GDPR news in 2023


The General Data Protection Regulation, commonly known as GDPR, is now in its fourth year and protects the rights of EU citizens against unauthorized handling of their data and personal information. In that time, we have seen 3 revisions and updates: the first did not affect the Czech Republic, the second in 2018 brought 28 changes, and the third in 2021 also brought 28 changes. What changes will the GDPR regulation bring in 2023?

At the beginning of the year, we informed you about the legislative changes in Intrastat and how to address customers in 2022 in accordance with the current legislation. What news will 2023 bring regarding GDPR and personal data processing? According to current information, no major or fundamental changes are expected. European directives concerning personal data that could possibly have an impact on our legislation are currently under negotiation. These are proposals for legislation on artificial intelligence (AIA) and electronic identity (eIDR). The AIA foresees the prohibition of technologies posing an unacceptable security risk, such as social rating of people. The update of the eIDR (i.e. the "European Digital Wallet") should allow for private proof of identity. These regulations will probably also affect the processing of personal data in the Czech Republic, but most likely not in 2023.

What will definitely apply in 2023, however, are the sanctions and penalties for violation of the GDPR regulation. To help you avoid them, we have prepared a list of the biggest mistakes, errors, inaccuracies and misleading interpretations of the GDPR.


Obligation to encrypt the processing of personal data

The GDPR does not explicitly require the use of specific measures such as encryption when processing personal data. Only the implementation of adequate technical and organisational measures in the processing of personal data is mandatory. Encryption is mentioned in the GDPR only as an example of a possible measure, to be chosen with regard to the risks involved (accidental or unlawful destruction, alteration or unauthorised access to data).


Obligation to appoint a data protection officer

The Data Protection Officer (DPO) is one of the many means of protecting personal data. DPOs are appointed by the data controller, but only if one of the following conditions is met:

  • The processing of personal data is carried out by a public body (or a public authority).
  • The core activities of the controller or processor require extensive systematic and regular monitoring of the subjects.
  • The main activities of the controller or processor consist of extensive processing of data relating to criminal offences and criminal matters in general.

In other cases (i.e. when carrying out activities other than those listed above), controllers are not obliged to appoint a DPO.


Mandatory certified DPOs

If you are subject to the obligation to appoint a DPO (see previous paragraph), you must do so having regard to:

  • the professional quality of the DPO (i.e. expertise in law and experience in the field of data protection),
  • the ability to fulfil the tasks imposed by the GDPR.

The above requirements are not further specified, i.e. there is no obligation for the DPO to prove their qualifications with a certificate or attestation. Only where the controller processes personal data under the classified information regime must the DPO comply with the conditions set out in the related regulations.


Sanctioning according to turnover

The GDPR defines the imposition of penalties for possible violations. However, in the Czech legal environment, it is not clearly defined that the sanctions are to be based on turnover. It is only stated that sanctions should be effective, proportionate and dissuasive. The Office for Personal Data Protection (i.e. the state authority authorised to impose sanctions for breaches of the GDPR) may impose a fine of up to CZK 10 million. However, the highest fine imposed so far was not even half of this amount.


The controller cannot directly task the DPO

The controller and the data processor have a duty to ensure that the DPO does not receive direct instructions concerning the tasks imposed by the General Regulation. Furthermore, the DPO cannot be sanctioned or dismissed in relation to the performance of these tasks. However, this does not mean that the controller cannot assign tasks to the DPO at all: it is even possible to assign tasks and activities that do not directly follow from the GDPR (e.g. testing and assessing the controller's data security measures). It remains the case, however, that such tasks must not place the DPO in a conflict of interest.


If you want to make sure your organisation is GDPR compliant, contact us. We provide services as an independent DPO and have guided over 150 clients through GDPR issues and we will guide you too, whether you are a private company or a government body.

