Protection of personal information act 4/2013

 

PURPOSE OF THE ACT

The purpose of the Protection of Personal Information Act 4/2013 (hereinafter referred to as “the Act”), is to protect Personal information against the unlawful collection, retention and use of said information.  This act considers the right to privacy weighed up against the right and need for economic and social progress.

As any right is limited, the right to privacy is subject to justifiable limitations.

 

PROCESSING LIMITATION (SECTION 11)

Personal information may only be processed (i.e. collected, recorded or used) if

  • there is consent or
  • Processing is necessary for perusing the legitimate interest of the responsible party (person who is processing the information)

The data subject (person whose information is being processed) my object at any time to the processing of personal information.

 

Personal information may only be collected directly from the data subject, except

  • if the information is derived from a public record or
  • collection of the information from another source would not prejudice a legitimate interest of the data subject.
  • Collection of information from another source is necessary to maintain the legitimate interest of the responsible party to whom the information is supplied.

 

PURPOSE (SECTION 13)

Personal information may only be collected for a specific, explicitly defined and lawful purpose, relating to the function or activity of the responsible party.

 

The data subject is to be made aware of the purpose of the collection of information

The collection of personal information and the further processing thereof is to be for the same legitimate purpose.

 

RETENTION AND RESTRICTION OF RECORDS (SECTION 14)

Records of personal information must not be retained any longer than necessary for achieving the purpose for which the information was collected or subsequently processed unless;

The responsible party reasonably requires the records for a lawful purpose relating to its functions and activities.

 

The responsible party must establish appropriate safeguards against the records being used for any other purpose.

 

If personal information is destroyed, it must be done in a manner which prevents the information being reconstructed.

 

Once a responsible party no longer requires the personal information of a data subject, then the responsible party is to restrict the use of said personal information.

 

DIRECT MARKETING BY MEANS OF UNSOLICITED ELECTRONIC COMMUNICATIONS (SECTION 69)

 

Direct marketing is prohibited unless the data subject;

  • Has given consent for the processing
  • Is a current customer of the responsible party

 

A responsible party may approach a data subject only once in order to request the consent of the data subject for said marketing.

 

A responsible party may only process (collect, record or use) the personal information of a data subject who is a customer if;

  • The responsible party has obtained the contact details of the data subject in the context of the sale of a service or product,
  • For the purpose of direct marketing of the responsible party’s similar products/services and
  • If the data subject has been given reasonable opportunity to object to said processing

 

Any communication for the purpose of direct marketing must contain;

  • Details of the sender of the communication
  • An address or contact details of the sender of the said communication.