Privacy or not - that is the question

Ivan Cirković
Algebra College
icirkov@racunarstvo.hr

This paper analyses the personal data protection measures identified by the European Union and adopted in the General Data Protection Regulation (GDPR), which entered into force on 25 May 2018. The changes that the GDPR brings should give greater control to EU citizens over the personal data that organizations collect and process to provide them with specific services. In today's information society, whose development is based on the processing of a multitude of data, regulation of the collection and processing of personal data is needed to protect the rights of individuals and to prevent the misuse of their data.

Key words – GDPR, PII, personal data, regulation, data protection, data processing, data collection, information society

I. INTRODUCTION

The development of information technology in recent years has been rapid and extensive. Most production processes are automated and streamlined and partly brought to the level of artificial intelligence management. The market is globalized and its functioning has been brought to the highest level. It is obvious that, because of the rapid development of modern information and communication technology and new ways of automated data processing, there was a need to create a detailed legislative framework to control and ensure the protection of data and information and the fundamental freedoms of the individuals involved in the information process whose data is processed [1].

Data disseminated and processed into information through knowledge sharing, communication and other processing methods and data processing techniques must be accurate, consistent and true, which of course is difficult to control. What has been controversial in these theories is data partiality and inconsistency despite the truth of their theses. One of the biggest problems that arises with the development of information technology and data processing is the threat to human rights [1].

As data protection is greatly influenced by legislation, it will be shown how certain regulations have had an impact on the flow of data on the market and on their protection. The protection of personal data in different countries of the world will be compared to the level of protection in Croatia and the EU, given that the European Union has been most concerned with the issue of the flow, protection and automatic processing of personal data. The paper will particularly highlight the General Data Protection Regulation (GDPR), which has led to numerous changes in data protection, has updated the issue of personal data protection and has encouraged public debate on the topic globally [1].

II. PII AND PROTECTION

Personally identifiable information (PII) is information that can identify an individual. PII may contain direct identifiers that identify a person uniquely, or quasi-identifiers that can be combined with other quasi-identifiers to successfully recognize an individual. Data that can be included are IP addresses, login data, social media posts, digital images, geolocation, behavioural data or biometric data [4].

III. GDPR

A major step forward in the area of personal data protection and information security is the adoption of the new General Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation - GDPR) and its entry into force on 25 May 2018, which repeals the current Directive 95/46/EC [1].

One of the first steps for organizations on the journey to GDPR compliance is to find out what 'personal data' (i.e. any information relating to an identified or identifiable natural person) are stored where. Image 1 shows the 5 recommended steps for discovering data. The first step is to record all data stores by their name, purpose and physical location. The second step is to select the data stores that are already known to contain personal data. The third step is to capture or reverse-engineer the physical model of the selected data stores. The fourth step is to identify, for each selected data store, the metadata of personal data and of objects that are related to personal data. The fifth and last step is to create or enrich the logical data model using the business data dictionary [8].

Image 1: The process for data discovery [8]

The aim of the GDPR regulation is to harmonize all laws regarding the protection of personal data throughout the European Union. The introduction of the regulation gave individuals more control over the management and sharing of personal information with third parties [7].

GDPR protects political views, a person's identity information (name, address, ID card), web data such as user location, cookie data, IP addresses, RFID (radio frequency identification), biometric data, race, ethnicity, health status and genetic information and sexual orientation [7].

The most important rights secured by the GDPR are transparency, the right to be removed from the database, the right to rectification, the right to oppose automated individual decision making (profiling), the right to portability, the right to object to the processing of personal data, the right to restrict processing and the right of access to data [7].

The processing manager (the data controller, in GDPR terminology) must inform the respondent (the data subject) of his or her identity and contact information, the purposes of the processing and the legal basis for processing the data, the recipients, any export to third countries, the storage period and the possibility of withdrawing consent. All newsletter subscribers must be able to be removed from the list at any time, and processing managers must delete the information of those who unsubscribe. The user has the right to request correction of incorrect personal information that has been collected relating to him. The user is also entitled to complete incomplete personal information, including by submitting an additional statement. The respondent has the right not to be affected by a decision based solely on automated processing. The respondent has the right to receive his or her personal data and to transfer this information to another processing manager. When someone invokes the right to object to the processing of personal data, the processing manager may no longer process the personal data of the respondent unless they prove that their legitimate reasons for processing outweigh the interests of the respondent. In certain situations, the respondent has the right to request that processing be restricted, with the exception of storage and some other types of processing. The user may ask the processing manager to confirm whether personal data relating to him is being processed and, if so, to be given access to that personal data and to information about, among other things, the processed personal data, the purpose of the processing, the storage time, transfer to third countries, etc. [7].

The protection of personal data is not an absolute right but a right that must be balanced against other rights. Therefore, the General Data Protection Regulation provides a mechanism to respect and balance data protection rights against other rights. In this way, under EU or national law, the processing manager or the processing executor can limit the scope of the rights of respondents if such a restriction respects the essence of fundamental rights and freedoms and constitutes a necessary and proportionate measure in a democratic society for the protection of significant values such as national security, defence, public security, other important objectives of general public interest in the EU or a Member State, the protection of the independence of the judiciary, etc. Each such legislative measure contains specific provisions on processing purposes or processing categories, categories of personal data, the extent of the restrictions introduced, safeguards to prevent abuse and other aspects to protect the rights of individuals [5].

GDPR clearly defines situations where personal information covers circumstances in which it is not possible to clearly determine to whom the data relate, such as location data or IP addresses, but it is still possible to identify an individual through that data. The insurance industry must therefore be aware that location data, collected e.g. in telematic boxes or wearables, and IP addresses collected in website analytics will need to be GDPR compliant. Applying GDPR to processing executors (data processors) undoubtedly brings a greater balance between the processing manager and the processing executor. It is often considered an unfair burden for processing managers to manage their own data protection obligations as well as the activities of their processing executors. However, lengthy pre-contractual negotiations are likely to be required, as processing executors will inevitably require clear contractual provisions detailing the agreed relationship between the parties with respect to each aspect of processing, the responsibilities of the processing manager and the processing executor and specific processing instructions to ensure compliance with the obligations imposed by GDPR. It is reasonable to anticipate that such requests will make agreements and negotiations for data processing much more complex and time consuming [6].

The three main reasons for introducing GDPR are the introduction of the same laws for each EU Member State, which translates into savings of around € 2 billion for businesses; the elimination of the risk of each company changing or setting its own data protection rules, thereby automatically allowing for faster international business and transactions; and generally greater rights and protection of an individual's personal information, and a more secure use of it.

A. Data protection around the world

The French National Data Protection Agency CNIL (Commission Nationale de l'Informatique et des Libertés) has published on its website an interactive map (Image 2) that offers a brief overview of the level of legislative protection of personal data in all countries of the world for which it has data. On the map, countries are categorized according to the adequacy of the level of protection applicable in a particular country. The European Commission may decide that data can be transferred to another company in a third country "without the need for a data exporter to provide additional safeguards or without being subject to additional conditions. In other words, transfers to an 'appropriate' third country will be equated with intra-EU transfers." The first category on the map, indicated in deep blue, consists of the countries of the European Union and the European Economic Area (EEA), and the following categories consist of countries that according to the EU have an adequate level of protection of personal data (Switzerland, Argentina, Uruguay, Israel and New Zealand), countries with a partially adequate level (Canada, USA), countries that do not provide a sufficient level of protection as assessed by the EU (Serbia, BiH, Macedonia, Albania, Mexico, Australia, South Korea, Colombia, Ukraine, Tunisia, etc.), as well as countries that also have personal data protection laws but are considered insufficient (Russia, Turkey, China, Brazil). The overview of each country on the map also shows which organization is in charge of enforcing data protection laws [7].

Image 2: Map showing the level of legislative protection of personal data as assessed by the EU [7]

B. Pros and cons of GDPR implementation

GDPR primarily brings better protection for citizens and greater control over the processing of personal data. The stricter rules in themselves also bring about an orderly system and greater control and security in processing. The novelty is the "right to be erased", also known as the "right to be forgotten". The principle of this right is to allow individuals to request the deletion or removal of personal information unless there is a compelling reason to process it. It will be interesting to see it put into practice, since search engines such as Google, which has domains in all EU countries - for example Google.com, will have to delete "links" from all instances, which will also be a waste of money and time, but it results in what matters most to Europe: EU citizens have more control over the processing of their personal data! A special category is the personal data of children, where the age limit is 16 years, with the possibility of prescribing a lower age limit, down to 13 years, for consent to the processing of children's personal data, which raises the protection of children's rights. In Croatia, the legislature has opted for the 16-year limit. Furthermore, the rules also have an effect on national security, with the obligation to pass on data now applying to search engines and social networks, which are often used as a means of communication, in order to increase the level of protection with respect to providers that were previously exempt because, not being registered in the EU, they had not been subject to EU law. The security measures prescribed by the Regulation for specific categories of personal data, especially in the growing eHealth system, as well as the new definition of network identifiers and genetic and biometric data as personal data, are truly great news and more than welcome, as they have not been covered by current legislation. It is also opening up a new consultancy market for professionals in the field of personal data protection, which truly requires diversification and skills development in the fields of information science, management and the legal profession, since merely aligning an organization with the GDPR requires an interdisciplinary approach [2].

The downside is the "unpreparedness" and low level of awareness of the importance of protecting personal data and of the need to protect data processing in the vast majority of EU Member States. Looking back, the GDPR was passed two years ago, leaving that period for adjustment, and in reality companies and training seminars only began last September, when the private sector actually understood the importance and the need, most notably through communication about high penalties. Certainly, new GDPR requirements mean new security measures, which bring new investment in business processes and therefore new costs: from the legal basis to the obligation of explicit consent, deletion and even pseudonymisation of data at the moment when the need for their further processing ceases [2].

IV. CONCLUSION

The paper describes the key concepts necessary to understand the importance of protecting personal data, namely data, information and the information society, based on the production, processing and exchange of data. According to the historical context, it is evident that data have been recorded, processed and stored over the centuries, and that their protection has always depended on the medium on which they are stored. The development of information and communication technologies has revolutionized data processing, and new technologies have enabled the storage and utilization of an increasing amount of data. But it has also brought new challenges in protecting personal information. According to the European Union, the highest level of protection of personal data is precisely in the EU countries and the European Economic Area, while the level of protection in other countries of the world is considered sufficient.
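As an added example, not code from the paper or from [8], the Python sketch below carries out the 5 data-discovery steps of section III over a constructed inventory of data stores and applies the direct/quasi-identifier distinction of section II when tagging columns; the store names, column names, sample values, regex heuristics and business dictionary are all assumptions.

```python
import re

# Constructed sample inventory (not from the paper). Step 1 records each store's
# name, purpose and physical location; step 3 captures its physical model as
# table -> column -> a few sample values.
DATA_STORES = [
    {"name": "crm_db", "purpose": "customer records", "location": "dc1-rack4",
     "has_personal_data": True, "tables": {"customers": {
         "cust_id": ["1001", "1002"], "email": ["ana@example.com", "ivo@example.com"],
         "birth_date": ["1990-02-11", "1985-07-30"], "city": ["Zagreb", "Split"]}}},
    {"name": "web_logs", "purpose": "site analytics", "location": "s3://logs",
     "has_personal_data": True, "tables": {"access": {
         "client_ip": ["10.0.0.7", "192.168.1.9"], "path": ["/home", "/login"]}}},
    {"name": "inventory", "purpose": "stock levels", "location": "dc1-rack2",
     "has_personal_data": False,
     "tables": {"items": {"sku": ["A-1", "B-2"], "qty": ["5", "9"]}}},
]
# Business data dictionary for step 5 (constructed): physical column -> term.
BUSINESS_DICTIONARY = {"email": "Customer e-mail address", "birth_date": "Date of birth",
                       "city": "City of residence", "client_ip": "Visitor IP address"}
# Step 4 heuristics (assumed). Direct identifiers single out a person on their
# own; quasi-identifiers only do so in combination with others (Section II).
DIRECT_PATTERNS = {"email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$"),
                   "ip_address": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$")}
QUASI_NAMES = {"birth_date", "dob", "city", "postcode", "zip", "gender"}

def classify_column(name, samples):
    """Return ('direct', kind), ('quasi', kind) or (None, None) for one column."""
    for kind, pattern in DIRECT_PATTERNS.items():
        if samples and all(pattern.match(v) for v in samples):
            return "direct", kind
    if name.lower() in QUASI_NAMES:
        return "quasi", name.lower()
    return None, None

def discover_personal_data(stores, dictionary):
    """Steps 2-5: select stores, walk their physical model, tag PII columns
    and attach business terms to build the enriched logical data model."""
    model = []
    for store in stores:
        if not store["has_personal_data"]:                   # step 2
            continue
        for table, columns in store["tables"].items():      # step 3
            for column, samples in columns.items():
                category, kind = classify_column(column, samples)   # step 4
                if category:
                    model.append({"store": store["name"], "table": table,
                                  "column": column, "category": category, "kind": kind,
                                  "term": dictionary.get(column, "UNMAPPED")})  # step 5
    return model
```

Columns whose term comes back as UNMAPPED are the ones the business data dictionary still has to be extended for before the logical model is complete.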
REFERENCES

[1] Boban, M. (2018) Zaštita osobnih podataka i nova EU uredba o zaštiti podataka, Sveučilište u Splitu, professional paper, available at: https://bib.irb.hr/datoteka/1038591.HDMI_Zastita_osobnih_podataka_i_GDPR.pdf
[2] Clever plugins (unknown year) GDPR Benefits – Pros and cons, available at: https://cleverplugins.com/pros-cons-gdpr/
[3] CNIL (2019) Data protection around the world, available at: https://www.cnil.fr/en/data-protection-around-the-world
[4] Grimes, R. (2019) What is personally identifiable information (PII)? How to protect it under GDPR, available at: https://www.csoonline.com/article/3215864/how-to-protect-personally-identifiable-information-pii-under-gdpr.html
[5] Legners, C., Labadie, C. (unknown year) Data Management for Data Protection (GDPR), available at: https://www.cc-cdq.ch/data-management-for-data-protection-gdpr
[6] Rooney, N. (2018) What is PII for GDPR, available at: https://www.groundlabs.com/blog/what-is-pii-for-gdpr/
[7] THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION (2016), Uredba (EU) 2016/679 Europskog parlamenta i Vijeća od 27. travnja 2016. o zaštiti pojedinaca u vezi s obradom osobnih podataka i o slobodnom kretanju takvih podataka te o stavljanju izvan snage Direktive 95/46/EZ, available at: https://www.zakon.hr/z/1021/Op%C4%87a-uredba-o-za%C5%A1titi-podataka---Uredba-%28EU%29-2016-679
[8] Troike, A. (2017) GDPR – How to discover and document personal data, Business Modeling Passion, available at: http://axeltroike.blogspot.com/2017/08/gdpr-how-to-discover-and-document.html