Author: Preslav Baldzhiev
It is no secret that personal data is one of the most important resources used in business. This raises several questions, the most significant and the most ambiguous being how this personal data is processed. The answers to this and a number of other questions can be found in the provisions of the General Data Protection Regulation adopted in 2016 (GDPR, Regulation).
What is personal data?
Personal data is a legal concept, the definition of which is contained in Article 4 of the Regulation. According to the text of the GDPR, personal data is “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”.
The definition is long, but the details included in it allow us to determine exactly which categories of data can be called personal. In order to be defined as “personal data”, the information provided must meet the following conditions:
- To concern a natural person – In other words, personal data cannot refer to companies. This is quite understandable, given that both the Bulgarian Commercial Register and the Commercial Registers of other EU Member States are public and information concerning legal entities is generally available;
- It should be sufficient to identify the natural person (whether directly or indirectly) – Identification should not be narrowed to the exact identification of the person (e.g. the data show that they refer to Assen Assenov Assenov, born on 01.01.1955). Information that can identify a person would also include data indicating only gender, eye color, height, marital status, etc. (only one of the above is enough).
What does personal data processing mean?
It is completely pointless to collect personal data if it is not processed. The processing of personal data is also a legal term, the definition of which is contained in Article 4 of the GDPR. According to that text, processing “means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”.
As with the concept of personal data, the definition of personal data processing is extremely broad. Given that traders use personal data and the provision of such information is one-way, i.e. only in the direction from the individual to the trader, it is quite normal to conclude that a monopoly position is created in favor of the business community. Therefore, the broad definition is supported by the grounds explicitly stated in the Regulation (discussed in detail in another article) and principles (which will be discussed in the next paragraph) for the processing of personal data.
Principles of personal data processing
As already mentioned, the principles are explicitly stated in the GDPR, in particular in Article 5 of the Regulation. There are 7 principles:
- Processing to be lawful, fair, and transparent – This principle of processing corresponds directly to Article 6 of the GDPR, which sets out the grounds for the processing of personal data (processing should be based on one of these grounds). As for the transparency found in the second part of the principle, it ensures that the individual will know for what purpose his/her personal data are collected and processed. That is why the personal data subject has the right to ask what personal data is processed by the respective Data Controller (right to information);
- Limitation of processing purposes – This principle ensures that personal data will only be processed for the purposes for which they were collected. In other words, if the personal data already collected needs to be processed for a purpose other than the original purpose, then this personal data should be collected again. It is important to specify that the Data Controller must determine the purposes of processing before starting to collect personal data;
- Minimization of data – The Data Controller should collect only those personal data that are necessary for the purposes of the processing. E-commerce is an appropriate example: if the individual wants to buy a mobile device online, it is necessary to provide three names, telephone number and delivery address, and any other personal data would be unjustifiably collected;
- Accuracy and keeping up to date – Personal data may change during the life of the data subject (e.g. a change of telephone number). In other words, the principle guarantees the right of the data subject to correct and update obsolete information. This principle is directly related to the obligation of the Data Controller to notify the personal data subject if the data are stolen or “leaked”;
- Storage restriction – The principle of storage restriction guarantees that the personal data of the individual will not be processed indefinitely. This processing period should be consistent with the purposes for which the personal data were collected. Longer processing times are only allowed for archiving purposes in the public interest, for scientific or historical research, and for statistical purposes;
- Integrity and confidentiality – Personal data is information that reveals important aspects of the life of the individual. That is why the Data Controller has an obligation to implement the necessary technical and organizational measures to prevent unauthorized access to the collected personal data;
- Accountability – This is the only principle set out in a separate paragraph. Thanks to this principle, it is made as easy as possible for the personal data subject to establish a breach, as it is the Data Controller who has to prove that the breach has not been committed. Given the situation in civil law (that everyone proves the facts he has stated), it is only natural to ask why the burden of proof has shifted. Accountability, in addition to assisting the individual, ensures that the Data Controller is aware of his or her obligations and that he/she makes the necessary efforts to comply with the legislative framework governing all issues related to the collection and processing of personal data.
Conclusion
Everything stated so far confirms the importance of personal data and the need for adequate guarantees for their processing. The existence and, above all, the explicit affirmation of the principles and grounds in a normative act is not an accidental move in European rule-making but a predictable consequence of the digitalization and globalization of the world. The more society becomes accustomed to these new characteristics of its surroundings, the greater the threats and possible abuses that lurk around the corner. Despite the extensiveness and comprehensiveness of the Regulation, individuals as data subjects should make the minimum effort required to prevent breaches of any of the provisions of the GDPR. And beyond the minimum, European legislation intervenes.
This material, prepared by Preslav Baldzhiev, aims to provide more information about the principles relating to the processing of personal data. It does not constitute a legal opinion and cannot be interpreted as individual consultation on any concrete facts or circumstances. The advice of a specialist should be obtained for specific questions and situations. For more information on the above-mentioned issues and individual consultations, please contact the team of the law firm of Krasimira Kadieva at 00359 882 308 670 or make an inquiry using the contact form of the website.
Preslav Baldzhiev has been a law student at Sofia University “St. Kliment Ohridski” since 2017, having previously graduated from the High School of mathematics and natural science “Acad. Nicola Obreshkov” in Burgas. In February 2020 he took a course for industrial property representatives at the Patent Office of the Republic of Bulgaria in the field of trademarks, geographical indications, and industrial designs. He is interested in intellectual property, personal data protection, commercial law, and the law on obligations and contracts, and also regularly attends conferences, practical courses, seminars, and webinars.