Rights of individuals
Chapter Five "Rights of Individuals" has been specified as a separate unit of the active LPDP.
With a view to their contents and the manner of exercising, the rights of individuals may be specified in two basic groups:
1. Right to be informed, including:
· right of information for the processing of their personal data;
· right to object to the data controller against the processing of their personal data. In these cases if the objection is reasonable the personal data concerned shall not be further processed.
2. Right of access to personal data referred to them (art. 109 of CISA). As a result of exercising this right, the individuals shall be entitled to require that data collectors should delete, rectify or block their personal data, when their processing does not comply with the provisions of LPDP (art. 110 of CISA).
1. RIGHT TO BE INFORMED
Information may be reviewed in two aspects – on the one hand, as a subjective right of a specific individual, and on the other hand, as the awareness of the public on their rights in accordance with LPDP and the Schengen Convention.
1.1. In the process of collecting personal data related to the individual the right of this individual to be informed is arranged among the basic principles regulated in LPDP. The contents of this information is specified in the provisions of art. 28 of LPDP, related to the following:
· confirmation as to whether or not data relating to him/her are being processed; information as to the purposes of such processing, the categories of data concerned and the recipients or categories of recipients to whom the data are disclosed;
· a notification to him/her, in an intelligible form, containing his/her personal data which are being processed, and any available information about their source;
· information concerning the logic involved in any automatic data processing concerning him/her, at least in case of automated decisions referred to in art. 34b.
Guarantee for exercising this right is provided by means of the imperative provisions of art.19 and art.20 of LPDP, stipulating that the personal data controller shall provide the individual with the following information:
· data which identify the data controller and its representative;
· purposes for which the data are being processed;
· recipients or categories of recipients to whom the personal data may be disclosed;
· information about the obligatory or voluntary manner of providing the data and the consequences in case their provision is denied;
· information about the right of access and the right to rectify the collected data.
With respect to the significance of the matter, in the event that art.19, para.1 and art.20, para.1 of the LPDP are violated, there is a penalty provided in a separate sanction regulation.
An exception to the rule for providing the specified information shall be allowed when:
· processing is performed for statistical, historical or scientific purposes and the provision of the data is impossible or would require disproportionate efforts;
· entry or disclosure of data is explicitly laid down by law;
· the individual to whom such data refer already has the information;
· there is an explicit prohibition for this, stipulated by law.
1.2. CPDP maintains a policy of public awareness on the rights of the individuals related to the protection of their personal data in conformity with Schengen Convention and the legislation active in the country. The programme is implemented by means of:
· Publishing a bulletin;
· The information website of the Commission – publishing the respective regulations; additional clarifications and rights of defence;
· Mass media: publishing articles, consultations, television programmes, etc.;
· Holding seminars aiming at training controllers dealing with personal data processing, located both in the capital and throughout the country;
· Publishing brochures;
· Information and Contact Centre of the Commission.
2. RIGHT OF ACCESS
Any individual shall be entitled to access their personal data which is among the fundamental rights, stipulated in LPDP and particularly in Chapter Five of the law.
The main purpose of exercising the right of access is to provide the individual with the necessary, yet admissible by the law information.
According to the provisions of art. 26, para. 1 of LPDP, any individual shall have the right of access to the personal data referred to them. As per art.28а of the same law any individual shall be entitled to require, at any time, from the controller:
· To erase, rectify or block his or her personal data, the processing of which does not comply with the provisions of this law;
· To notify any third parties to whom his or her personal data have been disclosed of any erasure, rectification or blocking carried out, unless this is impossible or involves a disproportionate effort.
According to the active legislation the right under art. 26, para.1 and the rights under art.28а of LPDP shall be exercised directly by submitting a written application to the personal data controller. Art.30, para.1 of LPDP provides information on the obligatory components of the application. It shall be filed personally by the individual or by explicitly authorized person with a power of attorney certified by a notary public. The application may be sent electronically as per the terms of the Electronic Document and Electronic Signature Act.
After the receipt of the application the personal data controller shall file it into the register. The Controller or the explicitly authorized by him/her person shall review it and shall announce its decision within 14-day term after its filing. In case a longer term is reasonably required with a view to collecting all requested data and this would impede seriously the activity of the data controller, this term may be extended up to 30 days. By virtue of a decision the personal data controller grants or denies access and/or the information requested by the applicant. According to art. 34 of LPDP, the personal data controller shall deny access to personal data when such data do not exist or their provision is prohibited by law.
The individual may exercise these rights indirectly, by approaching CPDP.
The Ministry of Interior Act stipulates that any individual shall be entitled to require access to the personal data referred to him/her and processed in the data collections of the Ministry of Interior and collected without the individual’s knowledge. Within 14 days after the submission of the application for access the data controller shall announce a decision. Upon request of the individual a copy of the processed data referred to him/her shall be provided on hard copy. The units of the Ministry of Interior shall entirely or partially refuse delivery of data, if a risk for the national security or the public order may arise, or for safeguarding of information classified as state or official secret, for revealing the sources of such information or the secret methods and means for data collection, or if delivery of such data to a person would harm the execution of tasks legally assigned to the units of the Ministry of Interior. The notification to the applicants concerning the refusal shall be made in writing, at which only the legal reason shall be given. The lack of notification within the terms provided by legal status shall be regarded a refusal. According to art.161 of the Ministry of Interior Act the refusal shall be subject to appeal under the Administrative Proceedings Act
In the event that the units of the Ministry of Interior do not consider the request for access or in case they act contrary to the provisions of LPDP, the individual shall be entitled to submit a petition to CPDP.
The Commission for Personal Data Protection examines the petition and makes a decision, after the enforcement of which it shall become mandatory for the data controller. By virtue of the decision on the petition and set directions CPDP is able to put the data controller under an obligation to execute the requested access.
The right of appeal against the acts of personal data controllers is stipulated in the provisions of art.34а of LPDP. This right may be exercised with respect to the request for access and the data controller’s decision and includes the right of objection against the acts of the controller:
· against processing of his/her personal data on the basis of legitimate grounds; when such objection is justified, the personal data of the relevant individual may not longer be processed;
· against processing of the personal data for the purposes of direct marketing;
· to be informed before his/her personal data are disclosed for the first time to third parties or used on their behalf for the previously set purposes and to be given the opportunity to object to such disclosure or use.
As with the other rights of the individuals, the exercising of the right of objection is stipulated in the same regulation with the obligation of the data controller to inform the individual about his/her rights.