Sat, May
62 New Articles

Czech Market Snapshot: GDPR - Storm in the IT Cup?

Czech Market Snapshot: GDPR - Storm in the IT Cup?

Czech Republic
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

In the Czech Republic, the most important buzzword in the field of legal services and IT deliveries is “GDPR-Compliance” and it has serious ramifications for organizations, businesses, and public corporations.

Not a single week passes without at least one professional conference focused on GDPR, either in general, or on its selected issues – in particular, the scope and nature of the requirements imposed on DPOs, data portability (both completely new concepts in the Czech Republic), and the handling of personal data of employees and other workers. These subjects seem to be rolling in from all directions. Unfortunately, the debates and presentations are often used to create business leads (driven mostly by fear of draconian fines, which, if actually imposed, may lead to the effective liquidation of sanctioned enterprises) rather than a conceptual discourse on how Czech organizations collecting, controlling, and processing personal data can improve the quality of their management and ensure greater security for themselves and their customers.

A fundamental issue that has emerged recently is the low probability that the Czech legislator (the Parliament, which will pass the ministerial draft prepared by the Ministry of Interior) will adopt the relevant amendment to the Personal Data Protection Act before late autumn or winter of this year. A culminating government crisis has paralyzed the work of the legislature, and it is unclear whether the necessary amended legislation will be prepared in time for Czech personal data controllers and processors to adequately prepare for its requirements. There is also a strong concern that the Czech lawmakers will continue their tradition of extensive gold-plating and will make the national norms even stricter than the GDPR and the Article 29 Working Party’s guidelines. 

It should be noted that although the current Czech Data Protection Act is well-adapted to EU’s Data Protection Directive (1995), its low practical enforceability together with an understaffed control body (the Czech Data Protection Office or UOOU) has resulted in relaxed – and often negligent – oversight of personal data treatment. Therefore, although the GDPR buzzes around in the Czech media almost every week, many organizations have not yet begun making the necessary preparations and are only now about to explore what the new legislation means for them. Regrettably, some of them may find out that diligent preparation cannot be achieved even in the remaining 12 months before the GDPR comes into force.

A second problem is the fundamental misunderstanding of the GDPR’s requirements on the addressees’ side. It is not only in the Czech Republic that the professional public falsely believes that the GDPR is solely the problem of the ICT or legal/compliance department. Only a few actually understand that GDPR is a multidisciplinary problem that Czech organizations will have to address by adopting comprehensive compliance programs, including legal, procedural, and organizational as well as technical approaches. Therefore, changing this biased perception must often be the first step in the compliance project.

A third problem is the inability of organizations to identify what personal data they process, in what amount, and how and for what legal purpose. The Czech economy is characterized by a high proportion of industrial production and services in which personal and other data is merely collected, processed, and stored in one of many enterprise systems without it always being clear if the organization will ever use it. When attempting to perform a basic impact/GAP analysis of the effect of the GDPR on the organization, it often turns out that even the responsible managers do not really know how much data they have, when and where it is processed, and how it is utilized after being processed. Many organizations are, therefore, currently performing more or less complex analyzes of personal data flows within them, the outputs of which often depend mainly on whether the organization was actually able to identify all repositories where the personal data may be located.

Law professionals providing GDPR consultancy and compliance services in the Czech Republic thus often become involuntary business analysts, who need to help the client analyze information systems, processes, and data storage before assessing the legal implications of GDPR in the organization.

By Jindrich Kalisek, Head of IP/IT/Data Protection, PRK Partners

This Article was originally published in Issue 4.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

Czech Republic Knowledge Partner

PRK Partners, one of the leading Central European law firms, has been helping clients achieve their business objectives almost 30 years. Our team of lawyers, based in our Prague, Ostrava, and Bratislava offices, has a unique knowledge of Czech and Slovak law and of the business environment. Our lawyers studied at top law schools in the United States, United Kingdom, Switzerland and elsewhere. They also have experience working for leading international and domestic law firms in a number of jurisdictions. We speak your language, too. Our legal team is fluent in more than 15 languages, including all the key languages of the region.

PRK Partners has one of the most experienced legal teams on the market. We are consistently rated as one of the leading law firms in the region. We have received many significant honours and awards for our work. We represent the interests of international clients operating in the Czech Republic in an efficient way, combining local knowledge with an understanding of their global requirements in a business-friendly approach. We are one of the largest law firms in the Czech Republic and Slovakia. Our specialised teams of lawyers and tax advisors advise major global corporations as well as local companies. We provide comprehensive legal advice drawing on our profound knowledge of local law and markets.

Our legal advice delivers tangible results – as proven by our strong track record. We are the only Czech member firm of Lex Mundi, the world's leading network of independent law firms. As one of the leading law firms in the region, we have received many national and international awards, in some cases several years in a row. Honours include the Chambers Europe Award for Excellence, The Lawyer and Czech and Slovak Law Firm of the Year. Thanks to our close cooperation with leading international law firms and strong local players, we can serve clients in multiple jurisdictions around the globe. Our strong network means that we can meet your needs, wherever you do business.

PRK Partners has been repeatedly voted among the most socially responsible firms in the category of small and mid-sized firms and was awarded the bronze certificate at the annual TOP Responsible Firm of the Year Awards.

Our work is not only “business”: we have participated on a longstanding basis in a wide variety of pro bono projects and supported our partners from the non-profit sector (Kaplicky Centre Endowment Fund, Tereza Maxová Foundation, Czech Donors Forum, etc.).

Firm's website: www.prkpartners.com

Our Latest Issue