General Data Protection Regulation (GDPR)

The new EU regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, the “GDPR Regulation”) was adopted on 27 April 2016. The GDPR Regulation introduces an entirely new level of personal data protection and brings about major changes in the area of the treatment of personal data, which will significantly affect the majority of businessmen. The GDPR Regulation will come into effect and enforceability on 25 May 2018, with no transposition into the legal order of the Czech Republic.

We are monitoring the matters of personal data protection in the long term. We are also represented by our Colleague Tomáš Mudra in the working group of the Government of the Czech Republic for legislation in the field of data protection.
At our clients’ businesses we analyse the current state and implement the new system. We work closely with our IT partner SIMAC TECHNIK ČR, a.s.

What of importance does the General Data Protection Regulation bring about?

Data protection by design
The essential and ever-present aspect of the GDPR Regulation is the requirement to reflect data protection in the course of all relevant activities of the data protection controller, which means from the moment of the determination of the means for processing. The GDPR Regulation assumes not only that the data protection system will be implemented by default and systematically from the initial idea of a new project, but also the regular evaluation and updating of the system with regard to the development of technical means and emerging threats. The principle of data protection by design will also become an important interpretation rule for the whole GDPR Regulation.

Data protection impact assessment
The GDPR Regulation cancels the current obligation to notify the relevant supervisory authority in the event of new processing of personal data and replaces it with an internal analysis of the impact assessment of implemented processes on the protection and the security of processed personal data. The controller is obliged to contact the supervisory authority only when the analysis confirms high risk to the rights and freedoms of natural persons. However, the data protection impact assessment has binding rules and strongly reflects the above mentioned principle of data protection by design.

Severe fines for infringement
The GDPR Regulation significantly increases fines for personal data protection breaches, up to tens of millions of euros. These fines may be newly imposed up to the amount of EUR 20,000,000 or even higher, up to 4% of the worldwide annual turnover of the personal data controller (if this sum is higher than EUR 20,000,000). Please note as well that the Czech supervisory authority also obtains, directly from the GDPR Regulation, new control powers which are not yet laid down in the administrative laws of the Czech Republic.

Records of processing activities
The GDPR Regulation places increased demands on the systematic recording of operations with personal data. Each controller, with certain exceptions laid down, is obliged to maintain records of processing activities with the content determined by the GDPR Regulation. Generally, a significant increase of compulsory documentation related to personal data processing is expected.

Obligation to communicate a personal data breach
In various cases the GDPR Regulation lays down the new obligation of the controller to communicate directly to the data subjects a personal data breach (“data leaks”), including additional information regarding such a breach. Furthermore, it is always necessary to inform the supervisory authority, without delay, about a personal data breach and provide it with the information regarding the breach in accordance with the GDPR Regulation.

Data protection officer (DPO)
The GDPR Regulation establishes in Czech jurisdiction an entirely new institute of a data protection “internal auditor.” The controller is obliged to designate him/her in the event that the treatment of personal data within a particular company includes a regular and systematic monitoring of natural persons on a large scale or in the event that the core activity of the company consists of processing special categories of personal data on a large scale. The designated DPO can be an employee directly subordinate to the top management of the company, or an external provider. Despite the fact that the form of the contractual relationship between the company and its DPO is left up to the will of the parties, the obligations and rights of the DPO are specifically determined by the Regulation.

Right to data portability
The data subject has a new right to receive her/his personal data from the controller in a machine-readable format free of any charge, or alternatively to request the transmission of such personal data directly to another controller. This right potentially comes into conflict with copyright (database security in particular), but in many cases also with trade secrets (e.g. marketing analysis, solvency analysis). Therefore, it is important to know the exact boundaries of this right and to adjust its realization to specific conditions within your company. We will gladly help you with that.

New rules for the transfer of personal data to third countries
The GDPR Regulation attempts to regulate further, currently already very problematic, transfers of personal data to countries outside the EU, to which it introduces new instruments.
Please also note that some obligations according to the GDPR Regulation will even apply to personal data processing that commenced in the past (e.g. conditions for giving legal consent to the processing of personal data). Simultaneously, the adaption to new requirements will result for many companies in the necessity to perform legal and data analysis of current processes and documentation and the subsequent implementation of entirely new processes.