THE FIRST PERSONAL DATA PROTECTION ACT IN YUGOSLAVIA

Out of the six Republics which belong to the Yugoslav Federation, only the Republic of Slovenia has introduced a Data Protection Act, more precisely known as the Personal Data Protection Act. The Act was passed in the Assembly of the Republic of Slovenia on March 7, 1990. It was disclosed on March 16, 1990 and came into force eight days after this date. This Act is valid only in this Federal unit, i.e. in Slovenia.

The first proposal for the passing of this Act was written as early as 1983 and was discussed in the Slovenian Assembly on February 20 and 21, 1984. At that time it was decided that work on the Act would be temporarily stopped, with the explanation that this field must first be uniformly recognised by Federal law, i.e. at the level of the Yugoslav Federation. That has never been done, so in the Spring of 1989 the Institution for Republic Administration at the Faculty of Law in Ljubljana (the capital of the Republic of Slovenia) produced a law draft. These proposals were sent to the Federal body in the hope of bringing into force a Federal Personal Data Protection Act. However, this was without result. So the Republic of Slovenia brought in its own Personal Data Protection Act, which is valid only on its territory.

This Act, which has no tradition in Yugoslav legal territory, is based on OECD Directives from 1980, as well as on the Convention of the European Council from 1981. The constitutional ground for the Act is amended Article 321 of the Slovenian Constitution. The content of the Act is, in its essential parts, in accordance with most of the Western European Acts. The Act consists of 12 chapters:

1. General provisions
2. Personal data protection
3. Personal data security
4. Catalogues of data and catalogues of data files
5. Rights of data subjects
6. Protection of data subject rights
7. Limitations of data subject rights
8. Transfer of personal data out of the country
9. Inspection supervision
10. Control of execution of law
11. Penal provisions
12. Transitory and final provisions
GENERAL PROVISIONS (Articles 1 - 5)

In its general provisions the Act sets out the subject which it regulates (Article 1) and the contents of personal data security (Article 2). Personal data protection comprises the rights, principles and measures which prevent illegal and unauthorised breaches of individual integrity, including personal and social life, arising from the collecting, processing, storing, transmitting and using of data. Personal data security comprises legal, organizational and appropriate logical and technical procedures and measures which prevent unauthorised or unregistered access to rooms and to machine and program equipment; unintentional or intentional unauthorized destruction of data, their modification or loss; as well as unauthorized access to, processing and transfer of these data and their use. Article 3 provides that data files which include personal data can be compiled, managed and maintained only on the basis of law or on the ground of written permission of an individual (data subject), authorized to use the personal data.

PERSONAL DATA PROTECTION (Articles 6 - 10)

Applying the principle of legal collection and use of personal data, the Act states in this chapter that the controller of a data file can collect, process, store and transfer those personal data for which he is authorised by law or by written permission of the individual concerned. Particular activities in connection with the collecting, processing, keeping and transfer of personal data can be entrusted by the controller of the data file to another person (legal or physical), contractually registered for performing such activities, which must, inter alia, include conditions and measures for security of personal data (Article 6).

Applying the principle of direct personal data collecting, the Act provides that personal data are to be collected directly from the individual concerned. In particular cases, however, personal data can also be collected from third parties or from existing data files. In such cases the persons from whom, and data files from which, the personal data can be collected must be specified. Unless otherwise provided by law, the individual (data subject) concerned must previously be notified that the data about him will be obtained from an already existing data file (Article 7).

Respecting the principle of collection and use of personal data, Article 8 of the Act states that personal data can be collected, processed, kept and transferred only for purposes determined by law or more obviously by the will of the individual. Data cannot be used for contrary objectives. The same is also true in respect of data matching, which connects personal data drawn from different data files. Once the purpose for which personal data were collected, processed and stored has been fulfilled, the data must be erased from the data file, unless otherwise provided by law (for instance, in the field of natural and cultural heritage) (Article 9).

