We continuously update the list of frequently asked questions and answers on the topic of rights and obligations, WP29 recommendations, guidelines of the European and Czech Office for Personal Data Protection in the area of GDPR, etc.


The General Data Protection Regulation represents a revolution in personal data protection. The new EU General Data Protection Regulation (GDPR) changes the rules for processing personal data and introduces huge sanctions: up to 4% of worldwide turnover, or €20,000,000.

Regulation GDPR 679/2016 is valid in the territory of the Union, with higher legal force at the level of an international agreement. In the event of a conflict with Act No. 101/2000 Coll., the GDPR has higher legal force and therefore the GDPR will apply. The GDPR itself does not repeal the Act, but in a sense it overrides and supplements it where the two are in conflict.

Do you collect, store or use the data below? Then you have to follow the rules of GDPR. Do you process data for other companies? Then this applies to you as well.

Virtually any data (not just in electronic form) that helps you identify a specific individual. In addition to the name, this includes the place of residence, date and place of birth, identification numbers and IDs, IP address, cookies, etc.

Personal data:

  • Name, address, location
  • Electronic identifier
  • Medical data, income, etc.

Insurance companies that can insure you against cyber risks include Allianz, to a limited extent; another insurance solution is offered by Renomia; and Colonnade probably offers the best coverage in the areas of Cyber Security and GDPR.

A single set of rules valid throughout the EU will be created. A "single point of contact" system will be introduced: a company operating in several countries would be the responsibility of a single data protection authority (i.e. the authority in the country where the company has its head office).

Unnecessary bureaucratic requirements, such as notification obligations, will be eliminated. The transfer of data from the EU will be simplified, while the protection of personal data will be guaranteed.

New, simpler, clearer and stronger rules will make it easier for citizens to protect their data online. These rules will also significantly reduce business costs.

To give EU companies an advantage in global competition, as they will be able to guarantee their customers that their data will be strictly protected, while at the same time being able to do business in a simpler legal environment.

People and businesses expect data protection rules to be coherent and uniformly applied across the EU. Almost 90% of Europeans say they want the same data protection rights everywhere in the EU. This is not the case today.


Personal data transfer increasingly crosses borders (both virtual and geographical) and data is stored on servers in a number of different countries, both inside and outside the EU.

This is the essence of so-called cloud computing. As data flows around the world, individuals' rights to data protection need to be strengthened internationally. This requires strong data protection principles that facilitate the flow of personal data across borders while ensuring strong and consistent protection that has no gaps and is not unnecessarily complex.

The new rules reinforce the so-called "right to be forgotten", which means that if you no longer want your personal data to be processed, and if there is no legitimate reason for the organization to keep it, it must be removed from its system.

Instead of proving that it is no longer necessary for your data to be collected, data controllers must prove that they still need your data. Providers must adhere to the principle of "default data protection settings", which means that the default settings should guarantee you the highest possible protection of privacy. Companies will need to tell you as clearly and comprehensibly as possible what your personal information will be used for so that you can best decide for yourself what data you will share. This information must be accompanied by easy-to-understand standard icons.

The new general data protection regulation will ensure that you are provided with clear and comprehensible information when your personal data is processed. If your consent is required, the company that wants to process your personal data must first ask you to provide it with a clear confirmation.

The new rules will also strengthen the so-called right of an individual to be forgotten, which means that if you no longer want your personal data to be processed, and if there is no legitimate reason for the company to keep it, it must be deleted.

The new regulation will also ensure that you have free and easy access to your personal data, making it easier for you to find out what personal information companies and public authorities have about you and to transfer your personal data between service providers (the principle of "data portability").

Privacy will be the standard. Police and criminal justice authorities will apply the principles of data protection by design and data protection by default from the beginning of any personal data processing, for example when developing new databases.

Those responsible for processing personal data will have more responsibility for their work. For example, the authorities must appoint so-called data protection officers, who will be in charge of the protection of personal data within their organization. They must also ensure that national supervisory authorities are informed as soon as possible of cases of serious data breaches.

Different and incompatible data protection rules currently apply in the 28 EU Member States. In some cases, companies in the EU have to comply with 28 different sets of data protection rules. The result is a fragmented legal environment that leads to legal uncertainty and unequal protection of individuals.

Businesses also incur unnecessary costs and significant administrative burdens. In particular, small and medium-sized enterprises are discouraged by this difficult situation from expanding to other EU countries, which is an obstacle to economic growth.

