What is GDPR
The European General Data Protection Regulation (GDPR) introduces new rules for the protection of personal data. Since May 2018, citizens have gained more control over their data and businesses benefit from a level playing field. Act 101/2000 Coll. Is a thing of the past. However, you must perform a number of new responsibilities, such as keeping records of processing.
Who does GDPR concern?
The GDPR introduces a number of new obligations
Thanks to the EU regulation on the protection of personal data, new adaptation laws are being created and those related to Act 101/2000 Coll. Are being repealed. Many organizations have a number of new responsibilities, such as:
- Incident reporting
- Audit
- Having a Data Protection Data Protection Officer
Data Protection Officer
The General Data Protection Regulation (GDPR) obliges a number of organizations to create the position of Data Protection Officer and to fill it with a qualified person.
An internal employee as well as an external expert may be appointed as the Data Protection Officer. In addition, a group of undertakings or public bodies may appoint one trustee to carry out the tasks arising from the GDPR for all of them.
However, the organization must always ensure that the Data Protection Officer does not have a conflict of interest, ie. to decide some processing itself and set its specific parameters.
Rights and obligations of the DPO
Each organization that appoints a trustee is responsible not only for selecting a sufficiently qualified person, but also for allocating resources to the trustees to continue to maintain and develop their qualifications.
The Data Protection Officer must have at least a basic knowledge of law and practice in the field of personal data processing. And it should also have a basic ability to orient in information security, setting up and managing processes and conducting audits. It seems like a challenging task, but we will prepare you for this invitation in an internationally certified course, which does not require any prerequisites.
What is on the agenda of the Data Protection Officer? Under the Privacy Commissioner, an organization can assign you a number of tasks. Participation in staff training, revision of internal guidelines and contracts (concerning the processing of personal data). Keeping records on the processing and reporting of cases where there has been a breach of data security.
Agenda:
- Representative for communication with the Office for Personal Data Protection
- Contact point for all those involved in the processing of personal data
- Monitoring of activities in connection with compliance with the GDPR, cooperation on audits
- Providing internal "advice" on the processing of personal data for management as well as employees
However, the appointment of a Data Protection Officer does not end, but rather begins, the organization's obligations to comply with the GDPR. The organization, whether the controller or the processor of personal data, must ensure, inter alia, that the trustee is involved in a timely and sufficient manner in all processes related to the processing of personal data and setting its parameters, that he has sufficient resources to perform his tasks, independent in their implementation and that they will have access to the organisation's management in matters of data protection.
What is personal data?
Personal data is also seemingly trivial data, such as name, address, or phone number.
Other critical data includes GPS positions, health data, and many other pieces of information that identify or describe a particular individual.
GDPR EUR Lex
The current version of the GDPR regulations, legislation and other documents can be found on the web service EUR-Lex.
The operator is the Publications Office of the European Union. It is possible to search in the regulations by name, document number, celex number, etc.
Saction of up to EUR 20 mil.
In case of breach / non-compliance with obligations or refusal to cooperate with the state control body, the data processor is subject to a sanction of up to EUR 20 million or up to 4% of the company's worldwide annual turnover. The sanction can, of course, be imposed repeatedly.
Article 38
Position of the data protection officer
Based on Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation)
1. The controller and the processor shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.
2. The controller and processor shall support the data protection officer in performing the tasks referred to in Article 39 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his or her expert knowledge.
3. The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalised by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.
4. Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under this Regulation.
5. The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his or her tasks, in accordance with Union or Member State law.
6. The data protection officer may fulfil other tasks and duties. The controller or processor shall ensure that any such tasks and duties do not result in a conflict of interests.
Article 39
Tasks of the data protection officer
1. The data protection officer shall have at least the following tasks:
a) to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
b) to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
c) to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;
d) to cooperate with the supervisory authority;
e) to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.
Controller
The Controller is obliged to comply with the rules as set out in the General Regulation
This is especially the agenda of personal data processing in accordance with the GDPR. If necessary (control, audit), the Controller must be able to document compliance with these processes. In order for the Controller to process personal data, he must first
- sufficiently secure personal data
- have a legal reason for processing personal data
- fulfill other obligations set by the EU GDPR Regulation (which you can learn about in this course)
Basic principles and obligations
- Right to be forgotten
- Easier access to one's data
- Right to data portability
- Security by design and by default
- Stronger enforcement of the rules
- The right to know when one's data has been hacked.
