How Individuals Care for Personal Data Protection When Using Online Services Benjamin Lesjak University of Primorska and Datainfo.si Slovenia benjamin.lesjak@fm-kp.si Mojca Čretnik Nova KBM d.d., Slovenia cretnikovam@hotmail.com Purpose: Individuals have more mechanisms for personal data protection according to the new EU General Data Protection Regulation. Therefore, we researched the actions of individuals concerning the protection of their personal data when using online services. Study design/methodology/approach: . We wanted to assess the awareness of individuals about the importance of personal data protection and if there are any differences regarding age, education and gender concerning personal data protection when using online services. We examined the individuals' rights in connection to personal data and connection to ICT use. In the empirical part, we collected several data regarding the behaviour of individuals, related to the protection of personal data. Findings: We emphasized that at least age is one of the factors influencing the behaviour and added recommendations for improvement of protection of personal data in conclusions. Originality/value: This paper is a revised and updated version of a Master thesis and its results with the title Personal data in the modern information society by Mojca Čretnik and mentor Benjamin Lesjak. Introduction Each individual has the opportunity to choose how much information about himself he will disclose to the public, to whom he will say something and how he will allow the use of information about himself in individual cases. The less an individual has the opportunity to control his private data, the less room for a choice he has and the harder it is to assume the image of an indeterminate man, which is essential for the normal functioning of modern democratic society (Bernard Korpar et al. 2018, 125). Goddard (2017, 703) explains that personal data is that data that can directly or indirectly identify an individual, which includes web identifiers such as IP addresses, cookies, digital fingerprint, location data that can identify individuals. Wagner DeCew (1997, 146–147) points out in his work that almost every transaction carried out with personal data is today recorded on a computer, and as a result, the routine collection and transmission of personal data in digitized form, with individuals it is difficult to determine whether information about them is being used and further processed. Bernard Korpar et al. (2018, 277-278) point out that if individual personal data is published in a record and accessible to the public does not mean that it in case that the data is not personal data. On the contrary, personal data is always personal and any further processing of this data is regulated by personal data protection provisions. The processing of personal data, including the aggregation or creation of personal data collections, is permitted only if such processing is prescribed by law or the individual consents to such processing relating to his or her personal data. Personal data can therefore only be collected for specific and lawful purposes, from which International Journal of Management, Knowledge and Learning | ISSN 2232-5697 Volume 10 (2021) 139–148 | https://www.doi.org/10.53615/2232-5697.10.139-148 it can be concluded that there must be an appropriate legal basis for their processing, as only the law can adequately prescribe the purpose of personal data collection. Article 6 of the General Data Protection Regulation defines the lawfulness of the processing of personal data and provides for six legal bases for the processing of personal data, namely: consent, a contract, legal obligation, the protection of the interests of life, the public interest or the legitimate interest. Common to all the above legal bases, except for consent, is that the processing of personal data must be necessary to achieve the purpose, which means that the processing of personal data is targeted and its interference with individual rights is proportionate to the objectives set by the controller. it pursues data through such processing and if the same purpose cannot be achieved by milder encroachments on the rights and freedoms of the individual (Markovič et al. 2019, 67–68). Bernard Korpar et al. (2018, 277) explains the importance of the principle of proportionality. An appropriate balance needs to be struck between different interests and constitutionally protected goods. Namely, in a democratic society, no human right can be absolute, since it already follows from the content of individual human rights that the right of one restricts the right of the other, as defined in the Constitution of the Republic of Slovenia. Cerar et al. 2009, by Bernard Korpar et al. (2018, 277) raise the question of how far it is permissible to protect the right of one individual without interfering with or restricting the right of another individual, to which the above-mentioned principle of proportionality provides an answer. Bernard Korpar et al. (2018, 337) mentions as one of the fundamental principles of personal data protection the principle of definiteness and limitation of purposes, according to which the purpose of personal data processing must be clearly defined in advance and thus clearly predictable for the individual. In the paper, we wanted to research the behaviour of individuals regarding personal data protection on a selected