What makes personal data personal and how does the law protect them?

Published: 4 April 2018

Your data are personal if they can be used to identify you. If you think about it, you will realize how many of these data you share on social media sites without considering the potential consequences. The Fundamental Law, the Civil and the Criminal Code and the Act on Informational Self-Determination all protect your personal data. This is important to remember, given that even the sharing of a photo may represent a breach of the law if it is done without your consent.

Personal data are information suitable for identifying a specific person, i.e. these details are unique and sensitive data directly associated with you. You are the only person who was born at a given date and place as the child of a given set of parents, hold a certain job, live in a particular location with persons close to you, belong to certain communities and stand up for certain convictions. Documents on your state of health, pictures taken of you and your browser and mobile app history all belong to you, as do your bank and email accounts with the specific passwords and secondary identifiers. Some of these may enable fraud on their own, but you may be especially vulnerable if unauthorized persons access several of these data simultaneously.

For this reason, you need to protect these data especially carefully. Protection is provided in our Fundamental Law, the Civil Code, the Criminal Code and, last but not least, Act CXII of 2011 on Informational Self-Determination and the Freedom of Information.

Personal and special

As defined by the law, your personal data include your name, date of birth, residential address and marital status information. Special data are a separate subset: they are more sensitive as they relate to, among other things, your racial origin, nationality, political opinion or party affiliation, religious or other philosophical convictions, and sexual life; other data in this category include health and addiction data.

These are all information that you would be unwilling to share with anyone other than those closest to you, as it is easy to misuse such data. The Internet and the various social media sites are typical places of such fraud and personality right breaches. Your right to your own image is breached any time a photo is shared of you on Facebook without your consent. Anyone who registers on a website with your personal data, i.e. uses them unlawfully, will be in breach of your right to the protection of your personal data.

Specific purpose, limited, proportional

Section VI (2) of the Fundamental Law states that everyone has the right to the protection of personal data. The Civil Code (Section 2:43) includes under specifically named personality rights the right to the protection of personal data and the right to image and sound recordings. In Section 219 on the misuse of personal data, the Criminal Code regulates personal data being managed unlawfully or in deviation from its purpose, aiming to gain pecuniary advantage or resulting in significant damage to interests. In practice the abstract “management” of data means when someone uses your data for some purpose or merely retains, saves and stores them in a database. Special data are even more important, and the Criminal Code imposes more severe penalties on their misuse. The management of personal data and data protection are regulated in Act CXII of 2011 on Informational Self-Determination and the Freedom of Information. The Act (Section 5) states that personal data may be managed only with the data subject’s consent; this means that you dispose over your data yourself and you decide who can keep them on record and use them, and how. It is important to know – and the Act states it as a basic principle (Section 4) – that personal data may be managed only for specific purposes, in order to exercise a right and fulfil an obligation, and only such personal data may be managed as are essential to achieving the purpose of the data management process and suitable for achieving it.

Increasingly transparent

If a website publishes your name and address without your consent or if it uploads a recording where you can be clearly identified, it has breached the law. It is also in breach of the law if it stores your data for purposes you have not consented to and are not associated with the purpose for which you have entered into a contract with the service provider.

As the digital economy increasingly generates and utilizes big data, the European Union demands ever greater transparence in the management of data. You are probably going to find out more in the near future about what happens to the data gathered from you during your day-to-day online transactions. This is one of the objectives of the European Union’s new General Data Protection Regulation (GDPR), which will enter into force on 25 May 2018; its other main aim is to provide uniformly high-level legal and technical protection for personal data across Europe.