
Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

Personal data must be:

  • processed lawfully and fairly;
  • collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is consistent with said purposes;
  • accurate and kept up to date;
  • relevant, complete and not excessive in relation to the purposes for which it is collected or subsequently processed; and
  • kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data is collected or subsequently processed.

Any processing of personal data in breach of the above principles is deemed unlawful.

Moreover, in order to process personal data lawfully, controllers must rely on a valid legal ground, such as:

  • the data subject’s consent;
  • the necessity to comply with a legal obligation; or
  • where the data processing is necessary for the performance of obligations resulting from a contract to which the data subject is a party or otherwise in order to comply with specific requests made by the data subject before entering into a contract.   

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

As a rule, personal data must be stored in a way that allows identification of the data subject for a period no longer than is necessary in relation to the scope within which the data has been collected and processed. In some cases the law itself establishes a specific retention period – for example, providers of electronic communication services (eg, telecoms service providers, Voice over Internet Protocol providers and email service providers):

  • can process traffic data that is strictly necessary in relation to contracting parties’ billing and connection payments for up to six months;
  • must retain telephone traffic data for 24 months from the date of communication for the purpose of detecting and suppressing criminal offences; and
  • for the same purpose, must retain electronic communication traffic data, but not the content of communications, for 12 months from the date of the communication.

The legislature recently extended the compulsory data retention period for the purpose of detecting and suppressing certain serious criminal offences (eg, terrorist activities and activities performed by stable criminal organisations) until July 1 2017.

Do individuals have a right to access personal information about them that is held by an organisation?

Data subjects have the right to confirm whether personal data concerning them exists, regardless of whether it has already been recorded. Data subjects also have the right to request the communication of such data in an intelligible form.

Further, data subjects have the right to be informed of:

  • the source of the personal data;
  • the purposes and methods of processing;
  • the logic applied to processing, if it is carried out by electronic means;
  • the identity and details of the data controller, data processors and the designated representative; and
  • the entities or categories of entity to which the personal data may be communicated and the parties that may be privy to the data in their capacity as:
    • designated representatives in the state’s territory;
    • data processors; or
    • managers of the processing.

Do individuals have a right to request deletion of their data?

Data subjects have the right to:

  • obtain the erasure, anonymisation or blocking of data that has been processed unlawfully, including data which need not be retained for the purposes for which it has been collected or subsequently processed; and
  • obtain certification that the above operations, including their content, have been notified to the entities to which the data was communicated or disseminated.

The EU General Data Protection Regulation has further elaborated on this right by introducing the so-called ‘right to be forgotten’. Under the new rules, data subjects have the right to obtain from the controller the erasure of personal data concerning them without undue delay, and the controller must comply with the request if, for example:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the data subject withdraws consent and there is no other legal ground for the processing;
  • the data subject objects to the processing (ie, profiling or direct marketing); or
  • the personal data has been unlawfully processed.

Moreover, where the controller has made the personal data public and is obliged to erase it, the controller, taking into account the available technology and cost of implementation, must take reasonable steps, including technical measures, to inform the controllers that are processing the personal data that the data subject has requested the erasure of any links, copies or replications of the personal data (right to de-listing).

Consent obligations
Is consent required before processing personal data?

The processing of personal data by private entities or profit-seeking public bodies is usually based on the data subject’s express, informed, specific and freely given consent, unless one of the legal exceptions to this rule applies. The data subject’s consent may refer either to the processing as a whole or to one or more of the operations involved in the processing.

As a rule, consent must be given in writing if the processing concerns sensitive data. Sensitive data may be processed only with the data subject’s written consent and the Data Protection Authority’s prior authorisation.

If consent is not provided, are there other circumstances in which data processing is permitted?

Consent need not be provided if, for example:

  • the processing is necessary to comply with an obligation imposed by law, regulations or EU legislation;
  • the processing is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or in order to comply with specific requests made by the data subject before entering into a contract;
  • the processing concerns data taken from public registers, lists, documents or records that are publicly available, without prejudice to the limitations and modalities laid down by laws, regulations or EU legislation with regard to their disclosure and publicity;
  • the processing concerns data relating to economic activities that are processed in compliance with the legislation in relation to business and industrial secrecy; and
  • the processing is necessary to safeguard the life or bodily integrity of a third party, or to enable defence counsel to carry out investigations or defend a legal claim.

Further specific exceptions to the rule of consent are contained in the Data Protection Code. 

What information must be provided to individuals when personal data is collected?

The data subject must be preliminarily informed either orally or in writing of:

  • the purposes and modalities of the processing for which the data is intended;
  • the obligatory or voluntary nature of providing the requested data;
  • the consequences if he or she fails to reply;
  • the entities or categories of entities to which the data may be communicated or that may have access to the data in their capacity as data processors or persons in charge of processing;
  • the scope of dissemination of the data; and
  • information regarding the data controller and, where designated, the data controller’s representative in the state and the data processor.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Personal data flows freely within the European Union and countries that ensure an adequate level of safeguards according to the European Commission.

The transfer of processed personal data to a non-EU member state is permitted if it is authorised by the Data Protection Authority on the basis that the non-EU country ensures adequate safeguards for data subjects’ rights, or that adequate rules of conduct are in force among companies belonging to the same group.

Other legal grounds for the transfer of personal data are provided for in the EU Model Clauses, the Binding Corporate Rules and, if officially approved, the EU-US Privacy Shield for transfers to the United States.

Are there restrictions on the geographic transfer of data?

The rules described above for transfers to non-EU member states apply (Data Protection Authority authorisation based on adequate safeguards or intra-group rules of conduct, the EU Model Clauses, the Binding Corporate Rules and, if officially approved, the EU-US Privacy Shield for transfers to the United States).

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Data subjects must be informed beforehand of the possible communication of their personal data to a third party or a category of third parties. The actual communication of data must rely on a valid legal ground. For example, in order to communicate data to a third party for its own direct marketing purposes, the data controller must seek specific consent beforehand. In other cases, the communication may be authorised, if not mandated, by law. A specific form of disclosure – which does not technically amount to a ‘communication’ in the reading of the law – is that between a data controller and a data processor, where the latter acts under the control and instructions of the former. 