topic. Individuals' rights and personal data protection Burton et al. (2016, 6) explain that the General Data Protection Regulation strengthens the rights of individuals, ie. the right to information, the right to access personal data, the right to rectification, erasure, objection and the right not to be subject to automated decision-making, including profiling, and to bring many new rights for individuals. In an age of fast-growing digital economy and big data, the individual's supervisory rights, as ensured by the protection of personal data, face many challenges. An important question is raised as to how and to what extent an individual can still establish control over personal data relating to him in the above circumstances (Bernard Korpar et al. 2018, 357). Ausloos, Veale and Mahieu (2019, 284) point out that the rights of the data subject are crucial in the new European data protection regime. Hoofnagle, Van der Sloot and Zuiderveen Borgesius (2019, 88-89) explain that the rights of individuals were already defined by Directive 95/46 / EC of 1995 and that they also have their roots in constitutional instruments. However, the General Data Protection Regulation defines the rights of individuals even more deeply. Politou, Alepis and Patsakis (2018, 4) explain in detail other principles as defined by the General Data Protection Regulation, namely fairness, legality and transparency, the principle of purpose limitation, minimum data, accuracy, storage limitation, integrity and confidentiality and finally liability, which imposes the responsibility Lesjak & Čretnik | How Individuals Care for Personal Data Protection When Using Online Services 140 for the compliance of the processing of personal data on the controller, who must also be able to prove such compliance. The right of access to data is an important tool in the hands of the individual, with which he can monitor the operation of controllers and their compliance with the general principles governing the processing of personal data. Compliance with the basic principles as defined by the General Regulation on the Protection of Personal Data, such as the principle of minimum data size, accuracy, the principle of storage limitation, is easier to verify when exercising the right of access to personal data (Ausloos, Veale and Mahieu 2019, 285). The right of access to data has been extended by the new General Data Protection Regulation, to increase the fairness and transparency of the processing of personal data, as it allows data subjects to verify the lawfulness of the processing carried out on their personal data (Voight 2017, 150). Recital (63) of the General Data Protection Regulation explains that the data subject has the right to access personal data collected in connection with him and the right to simply exercise this right at reasonable intervals to be able to acquaint with the processing and verify its legality. The right of access to personal data is exercised in two steps, with the individual having the right in the first step to obtaining confirmation from the controller whether personal data are being processed in relation to him, and if the controller processes the individual's personal data. (Voight 2017, 150-151). It is also very important the self-awareness of an individual whose personal data he shares about himself on the World Wide Web or passes it on to other, third parties. Particular caution applies to the transmission of financial data, such as credit card number, etc. (Information Commissioner 2019, 6–10). Individuals very often naively rely on others to protect their privacy and personal data, but the fact is that in the first phase they can do the most in this area themselves (Information Commissioner 2015, 15). Bernard Korpar et al. (2018, 357) explain that individuals ’control over the processing of personal data is an integral part of the right to the protection of personal data. Haskins (2018) gives some practical advice for the average individual and the protection of his or her personal data and recommends: • that an individual protects the devices they use regularly with passwords. Mobile phones, laptops and tablets are easily lost or alienated from an individual. If such devices are not properly password protected, access to data on these devices is very simple; • use strong passwords that are long and random (contain a combination of uppercase / lowercase letters, numbers and characters). Many individuals use the same and simple passwords for different devices/applications, which is risky behaviour; • to set up two-factor identification on financial accounts and e-mail accounts. Most banks in online and mobile banking already require this, by entering a special code that an individual receives through another channel, e.g., to your mobile phone; • performing online shopping and other financial transactions on secure online networks. It is recommended to use your device and a secure network (Wi-Fi); • Regular software updates, including anti-virus software, operating system used, etc. Cyber threats change frequently, and many updates address such security issues; • individuals should not send personal data by telephone or e-mail. Be careful when opening e-mail attachments or clicking on forwarded links, as doing so may infect your computer with malware. The Information Commissioner (2015, 6–9) also emphasizes the importance of updating the operating system and antivirus protection, as malware (viruses, worms, other malicious code) search for security holes in operating systems and, if detected, often allows them to do so. to Lesjak & Čretnik | How Individuals Care for Personal Data Protection When Using Online Services 141 take control of an individual’s computer or his or her cell phone. The measure also cites data encryption as an important protection measure, as the data that individuals have is stored on computer hard drives, memory cards in mobile phones, USB sticks and other media, most often in unencrypted form. The encryption process can ensure that unauthorized people will not be able to read our confidential messages or data. ICT use and personal data protection The use of modern information technologies increases the efficiency, speed of collection, storage, use and transfer of data. Both public and private institutions need a constant flow of data on individuals for the smooth performance of work or the provision of their services, which are an integral part of modern life. The provision of health services, social security, credit, insurance, and crime prevention and detection presupposes the availability of a significant amount of personal data as well as the willingness of individuals to provide that data (Wacks 2018, 121). Standards for the protection of personal data are becoming increasingly high, and companies and other organizations face an increasingly complex task to assess whether their data processing activities are legally compliant, especially in an international context. Data by its very nature today easily crosses borders and plays a key role in the global digital economy (Voight 2017, 1). Ahtik et al. (2014, 10) point out that the widespread use of modern ICT, in addition to many opportunities, also brings new risks, citing the example of Internet accessibility of public databases, which increases the possibility of intrusion into them and thus misuse of personal data collected there. The importance of information in modern information technology has increased significantly, as information has become a product in itself that can be traded in the information society and is legally protected. Information, from the point of view of the company, represents a special capital or value of the company, which in the knowledge society is measured by their "know- how" and not in production factors (such as machines, land) (Roszak 1994, 8, according to Kovačič et al. 2010, 26). Rapid technological development enables increased data storage capacity, which enables companies and other organizations to expand data collection, processing and interconnection. These companies and other organizations are increasingly using this data for various purposes, such as personalization of services, marketing, etc. Although new technologies and services benefit both businesses and individuals or consumers, they also pose serious risks to an individual's privacy. As a result, people's confidence in data collection and processing companies may decline, and a lack of trust may slow down the development of innovative uses and the development of new technologies if appropriate personal data protection practices are not implemented (Tikkinen-Piri, Rohunen and Markkula 2017, 135). When using modern information technologies, the individual must know his rights and duties, as well as the rights and duties of others, i.e. controller and processors of personal data who have personal data of individuals (Turk and Vogrinčič 2019, 7). The Information Commissioner emphasizes that individuals must have the power to decide who is allowed access to their personal data and the right to clear information about what individual companies and other organizations will do with that data. Of course, the rights of individuals in terms of their decision-making power are limited to the extent that the collection of personal data is provided by law. In the first phase, individuals can do a lot for the security of their personal data by themselves with certain preventive measures, such as with caution in transmitting data to different service providers (Information Commissioner 2019, 4). Lesjak & Čretnik | How Individuals Care for Personal Data Protection When Using Online Services 142 There are many technical possibilities for protecting privacy on the Internet, but it should be borne in mind that due to the nature of the Internet, the protection of one's own data is primarily the responsibility of the user himself. The development of modern information technologies is constantly bringing new and more effective tools that can encroach on individual personal rights, and on the other hand, new technology also offers a range of solutions that help individuals protect their interests regarding privacy and anonymity of individual activities (Makarovič et al. 2003, 114). Wacks (2018, 158) explains that to protect personal data, in the age of modern information technologies, appropriate support must be sought in technology as well as in legislation. Also, recent studies among students (Zwilling et al. 2021) show that internet users possess adequate cyber threat awareness but apply only minimal protective measures usually relatively common and simple ones and such measures influence personal data protection as well. Methodology and results The survey was conducted based on questionnaires, which were used to determine the extent to which individuals are aware of the importance of protecting