The applicable law is the Personal Data Protection Law Num. 1/2016 dated 22 July.
Definition of Personal Data
The Personal Data Protection Law under art.4 defines personal data as "any information, testimony or review concerning a person specifically identified or identifiable".
Definition of Sensitive Personal Data
The law does not provide a definition of sensitive personal data. However, art. 41(d) treats as a major infringement the processing or giving out of personal data relating to freedom of conscience, affiliation or political ideology, health, sex life, race, tribe, religion or any other form of discrimination without the express authorization of the owner.
The Governing Data Protection Body
The General Data Protection Registry (art. 33) is the organ responsible for registration under its Technical Secretariat which takes charge of the registration of public and private personal data files and of carrying out all actions entailing the modification, creation or suppression of personal data through authorised books.
The Governing Data Protection Body through its Technical Secretariat is responsible for ensuring the administration of personal data files, regardless of their ownership, is done in due compliance with the provisions of the law.
Arts. 6 and 9 of the applicable law determine that only personal data that are adequate, accurate, truthful, complete and not excessive in relation to the scope and purpose of their collection may be used, and prohibit the collection of such data by fraudulent and unlawful means.
In this regard, interested parties from whom personal data are requested must be expressly informed in advance, in a concise and unequivocal manner, about the purpose and consequences of the collection, the destination and the recipients of the information, the mandatory or optional nature of their response to the questions asked, the effects of a refusal to provide the data, and the identity and address of the person responsible for the processing or its representative.
According to the law, the processing of data by third parties must be subject to a contractual agreement under which the third party must agree in writing to process the data solely in accordance with the instructions authorised by the owner; that is, the data must not be used or applied for a different purpose or communicated to third parties (art. 8).
Art. 21 is to the effect that:
- Personal data obtained by the General administration of the state cannot be communicated or given out unless it is for historical, statistical or scientific purposes. However, personal data may be communicated between the public administration and other public organs or institutions.
- Private holders of personal data cannot communicate or give out personal data found in their possession unless by a court order instructed by a competent court.
- For the performance of any of the above, the holders of the data have to be notified of the purpose for which their data is to be communicated or given out. Notwithstanding, consent will not be needed from the owner of the data unless the data was made available to the public, and it is likely to be communicated to other public or private files.
Art. 11 determines that the data controller or data processor must adopt the necessary technical and organisational measures to ensure the security of the personal data processed, ensuring their preservation and avoiding their alteration, loss, unauthorised processing or access. In this sense, personal data must not be recorded in files, systems or processing centres that do not meet the security conditions for the integrity, confidentiality and guarantee of the same.
The breach of notification constitutes a minor infringement when the data was obtained from the person concerned (art. 39 C) and a major infringement when the data was not obtained from the person concerned (art. 40 C).
Mandatory breach notification
The law does provide for a mandatory breach duty. Notwithstanding, it provides that in the case of a severe or major breach likely to affect a fundamental right or personal data, the sanctioning organ may require the person responsible to restrain the use, communication, giving out or illegal transfer.
The enforcement process applied to determine and impose the sanctions is adjusted to the principles, rules and norms of administrative procedure, at the request of a hearing by the interested party. During the hearing, other enforcement measures can be adopted by the sanctioning organ to ensure compliance with the final resolution and to secure the application of the sanctions. However, these measures have a provisional character (art. 45).
Where the infringement is committed in a public file, the sanctioning organ has to pass a resolution ordering the dismissal or correction of the infringement, as well as propose the application of disciplinary proceedings against the offenders (art. 45).
The resolution of the sanctioning organ is elevated to a higher authority, which must then verify and determine the applicable sanctions against the infringement.
Not regulated by the personal data protection law. However, art. 22 of the Internet Communication Law Num. 1/2017 dated January is to the effect that commercial electronic communications such as adverts and promotions must conform with the data protection laws in relation to the abstention, creation and maintenance of files. Moreover, data used for such purposes must be clear and identifiable.
Not regulated by the law.