Personal Data Protection Regulation – GDPR

The European Parliament and Council’s General Data Protection Regulation (GDPR) aims to harmonize data protection law across the EU and bring it up to date with technological development. The Regulation was adopted on April 27, 2016, and became applicable on May 25, 2018, the deadline by which organizations had to adapt their processes and systems.

GDPR applies to all organizations that process the personal data of individuals in the EU, regardless of where the organization itself is established. A data subject who believes that their rights under the Regulation have been infringed can lodge a complaint with the supervisory authority in the EU Member State where they live, where they work, or where the alleged infringement occurred.

The term personal data refers to any information relating to an identified or identifiable natural person.

The principles of processing personal data under the Regulation are:

  • Lawfulness, fairness and transparency
    Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject.
  • Purpose limitation
    Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
  • Data minimisation
    Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
  • Accuracy
    Personal data shall be accurate and, where necessary, kept up to date.
  • Storage limitation
    Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
  • Integrity and confidentiality
    Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.
  • Accountability
    The controller shall be responsible for and be able to demonstrate compliance with the principles.

Becoming compliant with the Regulation is not a one-off activity; it requires certain processes to be repeated continuously. Under the accountability principle, the burden of proving that the principles are met lies with the data controller, which must be able to demonstrate at any time that the processing of personal data in the organization complies with the Regulation.

Aestus d.o.o. offers a complete service covering an organization’s compliance process with the Regulation, combining legal, technical, organizational and IT support with continuous monitoring.

Analysis and audit of compliance with the General Data Protection Regulation (GDPR):

The service consists of 3 phases:

  1. Analysis and mapping of personal data processing in daily operations
    – Outcome: Recommendations and a Record of processing activities
  2. Creating an Action Plan (GDPR Roadmap) with the measures needed to align with the Regulation
    – Outcome: Project plan with defined activities for the implementation of technological and organizational measures
  3. Implementation and control of the adjustment plan
    – Outcome: Advice and oversight during implementation of the project plan in the organization’s daily operations


Legal and IT support for personal data management

To provide its customers with full technical and organizational support when aligning their organization with the Regulation, Aestus d.o.o. has signed a partnership agreement with Poslovna Inteligencija d.o.o. Under this agreement, we are jointly able to offer your organization the implementation of a consent management solution, Consent lifecycle manager.

Data Protection Officer:

The Data Protection Officer (DPO) informs and advises management and the staff who carry out processing of their obligations under the GDPR, and monitors compliance with the Regulation and other applicable data protection law.

The DPO acts as the contact point for the supervisory authority on matters relating to processing and, in performing these tasks, has due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.

In accordance with the Regulation, a Data Protection Officer must be designated in three cases:

  1. the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  2. the core activities of the controller or the processor consist of processing operations which, by their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
  3. the core activities of the controller or the processor consist of processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.

If your organization is obliged to appoint a Data Protection Officer, Aestus d.o.o. can provide the DPO role as an outsourced service, together with additional legal, technical, organizational and IT assistance tailored to your organization’s specific issues.

Data Protection Impact Assessment (DPIA):

Where a type of processing, in particular one using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.
Aestus d.o.o., a company specializing in the preparation of strategic documents, carries out the Data Protection Impact Assessment using the methodology that best suits your organizational culture and internal structure.