We continuously update this list of frequently asked questions and answers on rights and obligations, WP29 recommendations, guidelines of the European data protection authorities and of the Czech Office for Personal Data Protection in the area of the GDPR, etc.
The General Data Protection Regulation represents a revolution in personal data protection. The new EU General Data Protection Regulation (GDPR) changes the rules for processing personal data and introduces severe sanctions: up to 4% of worldwide annual turnover or EUR 20,000,000, whichever is higher.
Regulation (EU) 2016/679 (the GDPR) is directly applicable throughout the Union and takes precedence over national law. Where Act No. 101/2000 Coll. conflicts with the GDPR, the GDPR applies. The GDPR does not itself repeal the Act, but it overrides and supplements it wherever the two are in conflict.
Do you collect, store or use the data below? Then you have to follow the rules of GDPR. Do you process data for other companies? Then this applies to you as well.
Personal data: virtually any data (not only in electronic form) that allows a specific individual to be identified. In addition to the name, this includes the place of residence, date and place of birth, identification numbers and IDs, IP addresses, cookies, etc.
Insurance companies that can insure you against cyber risks include Allianz (to a limited extent); another insurance solution is offered by Renomia, and Colonnade offers probably the broadest coverage of the areas of cyber security and GDPR.
A single set of rules valid throughout the EU will be created. A "one-stop shop" system will be introduced: a company operating in several countries will be supervised by a single data protection authority (i.e. the authority in the country where the company has its main establishment).
Unnecessary bureaucratic requirements, such as notification obligations, will be eliminated. The transfer of data from the EU will be simplified, while the protection of personal data will be guaranteed.
New, simpler, clearer and stronger rules will make it easier for citizens to protect their data online. These rules will also significantly reduce business costs.
The rules will give EU companies an advantage in global competition, as they will be able to guarantee their customers that their data will be strictly protected, while at the same time being able to do business in a simpler legal environment.
People and businesses expect data protection rules to be coherent and uniformly applied across the EU. Almost 90% of Europeans say they want the same data protection rights everywhere in the EU. This is not the case today.
Personal data transfer increasingly crosses borders (both virtual and geographical) and data is stored on servers in a number of different countries, both inside and outside the EU.
This is the essence of so-called cloud computing. As data flows around the world, individuals' rights to data protection need to be strengthened internationally. This requires strong data protection principles that facilitate the flow of personal data across borders while ensuring strong and consistent protection that has no gaps and is not unnecessarily complex.
The new rules reinforce the so-called "right to be forgotten", which means that if you no longer want your personal data to be processed, and if there is no legitimate reason for the organization to keep it, it must be removed from its system.
Instead of you having to prove that it is no longer necessary for your data to be kept, data controllers must prove that they still need your data. Providers must adhere to the principle of "data protection by default", which means that the default settings should guarantee you the highest possible level of privacy. Companies will need to tell you as clearly and comprehensibly as possible what your personal data will be used for, so that you can decide for yourself what data you will share. This information may be combined with easy-to-understand standardised icons.
The new general data protection regulation will ensure that you are provided with clear and comprehensible information when your personal data is processed. If your consent is required, the company that wants to process your personal data must first ask you to provide it with a clear confirmation.
The new rules will also strengthen the so-called right of an individual to be forgotten, which means that if you no longer want your personal data to be processed, and if there is no legitimate reason for the company to keep it, it must be deleted.
The new regulation will also ensure that you have free and easy access to your personal data, making it easier for you to find out what personal data companies and public authorities hold about you and to transfer your personal data between service providers (the principle of "data portability").
Privacy will be the default. Police and criminal justice authorities will apply the principles of data protection by design and by default from the start of any processing of personal data, for example when developing new databases.
Those responsible for processing personal data will bear more responsibility for their work. For example, public authorities must appoint data protection officers, who are in charge of the protection of personal data within their organization. They must also ensure that the national supervisory authority is informed of serious personal data breaches as soon as possible (under the GDPR, without undue delay and, where feasible, within 72 hours).
Different and incompatible data protection rules currently apply in the 28 EU Member States. In some cases, companies in the EU have to comply with 28 different sets of data protection rules. The result is a fragmented legal environment that leads to legal uncertainty and unequal protection of individuals.
Businesses also incur unnecessary costs and significant administrative burdens. Small and medium-sized enterprises in particular are discouraged by this situation from expanding to other EU countries, which is an obstacle to economic growth.
The General Regulation does not define the term "extensive" (large-scale). WP29 recommends that, in particular, the following factors be taken into account when determining whether processing is extensive:
(a) the number of data subjects concerned, either in absolute terms or as a share of the relevant population
(b) the volume of data processed and/or the range of data items
(c) the duration or permanence of the processing activity
(d) the geographical scope of the processing activity
Examples of extensive processing:
(a) the processing of patient data in the normal course of a hospital's activities
(b) the processing of travel data of individuals using public transport (e.g. tracking via smart cards)
(c) the processing of real-time geolocation data of customers of an international fast food chain for statistical purposes by a processor specialised in this activity
(d) the processing of customer data in the ordinary course of business of an insurance company or bank
(e) the processing of personal data by a search engine for the purposes of behavioural advertising
(f) the processing of data (content, traffic, location) by telephone or internet service providers
Examples of non-extensive processing:
(a) the processing of patient data by an individual doctor
(b) the processing of personal data relating to criminal convictions and criminal offenses by an individual lawyer
Yes. According to Article 37(6), the officer may be an employee of the controller or processor (an internal officer), or may "fulfil the tasks on the basis of a service contract". This means that the officer may be an external expert, in which case the function is performed on the basis of a service contract concluded with an individual or an organization.
All the requirements of Articles 37 to 39 apply equally to an external officer. The function may also be carried out by a team of individuals working for the external organization on behalf of the client. In this case, it is essential that each member of the external organization acting as officer fulfils all the requirements of the General Regulation.
In the interest of legal clarity and good organization, the Guidelines recommend having a clear division of tasks in the service contract within the external officer team and appointing one specific person as the lead contact in charge of client care.
The "main activities" can be understood as the key operations necessary to achieve the objectives of the controller or processor. This also includes all activities where data processing forms an inextricable part of the controller's or processor's activity. For example, the processing of health data, such as patient medical records, should be considered one of the main activities of a hospital, and the hospital must therefore appoint an officer.
On the other hand, all organizations perform certain support activities, such as staff payroll or standard IT support. These are necessary functions that support the organization's core business. Even though they are necessary, these activities are considered ancillary functions rather than main activities.
The General Regulation stipulates that the officer "shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices".
The required level of expertise should be determined according to the processing operations carried out and the protection required for the personal data processed. For example, where the processing activity is particularly complex or involves a large amount of sensitive data, the officer will need a higher level of expertise and support.
The necessary skills and experience include:
(a) knowledge of national and Union law in the field of data protection and practical experience, including in-depth knowledge of the General Regulation
(b) knowledge of the processing operations carried out
(c) knowledge of information technology and data security
(d) knowledge of the business sector and of the organization
(e) the ability to promote a data protection culture within the organization
The General Regulation requires the appointment of officers in three specific cases where:
(a) the processing is carried out by a public authority or body (irrespective of the data being processed);
(b) the main activities of the controller or processor consist of processing operations which require extensive regular and systematic monitoring of the data subjects;
(c) the main activities of the controller or processor consist in the extensive processing of specific categories of data and personal data relating to criminal convictions and criminal offenses.
In addition, Union or Member State law may require the appointment of an officer in other situations. Even where the General Regulation does not require the appointment of an officer, organizations may decide that the voluntary appointment of an officer is useful. The Article 29 Working Party (WP29) encourages such voluntary initiatives.
The General Regulation requires the organization to support its officer by "providing resources necessary to carry out (those) tasks and access to personal data and processing operations, and to maintain his or her expert knowledge".
Depending on the nature of the processing operations and activities and the size of the organization, the resources that the officer should have at their disposal are the following:
(a) active support from senior management
(b) sufficient time to complete the tasks
(c) adequate financial support, technical support (office space, equipment, facilities) and staff where appropriate
(d) official communication of the designation of the officer to all staff
(e) access to other departments in the organization so that the officer has the necessary support and information from those departments
(f) continuous training
No. This would be a typical case of conflict of interest. The role of the data protection officer is to monitor compliance with the rules and to oversee users, processors and controllers alike; a person who themselves decides on the purposes and means of processing cannot monitor their own decisions. The solution is to choose another natural or legal person.
The General Regulation does not define "regular and systematic monitoring of data subjects", but the term clearly includes all forms of tracking and profiling on the Internet, including for the purposes of behavioural advertising. However, the concept of monitoring is not limited to the online environment.
WP29 interprets the word "regular" by a combination of one or more of the following characteristics:
(a) ongoing or occurring at particular intervals for a particular period
(b) recurring or repeated at fixed times, or organized and methodical
(c) carried out as part of a general data collection plan
(d) carried out as part of a strategy
Examples: operating a telecommunications network; providing telecommunications services; email retargeting; profiling and scoring for risk assessment purposes (e.g. credit scoring, premium setting, fraud prevention, money laundering detection); location tracking, for example by mobile applications; loyalty programs; behavioural advertising; monitoring of wellness, fitness and health data via wearable devices; closed-circuit television; connected devices, e.g. smart meters, smart cars, smart homes, etc.
No, the officers are not personally liable for non-compliance with the General Regulation. The General Regulation clearly states that it is the controller or processor who must ensure and prove that the processing takes place in accordance with the Regulation. Compliance with data protection regulations is the responsibility of the controller or processor.
The officer cannot hold a position in the organization where he would have to determine the purposes and means of personal data processing. Given the organizational structure specific to each organization, this issue needs to be addressed on a case-by-case basis.
Senior management positions (chief executive, chief operating officer, chief financial officer, chief medical officer, head of marketing, head of human resources or head of the IT department) are typically in a conflicting position, as may be positions lower in the organizational structure if they lead to the determination of the purposes and means of processing.
The officer, in the course of his duties, may in particular:
(a) collect information for the purpose of identifying processing activities
(b) analyze and verify the legal compliance of processing activities
(c) inform, advise and make recommendations to the controller or processor
There are several safeguards enabling the officer to act independently in the sense of recital 97:
(a) no instructions from the controller or processor regarding the performance of the officer's tasks
(b) the impossibility of dismissal or sanction in connection with the performance of his duties
(c) ensuring by the controller or processor that no tasks or responsibilities for the officer give rise to a conflict of interest
With regard to data protection impact assessments, the controller or processor should seek the advice of the officer, inter alia, on the following matters:
(a) whether or not it is necessary to carry out a data protection impact assessment (hereinafter "impact assessment")
(b) what methodology to use when carrying out the impact assessment
(c) whether to carry out the impact assessment in-house or to outsource it
(d) what safeguards (including technical and organizational measures) to apply to mitigate the risks to the rights and interests of data subjects
(e) whether the impact assessment has been correctly carried out and whether its conclusions (whether or not to proceed with the processing operation and what safeguards to apply) are in compliance with the General Regulation
As for records of processing activities, it is the controller or processor, not the officer, who is required to maintain records of processing operations. However, nothing prevents the controller or processor from entrusting the officer with the task of maintaining the records of processing operations, the controller remaining responsible. These records should be understood as one of the tools enabling the officer to perform the tasks of monitoring compliance and informing and advising the controller or processor.
This new right applies only if three conditions are met at the same time:
1. The requested personal data must be processed by automated means (excluding, for example, paper files) on the basis of the data subject's prior consent or for the performance of a contract to which the data subject is a party.
2. The requested personal data must concern the data subject and have been provided by the data subject. WP29 recommends that controllers do not interpret the phrase "personal data concerning the data subject" too restrictively where a data set concerning and provided by the data subject also contains data on third parties, and where the data subject requests it for personal purposes. Typical examples of data sets containing third-party data are telephone call records (containing both incoming and outgoing calls) that the data subject would like to obtain, or a bank account history including incoming payments from third parties.
Personal data may be considered to have been "provided by" the data subject when they were knowingly and actively given by the data subject, such as account data (e.g. email address, username, age) entered via an online form. This also includes data generated by and collected through the data subject's use of a service or device (observed data, e.g. raw readings from a smart meter or activity logs). By contrast, data inferred or derived from the data provided, such as a user profile created by analyzing raw smart-metering data, are not covered by the right to portability, as they were not provided by the data subject but created by the controller.
3. The exercise of this new right must not adversely affect the rights and freedoms of third parties. For example, if a data set transmitted at the request of a data subject contains personal data relating to other individuals, the new controller should process them only if there is an appropriate legal basis. Typically, processing by the data subject alone, as part of purely personal or household activities, will be unproblematic.
Controllers must inform data subjects of the right to data portability "in a concise, transparent, intelligible and easily accessible form, using clear and plain language".
In this regard, WP29 recommends that controllers clearly explain the difference between the types of data a data subject can receive when exercising the right to portability and the right of access, and that they also inform data subjects about the right to data portability before closing an account, so that the data subject can retrieve and store their personal data.
In addition, controllers receiving portable data at the request of the data subject could, in good practice, provide the data subject with full information on the nature of the personal data relevant to the provision of their services.
WP29 recommends that controllers establish appropriate procedures to enable an individual to submit a portability request and obtain the data concerning him or her.
Controllers must have an authentication procedure in order to reliably verify the identity of the data subject requesting their personal data or, more generally, exercising the rights set out in the General Regulation.
The controller answering a portability request is not responsible for the processing performed by the data subject or by another company that received the personal data. The receiving controller, on the other hand, is responsible for ensuring that the data received are relevant and not excessive with regard to the new processing, that the data subject is clearly informed of the purpose of the new processing and, more generally, that the data protection principles of the General Data Protection Regulation (hereinafter the "General Regulation") are complied with for the processing in question.
Personal data must be transmitted in a structured, commonly used and machine-readable format. This specification is intended to ensure that the format used by the controller is usable by others, i.e. interoperability (the ability of systems to exchange data with each other) is the desired outcome.
However, this does not mean that controllers have to run compatible systems. Controllers should provide, together with the transmitted data, metadata at the best possible level of granularity and accuracy, so that the precise meaning of the exchanged information is preserved.
Due to the large range of potential types of data that can be processed by the controller, the General Regulation does not make any specific recommendations as to the format of the personal data to be provided.
The most appropriate format will vary from sector to sector, and suitable formats may already exist; in any case, formats that are interpretable (open and documented) should always be preferred.
The WP29 Working Party urges the cooperation of stakeholders from the sectors concerned and trade associations in order to jointly develop mutually applicable standards and formats that meet the requirements of the right to data portability.
Article 12 prohibits the controller from charging a fee for providing the personal data unless it can demonstrate that the requests are manifestly unfounded or excessive, "in particular because of their repetitive character".
In the case of information society services or similar online services specializing in automated personal data processing, it is highly unlikely that processing a multiple transfer request could be considered an excessive burden.
For these cases, WP29 recommends setting a reasonable time frame adapted to the situation and reporting to the data subject.
In essence, data portability gives data subjects the opportunity to receive and re-use "their" data for their own purposes and across different services. This right makes it easier for them to move, copy or transmit personal data from one IT environment to another without hindrance. In addition to strengthening the position of consumers by preventing lock-in to a single provider, it brings benefits in terms of opportunities for innovation and the sharing of personal data between controllers in a safe and secure way, under the control of the data subject.
First of all, it is the right to receive the personal data processed by the controller "in a structured, commonly used and machine-readable format" and to store them for further personal use on a private device, without necessarily transmitting them to another controller. This right thus offers data subjects an easy way to manage their personal data themselves.
Furthermore, this right gives data subjects the possibility to transmit their personal data from one controller to another "without hindrance from the controller to which the personal data have been provided". It thus facilitates the ability to move, copy or transmit personal data easily from one IT environment to another.
Controllers should, in the first instance, offer data subjects the possibility of direct downloads and, secondly, they should allow them to transfer data directly to another controller. This can be done, for example, by providing an application programming interface (API).
Data subjects may also use personal data repositories, trusted third parties, to hold and store personal data and authorize controllers to access and process personal data as required so that data can be easily transferred from one controller to another.
If an individual exercises the right to data portability (or any other right under the General Regulation), this is without prejudice to any other right.
The data subject may exercise their rights for as long as the controller processes the data.
For example, the data subject may continue to use and benefit from the controller's service even after the data have been transmitted.
Similarly, if someone wishes to exercise the right to erasure, to object or to gain access to their personal data, the previous or subsequent exercise of the right to portability cannot be used by the controller as a pretext for delaying or refusing the request.
Data portability also does not automatically trigger the erasure of the data from the controller's systems, and it does not affect the originally set retention period for the data that were transmitted under the right to portability.
The main advantage of large volumes of data is that they can reveal patterns between different data sources and sets, thus providing useful insights. Take, for example, health, food security, intelligent transport systems, energy efficiency and spatial planning.
Ultimately, such high-volume data will enable higher productivity and better services, which are a source of economic growth. The use of high-volume data by the 100 largest EU manufacturers could lead to savings of EUR 425 billion, and by 2020 high-volume data analytics could boost EU economic growth by a further 1.9%, an increase in GDP of EUR 206 billion.
High volume data refers to large volumes of different types of data obtained from different sources, such as humans, computers, or sensors. This data can be weather information, satellite imagery, digital photos and videos, transient recordings or GPS signals.
High volume data can include personal data: ie any information relating to an individual, such as names, photographs, email addresses, bank details, social networking contributions, health information or a computer's IP address.
A legal ground for processing personal data is the controller's authorization to process the personal data.
A legal ground is thus a necessary precondition for any lawful processing by the controller. If the controller does not have a proper legal ground for processing personal data, it makes no sense to ask whether other obligations were fulfilled, since the controller processes the personal data unlawfully and must erase them.
It is important to know that a controller may process personal data for different purposes, and for each purpose it needs a legal ground for processing.
The processing of personal data is always linked to a purpose, on the basis of which the legal ground for the processing is determined. It is possible for one and the same personal datum (or set of personal data) to be processed by the controller for various purposes, and these purposes may arise or cease over time without this creating an obligation to erase the personal data.
The obligation to erase personal data arises when the controller loses the last legal ground for processing them.
Consent is a freely given, specific, informed and unambiguous indication of the data subject's wishes by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of his or her personal data.
It is an active and voluntary expression of the data subject's will, which must not be coerced.
Consent is one of the legal reasons for the controller to process personal data. Consent is always given for a specific processing purpose that the data subject must know.
Withdrawal of consent does not always oblige the controller to erase the personal data, because consent is withdrawn for the specific purpose for which the personal data were processed, and the controller may process the same personal data for other purposes on a legal ground other than the data subject's consent.
In order to ensure that consent is freely given, specific, informed and unambiguous, the General Regulation lays down the following conditions.
The so-called distinctiveness of consent is essential, which means that consent must be distinguished from other facts on which the data subject comments.
For the sake of clarity, consent must be kept separate from, for example, the contract or the terms and conditions; it may no longer form an inseparable part of them.
At the same time, the conclusion of a contract (eg for a service) must not be conditioned by the provision of consent to the processing of personal data.
However, it goes without saying that, depending on the service or product, the controller will have to process (without consent) a certain amount of personal data of the data subject precisely for the purposes of fulfilling the contract or fulfilling a statutory obligation.
The data subject has the right to withdraw his consent at any time.
Withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
It should be noted that the consent was given for certain purposes and revoking the consent may not always oblige the controller to destroy personal data, but will only oblige the controller to stop processing personal data for the specific purpose for which the consent was granted.
The same applies where the controller relied on consent in cases where it also had another legal ground for processing the personal data.
In such a case, withdrawal of consent (i.e. of a ground that was not actually needed for the processing) does not create an obligation to erase the personal data or to stop processing them, for example where the personal data must be retained for purposes stipulated by law.
The General Regulation allows consent obtained before it became applicable to continue to be relied on, provided that the consent was given in a manner and under conditions consistent with the General Regulation.
This will be problematic for many controllers, as the consent they obtained will not meet the conditions set out in Article 7 of the General Regulation.
Examples are the condition that consent be distinguishable (consent must not be an inseparable part of the terms and conditions) and the condition that the provision of a service must not be made conditional on consent to the processing of personal data.
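The purpose-bound logic described in the answers above (each purpose has its own legal ground; withdrawing consent removes only that ground; erasure is due only when the last ground for the last purpose is gone) is easy to get wrong in a real system, so here is an added example, not code from the original page, of a minimal per-subject processing record that enforces it. The purpose names, the legal-basis labels and the sample record are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Purpose:
    """One processing purpose and the legal grounds it currently rests on."""
    name: str
    bases: set = field(default_factory=set)  # e.g. {"consent"}, {"contract"}, {"legal_obligation"}

    @property
    def active(self):
        # A purpose stays active as long as at least one legal ground remains.
        return bool(self.bases)


@dataclass
class ProcessingRecord:
    """Per-subject record of purposes and their legal grounds (constructed model)."""
    subject_id: str
    purposes: list = field(default_factory=list)

    def _purpose(self, name):
        for p in self.purposes:
            if p.name == name:
                return p
        raise KeyError(name)

    def withdraw_consent(self, purpose_name=None):
        """Withdraw consent for one purpose (or for all purposes if none is named).

        Only the 'consent' ground is removed. A purpose that also rests on another
        ground (contract, legal obligation, ...) keeps running, as the FAQ explains.
        """
        targets = self.purposes if purpose_name is None else [self._purpose(purpose_name)]
        for p in targets:
            p.bases.discard("consent")
        return self.decision()

    def end_purpose(self, purpose_name):
        """A purpose lapses (contract fulfilled, statutory retention period expired)."""
        self._purpose(purpose_name).bases.clear()
        return self.decision()

    def decision(self):
        """Return 'erase' only when no purpose has any legal ground left."""
        active = sorted(p.name for p in self.purposes if p.active)
        return "erase" if not active else "retain for: " + ", ".join(active)


def sample_record():
    # Constructed example: one subject, four purposes on different grounds.
    return ProcessingRecord("u-1042", [
        Purpose("contract_fulfilment", {"contract"}),
        Purpose("newsletter", {"consent"}),
        Purpose("tax_records", {"legal_obligation"}),
        Purpose("usage_analytics", {"consent", "legitimate_interest"}),
    ])


if __name__ == "__main__":
    r = sample_record()
    print(r.withdraw_consent("newsletter"))   # newsletter stops, everything else continues
    print(r.withdraw_consent())               # analytics continues on legitimate interest
    print(r.end_purpose("contract_fulfilment"))
    print(r.end_purpose("usage_analytics"))
    print(r.end_purpose("tax_records"))       # last ground gone -> erase
```

Note that the record keeps no history: the lawfulness of processing carried out before withdrawal is unaffected, so nothing here needs to be "undone", only stopped going forward.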
Personal data belong to data subjects, who in some cases, especially those stipulated by law, must tolerate their publication, e.g. in a public register.
Personal data in a public register are published on the basis of the law, because the law so provides (typically e.g. the commercial register).
The fact that a register is public does not mean that the published personal data may be taken over and processed further without limit, e.g. by republishing them for profit.
It is necessary to realize that further publication of data from public registers is itself processing of personal data, and the controller must be able to rely on a legal ground for it, i.e. an authorization provided by law.
Compared with Act No. 101/2000 Coll., on the protection of personal data and on amendments to certain acts, the General Regulation does not contain an equivalent of the legal ground for processing lawfully published personal data that is contained in the Personal Data Protection Act.
Further publication of personal data obtained from public registers will therefore be problematic under the General Regulation, as the controller will have to rely on one of the legal grounds it provides.
The situation is similar for personal data that data subjects voluntarily publish on the Internet for a specific purpose.
Even such data, although published voluntarily, cannot be processed without further ado, because here too the controller would lack a legal ground.
The fact that data are public never a priori means that they may be processed further without limit.
The individual principles are set out in Article 5(1) of the General Regulation.
Adherence to these principles is essential for controllers, not least because the principles are at the same time de facto obligations,
and because Article 5(2) of the General Regulation establishes the controller's responsibility for compliance with them and, at the same time, the controller's obligation to be able to demonstrate compliance with these principles (obligations).
This is an expression of the so-called principle of accountability. Records of processing activities, as well as codes of conduct and certifications, will serve to demonstrate compliance with these principles.