Any company, institution, individual or online service provider that works with personal data shall be affected by the GDPR obligations which can often present great administrative burden for them.
The General Data Protection Regulation (GDPR) is a revolutionary EU legislation that significantly tightens the protection of citizens' personal data. The GDPR represents a new legal framework for the protection of personal data in the European area in order to defend the rights of EU citizens against unauthorized use of their data as much as possible. The obligated entities under the GDPR are all companies, institutions, individuals or online services that process user data and for which this Regulation represents a significant administrative burden.
The GDPR enters into force on 25 May 2018 and, as an EU regulation, is directly effective in the Czech Republic. In our office, we have a team of legal experts who are intensively involved in this area and will advise you best on how to prepare for GDPR and how to set up the necessary processes in your organization.
Many of the mechanisms contained in the GDPR are known to us from the current legislation. However, it also introduces many new obligations, one of them being data processors which has so far been covered by the data controller. The Regulation introduced a new obligation for controllers and processors, regardless of their size or number of employees, to put in place technical, organizational and procedural measures to demonstrate compliance with the principles of the GDPR. This represents a considerable time and financial investment for entrepreneurs. Our specialists will provide you with legal assistance with the adoption of the required internal concept, the implementation of a procedural change and the implementation of measures that are necessary, in particular, compliance with the principle of intentional and standard protection of personal data. These measures also include the so-called minimization of personal data processing, their pseudonymisation, transparency with regard to the purposes and processing of personal data and enabling citizens to access their data.
For many, the biggest scare is the reporting obligation in the event of a data breach. Therefore, upmost caution must be taken in relation to massive leaks of personal data only after a few years, as happened, for example, in the Yahoo case. According to the GDPR, the processor must report the leakage or threat to the security of personal data to the Office for Personal Data Protection no later than 72 hours from the moment he became aware of the incident. In some cases, they must also inform the persons and entities affected by the leak. The definition of personal data is also being expanded, which now includes technical parameters such as e-mail, IP address or the so-called cookie in the user's device. A new category is the so-called genetic and biometric data, the processing of which will be subject to a stricter regime. The GDPR contains much more news. Contact us for a comprehensive overview of the responsibilities that will apply specifically to you. The validity and compliance with the obligations under the GDPR must be documented by the organization throughout the processing. It is necessary to understand that they only process data that is necessary for a specific purpose. We provide assistance to entrepreneurs and non-commercial institutions with these new responsibilities. This is not only conducted in the form of ad hoc advice on a specific obligation, but also with the preparation of a comprehensive concept for the smooth compliance with all obligations arising from the GDPR tailored to a specific client.
The GDPR imposes astronomical fines for violating its rules, following the example of competition regulations, several times higher than what we have normally been used to so far. Their maximum amount is 20,000,000 euros or 4% of the company's total annual turnover (whichever is higher). Last but not least, companies are exposed to loss of trust and reputational risks caused by mishandling of personal data.
It is important to emphasize that the maximum amount of the fine may be established on both a smaller company with five employees and a large multinational corporation if it does not take the necessary steps to comply with the principles and obligations arising from the GDPR.
We provide especially the following legal services in relation to the GDPR: