Introduction to the GDPR
It is less than one year that remains for all entities processing any personal data (governmental authorities, business corporations and small enterprises as well) to adopt measures to comply with personal data protection rules according to the new EU Regulation - General Data Protection Regulation – “GDPR“). Should the entities concerned not comply with the new rules of personal data processing laid down in the GDPR, they may be penalised up to EUR 20,000,000.- or up to 4 % of their annual sales.
Basic information about GDPR
The GDPR, which should come into effect already on 25 May 2018, regulates newly for example conditions for obtaining consent to processing of personal data from individuals and from one-man businesses. Consent to personal data processing must be express, unambiguous, unconditional and withdrawable at any time. Individuals will have a right for example to demand from entities processing their personal data to specify which particular personal data are maintained about them, to enable their transfer or irreversible deletion from internal systems of such entities.
At the same time, it should be noted that the responsibility for compliance with requirements of the GDPR shall still be borne primarily by the personal data controller, who shall also consistently prove compliance of personal data processing with the GDPR. Should an incident occur (for example leakage of personal data outside controller´s systems), the controller shall be obliged to report such incident to a supervising authority and also to all affected persons, as the case may be, within 72 hours from the time of detection of the incident.
Public administration organisations or state-owned enterprises and also companies the main activity of which consists in systematic monitoring of data subjects (individuals) or in extensive processing of special categories of personal data shall be obliged to appoint a so-called data protection officer (DPO). The main task of the DPO shall be to supervise compliance of activities of such subjects with the GDPR, to communicate with the Office for Personal Data Protection and to carry out internal activities, such as internal audits or trainings of such organisations.
Although the GDPR is based on the legal regulation of personal data protection existing before, in practice it places new high especially administrative requirements upon personal data controllers. Some demands that are unclear or difficult to be applied in practice are interpreted step by step by the WP29 workgroup. Also the Office for Personal Data Protection publishes its opinions. It is going to be an utmost lively legal regulation and it can be expected that outlines of real implementations of GDPR requirements for personal data protection will be shaped by case law, too.
GDPR - specific impact of the GDPR on some types of entities:
- banks – in practice, they will be obliged to appoint a DPO and perform the PIA (Privacy Impact Assessment) according to Art. 35 of the GDPR when introducing new products, national legal regulation vs. GDPR
- hospitals and other medical centres – they process special categories of data – sensitive data, the conditions for processing of personal data received shall become stricter, especially as far as their security, protection and treatment are concerned. It is necessary newly to regulate personal data processing for follow-up care (e.g. forwarding data as for pacemakers and their monitoring over computer). The GDPR applies not only to digital data, it is necessary newly to regulate and to secure processing of patients´ data in hard-copy card files etc.
- public administration – tasks of public power may be performed by private-law entities, too (e.g. public mass transport, utilities, roads, public service broadcasting). According to recommendations of Art. 29 WP, these private entities shall also appoint a DPO, although within the meaning of Art. 37 Par. 1 of the GDPR they don´t have such duty.
- IT sector – technological companies – administration, development of new IT and mobile applications. New GDPR requirements for processing of data in this sector. The data processed there often include data about children and youth, which shall enjoy a special protection according to the GDPR.
- security systems – a special category of personal data: biometric and genetic data, camera surveillance systems, the GDPR entails a special stricter regulation of processing and securing such data. A warning concerning camera surveillance systems used for security of buildings shall be demanded more consistently.
- e-commerce – provision of services and goods by online e-shops: monitoring and identification of clients, international exchange of personal data –the GDPR sets forth new conditions and rules. For example the requirement to obtain approval of rules/code of conduct for transmission of data outside the territory of the EU.
- marketing, advertising and profiling of users – automated profiling, contracts with processors (e.g. dealer – advertising agency), processing of a wide range of personal data, obtaining and scope of consent to such activities from the data subject.
- social media – provision of data portability and the right to information, control over the scope of personal data, responsibility of the controller and processor in case of an incident
- research and scientific institutes – very good position according to the GDPR. But it is suitable to prepare summarisation of processes with references to exemptions according to the GDPR and to set up high-quality protection of personal data that may be processed
- hotel and spa facilities – personal data of guests, special national legal regulation for foreigners vs. the GDPR, spa services – processing of a special category of data, transfer of data within the framework of hotel networks, optimally to elaborate a code of conduct (Art. 40 of the GDPR)
- educational facilities (leisure facilities, schools), private and public schools – they process personal data of children (newly it is necessary to obtain consent from the legal guardian of the child)
For its clients, Advokátní kancelář Kříž a partneři has set up a legal team specialised in the area of personal data protection and related legal issues. Team members JUDr. Veronika Křížová, LL.M., JUDr. Michal Morawski and Mgr. Tomáš Slabý have been preparing themselves for the new legal regulation coming up within the framework of the GDPR for a long time and they keep monitoring the latest developments and interpretation opinions concerning implementation of the GDPR in practice.
Besides the wide international cooperation of our law office in the area of IP/IT/data protection, an added value of this specialised legal team is also a strong legal background in related areas of intellectual property law, which is evidenced by the fact that for the years 2013, 2015 and 2016 Advokátní kancelář Kříž a partneři was awarded the title Law Firm of the Year in the category of intellectual property, within which this area to a large extent falls.
Another convincing strength is engagement of several members of our law office in pedagogical activity at the Faculty of Law of Charles University in Prague and other teaching and publication activity in the Czech Republic and abroad. Members of our specialised team have been lecturing on the GDPR at international conferences and concerned workplaces already for a year.
Our law office is also focused on e-commerce issues and legal aspects of advanced technologies, both in terms of copyright law and industrial property law, and in the area of personality protection, media law, advertising and marketing, which enables us fast identification of needs of clients from such sectors in connection with the GDPR.
Services provided in connection with the GDPR
For clients in connection with the GDPR we provide comprehensive legal advising. For provision of technical solutions, we cooperate with a renowned IT company.
Basic GDPR services:
- audits of personal data processing and revision of all processes
- solution of matters of rights of data subjects
- training of staff
- elaboration of contracts with DPO and legal advising in connection with implementation of this position
- comprehensive solution in the form of assessment of needed changes, organisational or technical measures
- elaboration of internal guidelines and internal regulations
- legal advising concerning elaboration of a special category of personal data (formerly referred to as „sensitive data“)
- adjustment of deeds such as contractual documents, consents and communication forms, agreements on personal data processing concluded between controllers and processors
- assistance in solution of transfer of personal data to a foreign country
- assessment of processing risks, necessity to perform PIA
- regular audits and updates of processes and internal guidelines
- representation in disputes in connection with GDPR (administrative procedures, civil-law disputes)
For more information related with the GDPR do not hesitate to contact our office by e-mail at email@example.com or by phone at No. +420 224 819 340.