On 15 June 2015, the EU Council adopted the so-called general approach to the draft Regulation of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The draft of this regulation was presented by the European Commission as early as 2012. However, only with the adoption of the general approach by the EU Council was a political agreement reached across all EU Member States and its key points firmly established. On the basis of this agreement, the EU Council commenced negotiations with the European Parliament. Given the substance of the general approach, however, the basic concept is not expected to change significantly even after these negotiations. The actual approval and applicability (i.e. legally binding effect) of the regulation is not anticipated before 2017.
In this legal bulletin, we have prepared a brief summary of the most significant changes and impacts in the area of personal data protection that the draft regulation brings in the sense of the aforementioned agreement.
Change in the territorial scope of the regulation
According to the regulation, obligations in relation to the processing of personal data will now also apply to the processing of personal data relating to EU citizens, provided that the processing activities are related to the offering of goods or services or to the monitoring of their behaviour. Compared to the current state, the regulation will therefore apply both to the processing of personal data within the activities of an establishment of a controller or processor in the EU, and to the processing of personal data of subjects residing in the EU, regardless of whether the controller has its seat in the EU or not. For the purposes of supervising compliance with generally binding regulations in the area of personal data protection, individual controllers of personal data should be subject to the personal data protection authority of the state in which they have their main seat.
Granting consent to the processing of personal data
The draft regulation envisages that consent to the processing of personal data can no longer be given by implied conduct (i.e. implicitly). Consequently, it will no longer be possible to treat, for example, the mere provision of personal data itself as the granting of consent. The data subject will instead have to provide consent to the processing of personal data in a qualified form, i.e. the consent will have to be given expressly or unambiguously. However, the precise form in which consent is to be granted has not yet been decided.
Cookies as personal data
The draft regulation defines in greater detail the terms “natural person” (i.e. the data subject) and “personal data”. It defines personal data as any information relating to the person in question, including all information which may in their totality lead to the direct or indirect identification of the person in question. According to the draft, such information may be considered to include, for example, so-called cookies, information about a person’s location or other similar information, but only in cases where they actually make the person in question identifiable.
Right to erasure of personal data
The draft regulation grants data subjects the right to the immediate removal of any and all information which the controller of personal data holds about them. If the controller has made these data accessible to a third party, an obligation may apply to it to ensure the removal of these data also in relation to these third parties. The above will not apply to personal data processed (published) in the public interest, etc.
Amount of sanctions
The draft regulation envisages a drastic increase in sanctions for infringement of legal regulations in the area of personal data processing. For infringement of legal obligations in the processing of personal data, a fine of up to EUR 1 million or 2% of the turnover of the controller of personal data may now be imposed.
Other changes:
• Obligation to inform the relevant personal data protection authority and the affected persons of a security breach in the processing of personal data as soon as possible, with a recommended time limit of 24 hours.
• Special obligations for controllers of personal data with more than 250 employees.
• Simplification of the process of transfer of personal data from one provider of services or goods to another.
David Svoboda
Law Firm Mašek, Kočí, Aujezdský www.e-Advokacie.cz – on-line legal advisory services
This text was originally prepared by the law firm Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal bulletin No. 10/2015 intended for members of this association.
This text was translated from Czech to English using an AI translator.