GDPR is EU Regulation 2016/679 on the protection of natural (physical) persons with regard to the processing of their personal data and on the free movement of such data. It becomes effective on 25 May 2018 and replaces the 95/46/ES directive of 1995, which has become insufficient for the demands of the digital market. In the Czech environment it supersedes Act No. 101/2000 Coll., on the protection of personal data; because the GDPR is directly applicable, no further implementation into Czech legislation is needed.
The Regulation is regarded as the most comprehensive set of personal data protection rules to date. It stipulates rights and obligations in handling personal data with the aim of protecting the digital rights of EU citizens, ensuring the enforceability of the law and enabling closer cooperation among supervisory authorities. All subjects (companies, state organizations or individuals) that handle the personal data of physical persons residing in the European Union within the scope of their business activities are concerned; such organizations are obligated to process the personal data of EU citizens in accordance with the Regulation. The data in question include personal data of employees, information about clients and databases of patients. The Regulation also applies to subjects seated outside the EU if they process EU citizens’ data for the business purpose of offering goods and/or services, and it applies to data transfers within a group of companies.
The obligations of the data controller
A company which is subject to the GDPR needs to be able to prove that its technical and organizational data protection safeguards are functional, and every data controller must be able to demonstrate compliance with the basic principles, i.e. that the data are processed in a fair, lawful and accurate manner and that they are kept up to date. One of the most important aspects is ensuring that the processing is lawful, which may only be achieved on one of the following grounds: a) the explicit consent of the physical person; b) the processing is necessary for the performance of a related contract; c) the processing is required to fulfil a legal obligation of the controller stipulated by law; d) the processing is necessary to protect the vital interests of a physical person; e) the processing is in the public interest or serves a legitimate interest of the controller.
Other obligations include keeping records of the processing of personal data, specifically the purpose for which the data are processed, the extent of the personal data processed, information about their recipients, transfers of the data, the deletion deadlines and the data security provisions; the controller therefore needs to document this information in detail. Furthermore, the controller is obligated to report all cases of data protection safeguard breaches no later than 72 hours after such a case has been detected.
The rights of physical persons
In accordance with the GDPR, every physical person has the right to obtain information on what data about them are being processed and for what purpose. Should they disagree with the processing, they may raise an objection, after which the controller may not process the data any further unless there is a justifiable reason to do so. A physical person may also exercise their right to demand the deletion of the data held by the controller, i.e. the right to be forgotten. If a physical person so decides, they may have the data transferred to a new controller.
The GDPR promises a stronger and more coherent framework for data protection, backed by strong enforcement of the law; the Regulation should remove the differences hindering the free movement of data and provide security and transparency. Only time and practice will show the pros and cons of the GDPR. The Regulation, however, introduces severe penalties for failing to meet its obligations, and it therefore deserves special attention.