The Law on Personal Data Protection establishes the rights of citizens when their personal data are processed in different, everyday situations. In order to understand our rights regarding the protection of our personal data, we first need to understand what is considered personal data. In this text, we will explain which data are considered personal data and in which situations they fall within the scope of the Law on Personal Data Protection.
The Law on Personal Data Protection defines personal data as any information relating to an identified individual or an identifiable individual. An identifiable individual is a person whose identity can be determined directly or indirectly, specifically based on an identifier. In other words, any information through which the identity of a specific individual can be determined is considered personal data. In this case, the individual is called the personal data subject. For example, the description “the doctor’s son” is not considered personal data because it can refer to more than one person. On the other hand, if the personal name and surname or home address of the “doctor’s son” is added to this description, the description will be considered personal data because through that set of information the identity of the natural person can be determined.
Furthermore, when it comes to identifiers, the Personal Data Protection Law provides an open list of data through which individuals can be identified, that is, which would be considered personal data. Thus, the Law states: name and surname; citizen’s identity number; location data; online identifier; as well as one or more characteristics specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual. The list is open because other information about the citizen can be considered personal data, depending on the situation. For example, a transaction account number or debit/credit card number may be considered personal data in financial services, because it is unique information that can identify its user.
At the same time, the Law on Personal Data Protection provides for the pseudonymization of personal data. Pseudonymization is the processing of personal data in such a way that the personal data can no longer be associated with a specific personal data subject (individual) without using additional information, provided that such information is kept separately and is subject to technical and organizational measures to ensure that personal data are not linked to an identified individual or an identifiable individual. In this case, pseudonymized data are no longer considered personal data because they cannot be linked to and identify a specific natural person. For example, if students at a particular faculty are assigned an index number, and access to the index number assignment system is restricted, the index number will not be considered personal data. On the other hand, if the index number is accompanied by the student’s name and surname, their picture or ID number, it will be considered personal data because the student can be identified through it.
The Law on Personal Data Protection also establishes special categories of personal data that include information that reveals racial or ethnic origin, political views, religious or philosophical beliefs or membership in trade union organizations, as well as genetic data, biometric data, data relating to health or data about the sexual life or sexual orientation of the individual. The processing of these personal data is prohibited except in certain cases determined in the Law on Personal Data Protection.
The processing of personal data related to criminal convictions and criminal offenses is also prohibited, except in cases where the processing is carried out under the control of a competent authority of the state government or when the processing is permitted by a law that establishes appropriate measures for the protection of the personal data subjects (individuals).
To fully understand the rights arising from the Law on Personal Data Protection when our personal data are processed, we first need to understand what data is considered personal data. Basically, personal data are any information or collections of information through which an individual can be identified, that is, “separated” from other individuals – personal data subjects.
Author: Nikola Dimitrov, M.Sc
This text has been prepared with the support of the European Union. The contents of this text are the sole responsibility of the partners of the project “Privacy by Design – Building an Inclusive Digital Ecosystem” and of the author and in no way reflect the views of the European Union.