The General Data Protection Regulation – GDPR
On 27 April 2016, a regulation was adopted on the floor of the European Parliament which introduces new, unified data protection rules that apply across all EU member states: the “GDPR” (2016/679). Supplementing the GDPR, a new Directive of the European Parliament and the Council ((EU) 2016/680) has also been passed which concerns the areas of prevention, investigation, detection and prosecution of criminal offenses in connection with the processing of personal data.
Compared to the current legislation (contained in the Data Protection Act), the GDPR introduces a host of new rules. While these rules do mean additional administrative effort for data administrators ("controllers" in the Regulation's own terminology) and processors, the new GDPR regime delivers one major, undeniable benefit: the unification of terminology, procedures and interpretation, and also of the duties imposed on data administrators and processors. This new homogeneity ought to be reflected in an easier application of the law by legal practitioners, and thus make it easier for data administrators and processors to demonstrate their compliance.
In addition, data subjects gain a number of new rights. Aside from the right to demand that the data administrator inform them in detail about their rights, they may newly also object to the processing of their data, whereupon the data administrator must cease such processing unless it can demonstrate compelling, provable grounds that override the objection. Data subjects may also demand that the data administrator explain how their data is processed. Another novelty introduced by the GDPR is the right to data portability, i.e. the right to have one's data transferred from one data administrator to another.
With respect to data protection in the Czech Republic, the Office for the Protection of Personal Data retains its role as the supervisory authority in charge of overseeing compliance with data protection obligations.
The Regulation applies directly in all member states from 25 May 2018 and requires no transposition; the Directive must be transposed by the member states into their domestic legislation by 6 May 2018. During the transitional period, all entities affected by the Regulation ought to review their information systems and their policies for handling personal data, check whether they conform to the new rules, and amend them as necessary. It is more than advisable to devote sufficient attention and care to this review and revision of current instruments and mechanisms: the GDPR gives supervisory authorities the power to impose fines on entities in violation of their data protection duties of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total worldwide annual turnover, whichever is higher. As far as the application of the Regulation and the Directive in the Czech legal environment is concerned, we will have to wait and see whether the lawmaker prefers to abolish the existing Data Protection Act in its entirety, or to selectively repeal and replace individual parts of it.
Source: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data; Act No. 101/2000 Coll., on the protection of personal data, and other, related laws and regulations