GDPR Compliance Without Red Tape: Protect Data and Keep Business Moving
GDPR is more than just a legal obligation – it is a key business factor affecting client trust and a company’s financial stability. This article shows how to set up effective data protection without slowing down business operations. Attorneys from ARROWS help companies achieve compliance with the regulation while ensuring smooth day-to-day operations.

Key takeaways
- GDPR is not just an IT matter: It is a comprehensive legal framework that affects marketing, HR, sales, order processing, and many other processes. Ignoring any of them can cost you a significant fine as well as reputational damage.
- A fine of up to EUR 20 million or 4% of annual turnover is not a theoretical threat: The most serious GDPR breaches are penalised at these levels. The reality of European authorities, including the Czech Data Protection Authority (ÚOOÚ), in recent years shows that fines are not an exception but a standard part of supervision.
- Practical GDPR setup reduces risk more than paper documents: A security audit, review of processor contracts, the right tools for obtaining consent, and data tracing will ensure that when an inspection comes, you will not be on the defensive.
- ARROWS attorneys understand both the theory and the real mistakes businesses make: You will not be building protection that looks good on paper but does not work in practice, or that ties your hands to the point where you can no longer do business normally.
Why companies confuse GDPR with paperwork procedures
Most often, we see companies believing they are GDPR-ready because they have:
- A cookie banner on the website (often configured incorrectly)
- General terms and conditions with a reference to data processing
- Some GDPR file in an internal document
- The words “GDPR” in the visitor rules
In reality, it is like thinking you are covered by health insurance because you have an insurance card, but you do not go for preventive check-ups and you live an unhealthy lifestyle.
In practice, GDPR means:
Conscious mapping of what data you process, from when, for what purpose, and how long you retain it. Companies often find that:
- They keep old client emails in archives without any legal basis to retain them.
- Salespeople keep contact spreadsheets via personal email accounts without proper protection.
- The HR department processes health-related data without a clear legal basis and an adequate level of protection.
- Websites track visitor behaviour using tools that are not properly documented and for which they do not have valid consent under the Czech Electronic Communications Act.
Chain of responsibility. GDPR does not impose obligations only on the company. In the event of a serious breach, specific individuals who decided on the processing may also be held liable, for example in misdemeanour proceedings or even criminal proceedings under Czech legislation (e.g. Criminal Code, Section 180a Breach of the secrecy of letters and other documents kept in private, Section 180 Breach of confidentiality of individual data).
Real security measures, not just paperwork. When the Czech Data Protection Authority (ÚOOÚ) carries out an inspection, it is not interested only in formal documents. It asks how you ensure data security in practice, how access to data is handled, who has access to systems, how long backups are kept, and how those backups are protected.
Where GDPR reality usually exposes non-legal solutions
A processor is another legal entity or natural person that processes personal data on your behalf and based on your instructions (e.g. a cloud provider, a payroll company, an email marketing platform, an accounting firm). Without a valid data processing agreement (DPA – Data Processing Agreement), you are in breach of Article 28 GDPR. But this is not just a formality.
ARROWS attorneys commonly see situations where:
- A company has a contract with a cloud provider, but the DPA is not included at all or is completely inadequate.
- A DPA exists, but it does not include the processor’s obligations to ensure appropriate technical and organisational security measures, including the possibility of conducting a security audit.
- Processes between the company and the processor have changed, but the data processing agreement has not been updated.
- The DPA lacks clear rules for the event of a personal data breach (a “data breach”).
The absence of a DPA or an incomplete DPA constitutes a serious GDPR breach, for which a fine of up to EUR 20 million or 4% of total annual turnover may be imposed, regardless of whether there has been a direct infringement of data subjects’ rights. The Czech Data Protection Authority (ÚOOÚ) places strong emphasis on a properly drafted DPA.
Legal bases and consent – a weak spot
Many companies think that a general consent (“I agree to the processing of personal data”) is sufficient.
GDPR distinguishes between six different legal bases for processing personal data (Articles 6 and 9 GDPR):
- Consent – must be explicit, informed, specific, freely given, and unambiguous. It can be withdrawn at any time.
- Performance of a contract – processing is necessary for the performance of a contract to which the data subject is a party.
- Legal obligation – processing is necessary for compliance with a legal obligation to which the controller is subject (e.g. tax filings, employment-law obligations under Czech legislation).
- Protection of vital interests – processing is necessary to protect the vital interests of the data subject or another natural person (exceptional cases, e.g. emergencies).
- Public interest or exercise of official authority – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller (only for public authorities).
- Legitimate interests – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. This basis requires carrying out a so-called balancing test.
If you choose the wrong legal basis, it is a breach, even where you have obtained consent but should in fact have relied on, for example, the “performance of a contract” basis. It may seem like a nuance, but the Czech Data Protection Authority (ÚOOÚ) monitors it, and selecting the correct legal basis is key to GDPR compliance.
Data subjects’ rights – what if your clients get in touch?
GDPR grants individuals a number of rights (Articles 12–22 GDPR) that the data controller must be able to fulfil effectively:
- The right to access your personal data and information about its processing.
- The right to rectification of inaccurate or incomplete data.
- The right to erasure (“the right to be forgotten”) under certain conditions.
- The right to restriction of processing.
- The right to data portability to another controller.
- The right to object to processing.
- The right not to be subject to automated individual decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you.
Companies that are not prepared for such a request often end up in a situation where:
- They do not know where all the data is stored (including backups, archives, external services).
- They cannot guarantee that they will meet the statutory deadline for responding (one month, extendable by a further two months depending on the complexity and number of requests, i.e., a maximum of 90 days).
- They cannot securely provide the data without the risk of disclosing other persons’ data.
- They delete the data from the main system but forget about backups where the data still exists.
Any delay or refusal without due reason is a breach.
Related questions: Legal bases and data subject rights
1. Do I need the consent of everyone who has an email address in order to send them a commercial offer?
It depends. If you have the person as an existing customer and you send them commercial information about similar products or services, you may rely on the legal basis of “legitimate interest” under Section 7(3) of Act No. 480/2004 Coll., on Certain Information Society Services, provided that the person can easily and free of charge unsubscribe. However, a new contact without a related relationship requires explicit consent. ARROWS attorneys in Prague can help you determine which legal basis is the most reasonable for your situation and compliant with applicable regulations.
2. What should we do if someone contacts us and wants their data?
You must respond within one month of receiving the request. In justified cases (complexity, number of requests), this period may be extended by a further two months, but you must inform the data subject within one month, together with the reasons for the extension. If you have data in a number of systems, you should know this in advance and have a process in place to handle it. ARROWS attorneys in Prague can prepare an internal procedure and ensure that deadlines are met.
3. Is it safer to simply email everyone: “If you do not wish to receive offers, unsubscribe”?
No. This breaches Act No. 480/2004 Coll. and the GDPR. With such an approach, you have likely assumed the basis of “legitimate interests” or “consent” without proper prior information or obtaining consent. Direct marketing is permitted only on the basis of the recipient’s prior consent or the existence of a prior business relationship under strictly defined conditions. The consequences can be significant.
Security measures and employees – where things can go wrong
One of the most common breaches is insufficient management of access to data within a company, which falls under the principle of integrity and confidentiality under Article 5(1)(f) GDPR.
Typical situation:
- A receptionist has access to a system containing all client data, but only needs to know the data from a specific order.
- An HR employee has access to a cloud containing payroll data of all employees just so she can store personal files there.
- Former employees who have left the company still have active access to some systems.
- An accountant has access via a password shared with an assistant.
Article 32 GDPR requires appropriate technical and organisational security measures; in practice this means data and access minimisation, auditing and maintenance of access rights, and encryption of sensitive data:
- Data minimisation – process only the personal data that is necessary for the given purpose.
- Access minimisation – each user should have access only to the data and systems they strictly need to perform their work (the “need-to-know” principle).
- Audit and maintain – keep records of who has access to what, and regularly review and update these access rights (especially when employees leave).
- Encrypt sensitive data – ensure appropriate encryption of sensitive personal data (e.g., health data) and pseudonymisation or anonymisation of other data, especially during transfer or archiving, where appropriate and technically feasible.
Without these measures, a company is vulnerable to:
- Internal carelessness (someone accidentally takes data outside the company or discloses it).
- Employees with dishonest intent.
- Cyberattacks – if attackers find insufficient security measures, you are liable for a GDPR breach in the same way as if it were committed by a dishonest employee.
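The “audit and maintain” step above is the one most companies skip, so here is an added example of what a periodic access review can look like in code. It is not ARROWS' tooling and not part of the original article: the roster, the role-to-data need-to-know matrix and the exported list of access grants are constructed sample data, and the system names (crm, erp, payroll-cloud, hr-drive) are hypothetical. It flags the four situations the article lists: a leaver whose account is still active, a credential shared between people, access broader than the role needs, and an account nobody in HR's roster owns.

```python
"""Access-rights review for the need-to-know principle (Art. 5(1)(f) and 32 GDPR).

Added illustration, not the law firm's own tooling. All data below is constructed
and the system names are hypothetical; a real review would load the roster from HR
and the grants from each system's IAM export.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import NamedTuple

# Constructed HR roster: role and, for leavers, the last day of employment.
ROSTER = {
    "alice": {"role": "reception", "left_on": None},
    "bob":   {"role": "hr", "left_on": None},
    "carol": {"role": "accounting", "left_on": date(2025, 11, 30)},  # has left
    "dave":  {"role": "sales", "left_on": None},
}

# Assumed need-to-know matrix: which data classes each role legitimately needs.
ROLE_NEEDS = {
    "reception": {"orders"},
    "hr": {"personnel_files"},
    "accounting": {"invoices", "payroll"},
    "sales": {"crm_contacts"},
}

# Date on which the review is run (constructed).
REVIEW_DATE = date(2026, 1, 15)


@dataclass(frozen=True)
class Grant:
    account: str        # login name as exported from the system
    system: str         # hypothetical system name
    data_class: str     # kind of personal data the grant exposes
    users: tuple        # natural persons known to use this account


class Finding(NamedTuple):
    kind: str
    person: str
    account: str
    system: str
    data_class: str


# Constructed export of access grants, as pulled from each system's IAM.
GRANTS = [
    Grant("alice", "crm", "orders", ("alice",)),
    Grant("alice", "crm", "crm_contacts", ("alice",)),           # broader than reception needs
    Grant("bob", "payroll-cloud", "payroll", ("bob",)),           # HR clerk can see all payroll
    Grant("bob", "hr-drive", "personnel_files", ("bob",)),
    Grant("carol", "erp", "invoices", ("carol",)),                # leaver still active
    Grant("acct-shared", "erp", "invoices", ("carol", "dave")),   # password shared with a colleague
    Grant("dave", "crm", "crm_contacts", ("dave",)),
    Grant("svc-old", "erp", "payroll", ("erin",)),                # owner not in the roster
]


def review_access(grants, roster, role_needs, today):
    """Return one Finding per grant/person combination that violates need-to-know."""
    findings = []
    for g in grants:
        # One account used by several people defeats auditing: nobody is accountable.
        if len(g.users) > 1:
            findings.append(Finding("shared_credential", "", g.account, g.system, g.data_class))
        for user in g.users:
            person = roster.get(user)
            if person is None:
                # Nobody in HR's roster owns this access; treat as orphaned until explained.
                findings.append(Finding("unknown_person", user, g.account, g.system, g.data_class))
                continue
            left = person["left_on"]
            if left is not None and left <= today:
                # Off-boarding was not completed: access outlived the employment.
                findings.append(Finding("leaver_active", user, g.account, g.system, g.data_class))
            elif g.data_class not in role_needs.get(person["role"], set()):
                # Access exceeds what the role needs for its work.
                findings.append(Finding("over_broad", user, g.account, g.system, g.data_class))
    return findings


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(GRANTS, ROSTER, ROLE_NEEDS, REVIEW_DATE)


def summarize(findings):
    """Count findings by kind, for the review report."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = run_review()
    for f in results:
        print(f"{f.kind:18} person={f.person or '-':6} account={f.account:12} "
              f"system={f.system:14} data={f.data_class}")
    print("summary:", summarize(results))
```

Each finding is one line for the access owner to either revoke or justify in writing, which is exactly the record an inspector asks for when checking who has access to what and whether leavers were removed. The shared-credential case is reported once per account rather than per person, because the remedy (individual accounts) is the same whoever uses it.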
Related questions: Security and access
1. If we are attacked by a hacker and they steal data, are we at fault towards clients?
It depends. The GDPR emphasises the adequacy of technical and organisational measures. If you had appropriate security measures in place under Article 32 GDPR and a breach still occurred, you may be able to defend yourself. If not (e.g., no encryption, weak passwords, insufficient firewall, missing regular system updates), you are liable for a GDPR breach and, in addition, often also for a breach of the duty to protect personal data. When assessing the matter, the Czech Data Protection Authority (ÚOOÚ) takes into account whether you did everything that was reasonably possible. ARROWS attorneys in Prague can help ensure your measures are documented and credible.
2. Which data is most often threatened by cyberattacks? Should I encrypt it specifically?
Most often at risk is data that has high value on the black market: emails, phone numbers, login credentials, financial data, health data, and children’s data. All personal data should be protected by appropriate security measures. Special categories of personal data (e.g., health data, racial origin, political opinions, etc.) require a higher level of protection under Article 9 GDPR. ARROWS attorneys in Prague can help you carry out a security audit and identify where the greatest effort needs to be focused.
Audit and implementation – where real protection is decided
We often encounter companies in a situation where an ÚOOÚ inspection has just started. At that moment, they find that:
- They do not have an overview of where all their personal data is stored.
- They cannot demonstrate the implementation of appropriate technical and organisational security measures.
- They cannot find a legal basis for what they are doing (a legal basis for processing is missing).
- Their contracts with third parties (processors) are not compliant with the GDPR.
The correct approach to achieving and maintaining GDPR compliance includes:
- Mapping – a thorough inventory and mapping of all personal data processing activities (what data you have, where it is, how long you retain it, and what you use it for).
- Legal analysis – determining the correct legal bases for each type of processing and assessing compliance with the other GDPR principles.
- Contracting – review and amendment of contracts with processors and third parties to ensure they meet the requirements of Article 28 GDPR.
- Security – audit of existing technical and organisational security measures, identification of weak points and implementation of recommended changes, including proper documentation.
- Processes – setting up internal processes for handling data subject requests, reporting personal data breaches (data breach), and internal audits.
- Training – regular, targeted employee training so they know what to do, what their obligations are, and how to handle personal data properly.
ARROWS attorneys carry out this work methodically, based on the latest insights from the practice of the Czech Data Protection Authority (ÚOOÚ) and the European Data Protection Board (EDPB). The difference between “paper” GDPR and truly functional GDPR becomes apparent precisely during an inspection.
| Possible issues | How ARROWS helps (office@arws.cz) |
|---|---|
| Missing processor agreements (DPA) – Breach of Article 28 GDPR, risk of a high fine (up to EUR 20 million or 4% of annual turnover), undermined legitimacy of processing, risk of service suspension. | Review of all relationships with service providers, preparation and negotiation of DPAs under Article 28 GDPR, ensuring the agreement contains all statutory requirements, including security obligations and the right to audit. |
| Unclear legal bases – Processing without a clear reason leads to a breach of Article 6 or Article 9 GDPR, a potentially high fine, and an inability to defend yourself during an inspection. | Legal audit of all processing activities, data mapping, determination of the correct legal basis for each type of processing, proposal of new procedures and documentation to evidence compliance. |
| Insufficient security measures – Breach of Article 32 GDPR; a security flaw leads to a data leak noticed by both clients and the regulator; there is a risk of a high fine for the security breach in addition to reputational damage. | Security audit from a legal perspective, recommendations for specific technical and organisational measures, assistance with documenting these measures, employee training, preparation of a plan for a personal data breach (data breach). |
| Inability to meet data subject requests – Breach of Articles 12–22 GDPR; delays or failure to process a request for erasure, access or portability leads to a fine and reputational damage. | Setting up internal processes and forms for receiving and handling data subject requests, team training, preparation of procedures for timely and proper responses, ensuring data is traceable and accessible for the purpose of fulfilling these rights. |
| Lack of policies and documentation – Breach of the accountability principle (Article 5(2) GDPR); compliance cannot be demonstrated during an inspection; the regulator perceives this as ignoring GDPR. | Preparation of a comprehensive privacy policy, GDPR manual, records of processing activities (under Article 30 GDPR), consent records and other internal documents demonstrating proper and transparent processing of personal data. |
Final summary
GDPR is not a legal exercise – it is a tangible, day-to-day obligation you must comply with, and one that the regulator actually verifies. Companies that think GDPR is only about a website banner and paperwork usually realise it only when they receive a notice of inspection or when a security incident occurs.
Real data protection means consciously mapping what you process and why, having a legal basis for every processing activity, and ensuring security in practice, not just on paper.
It is not complicated – but it is not trivial either. The difference between a company that says “we’ll buy a GDPR template” and a company that has GDPR set up in practice by an attorney becomes apparent precisely during an inspection. One will be on the defensive; the other will be able to say with a clear conscience that it is prepared.
If you are not sure whether your preparation is sufficient, or if you do not want to risk fines, data transfers, reputational damage or a legal dispute with your clients, the safest solution is to entrust GDPR to the attorneys at ARROWS, a Prague-based law firm. They will be happy to help you see clearly what you really must do – and what is already in order. Contact us at office@arws.cz to arrange an initial assessment.
FAQ: GDPR and data protection
1. What is the real consequence if we breach something under GDPR?
It depends on the severity, scope and impact of the breach. GDPR fines can reach up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. There is also the risk of reputational damage (loss of trust of clients and business partners), lawsuits from affected data subjects (right to compensation), and potentially other administrative or criminal sanctions under national regulations. ARROWS attorneys in Prague can help you determine your position and how to strengthen it at office@arws.cz.
2. How often should we be prepared for an inspection?
The Czech Data Protection Authority (ÚOOÚ) carries out inspections on a cyclical basis, but it also responds to submissions from individuals, complaints, or focuses on targeted topics. It is not possible to predict exactly when an inspection will come, which is why companies that process personal data should be prepared at any time. The right approach: prepare properly once, then maintain order and compliance through regular reviews. This is far cheaper and more effective than dealing with crisis situations during an inspection.
3. Do we have to buy special software to manage GDPR?
Not always. It depends on your size, the complexity of processing and the volume of data. A large corporation with tens of thousands of personal data records and complex processes may benefit from specialised software. For a smaller company, however, properly set internal processes, documentation and the use of standard tools are often sufficient. ARROWS attorneys can help you determine what is optimal for you so that software implementation does not create unnecessary costs.
4. What if I am a commercial company and have clients outside the EU?
GDPR has extraterritorial effect. If you provide services to individuals located in the European Union or monitor their behaviour in the EU (e.g., through websites), GDPR applies to you regardless of where your company is established. Likewise, if you have a branch in the EU and process data of EU residents, GDPR applies to you. If you have clients outside the EU whom you neither monitor nor offer services to in the EU, GDPR does not apply to the processing of their data; however, it still applies to you in relation to your own employees and EU clients. ARROWS attorneys can help you map what your responsibilities are; if the situation is complex, we will use the ARROWS International network for global advice.
5. How long do we have to retain data?
You may retain personal data only for as long as necessary for the purpose for which it was collected, and once that purpose has been fulfilled it should be erased or anonymised (Art. 5(1)(e) GDPR – the storage limitation principle). There is no universal retention period—it depends on the specific purpose of the processing (e.g., performance of a contract, legal obligations, legitimate interest, marketing, etc.) and the applicable legislation (e.g., tax and accounting regulations, the Labour Code). Many companies mistakenly believe they are entitled to archive everything “just in case”—they are not. The attorneys at ARROWS can help you set the correct retention periods for individual types of data.
Disclaimer: The information contained in this article is for general informational purposes only and serves as a basic guide to the issue as of 2026. Although we strive for maximum accuracy, laws and their interpretation evolve over time. We are ARROWS Law Firm, a member of the Czech Bar Association (our supervisory authority), and for the maximum security of our clients, we are insured for professional liability with a limit of CZK 400,000,000. To verify the current wording of the regulations and their application to your specific situation, it is necessary to contact ARROWS Law Firm directly (office@arws.cz). We are not liable for any damages arising from the independent use of the information in this article without prior individual legal consultation.