Data Protection Officer / Commissioner

The General Regulation does not define the term "extensive". WP29 recommends that, in particular, the following factors be taken into account when determining whether processing is extensive:

(a) the number of data subjects concerned - either in absolute terms or by share of the relevant population

(b) the volume of data processed and / or the range of data items

(c) the duration or continuity of the processing activity

(d) the territorial scope of the processing activity

Examples of extensive processing:

(a) the processing of patient data in the normal course of the hospital's activities

(b) processing of travel data of individuals using public transport (e.g. tracking by chip tram)

(c) the processing of data on the current geographical location of customers of international fast food chains for statistical purposes by a processor focused on this activity

(d) processing of customer data in the ordinary course of business of the insurance company or bank

(e) processing of personal data by a search engine for the purposes of behavioral advertising

(f) processing of data (content, operational, location) by telephone and internet service providers

Examples of non-extensive processing:

(a) the processing of patient data by an individual doctor

(b) the processing of personal data relating to criminal convictions and criminal offenses by an individual lawyer

Yes. According to Article 37 (6), the officer may be an employee of the controller or processor (internal officer), or "he may perform tasks under a service contract". This means that the officer may be an external expert, in which case he performs his function on the basis of a service contract concluded with an individual or organization.

All the requirements of Articles 37 to 39 apply to the external officer. about the client. In this case, it is essential that each member of the external organization acting as officer fulfills all the requirements of the General Regulation.

In the interest of legal clarity and good organization, the Guidelines recommend having a clear division of tasks in the service contract within the external officer team and appointing one specific person as the lead contact in charge of client care.

The "main activities" can be considered as key operations aimed at achieving the objectives of the controller or processor. This also includes all activities where data processing is an integral part of the controller's or processor's activities. For example, the processing of medical data, such as patient medical records, should be considered as one of the main activities and the hospital must appoint officers.

On the other hand, all organizations perform certain support activities, such as staff payroll or standard computer and information technology support. These are essential functions that support the organization's core activity or business. Although they are necessary or essential, these activities are considered ancillary functions rather than a key activity.

The General Regulation stipulates that the officer "must be appointed on the basis of his or her professional qualities, in particular on the basis of his or her expertise in data protection law and practice".

The required level of expertise should be determined depending on the processing operations performed and the protection of the personal data processed. For example, if the processing activity is particularly complex or is carried out with a large amount of sensitive data, the officer will need knowledge and support at a higher level.

The necessary skills and experience include:

(a) knowledge of national and Union law in the field of data protection and practical experience, including in-depth knowledge of the General Regulation

(b) knowledge of the processing operations carried out

(c) knowledge of information technology and data security

(d) knowledge of the field of business and organization

(e) the ability to promote a data protection culture in the organization

The General Regulation requires the appointment of officers in three specific cases where:

(a) the processing is carried out by a public authority or body (irrespective of the data being processed);

(b) the main activities of the controller or processor consist of processing operations which require extensive regular and systematic monitoring of the data subjects;

(c) the main activities of the controller or processor consist in the extensive processing of specific categories of data and personal data relating to criminal convictions and criminal offenses.

In addition, Union or Member State law may require the appointment of an officer in other situations. Even in cases where the General Regulation does not require the appointment of an officer, organizations may decide that the voluntary appointment of an officer is useful. The Article 29 Working Party (WP29) supports such a voluntary initiative.

The General Regulation requires the organization to support its officer by "providing him with the resources necessary to perform (these) tasks, to access personal data and processing operations and to maintain his expertise".

Depending on the nature of the processing operations and activities and the size of the organization, the resources that the officer should have at his disposal are the following:

(a) active support from senior management

(b) sufficient time to complete the tasks

(c) adequate financial, technical support (office space, equipment, facilities) and staffing as required

(d) formal notification of the appointment of an officer to all employees

(e) access to other departments in the organization so that the officer has the necessary support and information from those departments

(f) continuous training

No. In this case, it would be a typical case of conflict of interest. The role of the Commissioner for Personal Data Protection is to comply with security rules, control users and processors, as well as administrators. The solution is to choose another natural or legal person.

The General Regulation does not define "regular and systematic monitoring of data subjects", but this term clearly includes all forms of tracking and profiling on the Internet, including for the purposes of behavioral advertising. However, the concept of monitoring is not limited to the online environment.

