The GDPR comes into effect on May 25, 2018. Since data processing concerns a wide range of activities, very few companies or entrepreneurs will be unaffected. Numerous articles and discussions have been posted about the GDPR in the media, some of which contain false or misleading information and therefore give rise to concern, especially considering the possibility of high penalties. Failure to adopt national implementing legislation does not help the situation either. In this article we would like to highlight some of this misleading information and explain the inaccuracies.
The Regulation is often described as a “revolution in personal data protection.” This is not correct. The Czech Office for Personal Data Protection, which continues to act as the supervisory authority and provides interpretative opinions, has tried to rebut this presumption: the current Czech law, in effect since 2000, already regulates most of the same issues. Both it and the GDPR use similar terms, such as “personal data,” “processing,” “data subject,” and “controller,” defined in a similar way. Nor does the GDPR constitute a new catalogue of data subject rights, as most of them, such as the right to erasure (known as “the right to be forgotten”), had already been established by the current legislation. The GDPR also does not bring a revolution in the duties of data controllers and processors; it merely specifies those duties in greater detail and adds some new ones, such as notifying the supervisory authority of a data breach.
The GDPR does, however, establish one new right, the right to data portability, which under certain conditions entitles data subjects to receive, on request and in a commonly used format, the personal data they have provided to a controller, and to transfer it to another controller.
Another misleading claim is that consent must be obtained for any personal data processing. Consent has to be given by an informed data subject and must be revocable at any time, and the GDPR specifies the conditions that need to be met for consent to be lawful. At the same time, it provides five other legal bases for data processing, e.g., performance of a contract. Because “free consent” can be difficult to establish in an employment relationship, reliance on that particular basis is not recommended, and another basis provided by the GDPR for processing employee personal data should be used wherever possible.
Another reason for worry is the belief that every company needs to have a data protection officer with special certification. This duty only concerns public authorities and controllers whose core activity consists of processing operations requiring the systematic monitoring of data subjects on a large scale or processing special categories of data. The obligation will therefore affect public bodies such as municipalities, schools, and hospitals, along with financial institutions or large companies whose core business is data processing. Contrary to frequent claims, a data protection officer does not need to have special certification.
Another piece of misleading information concerns the supposed need to implement expensive technical measures for the pseudonymization of data. The GDPR does not impose an obligation to encrypt collected data; pseudonymization is named only as one possible technical security measure. The particular measures are chosen by the controller according to the nature, purpose, and scale of the data processing and the expected cost of such measures.
The most widespread concern regarding the GDPR is the threat of ruinous sanctions. The GDPR allows fines of up to EUR 20 million or 4% of total worldwide annual turnover. Such concerns overlook the fact that administrative fines of up to CZK 10 million are already possible under the current Czech legislation. Fines must be imposed in each individual case in a proportionate, effective, and dissuasive manner. A fine is not mandatory, however: the supervisory authority may decide to issue only a warning or reprimand, or to use other corrective powers. Moreover, the GDPR lists a large number of factors that must be taken into account when setting a fine.
In conclusion, the GDPR brings some changes and an expansion of the regulation of personal data protection. However, it is aimed primarily at large companies and entrepreneurs processing data on a large scale; its goal is not to punish small traders and employers for each and every breach of their duties. There is therefore no reason to stir up panic. The GDPR should be understood as a challenge to improve business operations rather than as a threat.
By Adela Krbcova, Partner, Dan Loukota, Senior Associate, Peterka & Partners
This article was originally published in Issue 5.5 of the CEE Legal Matters Magazine.