Tue, Jun
60 New Articles

Gauging the GDPR in the Czech Republic

Gauging the GDPR in the Czech Republic

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

On May 25, 2018, the General Data Protection Regulation finally came into effect, imposing new requirements on organizations within the European Union and on those outside the EU that offer goods or services to EU data subjects or monitor their behavior. To learn more about the state of readiness in one such country, we spoke to Schoenherr attorney and Data Protection specialist Eva Bajakova in Prague.

CEELM: Eva, has the GDPR been fully adopted into Czech law? Were the changes from previous Czech law substantial?

E.B.: On May 25, 2018, the GDPR became directly applicable in the EU, plus Iceland, Norway, and Liechtenstein. In order to better link Czech law with the GDPR, some partial aspects of the GDPR will be regulated in a new Czech Data Processing Act, a draft of which has been finalized, but which awaits parliamentary approval and signing by the president. The act was not passed in time, which is likely to lead to some legal uncertainty.

The GDPR represents the greatest change in Data Protection law in the last 20 years. The GDPR introduces higher privacy standards. What was considered merely good practice under current legislation has become mandatory under the GDPR. And of course there are some new obligations too, such as the obligation to notify the supervisory authority of a personal data breach, and (for some) the obligation to designate a data protection officer. After May 25, 2018, infringers may be fined up to EUR 20 million or 4% of the undertaking’s total worldwide turnover, whichever is higher.

CEELM: What were the highest fines ever imposed by the Czech supervisory authority under the previous regime? 

E.B.: The record fine imposed by the Czech Office for Personal Data Protection was CZK 4.25 million (approximately EUR 167,000) in May 2017 on a spammer company. However, spamming is regulated by special legislation. The highest fine ever imposed based on the old Data Protection Act was CZK 3.6 million (approximately EUR 140,000) in April 2016 on a mobile operator whose employee allegedly stole the personal data of 1.2 million customers. Such fines seem ridiculously low when compared to the maximum fine for data breaches under the GDPR.

CEELM: What’s the general level of readiness of companies in the Czech market?

E.B.: It’s a work in progress. According to data published by the Czech Chamber of Commerce in March 2018, over 80% of Czech companies knew that they needed to implement the GDPR. The survey was conducted in late January and early February, with 580 companies of all sizes taking part. Still, with almost 500,000 companies in the Czech Republic the overall level of readiness is difficult to estimate. My estimation is that the majority of active companies are at least partially GDPR-compliant.     

CEELM: What particular aspects of GDPR compliance are companies pushing back against the most?

E.B.: When implementing the GDPR, many companies find that their internal data processing procedures need to be adjusted to process only what is necessary and to comply with the “need to know” principle. Unfortunately, some companies are also discovering that they cannot rely on consent for personal data processing gained under the previous legislation. They then have to invest a lot of time and effort in obtaining new consents that are GDPR compliant. 

CEELM: What’s your personal view of the GDPR, and on the issue of data privacy in general? Do you believe the GDPR represents an appropriate balance of various interests, or does it go beyond what is necessary?

E.B.: Prior to March 2018, nobody had heard of Cambridge Analytica. I believe that the recent data misuse scandals, like the one involving that company, show that a better legal framework is needed. One of the main goals of the GDPR is to give people more control over their personal data, which is a good and reasonable aim. 

I see the GDPR as a compromise in some ways. It targets all types of companies – large Internet companies (including social networks) as well as small businesses. Of course, for smaller businesses, the GDPR can mean too much paperwork. On the other hand, time will show how efficiently the GDPR can regulate the biggest Internet players and if an extra layer of regulatory tools should be added for them.     

CEELM: What steps has Schoenherr taken in the Czech Republic to help keep clients informed and prepared?

E.B.: Schoenherr has published several detailed newsletters about the GDPR. My colleagues in Prague have also discussed the GDPR at business breakfasts for our clients. GDPR-related topics are very popular throughout Schoenherr’s CEE network. It is a bulky piece of legislation and clients want to know how to deal with it effectively. Currently, we are involved in numerous GDPR projects, some of them covering various European jurisdictions. It is very rewarding work with great international reach. 

CEELM: Will you be continuing these sorts of efforts to help non-compliant firms deal with potential inspections or potential penalties?

E.B.: Absolutely. Schoenherr will closely monitor how the GDPR is enforced in practice. We are prepared to update and alert our clients.     

CEELM: The GDPR is really sucking the air out of the room at the moment, but are there any other issues you and your team are paying attention to right now?

E.B.: My colleagues are paying very close attention to a recent amendment to the Czech Republic’s Public Register Act establishing a new register of ultimate, beneficial owners. The aim of the new law is to clearly disclose corporate ownership structures. Czech companies are obliged to register their beneficial owners by January 1, 2019. For trusts, the deadline is postponed until January 1, 2021.

CEELM: Finally, if you had to give one piece of advice to clients who are only starting the process of becoming compliant now, what would it be?

E.B.: To think about who is most likely to complain to the supervisory authority. This is a good way to prioritize what needs to be done. The Czech Office for Personal Data Protection often initiates its inspections based on a complaint.   

This Article was originally published in Issue 5.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

Czech Republic Knowledge Partner

PRK Partners, one of the leading Central European law firms, has been helping clients achieve their business objectives almost 30 years. Our team of lawyers, based in our Prague, Ostrava, and Bratislava offices, has a unique knowledge of Czech and Slovak law and of the business environment. Our lawyers studied at top law schools in the United States, United Kingdom, Switzerland and elsewhere. They also have experience working for leading international and domestic law firms in a number of jurisdictions. We speak your language, too. Our legal team is fluent in more than 15 languages, including all the key languages of the region.

PRK Partners has one of the most experienced legal teams on the market. We are consistently rated as one of the leading law firms in the region. We have received many significant honours and awards for our work. We represent the interests of international clients operating in the Czech Republic in an efficient way, combining local knowledge with an understanding of their global requirements in a business-friendly approach. We are one of the largest law firms in the Czech Republic and Slovakia. Our specialised teams of lawyers and tax advisors advise major global corporations as well as local companies. We provide comprehensive legal advice drawing on our profound knowledge of local law and markets.

Our legal advice delivers tangible results – as proven by our strong track record. We are the only Czech member firm of Lex Mundi, the world's leading network of independent law firms. As one of the leading law firms in the region, we have received many national and international awards, in some cases several years in a row. Honours include the Chambers Europe Award for Excellence, The Lawyer and Czech and Slovak Law Firm of the Year. Thanks to our close cooperation with leading international law firms and strong local players, we can serve clients in multiple jurisdictions around the globe. Our strong network means that we can meet your needs, wherever you do business.

PRK Partners has been repeatedly voted among the most socially responsible firms in the category of small and mid-sized firms and was awarded the bronze certificate at the annual TOP Responsible Firm of the Year Awards.

Our work is not only “business”: we have participated on a longstanding basis in a wide variety of pro bono projects and supported our partners from the non-profit sector (Kaplicky Centre Endowment Fund, Tereza Maxová Foundation, Czech Donors Forum, etc.).

Firm's website: www.prkpartners.com

Our Latest Issue