their own personal data and how well they know this area. We wanted to find out what the conduct practices are and whether individuals are taking appropriate measures and activities to secure their personal data. In the study, we used the snowball sampling method. The survey questionnaire was active by publication on the survey web portal from 10 February 2020 and remained active until 3 March 2020 inclusive, when the survey was completed. Invitations to participate in the survey were also published on online social networks (Facebook). We received 228 completed survey questionnaires, which we then used in the data analysis. We used mainly descriptive statistics when analysing respondents’ data. With the statements where we encountered the lowest results by respondents, we tested results with Kolmogorov- Smirnov test, Kruskal-Wallis test and the Mann-Whitney test to determine the differences and examined in detail to explain the possible reasons. 71.9% of women and 28.1% of men answered the questionnaire. Most respondents are aged between 41 and 50 (34.6%), the least is over 61 (4.8%). Most respondents have completed secondary education or less (32.0%), the least have a doctorate (1.3%). We were interested in how respondents see certain general statements in the field of personal data protection as described in Table 1. Respondents answered with a score from 1 (not true at all) to 5 (absolutely true). On average, respondents most agree that they confirm the offered cookies for access to the desired website (average = 3.89; SD = 0.86). On the other hand, they at least agree that when using online services, they read the terms and privacy policy (average = 2.37; SD = 1.06). The legislation protects internet users or enables better protection of their privacy by being properly informed about cookies and offered the opportunity to decide, but based on the received statements of respondents, it can be assumed that individual web users are generally poorly informed, as well as the tools that are available to them and with which cookies can be managed. As expected, our research also showed that the terms and privacy policy of web service users are often deliberately ignored, which can be attributed to longer texts, which can be time-consuming, perhaps even incomprehensible, too demanding, etc. for an individual user. The results obtained point to the fact that individual users simply come to terms with the fact that if they want to use a particular service, they must therefore accept the terms of use and privacy policy. Lesjak & Čretnik | How Individuals Care for Personal Data Protection When Using Online Services 143 Table 1: Agreeing with general statements in the field of personal data protection Statement Median Average SD To access the desired website, I confirm the offered cookies. 4.00 3.89 0.86 I read the terms and privacy policy when using online services. 2.00 2.37 1.06 I regularly delete or block cookies on my computer and other mobile devices. 2.00 2.51 1.10 I turn off the location detection feature of my mobile phone and use it only in certain situations. 4.00 3.43 1.28 I always have an antivirus program installed on my computer and other mobile devices. 4.00 3.80 1.04 I use different passwords to access equipment, devices, and digital services. 4.00 3.74 1.01 I change my passwords regularly. 3.00 2.90 1.12 Further on we were interested in whether respondents know when companies and other organizations can collect their personal data (respondents were able to give more than one answer). We have given only the correct answers to this question. 93.0% of respondents answered that a company and other organizations can collect personal data of individuals when they have given their consent and been informed in advance about the processing of their personal data. Under the second, 1.8% of respondents answered that they have signed a contract for this and when the processing of personal data is in the public interest. From the above, it can be assumed that the respondents do not know all the available legal bases for the processing of personal data and therefore gave the greatest weight to consent, which could be because many companies and other organizations immediately acceded after the General Data Protection Regulation to collect new consents. We were also interested in whether the respondents know when a company or a person in a company in the private sector is entitled to personal data (respondents gave answers with "Yes" or "No"). We have given various fictional examples. The majority of respondents gave the correct answer to the questions where the disproportion of the purpose of processing such data was clearly visible. However, the least correct answers could be observed in certain more borderline cases, and it would be sensible in further research to find out why the respondents gave the wrong answers. Table 2: Fictional cases if a company is entitled to personal data The statement Correct Answer % of correct The butcher requests your State identification number. No 99.1 You have entered into a copyright agreement with the company. The company requires a tax number or State identification number from you. Yes 91.2 You took the car to the service station. At the service station, they ask you to find out what brands of cars your family members drive. No 98.2 When concluding a mobile package for retirees, they ask for information about your age. Yes 71.1 When