The GDPR introduces a new legal framework for the protection of personal data across Europe, seeking to afford maximum protection for data subjects from unauthorized collecting and processing of their data. In order to achieve this, the GDPR postulates new rights and responsibilities (rules) that affect all corporations, institutions, and individuals.
Implementing GDPR primarily requires that you determine what kind of personal data you will be processing, and for what purposes.
If you could let us know your answers to these questions at , we will be in a better position to advise you on what to expect in your specific situation in connection with the GDPR, and will be able to analyze the impact of the GDPR on your company.
Compared to the current personal data protection legislation (as enshrined in the Data Protection Act), the GDPR introduces a host of new rules, such as:
- the right to data portability,
- the right to be forgotten,
- the obligation to perform a preliminary data protection impact assessment in selected cases,
- or the obligation to appoint, in certain cases, a Data Protection Officer.
In this regard, data controllers and processors face a certain amount of increased administrative burden. The GDPR moreover stipulates special obligations for organizations who employee 250 or more of staff.
The introduction of uniform technology, a uniform approach and uniform interpretation (which also entails the streamlining of obligations on the part of data controllers and processors): these may all be considered a huge step forward, and belong among the benefits of the new rules contained in the GDPR. That a single set of rules is now being deployed across Europe should also lead to their more straightforward application, and the easier enforceability of compliance by data processors.
Data subjects attain a number of new rights. Not only must data controllers thoroughly instruct them of all their rights, but they may newly e.g. protest the processing of their data, whereupon the data processor may no longer process the data unless it has serious and substantiated reasons to do so. Data subjects may also ask the data controller for explanations in connection with the processing of personal data.
The Czech Office for the Protection of Personal Data remains the supervisory authority in charge of enforcing compliance with the obligations in the realm of data protection in the Czech Republic.
The GDPR takes effect as at 25 May 2018.
All entities who may be affected by the Regulation ought to plan ahead and take the following precautions well ahead of this date:
- review one’s information systems and internal policies and amend them as needed,
- make sure that the procedures currently in place for handling personal data are compliant,
- where necessary, modify these procedures to reflect the new requirements.
We strongly recommend to devote sufficient care and resources to the review of one’s current data processing setup, given that the GDPR envisions stiff new sanctions which may be imposed for a violation of data protection duties – namely, fines of up to 20,000,000 euros.
As part of our services, we provide you with answers to these questions:
- Would you like to know more about, and familiarize yourself with, the rights and obligations of the data controller, the data processor, and the data subjects under the GDPR?
- The GDPR changes the requirements for data processing agreements and their content. Do you need to review your current agreements on the processing of personal data? Or update them to bring them in line with the GDPR?
- It is quite possible that consent obtained from data subjects prior to the effective date of the GDPR, even if it complies with previous legislation, no longer satisfies the new requirements. These state explicitly, among other things, that the consent must no longer be included in general terms and conditions, but must be given on a separate deed. Do you need to have your consent letters and templates analyzed, including an analysis and/or update of your T&C? Do you need newly drafted templates for statements of consent with the processing of personal data?
- Under the GDPR, all data controllers and processors must provide detailed descriptions of their data handling procedures and of the manner in which they collect and process data, in a document which upon request must be presented during audits by the Data Protection Office. Do you need to prepare a policy governing the processing and handling of personal data within your company (code of conduct)?
- Larger data processors will be required under the GDPR to create independent oversight in the form of a Data Protection Officer, whose task it is to monitor the proper handling of personal data, to carry out internal audits and staff trainings, and to report potential data breaches and violations of data protection laws. Would you like to know whether your company must appoint a Data Protection Officer?
- Even after the GDPR has come into force, the Czech Data Protection Office will be the first port of call with respect to most data protection issues. Do you need us to represent you in dealings with this public authority? Would you like us to assist in resolving specific matters associated with the GDPR coming into force?
If you would like to learn more, drop us an e-mail at .
Would you like to attend our upcoming workshop on the topic of GDPR (the registration form available only in Czech)? Let us know, here.
Whatever questions you may have regarding the GDPR, our team will gladly make time for you:
Markéta Pravdová, partner –
Jan Šafránek, partner –
Lukáš Havel, senior associate –
Ondřej Tejnský, associate –
Anna Suchá, associate –
Useful links:
(only in Czech)
General information on the GDPR on the website of the Czech Data Protection Office
Approved GDPR guidelines
Czech wording of the GDPR (pdf)
The GDPR in various languages and formats
Statement by the WP29 working group