Article 10 deals with the transfer of personal data to other users. They must be authorised for such use by law or be granted permission by the data subject to use such data. The users may not transfer the collected personal data to other persons and they can use them only for the purposes laid down by the Act. If users want to use personal data for statistical, scientific or research work, or for educational or other similar purposes, the controller of the data file can transfer the requested personal data to these persons, but in a form which ensures the anonymity of the data subject. In addition, the controller of the data file must ensure that the personal data transferred can later be identified together with the recipient and the purposes for which they were used. This applies for the period during which the particular data are being kept.
PERSONAL DATA SECURITY (Articles 11 - 12)

In this chapter the Act obliges the controllers of data files and others who, in accordance with the law, collect, process, keep and transfer personal data to introduce internal measures providing appropriate logical and technical procedures consistent with personal data security.
THE COMPUTER LAW AND SECURITY REPORT
REGISTER OF DATA AND DATA FILES (Articles 13 - 14)

The Act requires the controller of the data file to record the following information in the Register: the name of the data file; its controller; the legal basis for creating it; the categories of data subjects in the file; the kinds of personal data in the file; the legal basis for collection and the collection methods; the purpose; the time limitation for keeping and using personal data; limitations of rights of individuals in respect of the data in the file and the legal basis for such limitations; data users; and, if data are being transferred out of the country, where, to whom and the legal basis for that. In addition, the Republican administration conducts and issues the Register of all data files (common data catalogue).

RIGHTS OF DATA SUBJECTS (Articles 15 - 17)

The Act ensures the following rights to the data subject:
• the right of access to the data files and the right to copies of the data contained in them;
• the right of access to data which are contained in a data file and relate to the data subject, and the right to their transcript and output;
• the right to request the list of third parties to whom the data relating to him were transferred;
• the right to request the addition and correction of incomplete, incorrect or not updated data;
• the right to request the erasure of data unlawfully collected.

PROTECTION OF DATA SUBJECT RIGHTS (Articles 18 - 24)

If the data subject considers that his rights are infringed, he can seek judicial protection. The competent court hears the case in a special, less formal proceeding, which is held speedily and in private. Depending on the circumstances of the case, the court can decide the case immediately, without asking for the defendant's statement first. In addition, the injured data subject can request compensation from the infringer.

LIMITATIONS OF DATA SUBJECT RIGHTS (Article 25)

The Act lays down that the rights of the data subject can be limited only in exceptional cases, which are necessary to fulfill the legal purposes of the limitation. Accordingly, specific provisions determine these limitations in particular fields such as the health service. However, it is not possible to limit rights of access to the register of data files or the right to a court hearing.

TRANSFER OF PERSONAL DATA OUT OF COUNTRY (Articles 26 - 29)

The controller of the data file can transfer personal data out of the country to foreign users if the country to which the data are transferred has data protection legislation in force which protects foreign citizens too. The Republican administration competent for international relationships issues the necessary certificate. For personal data transfer, a second condition must also apply, viz. an appropriate legal basis for the transfer, e.g. an international treaty or agreement, or a contract for scientific, business, technical, cultural or other similar collaboration. Notwithstanding these conditions, the transfer of personal data out of the country to foreign users is allowed with the written permission of the data subject (Article 26). Exceptionally, the transfer of data to foreign users is not permitted for certain types of personal data for which the particular law provides (Article 27). The controller of the data file can transfer to Federal bodies and organizations, and to users in the other Yugoslav Republics, only personal data for which the Federal law or an agreement between Republics provides. This does not apply if the transfer is agreed to by written permission of the data subject (Article 28). The data subject can ask for judicial protection if he thinks that by the transfer of data according to Articles 26, 27 and 28 his rights under Article 29 may be infringed.

INSPECTION SUPERVISION (Articles 30 - 32)

The Act provides for inspection and supervision to ensure that the provisions of the Act are obeyed. These powers are vested in the Republican administration responsible for the Register. The inspection is given appropriate powers to deal with any irregularities that are found.

CONTROL OF EXECUTION OF LAW (Article 33)

The competent working body of the Assembly of the Republic of Slovenia controls the state in the field of personal data protection and the execution of the provisions of this Act.

PENAL PROVISIONS (Articles 34 - 38)

The Act regulates the imposition of fines for offences committed under some provisions of the Act.

TRANSITORY AND FINAL PROVISIONS (Articles 39 - 42)

These provisions provide for a transition period during which the controllers of data files must bring their activities into compliance with the new law.
Nelka Fikeys Krmi~, LL.M., Report Correspondent