taking out life insurance, the insurance company asks you if you are a smoker. Yes 65.4 Along with the completed crossword puzzle with which you participate in the draw for the colour TV, they require a tax number for the prize before the draw. No 57.0 The Mountaineering Association requires a copy of your identity document for membership. No 59.6 You are less than 15 years old. The company requires your consent to process your personal data. No 58.8 We were interested in how many respondents had bought a product or paid for a service in an online store in the last 12 months. There were 81.1% of them, which indicates a fairly high percentage of individuals who use the online shopping method, which can often save time and Lesjak & Čretnik | How Individuals Care for Personal Data Protection When Using Online Services 144 money, as they can make the purchase with a few clicks on their home computer. These respondents then answered three additional questions. The first additional question was how often they shop online. Most respondents shop online several times a year (55.1%), followed by those who shop online several times a month (20.0%). A smaller volume of online shopping may have because the product itself, which the individual intends to buy, cannot be seen live and for security reasons, primarily related to the necessary transmission of personal data online. Also, these respondents who bought a product in the online store in the last 12 months or paid for a service with a rating from 1 (not true at all) to 5 (absolutely true) answered three additional statements in the field of their online purchase. Table 4 shows that, on average, respondents most agree that they have received the receipt of security SMS messages or other instant notification services for online payments (average = 3.74; SD = 1.29), and the least agree, to check before buying online, whether the company or s. p. entered in the Business Register of Slovenia (average = 2.40; SD = 1.12). It is always recommended that an individual, before making a purchase online, check only the website and that by including an SMS service or other instant notification service, he gains the necessary insight into the transactions made with the help of the card. From the answers received from respondents, it can be assumed that they are aware of the dangers that threaten online shopping, which can be assessed as positive, as each individual first must make their own online business as safe as possible. Table 3: Agreeing with a general statement in the field of personal data protection Statement Median Average SD Before buying online at home, I check whether the company or. s. p. entered in the Business Register of Slovenia. 2,00 2,40 1,12 Before making a purchase, I check that the website is marked "HTTPS" in the address bar of the browser, as this way the website provides a secure connection. 3,00 2,91 1,21 For online payments, I have turned on the receipt of security SMS messages or other instant notification services, as my bank allows me to do so. 4,00 3,74 1,29 When analysing the results, it should be noted that, on average, respondents at least agreed with the statement: “I read the terms and privacy policy when using online services” (average = 2.37; SD = 1.06) and with the statement: "I check before buying online whether the online company is real in the Business Register of Slovenia" (average = 2.40; SD = 1.12). In a more detailed analysis, we found that only 16.2% of respondents agree with the second statement and 3.8% of respondents who bought a product or paid for a service in an online store in the last 12 months completely agree with it. Therefore, we were further interested in whether these two opinions differ statistically significantly according to the age, education and gender of the respondents. We used the Kolmogorov-Smirnov test to find that the statement "I read the terms and privacy policy when using online services" is not approximately normally distributed (Stat. = 0.251, df = 228, P <0.001) and the statement "Before buying online at home, I check whether the company is really in the Business Register of Slovenia" is not approximately normally distributed (Stat. = 0.244, df = 185, P <0.001). We used the Kruskal-Wallis test (age, education) and the Mann- Whitney test (gender) to determine the differences. The opinion of respondents, that they read the terms and privacy policy when using online services differs statistically significantly according to age (P = 0.000) and also according to their education (P = 0.032). Respondents over the age of 61 agree most with this statement, while respondents under the age of 20 agree the least. Regarding education, respondents with a college or university degree agree the most with this statement, while respondents with a completed specialization or master's degree agree the least. On the contrary, we found that the Lesjak & Čretnik | How Individuals Care for Personal Data Protection When Using Online Services 145 answers of the respondents did not differ statistically significantly according to gender (P = 0.921). When identifying differences in reading the general terms and conditions and privacy policy online, it can be assumed that the opinion studied differs statistically significantly according to age and education, but not according to the gender of the respondents. By claiming that when using online services, respondents read the terms and privacy