On 27 April 2016 a new regulation aiming to unify the European legal framework for personal data protection was adopted at the European level. The reasons for its adoption were in particular the intensification of the free movement of personal data within the EU, as well as a reaction to technological innovation (the internet of things, cloud source repositories, etc.) that provides new platforms for sharing and processing personal data. The regulation follows the preceding European legislation based on Directive 95/46/EC of the European Parliament and of the Council.
A new supervisory authority will be established at the European level: the European Data Protection Board. The Board will also act as an appellate authority against decisions of the national supervisory authorities (e.g. the Czech Office for Personal Data Protection, OPDP (in Czech “Úřad pro ochranu osobních údajů – ÚOOÚ”)). It will be possible to appeal to this authority in the case of doubts regarding a decision of the ÚOOÚ. If the ÚOOÚ decides to impose a penalty on a processor, that processor should be entitled to appeal to the European Data Protection Board. Moreover, data subjects will be entitled to lodge complaints under the GDPR with the ÚOOÚ about persons residing anywhere in the EU. If a Czech citizen finds out that his or her personal data were processed unlawfully while the processor resides outside the Czech Republic, that citizen will be entitled to file a motion with the ÚOOÚ. The ÚOOÚ will carry out supervision in the area of the GDPR, either on its own initiative or on the basis of such motions.
One of the most significant innovations among the legal institutes is the right to the transfer of personal data. The data subject may obtain his or her personal data free of charge from the processor or controller and transfer them to a new controller without limitation. The only condition is that the personal data must be processed by automated means. The controller shall be obliged to inform the data subject of this right when obtaining consent to the processing of personal data.
The regulation also stipulates stricter requirements for the wording of the data subject's consent to data processing. The data subject should receive information on the processing of his or her personal data briefly, transparently, clearly and in an easily accessible form (simple language is necessary), including information on the rights guaranteed by the regulation. The consent should be granted separately (e.g. in a specific separate document) and its granting cannot be a condition for concluding the agreement. In practice (in particular in the practice of e-shops and providers of online services), a duplication of the consent will be recommended, i.e. a procedure in which the data subject first grants consent to the processing of his or her personal data in the course of concluding the respective purchase or other agreement and is subsequently asked to confirm that consent independently of the aforementioned transaction (e.g. by entering a specific generated code sent to his or her mobile phone, etc.). It can be deduced that consents granted under the current legislation will no longer meet the requirements stipulated by law once the regulation takes effect.
Besides obtaining these new consents, the controller or processor should carry out a comprehensive review of its internal processing mechanisms. The controller or processor should carry out a risk analysis and subsequently implement technical and organisational measures so that it can be demonstrated that the data processing complies with the regulation. The controller or processor will be obliged to keep records of all data processing. An exception from this obligation to keep records will apply to entities with fewer than 250 employees, provided that data processing is not their main field of activity, there is no risk of limiting data subjects' rights and freedoms and no sensitive data are processed. The obligation to keep records will replace the current obligation to register with the OPDP (as that obligation will cease to exist). The records will be submitted to the OPDP for inspection upon request.
Further, the regulation introduces the obligation to appoint a commissioner for personal data protection, i.e. a Data Protection Officer (DPO). Although this obligation will apply only to certain groups of processors, such as public authorities or public bodies, or controllers whose main field of activity is the “extensive processing” of specific categories of data or of data relating to criminal matters, the term “extensive processing” is not defined. In practice, it can be expected that the obligation will apply to more categories of processors. A Data Protection Officer may also be appointed voluntarily (and in case of any doubt it will be appropriate to do so).
The regulation also introduces new obligations regarding breaches of data security (e.g. leakage, misuse, etc.). A potential breach has to be notified to the OPDP as soon as the controller becomes aware of it, and where feasible no later than 72 hours afterwards. The notification should contain at least information on the kind of security risk, the number and type of affected data, a person who can provide more information, the expected impacts of the breach, and the measures adopted. In certain cases, the data subjects affected by the security breach will also need to be informed.
The regulation stipulates much stricter sanctions for infringements of the controller's or processor's obligations. Fines may be imposed of up to EUR 20 million or up to 4 % of the total worldwide annual turnover of the preceding financial year of the company breaching its obligations, whichever is higher.
Impacts of the regulation on labour law:
Each employer shall be obliged to obtain consent to the processing of an employee's personal data (the only exception is where the processing of personal data is necessary for the employer to fulfil its legal obligations). Such consent needs to be informed, i.e. it has to contain instruction to the employee regarding his or her rights arising from the regulation. The employer shall be obliged to be able to prove at any time that the consent was granted. The employee shall have the option to withdraw such consent at any time. Further, the employer shall have to be granted consent to the processing of employees' sensitive personal data.
The employer shall be obliged, when obtaining the personal data, to provide the employee with information in particular regarding its identity, contact details, and the purpose and period of the processing of personal data. Further, the employer shall be obliged to enable the employee to access the personal data (including making copies) and to correct or supplement the personal data without undue delay after becoming aware of changes to them.
In certain cases (such as the data no longer being necessary for the respective purpose, withdrawal of consent to the processing of personal data, etc.), the employer shall be obliged to delete the employee's personal data. Further, the employer shall be obliged to protect employees' personal data by using appropriate technical and organisational measures (without further specification of such measures).
The Czech Republic
Since the Czech national implementing legislation (i.e. the amendment to Act No. 101/2000 Coll., on Personal Data Protection) has not yet been adopted and the regulation itself leaves quite extensive room for adapting certain rules at the national level, a complete assessment of the regulation's impact on particular processors will have to wait for that Czech implementing legislation. We recommend approaching this issue reasonably and without the panic that some information in the media and statements by entities offering guaranteed solutions may raise. We will keep you informed of further developments in this area in the AK-PS legal news.
Slovakia is dealing with a similar situation regarding implementation of the regulation. A new Act on Personal Data Protection is currently being discussed in the National Council of the Slovak Republic (in Slovak “Národná rada Slovenskej republiky”). The current proposal of the Act is divided into several parts. Parts I to III (with some exceptions) correspond to the wording of the GDPR. Part IV of the proposal deals with personal data protection for the purposes of the prevention and detection of criminal offences. Part V deals with specific situations in the course of personal data processing (e.g. the processing of birth numbers or genetic or biometric data). The last two parts of the proposal regulate in particular procedural aspects and transitional provisions. In practice, the last three parts of the Act will be the most relevant for controllers and processors of personal data in Slovakia.
(Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016, effective from 25 May 2018)