WP29 interprets the word "regular" by a combination of one or more of the following characteristics:

(a) occurring under a particular system

(b) preset, organized or methodical

(c) carried out as part of a general data collection plan

(d) implemented as part of the strategy

Examples: operation of a telecommunications network; provision of telecommunication services; targeting of Internet advertising by e-mail; profiling and scoring for risk assessment purposes (e.g. for credit risk assessment, premium determination, fraud prevention, money laundering detection); location tracking, for example for mobile applications; loyalty programs; behavioral advertising; monitoring healthy lifestyles, fitness and health data using body-wearable devices; camera systems; interconnected devices, e.g. smart meters, smart cars, smart homes, etc.

No, the officers are not personally liable for non-compliance with the General Regulation. The General Regulation clearly states that it is the controller or processor who must ensure and prove that the processing takes place in accordance with the Regulation. Compliance with data protection regulations is the responsibility of the controller or processor.

The officer cannot hold a position in the organization where he would have to determine the purposes and means of personal data processing. Given the organizational structure specific to each organization, this issue needs to be addressed on a case-by-case basis.

Positions in senior management (executive director, chief operating officer, chief financial officer, health director, head of marketing department, head of human resources department or head of IT department) can typically be in a conflicting position, as can positions at a lower level of the organizational structure whose holders decide on the purposes and means of processing.

The officer, in the course of his duties, may in particular:

(a) collect information for the purpose of identifying processing activities

(b) analyze and verify the legal compliance of processing activities

(c) inform, advise and make recommendations to the controller or processor

There are several safeguards enabling the officer to act independently in the sense of recital 97:

(a) no instructions from the controller or processor regarding the performance of the officer's tasks

(b) the impossibility of dismissal or sanction in connection with the performance of his duties

(c) ensuring by the controller or processor that no tasks or responsibilities for the officer give rise to a conflict of interest

With regard to personal data protection impact assessments, the controller or processor should seek advice from the officer, inter alia on the following matters:

(a) whether or not it is necessary to carry out a personal data protection impact assessment (hereinafter "impact assessment")

(b) what methodology to use in preparing the impact assessment

(c) whether to carry out the impact assessment on its own or outsource its processing

(d) what safeguards (including technical and organizational) to apply to mitigate risks to the rights and interests of data subjects

(e) whether the impact assessment has been prepared correctly and whether its conclusions (whether or not they lead to the continuation of the processing operation and determine what safeguards need to be applied) are in line with the General Regulation

In the case of records of processing activities, the controller or processor, not the officer, is required to keep records of processing operations. However, there is nothing to prevent the controller or processor from entrusting the officer with the task of keeping records of processing operations, with the controller remaining responsible. These records should be understood as one of the tools enabling the officer to perform the tasks of monitoring compliance, informing and advising the controller or processor.

Data transfer

This new right can be applied if three conditions are met at the same time:

1. The requested personal data should be processed automatically (excluding, for example, paper-based materials) on the basis of the prior consent of the data subject or for the performance of a contract to which the data subject is a party.

2. The personal data requested should relate to and be provided by the data subject. The WP29 Working Party recommends that controllers not interpret the phrase "personal data concerning the data subject" too restrictively if the data file concerning and provided by the data subject also contains data on third parties and if the data subject making the request uses them for personal purposes. Typical examples of data files containing third party data are telephone call records (containing both incoming and outgoing calls) that the data subject would like to obtain, or a bank account history including incoming third party payments.

Personal data may be considered to have been provided by the data subject if they are provided knowingly and actively by the data subject, such as account data (e.g., email address, username, age) entered via an online form. However, this also includes data generated and collected through the use of certain services or facilities. In contrast, the right to transfer does not apply to data inferred or derived from data provided by the data subject, such as a user profile created by analyzing raw data from smart metering, as it was not provided by the data subject but created by the controller.

3. The exercise of this new right should not adversely affect the rights and freedoms of third parties. For example, if a data file transmitted at the request of a data subject contains personal data relating to other individuals, the new controller should only process them if there is an appropriate legal basis. Typically, processing carried out only by the data subject as part of purely personal or domestic activities will be in order.

Controllers should inform data subjects of the right to data portability "in a concise, transparent, comprehensible and easily accessible way using clear and simple language".

In this regard, WP29 recommends that controllers clearly explain the difference between the different types of data that a data subject may receive when exercising the right of portability or access. Controllers should also inform data subjects about the right to data portability before an account is closed, allowing the data subject to obtain and store their personal data.

