Collection and storage of data

Collection and management

In what circumstances can personal data be collected, stored and processed?

Personal data must be:

  • processed lawfully and fairly;
  • collected and recorded for specific, explicit and legitimate purposes and used in further processing operations in a way that is consistent with said purposes;
  • accurate and kept up to date;
  • relevant, complete and not excessive in relation to the purposes for which it is collected or subsequently processed; and
  • kept in a form which permits identification of the data subject for no longer than is necessary for the purposes for which the data is collected or subsequently processed.

Any personal data that is processed in breach of the above principles will be deemed to have infringed the law. 

Moreover, in order to process personal data lawfully, data controllers must rely on a valid legal ground, such as:

  • the data subject’s consent;
  • the necessity to comply with a legal obligation; or
  • where the data processing is necessary for the performance of obligations resulting from a contract to which the data subject is a party or otherwise in order to comply with specific requests made by the data subject before entering into a contract.

As of May 25 2018, the legal grounds to process personal data according to the General Data Protection Regulation are as follows:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes;
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject before entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

As a rule, personal data must be stored in a form that permits identification of the data subject for no longer than is necessary for the purposes for which the data has been collected and processed (see Section 11 of the Personal Data Protection Code). In some cases, the law itself establishes a specific retention period. For example, providers of electronic communication services (e.g. telecoms service providers, Voice over Internet Protocol providers and email service providers):

  • can process traffic data that is strictly necessary in relation to contracting parties’ billing and connection payments for up to six months;
  • must retain telephone traffic data for 24 months from the date of communication for the purpose of detecting and suppressing criminal offences; and
  • for the same purpose, must retain electronic communication traffic data, but not the content of communications, for 12 months from the date of the communication.

The Chamber of Deputies recently approved an amendment, which is now awaiting confirmation by the Senate, to the draft law implementing EU directives (the ‘European Law 2017’). The amendment extends the data retention period for the purpose of detecting and suppressing certain serious criminal offences (e.g. terrorist activities and activities performed by stable criminal organisations) to 72 months.

Under the General Data Protection Regulation, data controllers will have to disclose the period for which personal data will be stored or, if that is not possible, the criteria used to determine that period.

Do individuals have a right to access personal information about them that is held by an organisation?

Data subjects have the right to obtain confirmation as to whether or not personal data concerning them exists, regardless of whether it has already been recorded. Data subjects also have the right to have such data communicated to them in an intelligible form.

Further, data subjects have the right to be informed of:

  • the source of the personal data;
  • the purposes and methods of processing;
  • the logic applied to processing, if it is carried out by electronic means;
  • the identity and details of the data controller, data processors and the designated representative; and
  • the entities or categories of entity to which the personal data may be communicated and the parties that may be privy to the data in their capacity as:
    • designated representatives in the state’s territory;
    • data processors; or
    • managers of the processing.

As of May 25 2018, data subjects will have further rights, such as:

  • the right to lodge a complaint with a supervisory authority;
  • the right to request from the data controller rectification or erasure of personal data or the restriction of processing concerning the data subject, or to object to processing; and
  • the right to data portability (see Articles 15 to 22 of the General Data Protection Regulation). 

Do individuals have a right to request deletion of their data?

Data subjects have the right to:

  • obtain the erasure, anonymisation or blocking of data that has been processed unlawfully, including data which need not be retained for the purposes for which it has been collected or subsequently processed; and
  • obtain certification that the above operations, including their content, have been notified to the entities to which the data was communicated or disseminated.

The General Data Protection Regulation has further elaborated on this right by introducing the so-called ‘right to be forgotten’. Under the new rules, data subjects have the right to obtain from the data controller the erasure of personal data concerning them without undue delay, and the data controller must comply with the request if, for example:

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the data subject withdraws consent and there is no other legal ground for the processing;
  • the data subject objects to the processing (e.g. profiling or direct marketing); or
  • the personal data has been unlawfully processed.

Moreover, where the data controller has made the personal data public and is obliged to erase it, the data controller, taking into account the available technology and the cost of implementation, must take reasonable steps, including technical measures, to inform other data controllers that are processing the personal data that the data subject has requested the erasure of any links to, or copies or replications of, that personal data (the so-called right to de-listing).

Consent obligations

Is consent required before processing personal data?

The processing of personal data by private entities or profit-seeking public bodies is usually based on the data subject’s express, informed, specific and freely given consent, unless one of the legal exceptions to this rule applies. The data subject’s consent may refer either to the processing as a whole or to one or more of the operations involved in the processing.

As a rule, consent must be given in writing if the processing concerns sensitive data. Sensitive data may be processed only with the data subject’s written consent and the Data Protection Authority’s prior authorisation.

If consent is not provided, are there other circumstances in which data processing is permitted?

Consent need not be provided if, for example:

  • the processing is necessary to comply with an obligation imposed by law, regulations or EU legislation;
  • the processing is necessary for the performance of obligations resulting from a contract to which the data subject is a party, or in order to comply with specific requests made by the data subject before entering into a contract;
  • the processing concerns data taken from public registers, lists, documents or records that are publicly available, without prejudice to the limitations and modalities laid down by laws, regulations or EU legislation with regard to their disclosure and publicity;
  • the processing concerns data relating to economic activities that are processed in compliance with the legislation in relation to business and industrial secrecy; and
  • the processing is necessary to safeguard the life or bodily integrity of a third party, or to enable defence counsel to carry out investigations or to defend a legal claim.

Further specific exceptions to the rule of consent are contained in the Personal Data Protection Code.

Under the General Data Protection Regulation, data controllers may process personal data even without prior consent if at least one of the following applies:

  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • Processing is necessary for compliance with a legal obligation to which the controller is subject;
  • Processing is necessary in order to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

What information must be provided to individuals when personal data is collected?

The data subject must be informed in advance, either orally or in writing, of:

  • the purposes and modalities of the processing for which the data is intended;
  • the obligatory or voluntary nature of providing the requested data;
  • the consequences if he or she fails to reply;
  • the entities or categories of entities to which the data may be communicated or that may have access to the data in their capacity as data processors or persons in charge of processing;
  • the scope of dissemination of the data; and
  • information regarding the data controller and, where designated, the data controller’s representative in the state and the data processor.

Articles 12, 13 and 14 of the General Data Protection Regulation set out the information that must be provided to individuals, depending on whether the personal data is collected from the data subject or obtained from another source.