Four stages were specified as necessary for the preparation of the legal analysis for compliance of certain laws with the Law on Personal Data Protection:
- Defining the areas of application of the Law on Personal Data Protection
- Specifying the applicable laws in the defined areas
- Establishing the research methodology
- Analysis of the answers to the questions set out in the methodology
Defining the areas of application of the Law on Personal Data Protection
The identification of areas in which the application of the Law on Personal Data Protection is of particular importance to citizens was based on an analysis of the frequently asked questions posed by citizens to the Directorate for Personal Data Protection (DPDP) in the period from June 2011 to September 2014. The analysis included the answers that citizens had received from the DPDP, as an indicator of the situation in each separate area.
After the analysis of the citizens’ questions and the answers of the DPDP, the following 12 areas were defined for the analysis: insurance, telecommunications, judiciary and security, banking, healthcare, media, labor relations, education, housing, social issues and public enterprises.
Specifying the applicable laws in the defined areas
After defining the areas in which the application of the Law on Personal Data Protection is of particular importance to the citizens, the applicable laws for each of the defined areas were also identified. A total of 35 laws were identified, and a database of the texts of all these laws was created.
Establishing the research methodology
After the methodology for conducting the legal analysis was established, it was necessary to define the questions that the legal analysis was required to answer.
The principles of personal data protection were used as the basis for defining the questions for the analysis. According to these principles, personal data is to be processed justly and in accordance with the law; collected for specific, clear and legally stipulated purposes and processed in accordance with those purposes; adequate, relevant and not excessive in relation to the purposes for which it is collected and processed; accurate, complete and, where necessary, updated; and stored in a form that allows the identification of the personal data holder, but for no longer than the time necessary to meet the purposes for which the data was collected.
Hence, 11 questions were defined, based on which the analysis of the 35 laws from the 12 areas was carried out:
- Does the law require personal data collection and in what form (records, registry, database)?
- What is the purpose of the personal data collection and is the purpose clear?
- Does the volume of data being processed match the purpose?
- Who is collecting the data initially (company, institution)?
- Should the processing of a certain data category be conducted with the personal data holder’s consent?
- Is there a defined period of time for storing personal data?
- Is there a specific article for personal data protection that clearly indicates the application of technical and organizational measures?
- Is the processing of the data stipulated in this law related or should it be related to the application of some other law?
- Are there any exceptions for processing sensitive personal data? (personal identification number, biometrics, video surveillance)
- Has the DPDP provided its opinion on the Law?
- Was the opinion of the DPDP taken into consideration?
Analysis of the answers to the questions set out in the methodology
The results from the analysis of the answers to the questions in the methodology are presented as follows:
- The answers to the questions are presented as facts, i.e. a confirmation or negation of whether the principles of personal data protection have been respected, and
- An explanation about the legislation for personal data protection and guidelines and proposals for complete harmonization of the separate laws with the Law on Personal Data Protection
The opinions of the Directorate for Personal Data Protection regarding the compliance of the laws with the Law on Personal Data Protection were not delivered before this website was finalized, so they were not included in the legal analysis. For the latest information on this matter, visit the Directorate for Personal Data Protection website.