In addition, controllers receiving portable data at the request of the data subject could, in good practice, provide the data subject with full information on the nature of the personal data relevant to the provision of their services.

The WP29 Working Party recommends that controllers establish appropriate procedures to enable an individual to submit a data transfer request and obtain data concerning him or her.

Controllers must have an authentication procedure in order to be able to reliably verify the identity of the data subject requesting their personal data or generally applying the rights set out in the General Regulation.

The controller processing the request for data transfer is not responsible for the processing performed by the data subject or another company that received the personal data. The receiving controller is also responsible for ensuring that the transferred data is relevant and not redundant with regard to the new processing, that the data subject is clearly informed of the purpose of the new processing and, more generally, that it complies with the data protection principles of the General Data Protection Regulation (hereinafter referred to as the "General Regulation") applicable to the processing in question.

Personal data should be transmitted in a structured, commonly used and machine-readable format. This specification is intended to ensure the usability of the data format used by the controller, i.e. the ability of systems to interact with each other (interoperability), which is desirable.

However, this does not mean that controllers have to run compatible systems. Together with the data transmitted, controllers should make metadata available with the highest possible accuracy and resolution, in order to maintain the exact meaning of the information exchanged.

Due to the large range of potential types of data that can be processed by the controller, the General Regulation does not make any specific recommendations as to the format of the personal data to be provided.

The most appropriate format will vary from sector to sector, and the corresponding formats may already be available, but those that are comprehensible should always be selected.

The WP29 Working Party urges the cooperation of stakeholders from the sectors concerned and trade associations in order to jointly develop mutually applicable standards and formats that meet the requirements of the right to data portability.

Article 12 prohibits the controller from charging a fee for the provision of personal data unless it can prove that the requests are manifestly unfounded or disproportionate, "in particular because they are repeated".

In the case of information society services or similar online services specializing in automated personal data processing, it is highly unlikely that processing multiple transfer requests could be considered an excessive burden.

For these cases, WP29 recommends setting a reasonable time frame adapted to the situation and reporting to the data subject.

In essence, data transfer gives data subjects the opportunity to receive and re-use "their" data for their own purposes and across different services. This right will make it easier for them to move, copy or transfer personal data without hindrance from one IT environment to another. In addition to strengthening the position of consumers by avoiding dependence on a single provider (lock-in), there are benefits in terms of opportunities for innovation and the sharing of personal data between controllers in a protected and secure way under the control of the data subject.

In the first place, it is the right to obtain personal data ('in a structured, commonly used and machine-readable format') processed by the controller and to store it for further personal use on a private device without passing it on to another controller. This right thus offers an easy way for data subjects to manage their personal data themselves.

Furthermore, this right gives data subjects the possibility to transfer their personal data from one controller to another, "without hindrance from the controller to whom the personal data have been provided". It also facilitates the ability to move, copy or transfer personal data without difficulty from one IT environment to another.

If an individual exercises his right to data transfer (or another right under the General Regulation), he does so without prejudice to any other right.

The data subject may exercise his rights for as long as the controller processes the data.
For example, the data subject may continue to use and benefit from the controller service even after the data transfer has taken place.

Similarly, if someone wishes to exercise the right to erasure, to object or to gain access to their personal data, the previous or subsequent exercise of the right of transfer cannot be used by the controller as a pretext for postponing or rejecting the request.

Data transfer also does not automatically give rise to the deletion of data from the controller's systems and does not affect the originally set retention period applying to the data that were transmitted in accordance with the right to transfer.

High volume data

The main advantage of large volumes of data is that they can reveal patterns between different data sources and sets, thus providing useful insights. Take, for example, health, food security, intelligent transport systems, energy efficiency and spatial planning.

Ultimately, this high-volume data will enable higher productivity and better services, which are a source of economic growth. The use of high-volume data by the 100 largest EU producers could lead to savings of €425 billion, and by 2020, high-volume data analyses could boost EU economic growth by a further 1.9%, an increase in GDP of €206 billion.

High volume data refers to large volumes of different types of data obtained from different sources, such as humans, computers, or sensors. This data can be weather information, satellite imagery, digital photos and videos, transient recordings or GPS signals.

High volume data can include personal data, i.e. any information relating to an individual, such as names, photographs, email addresses, bank details, social networking contributions, health information or a computer's IP address.
