Master's thesis
Aljaž Lep (Author), Jerneja Prostor (Mentor), Benjamin Lesjak (Co-mentor)

Abstract

The protection of personal data is a legal institution whose importance has been growing with the development of information technology and the consequently more difficult control over the spread of information. The adoption of the General Regulation (General Data Protection Regulation, GDPR) means that organisations must re-examine their arrangements for protecting personal data and devote more attention to them than before. Legislation in the field of personal data protection imposes certain obligations on all organisations, and most of the obligations introduced by the new General Regulation already existed before its adoption. This master's thesis examines the obligations and activities that private-sector organisations must put in place in order to avoid the risks that non-compliance with the legislation in this field brings. The emphasis is on the preparation of the documentation that organisations must adopt or put in order, and on the activities and measures that must be carried out in practice. Most of the novelties introduced by the General Regulation are presented, such as the institution of the data protection officer, the record of processing activities, the personal data protection policy, and the obligation to officially notify breaches (the obligation of self-reporting). In Slovenia, the failure to adopt the new sectoral Personal Data Protection Act (hereinafter: ZVOP-2) has created a "legal vacuum", which raises doubts as to whether the Information Commissioner, as the supervisory authority, even has the appropriate powers to sanction non-compliance with the provisions of the General Regulation. For the time being, sanctions for violations are still imposed under the existing Personal Data Protection Act (hereinafter: ZVOP-1), although the supervisory authority also has certain powers under the General Regulation. The aforementioned sectoral act ZVOP-1, and the forthcoming ZVOP-2, must by no means be neglected, since the provisions of ZVOP-1 still apply to those areas that the General Regulation does not regulate or that the sectoral act may regulate differently.
The future ZVOP-2 will thus also regulate certain institutions that the General Regulation does not, including video surveillance and direct marketing, both of which are very common practices in most organisations. In many EU member states, supervisory authorities have already imposed sanctions for violations of the provisions of the General Regulation. The most common violations are, above all, deficiencies in the security of personal data, (insufficient) information security and unauthorised access to data. As expected, the highest sanctions for violations have been received by multinational organisations, but even medium-sized and small companies that store data on only a few hundred customers in their systems are not immune to the risks they face in the field of personal data protection. Compliance with the applicable legislation on personal data protection undoubtedly helps to limit the possible risks, while at the same time enhancing the organisation's reputation in the eyes of individuals, competitors and other entities.

Keywords

protection of personal data; General Regulation (GDPR); documentation; ZVOP-1; ZVOP-2; security incident; self-reporting; liability for violations

Data

Language: Slovenian
Year of publishing:
Typology: 2.09 - Master's Thesis
Organization: UM PF - Faculty of Law
Publisher: A. Lep
UDC: 342.721(043.3)
COBISS: 5822763
Views: 789
Downloads: 137

Other data

Secondary language: English
Secondary title: Risk management in the company from the point of view of the protection of personal data
Secondary abstract: The protection of personal data is a legal institution that has been gaining importance due to the development of information technology and the consequently more difficult control over the spread of information. The passing of the General Regulation (General Data Protection Regulation) means that organisations have to re-check their arrangements for personal data protection and give them more attention than before. Legislation in the area of personal data protection demands certain obligations from all organisations, and most of these obligations had already existed before the passing of the General Regulation. The master's thesis researches the obligations and activities that private-sector organisations have to carry out in order to successfully avoid the risks of violating legislation in this area. The stress is on the preparation of the documentation that organisations have to adopt or prepare, and on the activities and measures that have to be executed in practice. Most of the novelties of the General Regulation are presented, such as the institution of the data protection officer, the record of processing activities, the personal data protection policy, and the obligation of official notification of violations (the obligation of self-reporting). In Slovenia, there is a "legal void" because the new local Personal Data Protection Act (hereinafter: ZVOP-2) has not been passed. This raises doubt as to whether the Information Commissioner, as the supervisory body, even has the appropriate authorisation to sanction violations of the statutory provisions of the General Regulation. For now, sanctions for violations are still imposed under the existing Personal Data Protection Act (hereinafter: ZVOP-1). However, the supervisory body also has certain powers under the General Regulation.
The mentioned local law ZVOP-1, and the incoming ZVOP-2, cannot be neglected, because the statutory provisions of ZVOP-1 are still used for the areas that the General Regulation does not regulate or that the local law can regulate differently. Therefore, the future ZVOP-2 will regulate specific institutes that are not regulated by the General Regulation, among others the areas of video surveillance and direct marketing, which are very frequent practices in most organisations. In numerous member states of the European Union, the supervisory bodies have already imposed sanctions for violations of the statutory provisions of the General Regulation. The most frequent violations have been deficiencies in the area of personal data security, (insufficient) information security, and unauthorised access. Multinational organisations have, as expected, received the highest sanctions for violations. However, even medium-sized and small companies that store data about only a couple of hundred customers are not immune to risks in the area of personal data protection. Keeping to the valid legislation in the area of personal data protection helps to limit possible risks and, at the same time, increases the reputation of the company in the eyes of individuals, competitors and other subjects.
Secondary keywords: protection of personal data; General Data Protection Regulation (GDPR); documentation; ZVOP-1; ZVOP-2; data breach; self-report; responsibility for violations
Type (COBISS): Master's thesis/paper
Thesis comment: University of Maribor, Faculty of Law
Pages: IV, 75 pp.
ID: 11232586