The understanding of personal data protection changes from day to day in theory and practice. This general information is informative and is intended to help individuals understand the difficult subject of personal data protection. If this information contravenes the applicable legislation, supervisory authorities’ practices and court practice, the latter shall prevail.
What is personal data?
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data are, for instance: name and surname, home address, location, e-mail address, age, date of birth, place of birth, citizenship, nationality, education, personal identification number, tax number, mobile phone number, bank account number, data on the living conditions of the individual, disability category, seniority, etc.
What does processing of personal data mean and when do the General Data Protection Regulation (GDPR) and the Personal Data Protection Act (ZVOP-2) apply for processing?
Processing of personal data is any handling of personal data. It is therefore everything we do with personal data. Typical examples of personal data processing are collecting, obtaining, storing, forwarding, etc.
The General Data Protection Regulation applies to the processing of personal data that is carried out in whole or in part by automated means. However, if the processing is carried out entirely by hand (not even partly by automated means), the GDPR requirements apply if the data being processed is already part of a collection or is intended to be included in a personal data collection.
ZVOP-2 applies to the processing of personal data in fields regulated by the General Regulation or specifically regulated by this Act and is performed wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
Who is the personal data controller in a particular case?
The personal data controller for personal data of natural persons in a particular case is the University of Maribor, Slomškov trg 15, 2000 Maribor, registration number: 5089638000, tax number: 71674705. More information on the University of Maribor, its faculties and other university members is available on the existing website.
How does the University of Maribor collect personal data?
The University of Maribor obtains personal data from various sources. For the most part, individuals provide data directly (e.g., students upon filling out the registration form, employees upon completing the statement on the reimbursement of transport costs to and from work, etc.). The University of Maribor also processes data obtained from other legitimate sources (e.g., official records, etc.).
Which categories of personal data are collected and processed?
As part of its activities, the University of Maribor collects and processes various categories of personal data of natural persons. Which personal data are processed in a particular case depends on the purpose and the legal basis for the processing. In doing so, we strictly adhere to the principle of data minimisation. The University of Maribor processes only the data without which it is not possible to reasonably achieve the purpose of the processing or for the processing of which we obtain the natural persons’ consent. We process the personal data of natural persons lawfully, fairly and in a transparent manner. For each processing of personal data, we have a particular purpose and legal basis, which are adequately recorded in the records of processing activities. When personal data that are clearly not necessary for a specific processing are unintentionally collected, they are deleted without undue delay, otherwise irreversibly destroyed or returned to the natural person they are referring to or to the data controller or processor who has sent them.
Who are the users of obtained personal data?
The users of obtained personal data are primarily the employees of the University of Maribor. We strictly adhere to the principle of minimum processing, integrity and confidentiality of data.
In certain cases, personal data of natural persons are also processed by the so-called contractual processors. These are trustworthy companies that are trusted with the processing of personal data due to different needs and with which the University of Maribor has concluded special contracts on the protection of personal data (e.g. a company producing student identity cards, etc.).
In certain cases, the University of Maribor also forwards personal data of natural persons to third parties (e.g. the Labour Inspectorate of the Republic of Slovenia, Financial Administration of the Republic of Slovenia, courts, etc.), if such obligation of forwarding or disclosure is imposed by a law or another regulation.
How long does the University of Maribor store personal data of natural persons?
The storage period of personal data of natural persons depends on the purpose of obtaining, the legal basis and other circumstances in a particular case of processing. The University of Maribor stores the personal data of natural persons for no longer than is strictly necessary for the purposes for which the data are processed. For cases where the storage period of personal data is not prescribed in advance by law, the University of Maribor has adopted the Instructions on Setting Storage Periods and Managing Documentary Material of the University of Maribor, with the aim of ensuring the implementation of the storage limitation principle.
Unless another law provides otherwise for the individual categories of personal data, after the fulfilment of the purpose of processing, personal data are deleted, destroyed or anonymised or another procedure is performed which makes it impossible to identify the data subject, especially restricting access to such data, blocking or archiving it.
Taking into account the nature of processed data and risks, the University of Maribor checks periodically and in a documented manner whether the provisions regarding the retention period are observed.
Who can natural persons turn to for additional explanation or information on the processing of personal data, including the information on their rights?
If you have any questions related to the protection or processing of your personal data, you can turn to the authorised person for the protection of personal data at the University of Maribor (in English: data protection officer or DPO), by sending an e-mail to email@example.com.
Detailed information on particular aspects of personal data processing is also available on the web pages of the Information Commissioner of the Republic of Slovenia and the European Data Protection Board as well as in the opinions of the so-called Article 29 Working Party.
How can natural persons exercise their rights in the field of personal data protection?
Natural persons can exercise their rights in the field of personal data protection by a request addressed to the University of Maribor. The request can be submitted in person or via mail to the following address: Slomškov trg 15, 2000 Maribor or by sending an e-mail to firstname.lastname@example.org or email@example.com. The University of Maribor decides on the natural person’s request within 1 month from receipt; in exceptional cases, this time limit may be extended for a maximum of two months, taking into account the complexity and number of requests. When making the request, natural persons can make use of the forms provided by the Information Commissioner of the Republic of Slovenia.
Who can natural persons complain to, if they think that the controller is handling personal data unlawfully?
Natural persons may lodge a complaint against the implied rejection of the complaint with the supervisory authority (Information Commissioner of the Republic of Slovenia, Dunajska 22, 1000 Ljubljana, e-mail: firstname.lastname@example.org, Tel.: +386012309730, website: www.ip-rs.si). There is no time limit for lodging a complaint against the implied rejection.
Natural persons may lodge a complaint against the controller’s refusal with the supervisory authority within 15 days from receiving the controller’s response.
Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes the General Data Protection Regulation. The supervisory authority with which the complaint has been lodged shall inform the complainant on the progress and the outcome of the complaint including the possibility of a judicial remedy pursuant to Article 78.
Natural persons who believe that the controller or processor from the public or private sector infringes their rights provided for in the General Regulation or Acts regulating the processing or protection of personal data, may seek judicial protection of their rights throughout the duration of the infringement without prior exercise of rights under other provisions of ZVOP-2 or the application of other legal remedies.