In this section you will find the most frequent questions that the Personal Data Protection Agency receives. You can search and filter by categories such as: controller, video surveillance, personal data protection officers, rights of the subject of personal data, cookies, etc.
- General questions
- Legitimate interest
- Open data
- Prior approval from AZLP
It can be considered a legitimate interest if the controller proves such an interest by conducting a balancing test, but it is advised to draw up internal rules where both the awarding of prizes and the announcement of winners would be elaborated, so that the participants would be aware of the possibility for publication of their names.
For those reasons, it is recommended that the participants be notified in advance of the intention to publicly announce the names and surnames of the winners of the organized prize draw.
Apart from consent, such processing may be based on a demonstrated legitimate interest.
However, the subjects of personal data should be informed in advance (for example, through an automated voice message) that the conversation will be recorded and that the personal data will be processed for the purpose of improving the service.
Should a request be submitted to the AZLP for the approval of the processing of personal data that refers to data on the health of employees for the purposes of safety and health at the workplace?
A condition for legal processing is the legal basis given in Article 10, paragraph (1) of the ZZLP and the existence of one of the exceptions given in Article 13, paragraph (2) of the ZZLP.
In the case of approval, the processing of health data can only be carried out after previously obtained approval from the AZLP in accordance with Article 84 of the ZZLP.
Approval is not required in the event that the processing of personal data is determined by a law that contains security and other measures to protect the rights and freedoms of the subjects of personal data.
In such cases, the Agency makes a decision within 90 days after receiving the request for approval.
In general, courts process personal data based on a legal obligation or public authority.
The courts need such information to determine and prove the facts in the proceedings that are conducted on the dispute, so the controller must provide the information to the court.
In case of an audit, should the consent of the employees be ensured or is it enough that they are informed?
There must be an appropriate legal basis for the processing of personal data according to Article 10 of the GDPR.
If the audit is carried out in accordance with the law, then consent is not the applicable legal basis for the processing.
In the case of resumes submitted for possible future employment or advertised positions, does the company have an obligation to obtain the consent of the candidates to have their resumes stored in the prospective candidate database?
The employer can try to prove his legitimate interest by conducting a legitimate interest test or ask for the candidate’s consent (the consent must meet the conditions given in Article 11 of the ZZLP).
In any case, the candidate must be aware of such processing in accordance with the principle of transparency.
In the case of an access control system based on biometric data, does the legal entity have to inform the AZLP before starting to process such data and what documents should be submitted to the AZLP for that purpose?
According to Article 13 of the ZZLP, biometric data are a special category of personal data.
The condition for legal processing is the legal basis from Article 10, paragraph (1) of the ZZLP and the existence of one of the exceptions given in Article 13, paragraph (2) of the ZZLP.
For example, the legal basis for processing biometric data for entry into official premises may be express consent.
However, since this represents a relationship between employer and employee (unequal relationship, relationship of dependence), the question should be raised whether the employee voluntarily gives his consent (voluntariness is one of the conditions for consent).
For those reasons, the employer must ensure that the consent is voluntary and must provide the employee with an alternative for a different entrance to the office premises (via card, code, etc.).
In case of approval, the processing of biometric data can be carried out only after prior approval by the AZLP in accordance with Article 84 of the ZZLP, although the processing is carried out after the express consent given by the subject of personal data.
Approval is not required in the event that the processing of personal data is determined by a law that contains security and other measures to protect the rights and freedom of the subjects of personal data.
In such cases, the Agency makes a decision within 90 days from the receipt of the request for approval.
Given the economic dynamics and the need for companies to adapt to new requirements and trends to keep up with market competitors, do they have an obligation to keep employee records for a period of 45 years after the employee has left the company, as required by applicable regulations?
If the retention period is established in a law that regulates labor relations, then there is a legal basis for such processing of personal data according to Article 10, paragraph (1), point (c) of ZZLP.
It is important to understand that consent is not the only legal basis for processing personal data.
