|Abstract:||The protection of personal data is a legal institution that has been gaining importance with the development of information technology and the resulting difficulty of controlling how information spreads. The adoption of the General Data Protection Regulation (hereinafter: the General Regulation) has required organizations to re-examine the rules governing personal data protection and to give them more attention than before. Personal data protection legislation imposes certain obligations on all organizations, and most of these obligations already existed before the General Regulation was adopted. The master's thesis examines the obligations and activities that private-sector organizations must carry out to successfully avoid the risk of violating legislation in this area. The emphasis is on the documentation that organizations have to adopt or prepare, and on the activities and measures that have to be carried out in practice. Most of the novelties of the General Regulation are presented, such as the data protection officer, records of processing activities, the personal data protection policy, and the obligation to officially report violations (the obligation to self-report).
In Slovenia, there is a "legal void" because the new national Personal Data Protection Act (hereinafter: ZVOP-2) has not yet been passed. This raises doubt as to whether the Information Commissioner, as the supervisory body, even has appropriate authorization to sanction violations of the provisions of the General Regulation. For now, violations are still sanctioned under the existing Personal Data Protection Act (hereinafter: ZVOP-1). However, the supervisory body does have certain powers under the General Regulation.
The national law ZVOP-1 and the forthcoming ZVOP-2 cannot be neglected, because the provisions of ZVOP-1 still apply to areas that the General Regulation does not regulate or that national law may regulate differently. The future ZVOP-2 will therefore regulate specific institutions that the General Regulation does not cover, among them video surveillance and direct marketing, which are very frequent practices in most organizations.
In numerous European Union member states, the supervisory bodies have already imposed sanctions for violations of the provisions of the General Regulation. The most frequent violations have been deficiencies in personal data protection, (insufficient) information security, and unauthorized inspections. Multinational organizations have, as expected, received the highest sanctions for violations. However, even large and small companies that store data on only a couple of hundred customers are not immune to risks in the area of personal data protection. Complying with the applicable personal data protection legislation helps to limit possible risks. At the same time, it improves the company's reputation in the eyes of individuals, competitors, and other parties.|