New obligations under General Data Protection Regulation (GDPR)
Legal basis and principles of GDPR
On 27 April 2016 Regulation (EU) 2016/679 of the European Parliament and of the Council, the General Data Protection Regulation (the “Regulation” or “GDPR”), was adopted. This Regulation is directly applicable in all Member States and constitutes the legal framework for personal data protection applicable in the whole of the EU. It protects the rights of EU citizens against unauthorized treatment of their details and personal data. In particular, the new legislation strengthens the rights of individuals affected by personal data processing. Individuals may now obtain information regarding which data about them are processed and why, and have a better opportunity to demand that entities administering or processing their personal data comply with the rules and remedy any defects. The strengthened rights of individuals as data subjects are also evident from the reformulation of the tasks and obligations of controllers and processors.
Unlike the previous legislation, supervisory authorities may impose significant penalties of up to 20 million EUR or, in the case of corporations, up to 4% of the total annual worldwide turnover for any breach of those tasks and obligations. The new legislation also extends the opportunity for data subjects to lodge a complaint with a supervisory authority against entities responsible for data processing, or to bring a court action for damages.
Starting date of the Regulation and related national legislation
The above Regulation takes effect on 25 May 2018, leaving the regulation of certain factually defined areas to the Member States’ national legislatures. In the Czech Republic, this Regulation will be implemented by a law that will completely replace the existing Act No. 101/2000 Coll., on Personal Data Protection. This law, which is intended to ensure that legislation is consistent with GDPR, has not yet been adopted. The Minister of the Interior recently officially submitted the draft to the Government and, subsequently, to Parliament, for approval within the established legislative practice.
How to avoid sanctions
Although the Regulation has not yet taken effect, its impact should not be underestimated as the high penalties for any violation of the Regulation will be applicable from 25 May 2018. Thus, each entity responsible for personal data processing should prepare for the new regulation in good time. Considering the size of the corporation and the extent of data to be processed, this preparation may take considerable time.
Consequently, every corporation should analyse its existing internal procedures regarding the treatment of personal data well in advance, and identify the measures necessary to harmonize existing procedures with GDPR, and duly implement these measures.
In this context, there will be a need to adopt new internal regulations, and new technical and organizational measures to ensure security of the processed data in compliance with the detailed requirements of the adopted Regulation. Corporations cannot avoid the need to update or comprehensively amend their existing legal documentation regarding personal data, be it customer contracts, commercial terms and conditions, contracts concluded between personal data controllers or processors, or other documents relating to, for example, extended requirements to comply with information obligations relating to data subjects. Similarly, all given consents to personal data processing will need revision, since they will no longer be valid unless obtained in accordance with the rules in the Regulation.
Requirements to be met by entities responsible for personal data processing
The new rules concerning personal data protection contain abstract concepts intended to cover all possible areas of the treatment of personal data. Thus, each entity responsible for personal data processing should analyse which specific obligations arising from the Regulation apply to the data processing it carries out as part of its business activities. Under the new regulation, all responsible entities are expected to take a more active approach to data processing than before.
Assessment of the impact of data processing and the new GDPR procedure of preliminary consultation
Each entity responsible for personal data processing will have to assess the nature of the data to be processed and the extent of data processing before any new processing starts.
Where data processing may constitute a significant risk of infringement of the rights and freedoms of a data subject, having regard to the nature, extent and purpose of the data processing, there will be a need to carry out an internal assessment of the impact of the processing on personal data protection in accordance with the Regulation. In defined cases, the Regulation also imposes the obligation to present such an assessment to the supervisory authority as part of a new procedure – a “preliminary consultation” – and to request that the authority give an opinion on the assessment after evaluating it.
Obligation to keep records of data processing and to report infringements
Another new requirement detailed in the Regulation is the obligation of entities responsible for personal data processing to keep, in specified cases, detailed records of any personal data processing and to make such records available to the supervisory authority upon request. Henceforth, each controller is obliged to report any breach of security of personal data in accordance with specified rules, both to the supervisory authority and, in some circumstances, to the data subject concerned. Notification should be made immediately, and no later than 72 hours after the controller becomes aware of such a breach.
Personal Data Protection Inspector
Right to be “forgotten”
The Regulation introduces a number of additional measures, rights and, in particular, obligations relating to personal data controllers and processors. As mentioned above, the Regulation allows data subjects to gain better access to their personal data. Henceforth, data subjects shall have the right to “be forgotten”. In accordance with this measure, the personal data controller or processor has an obligation to delete all personal data of a data subject from all its databases at the data subject’s request, unless there is a legal entitlement that justifies further processing by the controller or processor.
In the light of the above information, each entity responsible for personal data processing needs to pay increased attention to the new personal data protection regulation. In particular, corporations dealing with large amounts of personal data or with special categories of personal data should exert maximum effort to harmonize their internal procedures with the Regulation and Czech law.