Data Protection in Bosnia and Herzegovina

Collection and processing in Bosnia and Herzegovina

Collection and processing of personal data is permissible if carried out pursuant to the data subject’s consent and in compliance with the basic principles of personal data protection.

The form of the data subject’s consent depends on the type of personal data collected and processed. While the collection and processing of sensitive personal data requires explicit written consent from the data subject, consent for the collection and processing of general personal data does not have to be in writing. However, at the request of the competent authority, the controller has to be able to prove, at any time, the existence of a data subject’s consent for the processing of both personal and sensitive personal data. Therefore, obtaining written consent for the collection of any personal data is advisable. When required, written consent must contain, at a minimum, the elements prescribed by the DP Law.

Apart from the consent, there are also other conditions which must be met for the collection and processing to be regarded as legitimate, including:

  • Processing must be done in a fair and lawful way;
  • The type and scope of processed data must be proportionate to the respective purpose; and
  • Other principles regarding the legitimate reasons for personal data processing.

The DP Law provides an exception under which a data subject’s personal data may be processed without the data subject’s consent. This is the case where the processing is necessary for the fulfillment of a data controller’s statutory obligations or for the preparation or realization of an agreement concluded between a data controller and a data subject (Exceptional Cases). These conditions are considered the basic principles of personal data protection and are applicable to each case of personal data processing.

The legal grounds as well as the data processing requirements envisaged by the Draft Data Protection Law fully correspond to those envisaged by the GDPR.
