Recently, the media and other sources have carried a multitude of contributions which, in various forms, address the new Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the “Regulation”). Given that certain entities present the Regulation as a revolutionary change in the field of personal data protection which requires immediate attention from personal data controllers (internet traders) and extensive investment on their part, we have decided to address this issue in this legal circular as well. We hereby follow up on legal circular No. 10/2015, in which we reported on the proposed form of the Regulation.
The Regulation enters into force on 25 May 2018 and has so-called direct effect. This means that it will be directly binding on entities in the territory of the European Union, unlike a directive, which must in principle be implemented into the national legal systems of Member States. However, in this case, the Regulation envisages subsequent elaboration of a number of issues by national legislation. The Regulation therefore does not bring about complete harmonisation of personal data protection within the EU, but rather “only” partial harmonisation. The wording of the supplementary Czech legislation is unfortunately not yet known, and this future legislation may have a significant impact on the scope of obligations of personal data controllers and processors.
From the perspective of personal data controllers, in our opinion, the Regulation does not bring radical changes in the concept of personal data protection. The obligations of the personal data controller in relation to the principles of personal data processing will not change significantly with the entry into force of the Regulation, and the majority of obligations presented as fundamental novelties are already being derived in the Czech Republic today by the Office for Personal Data Protection in its interpretative opinions. However, it certainly cannot be claimed that everything remains as it was.
We would consider one of the most important changes to be the shift of the burden of proof to the personal data controller, in the sense that it will be obliged to demonstrate that it carries out the processing of personal data in accordance with the Regulation: “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation.” We recall that even under the current legislation, the controller must be able to demonstrate, throughout the entire period of processing, the consent of the data subject to the processing of personal data. Now, however, the burden of proof will relate to the entire process of personal data processing (not only to proving that consent to the processing of personal data was obtained). The other side of the coin is that the notification obligation of the personal data controller pursuant to Section 16 of the Personal Data Protection Act will be abolished.
The personal data controller will henceforth be obliged, inter alia, to maintain written records of the processing of personal data (including in electronic form) and to ensure sufficient technical security in the processing of personal data. The substantial increase in the maximum sanctions that may be imposed for breach of obligations in the field of personal data processing is usually also presented as an important change. However, having regard to the scope of personal data processing in contemporary society and to the real capabilities of public authorities, it can be assumed that only the most flagrant or publicised breaches, or cases where a more extensive leak of personal data comes to light, will be prosecuted.
We will address further details relating to the new regulation in the field of personal data protection in one of the forthcoming legal circulars.
Josef Aujezdský
Law Office Mašek, Kočí, Aujezdský www.e-Advokacie.cz – on-line legal advisory service
This text was originally prepared by the law office Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal circular No. 2/2017 intended for members of this association.
This text was translated from Czech to English using an AI translator.