policy, those over 61 years of age agree the most, and the younger generations or those up to 20 years of age agree the least. Due to the above, it can be assumed that older respondents are slightly more cautious than younger ones, which could be attributed to the fact that in their youth they were not so involved in online business as opposed to younger generations who know the online environment much better and trust more. It can also be found that individual respondents with a higher level of education give more weight to their online behaviour. The opinion of respondents that before buying online they check whether the company is really in the Business Register of Slovenia, differs statistically significantly according to age (P = 0.015). Respondents over the age of 61 agree most with this statement, while respondents under the age of 20 agree the least. In the following, we used the Post-hoc test to check where or between which pairs of respondents, according to age, there are statistically significant differences. On contrary, such opinion does not differ statistically significantly according to their education (P = 0.156) and gender of the respondents (P = 0.179). When determining differences in behaviour before online shopping, it can be assumed that the studied opinion differs statistically significantly according to the age of the respondents, but not according to education and gender. By claiming that respondents check before buying if the company is really in the Business Register of Slovenia, those over 61 years of age agree the most, and those younger than 20 years of age agree the least. Because of the above, it can be assumed that older respondents are more careful when making online purchases, show greater concern for their safety in doing so and are less confident than younger ones. The reasons why younger people are less careful when carrying out certain activities online should be explored in more detail. Conclusions In the research, we asked the respondents about their actions when visiting the website, how to use passwords, how to install anti-virus software and other activities related to the protection of personal data. It was found that respondents most often simply confirm the offered cookies to access the desired website, as well as do not read the terms and privacy policy when using a particular online service. It was further found that the older generations read the terms and privacy policy more often than the younger generation. We attribute such behaviours to a lack of will and time in today’s fast-paced way of everyday life. Respondents were also asked about the legal grounds on which companies and other organizations can process the personal data of individuals. From the answers received, it can be concluded that the respondents do not know enough about all available legal bases, as most of them chose the answer that their personal data can be processed if they have given their consent. In the research, we were also interested in the practices of respondents when using the method of shopping online. From the received answers it can be concluded that many respondents have included the service of immediate notification of the transaction, which can be assessed as positive, but on the other hand, respondents use the least way to verify the credibility of the payee by inspecting the Business Register. Lesjak & Čretnik | How Individuals Care for Personal Data Protection When Using Online Services 146 The mentioned research could be carried out periodically in the future and on a possible larger sample, which would enable easier generalization, which the sample used in our research did not allow. This would make it possible to identify differences or deviations based on which it would be possible to make recommendations or improve the existing situation in this area. Individuals are primarily aware of threats to the protection of personal data, but at the cost of certain benefits or simply out of convenience, they often ignore certain information available to them that could further protect their personal data. Thus, it often happens that individuals do not read the terms and privacy policy when using online services, or simply confirm the cookies offered to access the desired website, as this path is at first glance easier for the individual. Individuals often see only that attractive and interesting part that is offered to them by the use of certain service (such as shopping from a home armchair or online) or the use of online social networks. In doing so, we suggest that individuals consider whether the use of a particular service or the public disclosure and sharing of certain personal information represents so much added value for them that they are willing to sacrifice part of their privacy for it. According to the obtained results of the survey questionnaires, the recommendation to individual users of modern information technologies refers mainly to the consistent use of the possibilities and tools they offer for greater protection, as there are still untapped possibilities for data protection. From the individual's point of view, he must be familiar with the processing of personal data and its purposes for which data are processed by individual companies and other organizations, as well as that he is well acquainted with the legal bases for processing. The individual must be aware that he is protected by the applicable legislation governing the protection of personal data and within which he can demand the protection of his rights. Individuals are recommended to ensure the security of personal data either by knowing the environment in which they have personal data, to know at all times where it is located, to whom they have entrusted it for further processing, etc. Password policy must be followed, which means that individuals regularly change passwords on their devices to select and use secure passwords (not less than eight characters, etc.), use different passwords to access different applications/devices. It is also important to take care of updating anti-virus programs on devices and, in the event of detected shortcomings, to introduce new measures on their own initiative or to adapt existing measures. References Ahtik, Meta, Maja Bogataj Jančič, Maja Brkan, Bojan Bugarič, Matija Damjan, Aleš Galič, Andrej Grah Whatmough, Peter Grilc, Miha Juhart, Boštjan Koritnik, Jerca Kramberger Škerl, Jure Levovnik, Blaž Markelj, Luka Markelj, Špelca Mežnar, Neža Muhič, Neža Pogorelčnik, Jernej Pusser, Lojze Ude, Katarina Zajc in Sabina Zgaga. 2014. Pravo v informacijski družbi. Ljubljana: IUS Software, GV Založba. Ausloos, Jef, Michael Veale in Rene Mahieu. 2019. Getting Data Subject Rights Right. Journal of Intellectual Property, Information Technology, and Electronic Commerce Law (JIPITEC) 10 (3): 283–309. Burton, Cedric, Laura De Boel, Christopher Kuner, Anna Pateraki, Sarah Cadiot in Sara Gabriella Hoffman. 2016. The Final European Union General Data Protection Regulation. Privacy and Security Law Report 15: 1–13. Bernard Korpar, Janja, Sašo Dolenc, Maša Galič, Martin Jančar, Zoran Kanduč, Tina Korošec, Primož Križnar, Liljana Selinšek, Janez Stušek, Helena Uršič, Aleš Završnik in Sabina Zgaga. 2018. Pravo in nadzor v dobi velikega podatkovja. Ljubljana: Pravna fakulteta, Inštitut za kriminologijo pri Pravni fakulteti v Ljubljani. Lesjak & Čretnik | How Individuals Care for Personal Data Protection When Using Online Services 147 Cerar, Miro, Marijan Pavčnik, Albin Igličar, Erik Kerševan, Vladimir Simič, Mirjam Škrk, Franc Testen in Dragica Wedam Lukić. 2009. Pravna država. Ljubljana: GV Založba. Goddard, Michelle. 2017. The EU General Data Protection Regulation (GDPR): European regulation that has a global impact. International Journal of Market Research 59 (6): 703–705. Haskins, Jane. 2018. 8 Smart Ways to Protect Your Personal Data. Https://www.legalzoom.com/articles/8- smart-ways-to-protect-your-personal-data (22. 4. 2020). Hoofnagle, Chris Jay, Bart van der Sloot in Frederik Zuiderveen Borgesius. 2019. The European Union General Data Protection Regulation: What It Is And What It Means. Information & Communications Technology Law 28 (1): 65–98. Information Commissioner. 2015. Zavarovanje osebnih podatkov. Https://www.ip- rs.si/fileadmin/user_upload/Pdf/smernice/Smernice_o_zavarovanju_OP.pdf (5. 8. 2019). Information Commissioner. 2019. Smernice o orodjih za zaščito zasebnosti na internetu: Kaj lahko sami naredimo za zasebnost na internetu? Https://www.ip-rs.si/publikacije/prirocniki-in-smernice/o-orodjih- za-zascito-zasebnosti-na-internetu/ (22. 4. 2020). Kovačič, Matej. 2003. Zasebnost na internetu. Ljubljana: Mirovni inštitut za sodobne družbene in politične študije. Kovačič, Matej. 2006. Nadzor in zasebnost v informacijski družbi. Ljubljana: Fakulteta za družbene vede. Kovačič, Matej, David Modic, Marko Rusjan, Liljana Selinšek, Janko Šavnik in Aleš Završnik. 2010. Kriminaliteta in tehnologija: Kako računalniki spreminjajo nadzor in zasebnost, ter kriminaliteto in kazenski pregon? Ljubljana: Inštitut za kriminologijo pri Pravni fakulteti. Makarovič, Boštjan, Damjan Možina, Špela Mežnar, Domen Bizjak, Maja Bogataj in Goran Klemenčič. 2003. Internet in pravo. Ljubljana: Pravna fakulteta Univerze v Ljubljani. Markovič, Zlatka, Maja Brajnik, Tim Pahor, Sandra Pjanić, Eva Langeršek, Benjamin Lesjak, Aljaž Lep in Denis Trinkaus. 2019. Varstvo osebnih podatkov po uredbi (GDPR). Ljubljana: Založba Reforma d. o. o. Politou, Eugenia, Efthimios Alepis in Constantinos Patsakis. 2018. Forgetting personal data and revoking consent under the GDPR: challenges and proposed solutions. Journal of Cybersecurity 4 (4): 1–20. Roszak, Theodore. 1994. The Cult of Information: A Neo-Luddite Treatise on High-Tech, Artificial Intelligence, and the True Art of Thinking. Berkeley; Los Angeles: University of California Press. Tikkinen-Piri, Christina, Anna Rohunen in Jouni Markkula. 2017. EU General Data Protection Regulation: Changes and implications for personal data collecting companies. Compute Law & Security Review 34 (1): 134–153. Turk, Boštjan Juš in Nika Vogrinčič. 2019. Internetno pravo z izvlečki najpomembnejših zakonov. Ljubljana: Inštitut za civilno in gospodarsko pravo. Voight, Paul. 2017. The EU General Data Protection Regulation (GDPR). Cham: Springer International Publishing AG. Wacks, Raymond. 2018. Zasebnost: zelo kratek uvod. Ljubljana: Založba Krtina. Wagner DeCew, Judith. 1997. Law, Ethics, and the Rise of Technology. Ithaca, London: Cornell University Press. Moti Zwilling, Galit Klien, Dušan Lesjak, Łukasz Wiechetek, Fatih Cetin & Hamdullah Nejat Basim. 2020. Cyber Security Awareness, Knowledge and Behavior: A Comparative Study, Journal of Computer Information Systems, DOI: 10.1080/08874417.2020.1712269 Lesjak & Čretnik | How Individuals Care for Personal Data Protection When Using Online Services 148