aim pursued by respecting the essence of the right to data protection and providing that application of suitable and specific measures to safeguard the fundamental rights and the interests of the data subject is provided for; 

8) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employees, medical diagnosis, the provision of health or social protection, and/or the management of health or social care systems on the basis of the law or pursuant to a contract with a health professional, providing that the processing is carried out by or under supervision of a medical worker or another person that is subject to the obligation of professional secrecy prescribed by the law or by the rules of profession; 

9) processing is necessary for the purpose of achieving public interest in the area of public health, such as protection against serious cross-border threats to public health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices on the basis of the law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular in respect of professional secrecy; 

10) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes, or for statistical purposes, in compliance with Article 92, paragraph 1 of this Law, providing that such processing is proportionate to the aims pursued while respecting the essence of the right to personal data protection and providing that suitable and specific measures to safeguard the fundamental rights and the interests of the data subject are provided for. 

Provisions of paragraphs 1 and 2 of this Article do not apply to processing performed by the competent authorities for special purposes. 

Processing of Special Types of Personal Data Performed by the Competent Authorities for Special Purposes 

Article 18 

Processing of personal data performed by the competent authorities for special purposes, which is revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data and biometric data for the purpose of uniquely identifying a natural person, data concerning health condition or data concerning sex life or sexual orientation of a natural person is permitted only if it is necessary, with application of appropriate safeguards of the rights of data subjects, in one of the following cases: 

1) the competent authority is legally authorized to process special types of personal data;

2) the processing of special types of personal data is necessary with a view to protecting the vitally important interests of the data subject or of another natural person; 

3) the processing relates to the special types of personal data that the data subject clearly made available to the public.

Processing Relating to Criminal Convictions and Punishable Acts 

Article 19 

Processing of personal data relating to criminal convictions, punishable acts, and safeguards can be carried out based on Article 12, paragraph 1 of this Law only under the supervision of a competent authority or if processing is authorized by the law, with the application of appropriate special safeguards for the rights and freedoms of data subjects. 

The comprehensive records of criminal convictions are kept only by and under the supervision of a competent authority. 

Processing Which Does Not Require Identification 

Article 20 

If the realisation of the purpose of processing personal data does not, or no longer does, require the identification of a data subject by the controller, the controller is not obliged to keep, acquire or process additional information in order to identify the data subject for the sole purpose of complying with this Law. 

If, in the case referred to in paragraph 1 of this Article, the controller is able to demonstrate that they are not in a position to identify the data subject, they are obliged to inform the data subject accordingly, if possible. 

In the cases referred to in paragraphs 1 and 2 of this Article, provisions of Article 26, paragraphs 1 through 4, Article 29, Article 30, paragraphs 1 through 5, Article 31, paragraphs 1 through 3, Article 33, paragraphs 1 and 2 and Article 36, paragraphs 1 through 4 of this Law do not apply, except if the data subject, to exercise their rights under those Articles, provides additional information enabling their identification. 

Provisions of paragraphs 2 and 3 of this Article do not apply to processing carried out by the competent authorities for special purposes.