The employer can install a GPS device on an official vehicle if he can prove the existence of a legitimate interest in the same.
Namely, workers sometimes use the company’s resources for private purposes, so it can be said that there is a legal basis for the processing of workers’ personal data.
The Law on Labor Relations does not prescribe the method for determining the right to paid leave.
Requesting evidence in a case where the employee has the right to paid leave (due to important personal reasons such as the birth of a child) to confirm the justification of using paid leave is not against the provisions of the law and for the same a legal basis can be found in the form of legitimate interest.
The justification for using paid leave can be determined by inspecting a certificate that proves the important personal reason for requesting paid leave, unless otherwise determined in the collective agreement or in the internal acts of the employer.
The content of the invoice is determined by several laws, for example, the Law on Value Added Tax, the Law on Registration of Cash Payments.
Among other things, one of the elements of the bill’s content is a label for the operator (person) of the billing instrument itself.
Hence, there is no need to put the name of the person. On the contrary, the controller may prescribe internal designations for its employees as part of the internal acts.
This method of delivering the payroll to employees is not contrary to the provisions of the law, provided that appropriate technical and organizational measures are applied.
The provisions of the law apply regardless of whether certain personal data were previously made public.
Hence, if the controller intends to process personal data, it must have an appropriate legal basis for the processing in accordance with Article 10 of the GDPR.
Also, since the personal data is not obtained directly from the personal data subject, the controller must provide to the personal data subjects all the information prescribed in Article 18 of the ZZLP (e.g., who is the source of the data).
In the case of processing personal data for the purposes of direct marketing, does the legal entity need to obtain prior express consent from the subject of personal data for any type of direct marketing, regardless of whether it involves profiling related to direct marketing?
According to Article 94 of the ZZLP, the processing of personal data for the purposes of direct marketing, including profiling to the extent that it relates to direct marketing, is permitted only if the personal data is processed after the subject of personal data has given express consent (Article 11 of ZZLP).
Granularity is closely related to the need for consent to be specific.
Namely, when consent is given for several different purposes (while the purpose of the processing must be as specific as possible), granularity means that the purposes are separated and that a separate consent is given for each purpose.
For example, parents or guardians should be able to give consent for the school to take photographs of students for educational purposes, but not to give consent for the photographs to be published publicly on the school’s website or in a newspaper to promote the school.
Separation of processing purposes can be achieved by placing a blank tick box in front of each processing purpose so that the parent/guardian can indicate consent, if desired.
Does the company have an obligation to ask employees who leave the workplace to sign a consent to keep their personal data?
The retention period is prescribed in the Labor Law and the employer has a legal basis (legal obligation) for the processing, and therefore there is no need to use consent.
In the case of entering into business relations with clients (bank), the law prescribes a mandatory listing of all persons related to the client, with first name/surname, unique citizen identification number (EMBG), etc. Does this situation require consent to the processing of the personal data of the related persons specified by the client of the bank?
According to Article 10, paragraph (1) of the ZZLP, there are six legal bases for processing personal data:
- consent;
- contract;
- legal obligation;
- vital interests;
- public interest/public authority;
- legitimate interest.
There must be an appropriate legal basis for any processing of personal data. Hence, the legal basis for processing personal data through a contract between a bank and a client is the contract.
For other categories of data the legal basis may be a legal obligation of the controller.
Consent is only one of the six legal bases prescribed by law. If there is a legal basis for any specific processing, there is no need to use consent.
The beauty salon processes data based on an agreement between the salon and the client.
However, at the time of photographing a person for marketing purposes, another legal basis is required, such as consent or legitimate interest.
No. In such a case, the processing is based on a contract/actions that precede the conclusion of a contract, therefore there is no need for consent, nor is the order via e-mail considered consent.
According to Article 96 of the ZZLP, the processing of personal data for the purposes of direct marketing, which includes profiling to the extent that it relates to direct marketing, is permitted only if the personal data is processed after the subject of personal data has given explicit consent (Article 11 from ZZLP).
