19
Fri, Jul
50 New Articles

GDPR Misconceptions

GDPR Misconceptions

Czech Republic
Typography

The GDPR comes into effect on May 25, 2018. Since data processing concerns a wide range of activities, very few companies or entrepreneurs will be unaffected. Numerous articles and discussions have been posted about the GDPR in the media, some of which contain false or misleading information and therefore give rise to concern, especially considering the possibility of high penalties. Failure to adopt national implementing legislation does not help the situation either. In this article we would like to highlight some of this misleading information and explain the inaccuracies.

The Regulation is often described as a “revolution in personal data protection.” This is not correct, and the Czech Office for Personal Data Protection, which continues to act as the supervisory authority and provides interpretative opinions, has tried to rebut this presumption, as the current Czech law, which has been in effect since 2000, already regulates most of the issues. Both it and the GDPR contain similar terms, such as “personal data,” “processing,” “data subject,” and “controller” defined similarly. The GDPR also does not constitute a new catalogue of rights of data subjects, as most of them – such as the right to erasure (known as “the right to be forgotten”) had already been established by the current legislation. The GDPR also does not bring with it a revolution in the duties of data controllers and processors; it only goes further with their specifications and provides some additional duties for these subjects, such as informing the supervisory authority if there is a data breach.

The GDPR does, however, establish a new right – the right to data portability – which, under certain conditions, gives data subjects the right to receive, on request and in a commonly-used format, any of their personal data that had been provided to a controller, and to transfer it to another controller.

Another misleading piece of information is that there is an obligation to procure consent for any personal data processing. Consent has to be given by an informed data subject and has to be revocable at all times. The GDPR specifies the conditions that need to be met for lawful consent. At the same time it provides five other legal reasons for data processing, e.g., performance of a contract. Because “free consent” can be difficult to establish in an employment relationship, reliance on that particular basis is not recommended, and other bases provided by the GDPR for processing employee personal data should be found wherever possible. 

Another reason for worry is the belief that every company needs to have a data protection officer with special certification. This duty only concerns public authorities and controllers whose core activity consists of processing operations requiring the systematic monitoring of data subjects on a large scale or processing special categories of data. The obligation will therefore affect public bodies such as municipalities, schools, and hospitals, along with financial institutions or large companies having data processing as their core business. A data protection officer does not need to have special certification, as is often claimed. 

More misleading information that has appeared is the necessity of implementing expensive technical measures related to the pseudonymization of data. The GDPR does not prescribe an obligation to encrypt collected data. Pseudonymization is named only as an option of a technical safety measure. Particular measures are chosen by the controller according to the nature, purpose, and scale of the data processing and the expected costs of such measures. 

The widest concern in regard to the GDPR is the threat of liquidating sanctions. The GDPR allows for fines up to EUR 20 million or 4% of total worldwide annual turnover. Such a concern does not mention that administrative fines up to CZK 10 million are already allowed under the current Czech legislation. Fines have to be imposed in each individual case in a proportional, effective, and dissuasive way. Nevertheless, imposing a fine is not a necessity, and the supervisory authority may decide to issue only a warning or reprimand or use other corrective powers. Moreover, the GDPR lists a large number of facts that need to be taken into consideration when imposing a fine.

In conclusion, the GDPR brings with it some changes and an enlargement of the regulation of personal data protection. However, the GDPR is aimed primarily at huge companies and entrepreneurs processing data on a large scale, and its goal is not to punish small traders and employers for each and every breach of their duties. Therefore, it is pointless to stir up panic. The GDPR should be understood as a challenge to improve business operations rather than as a threat.  

By Adela Krbcova, Partner, Dan Loukota, Senior Associate, Peterka & Partners 

This Article was originally published in Issue 5.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.

Czech Republic Knowledge Partner

For more than 25 years PRK Partners has been providing top tier, comprehensive legal services in all areas of law – always at the highest professional level. The company’s offices in Prague, Ostrava and Bratislava, as well as its specialised teams of legal practitioners and tax advisors, allow PRK Partners to offer solutions to any kind of legal issues, providing an international point of view and in-depth knowledge of the respective local legal system.

The full-service law firm has worked on many of the region’s largest and most complex transactions. The firm puts emphasis on the highest standards of quality, efficiency and flexibility in its advisory services, which are tailored to the specific requirements of each client. 

Our team is composed of professionals with international education and experience. The firm frequently works on a non-exclusive basis with leading international law firms on large cross-border transactions.

PRK Partners is consistently recognised among the top law firms by leading international and domestic directories and ratings agencies and has been honoured with numerous awards: 

• National Law Firm of the Year 2016 by the Chambers Europe Awards, the most prestigious international law firm competition. This is the fifth award PRK Partners has received since the awards were first given; National Law Firm of the Year 2014, 2013 and 2010 and Law Firm of the Year 2012 for Best Client Service.

• 2018 Best Law Firm of the Year in the category of Banking &Finance and the absolute winner in the main category of the Domestic Law Firm of the Year awards organised by epravo.cz under the auspices of the Czech Bar Association three times since the award's inception (in 2016, 2013 and 2011).

• a finalist of the Central European Law Firm of the Year category in The Lawyer European Awards 2018. 

The firm has a strong commitment to corporate social responsibility and pro bono work.

PRK Partners is the exclusive member firm in the Czech Republic for Lex Mundi, the world’s leading network of independent law firms, with in-depth experience in 100+ countries worldwide. In addition, the firm is a member of Celia Alliance, AFI (Association for Foreign Investment) and CVCA (the Czech Private Equity and Venture Capital Association).

Firm's website: www.prkpartners.com

Our Latest Issue