
GDPR Misconceptions


The GDPR comes into effect on May 25, 2018. Since data processing concerns a wide range of activities, very few companies or entrepreneurs will be unaffected. Numerous articles and discussions have been posted about the GDPR in the media, some of which contain false or misleading information and therefore give rise to concern, especially considering the possibility of high penalties. Failure to adopt national implementing legislation does not help the situation either. In this article we would like to highlight some of this misleading information and explain the inaccuracies.

The Regulation is often described as a “revolution in personal data protection.” This is not correct. The Czech Office for Personal Data Protection, which continues to act as the supervisory authority and provides interpretative opinions, has tried to rebut this presumption, because the current Czech law, which has been in effect since 2000, already regulates most of the issues. Both it and the GDPR define terms such as “personal data,” “processing,” “data subject,” and “controller” similarly. The GDPR also does not constitute a new catalogue of rights of data subjects, as most of them, such as the right to erasure (known as “the right to be forgotten”), had already been established by the current legislation. Nor does the GDPR bring a revolution in the duties of data controllers and processors; it only specifies them further and adds some duties for these subjects, such as informing the supervisory authority if there is a data breach.

The GDPR does, however, establish a new right – the right to data portability – which, under certain conditions, gives data subjects the right to receive, on request and in a commonly-used format, any of their personal data that had been provided to a controller, and to transfer it to another controller.

Another misleading piece of information is that there is an obligation to procure consent for any personal data processing. Consent has to be given by an informed data subject and has to be revocable at all times. The GDPR specifies the conditions that need to be met for lawful consent. At the same time it provides five other legal reasons for data processing, e.g., performance of a contract. Because “free consent” can be difficult to establish in an employment relationship, reliance on that particular basis is not recommended, and other bases provided by the GDPR for processing employee personal data should be found wherever possible. 

Another reason for worry is the belief that every company needs to have a data protection officer with special certification. This duty only concerns public authorities and controllers whose core activity consists of processing operations requiring the systematic monitoring of data subjects on a large scale or processing special categories of data. The obligation will therefore affect public bodies such as municipalities, schools, and hospitals, along with financial institutions or large companies having data processing as their core business. A data protection officer does not need to have special certification, as is often claimed. 

Another piece of misleading information is that expensive technical measures related to the pseudonymization of data must be implemented. The GDPR does not prescribe an obligation to encrypt collected data. Pseudonymization is named only as one possible technical safety measure. Particular measures are chosen by the controller according to the nature, purpose, and scale of the data processing and the expected costs of such measures.

The widest concern in regard to the GDPR is the threat of liquidating sanctions. The GDPR allows for fines up to EUR 20 million or 4% of total worldwide annual turnover. This concern overlooks the fact that administrative fines up to CZK 10 million are already allowed under the current Czech legislation. Fines have to be imposed in each individual case in a proportional, effective, and dissuasive way. Nevertheless, imposing a fine is not a necessity, and the supervisory authority may decide to issue only a warning or reprimand or use other corrective powers. Moreover, the GDPR lists a large number of facts that need to be taken into consideration when imposing a fine.

In conclusion, the GDPR brings with it some changes and an enlargement of the regulation of personal data protection. However, the GDPR is aimed primarily at huge companies and entrepreneurs processing data on a large scale, and its goal is not to punish small traders and employers for each and every breach of their duties. Therefore, it is pointless to stir up panic. The GDPR should be understood as a challenge to improve business operations rather than as a threat.  

By Adela Krbcova, Partner, Dan Loukota, Senior Associate, Peterka & Partners 

This Article was originally published in Issue 5.5 of the CEE Legal Matters Magazine.