For those reasons, consent is the only possible legal basis for direct marketing purposes.
Do debt collection agencies need to obtain consent for the processing of personal data they carry out?
According to the Law on Obligation Relations, entrusting the collection of claims (debts) does not require obtaining consent from the debtor, but the creditor is obliged to inform the debtor about entrusting the collection to another legal entity, which means that it is a contractual relationship.
In addition, establishing contact with persons other than the debtor requires a different legal basis in terms of consent or proven legitimate interest.
In the case of a minor child, consent should be obtained from a parent or guardian, except in the case of processing of personal data relating to information society services offered directly to the child.
In such a case, the child can give consent, but only if he is 14 years of age or older.
Does the controller have to request and obtain consent in case of processing personal data through cookies?
Yes. Consent is the only possible legal basis for processing personal data in the context of using cookies.
It is provided for in the Law on Electronic Communications (Article 168). However, there is also an exception for cookies that are technically necessary.
Apart from consent, the controller must also provide public information to the subject of personal data in accordance with Articles 17 and 18 of the ZZLP.
Does the controller have to ask for and obtain consent for every processing of personal data? When should consent be sought, and when not?
No. The controller does not need to request and obtain consent for each processing of personal data.
Any activity for the processing of personal data must be based on one of the legal bases given in Article 10, paragraph (1) of ZZLP.
Consent is only one of the legal bases for processing personal data prescribed by law.
If there is another legal basis for processing personal data (e.g., legal obligation or contract), there is no need to use consent.
For example, according to the Law on Labor Relations, the employer is obliged to keep records of the working hours of the employees, while according to the Law on Associations and Foundations, an association of citizens is obliged to keep a list of its members, and in such cases there is no need for consent because the legal obligation of the controller is a legal basis for the processing of personal data.
Consent is used to process personal data for direct marketing purposes, including profiling, in accordance with Article 96 of ZZLP.
Another example where consent is used is a hair salon that, as a controller, publishes pictures of its own activity (a popular “before and after” column) on social media or processes data through cookies placed on the website, because it cannot demonstrate a legitimate interest.
The retention period for personal data is often set out in specific laws (e.g., labor regulations determine the retention period for employee payslips).
However, when the regulations do not establish a storage period, the principle of limiting the storage period given in Article 9 of the ZZLP is applied.
Personal data must be kept in a form that allows the identification of the subjects of personal data for a period that is not longer than is necessary for the purposes of processing the personal data.
Personal data can be stored for a longer period only if they are processed for the purposes of archiving in the public interest, for scientific or historical research or for statistical purposes in accordance with Article 86, paragraph (1) of ZZLP, in which case appropriate technical and organizational measures in accordance with ZZLP should be applied in order to protect the rights and freedoms of the subjects of personal data.
If the storage term is not established by law, the controller keeps personal data as long as it is needed for the purposes of personal data processing.
Personal data is any information relating to an identified natural person or an identifiable natural person (personal data subject), while an identifiable natural person is a person whose identity can be determined, directly or indirectly.
Personal data is a broad concept. Below are some examples:
- name and surname;
- home address, e-mail, telephone number;
- date of birth, age of the person;
- unique identification number;
- trade union membership data;
- IP address or domain of the computer used to visit websites;
- location information;
- credit or debit card number;
- health data;
- biometric data (e.g., fingerprint);
- representation of a person on a recording or image from video surveillance, audio recording, etc.;
- vehicle registration number.
The controller must scan the situation in the organization, which includes mapping the movement of personal data (determining the categories of personal data that are processed, whether special categories of personal data are processed, as well as the legality, transparency and purposes of the processing of personal data, transfer of personal data, etc.).
More information on the general obligations of the controller is provided in the information sheet "10 QUICK STEPS FOR COMPLIANCE WITH THE LAW ON THE PROTECTION OF PERSONAL DATA", published on the AZLP website.