1. Subject of personal data under GDPR is an individual who can be identified, directly or indirectly, by an identifier / name, identification number, location data, online identifier, physiological, genetic, mental, economic, cultural or social identity, i.e. any information that directly identifies or is capable of identifying one individual.

Personal data could be also tax ID, encrypted data, etc. which could identify an individual if the identification number is connected with the person.

2. Special categories of personal data under GDPR: race, political views, religious, membership of trade unions, genetic or health status, sexual orientation, biometric data, etc.

This personal data requires special protection under the GDPR and in principle they should not be processed unless processing is authorized in the specific cases provided for in the GDPR. The controllers handling such personal data (for example, medical centers, hospitals, dental clinics, etc.) must apply appropriate and specific measures to protect the rights of data subjects.

3. Controller:

- a natural or legal person, a public body, an agency or other entity that alone or jointly with others DEFINE THE PURPOSES AND FACILITIES FOR THE PROCESSING OF PERSONAL DATA.


- a natural or legal person, a public body, an agency or other entity that processes personal data on behalf of the controller – for example, external accountants, lawyers, etc.

5. Legal grounds for processing of personal data under GDPR

- consent of the data subject - for each specific purpose.

-execution of contract

- a legal obligation,

-protection of the vital interests of the subject or of another person,

- a public interest,

- legitimate interests pursued by the controller or a third party.

In any case, the controller must prove that there is a legal basis for processing the personal data.

Rights of the data subject under GDPR:

During the process of processing of personal data the individuals must be informed at least about the following:

-Who is the controller?

-Why the controller shall collect the personal data- for which purposes?

- The categories of relevant personal data

- The legal basis for the processing of data;

- How long the data will be stored;

- Whether personal data will be transferred to a recipient outside the EU;

- Subjects should be informed that they are entitled to require a copy of their data (right of access to their personal data) and other basic rights in the field of data protection, right to information, right to correction of personal data, the right to delete / the right to be forgotten;

- Their right to submit an appeal before the Data Protection Authority (DPA);

-Their right to withdraw their consent at any time;

DPO (Data protection officer)

If an enterprise has more than 250 employees or processes large amount of data and / or systematically processing personal data, it must appoint a Data Protection Officer. It can be employee from the controller’s company or an external person under a civil contract.

Legal services under GDPR

-Consultation in relation with protection of personal data under GDPR

-Staff training under GDPR

--Preparing of all necessary legal documentation under GDPR

-Legal help in relation with imposed sanctions from the Data Protection Authority (DPA)

-Legal help in case of risk for violation of personal data.

* As the implementation of the requirements under GDPR regarding the technical measures requires the involvement of IT specialist, our team is able to work in cooperation with IT specialist from the company-controller or processors.