Mgr. Karel Kotrba
associate
Regardless of what legal issue you may have, do not hesitate to contact me. I would be happy to learn more about your case.
GDPR has been the bogeyman of the past few years. In 2018, everyone was revising internal data processing rules, updating vendor contracts, deleting old data, and putting new and longer data processing information memoranda on the web.
Do you think you're over that now? Unfortunately, it's not that easy. The interpretation of the GDPR is evolving, and inspections are focusing on weak points. The risk of fines is increasing.
The GDPR and the Czech Data Processing Act are general regulations. The basic rights, obligations and rules apply to all those who process personal data in practice, regardless of size, sector of operation, number of clients or employees. Interpretive practice, case law and methodologies of supervisory authorities specify how to comply with individual obligations. It is also important to take into account sectoral regulation, which in many areas contains specific conditions for the use of personal data.
We could count dozens of important court decisions and new methodologies since 2018. Let's summarise the most important changes and updates:
Transfer of personal data outside the European Union
Do you share information about your clients, employees or suppliers with a parent or sister company based outside the EU? Do you use cloud services from a US company or have a customer support service in India?
The GDPR places specific requirements on such data transfers. There are at least two recent developments that are important to note:
To ensure the protection of data transferred outside the EU, so-called European standard contractual clauses are often used. This means that you enter into a specific contract with the data recipient (e.g. a supplier). In it, the supplier guarantees how it will protect the data, that it will not use it for its own purposes, allow your clients to exercise their rights, etc.
In 2021, the European Commission issued new model contract clauses that must be concluded in such a case. The old contracts could only be used until 27 December 2022. Have you concluded a new contract in time?
The European Data Protection Board, a body bringing together the supervisory authorities of each EU member state, issued detailed recommendations in 2021 on what data protection measures to take before transferring data to third countries. This goes beyond standard contractual clauses. All risks associated with such data disclosures must be documented in a "transfer impact analysis", together with the additional measures the data exporter has taken to protect the persons concerned.
Have you mapped all cases where personal data you hold is accessed by non-EU entities? Have you analysed the risks involved? Can you demonstrate to the Data Protection Authority, when asked, what measures you have taken and why? And when did you last assess whether these measures are effective?
Online cameras now covered by the GDPR
The Czech Data Protection Authority was previously of the opinion that the rules on the processing of personal data applied only to camera systems with recording equipment. It did not address online cameras.
However, this has changed in 2022.
The European Data Protection Board has issued a comprehensive methodology on cameras, which does not use this distinction (online cameras vs. cameras with recording). And the DPA, rather quietly, modified the position on cameras on its website in July 2022. It now assesses compliance with GDPR obligations for all cameras, regardless of whether or not permanent footage is taken from them.
What does this mean in practice?
If you operate an online CCTV system, for monitoring traffic, monitoring building access, assessing workload at individual sites, warehouses etc., and the camera also captures individuals, you are in the GDPR regime. You need to define and describe the purpose of the processing and its legal basis, set the parameters, document the security measures, inform employees and other affected persons about the data processing, etc.
If your cameras record employees, you must also take into account the relevant provisions of the Labour Code. It provides for some more detailed or stricter requirements for workplace surveillance than those generally introduced by the GDPR.
Do you use (online) cameras in the workplace? Are they compliant with the regulation?
Do you have a data protection officer? And could we see him or her?
The GDPR has required a number of regulated entities to appoint so-called data protection officers.
Anyone who carries out extensive and regular processing of client or employee data, regularly monitors individuals, or processes sensitive data must designate an employee to deal internally with the compliance of processing with the regulation. Equip him or her with sufficient resources and competencies, and involve him or her in business and operational issues impacting personal data. And document everything.
The actual functioning of the data protection officers will be the focus of inspections by the European Data Protection Authorities in 2023. And the Czech Data Protection Authority too.
And they will ask questions like this:
As long as you can easily document all this during the audit, you can rest easy.
How do you manage security incidents and personal data leaks?
The GDPR requires every regulated organisation to identify security incidents impacting personal data. This includes data leaks, but also data unavailability, loss, unauthorised modification, and access by unauthorised persons.
All incidents must also be assessed in a timely manner, in terms of their impact and the potential risks to the affected persons, employees, clients, etc. If the risk to the affected persons is relevant, i.e. not low, then the organisation must inform the Data Protection Authority about the incident. Within what timeframe? The GDPR says that the organisation must comply with this obligation without undue delay, and no later than 72 hours after the incident is discovered.
Relevant risk, greater than low risk, without undue delay... Yes, these are all rather vague terms that everyone in practice can interpret in their own way.
To standardise the approach, the European Data Protection Board has prepared two methodologies.
Do you know about all the security incidents in your organisation? Are you managing them, fixing vulnerabilities, and addressing data leaks? And do you have a documented process, a methodology for assessing incidents and for communicating with the authority? Are you confident that you will be able to notify the Data Protection Authority of a significant security incident within 72 hours?