We have already touched on this topic in the article GDPR – the Topic of 2018. In that article we said that the GDPR would be one of the most discussed issues of this year. We hope everyone will be able to comply with the GDPR without a struggle in 2018. Does the road to achieving that seem rather complicated to you? Are you worried that you don't know how to manage it? Believe us when we say that you are not alone in this.
The General Data Protection Regulation brings not only obligations but also ways to meet those obligations. Some of these do not exist yet, for example codes of conduct, data protection certifications, or binding corporate rules. Already available, however, are the opinions and guidelines of the Article 29 Working Party (WP29), which are very important because they interpret the General Regulation and often also recommend best practice. These documents are published continuously on the website of the Office for Personal Data Protection, which is the supervisory authority now and will continue to be. There you can find guidelines on the data protection officer, the right to data portability, personal data breach notification, consent, and the imposition of administrative fines.
What are the requirements and obligations we should prepare for in order to comply with the General Regulation? The obligations laid down by the General Regulation are aimed mainly at the data protection officer, the person who determines the purpose and means of personal data processing. The data protection officer (also known as the controller) can authorise another entity, the processor, to carry out the processing. Even in this case, however, the data protection officer remains responsible for the processing. The officer is also responsible for choosing the right processor. That is why it is important that the officer uses only processors who can guarantee the implementation of suitable measures to meet the requirements of the General Regulation. The relationship between the officer and the processor must be governed by a written contract. The contract should set out, above all, the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects, and the rights and obligations of all parties involved. Engaging a further processor will be possible only with the prior approval of the data protection officer and under exactly the same conditions as those in the contract between the officer and the processor.
The General Regulation focuses on the rights of data subjects, that is, the natural persons whose information is being processed. From the moment the officer receives a subject's data, communication between them should be very simple. In the role of the data protection officer you should inform them who you are, what data you plan to process, for what purpose and on what legal basis, how long you will store the data, and who will have access to it. Inform them of their rights and be ready to honour them when they are exercised: the right of access to one's personal data, the right to rectification or erasure, the right to data portability, the right to lodge a complaint with a supervisory authority, and so on. If a breach of data protection poses a high risk, inform those whose data is concerned. If you need the subject's consent to process their data, that consent should be freely given, demonstrable, state a clear purpose for the processing, and be a separate document. If previously obtained consents do not meet these conditions, new ones must be requested, preferably before the General Regulation comes into force.
In addition to what has already been said, the General Regulation imposes some obligations that apply on the basis of a risk-based approach. As the data protection officer or the processor you must be able to demonstrate that, having regard to the nature, scope, context, purpose, and potential risks of the processing, you have implemented appropriate technical and organisational measures to ensure compliance with the requirements of the Regulation. You must keep records of processing activities. The only exception is organisations with fewer than 250 employees, provided their processing does not pose a risk to the rights and freedoms of data subjects and they do not process personal data belonging to the special categories ("sensitive data"). If you are one of those on whom the General Regulation imposes this obligation, you must appoint a data protection officer and publish his or her contact details. If the processing of personal data is likely to result in a high risk to the rights and freedoms of natural persons, you as the data protection officer must carry out an assessment of the impact on personal data protection before the processing begins, in some cases including consultation with the supervisory authority. As soon as you become aware of a high-risk personal data breach, you are obliged to report it without undue delay: to the supervisory authority if you are the controller, and to the data protection officer if you are the processor.
During implementation, remember that the requirements and conditions for personal data processing are laid down not only by the GDPR but also by other legal provisions and special regulations, which may impose further requirements for lawful processing of personal data. These include, for example, the Civil Code, the acts on the register of residents and on national identification numbers (RČ in Czechia), and in payroll the Labour Code, the acts on employment, communication with social security, health insurance and tax authorities, and so on. None of these laws and provisions will change because of the implementation of the GDPR. In relation to electronic communication we should also mention the act on electronic communications and the act on certain information society services, which will be replaced by the so-called ePrivacy regulation.
However, the GDPR does not mean only obligations. One of the positives the GDPR brings is a much clearer legal environment, since the rules for personal data protection will be uniform across all EU member states. There will be a single contact point, and companies and organisations will communicate with only one authority, which will ensure greater legal certainty. Multinational companies will have clear and unambiguous rules. And the right to data portability will make it easier for prospective clients to transfer their personal data between service providers, which will support competition. Thus the GDPR can bring opportunities as well.