Do you know what GDPR is?
The GDPR is a regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of individuals with regard to the processing of their personal data and on the free movement of such data, effective from 25 May 2018; it also regulates matters related to the processing of the personal data of natural persons. It introduces many new rights for individuals and obligations upon Administrators.
Basics of processing
The processing of personal data by the administrator must take place on the basis of at least one of the prerequisites for the legality of processing, as specified in the GDPR.
- The consent of the subject of the data must be expressed intentionally and voluntarily (Art. 6 point 1 letter a).
- It is necessary to implement the contract or to undertake activities requested by the subject of the data, before concluding the contract. (Art. 6 point 1 letter b).
- There is a requirement that processing the data must discharge the Administrator's legal obligation (Art. 6 point 1 letter c).
- There is a requirement that the vital interests of the subject of the data and/or those of another natural person be protected. (Art. 6 point 1 let. d).
- There is a requirement that the task be carried out in the public interest. (Art. 6 point 1 letter e).
- There is a requirement that the task be undertaken for purposes resulting from legitimate interests (Art. 6 point 1 letter f).
In the debt recovery process, Ultimo S.A. acts on behalf of Data Controllers and processes data on the basis of a data processing, entrustment agreement and also in accordance with Art. 6 point 1 letter f, due to the necessity of processing for purposes resulting from the legitimate interest of the Controller. In accordance with Art. 6 point 1 letter c, this is to discharge the Administrator's legal obligation and is in accordance with Art. 6 point 1 letter b, for the performance of the agreement, which is the settlement concluded with the Administrator.
Ultimo S.A. processes data on its own behalf, based on the consent given, in accordance with Art. 6 point 1 letter a), to discharge the legal obligations, pursuant to Art. 6 point 1 letter c) and for purposes resulting from the legitimate interest of the Administrator, in accordance with Art. 6 point 1 letter f.
Information obligation, i.e. information on data processing.
The Data Controller is obliged to implement ‘information obligation’ so-called, that is, information is to be provided, in a transparent and easily accessible form, when processing the personal data and rights of persons whose data is being processed and when obtaining data directly from that person (Art. 13 GDPR); this must be effected, at the latest, within a month of obtaining the same, if the Controller has not previously obtained data from the aforesaid subject of the data (Art. 14 of GDPR).