The current law includes an outdated requirement— the registration of databases— which has been largely eliminated in modern privacy laws. The amendment significantly reduces the registration requirement, mandating registration only in the following cases:
The primary purpose of the database is to collect personal data for the purpose of transferring it to third parties as a business activity or in exchange for payment, and the database contains personal data of more than 10,000 individuals; or
The controller of the database is a public body, unless the database contains only employee data.
At the same time, the amendment introduces a new notification requirement to the Privacy Protection Authority, requiring controllers to report databases containing highly sensitive data of more than 100,000 individuals, even if they are not subject to registration.
Although the amendment reduces bureaucratic burdens, database controllers are still required to comply with legal restrictions on data collection and use, including data security requirements. In fact, as we will see, the liability of controllers is increasing.
Comments