The General Data Protection Regulation, commonly known as GDPR, is now in its fourth year with us and protects the rights of EU citizens against unauthorized handling of their data and personal information. In that time, we have seen 3 revisions and updates - the first did not affect the Czech Republic, the second in 2018 brought 28 changes and the third in the 2021 stream also brought 28 changes. What changes will the GDPR regulation bring in 2023?
At the beginning of the year, we informed you about the legislative changes in Intrastat and how to address customers in 2022 in accordance with the current legislation. What news will 2023 bring regarding GDPR and personal data processing? According to current information, no major or fundamental changes are expected. European directives concerning personal data that could possibly have an impact on our legislation are currently under negotiation. These are proposals for legislation on artificial intelligence (AIA) and electronic identity (eIDR). The AIA foresees the prohibition of technologies posing an unacceptable security risk, such as social rating of people. The update of the eIDR (i.e. the "European Digital Wallet") should allow for private proof of identity. These regulations will probably also affect the processing of personal data in the Czech Republic, but most likely not in 2023.
What will definitely apply in 2023, however, are the sanctions and penalties for violation of the GDPR regulation. To help you avoid them, we have prepared a list of the biggest mistakes, errors, inaccuracies and misleading interpretations of the GDPR.
The GDPR does not explicitly require the use of specific measures such as encryption when processing personal data. Only the implementation of adequate technical and organisational measures in the processing of personal data is mandatory. Encryption is mentioned in the GDPR only as an example of a possible measure, to be chosen with regard to the risks involved (accidental or unlawful destruction, alteration or unauthorised access to data).
The Data Protection Officer (DPO) is one of the many means of protecting personal data. DPOs are appointed by the data controller, but only if one of the following conditions is met:
In other cases (i.e. when carrying out activities other than those listed above), controllers are not obliged to appoint a DPO.
If you are subject to the obligation to appoint a DPO (see previous paragraph), you must do so having regard to:
The above requirements are not further specified, i.e. the DPO is not obliged to demonstrate their qualifications by means of a certificate or attestation. Only where the controller processes personal data under the classified information regime must the DPO meet the conditions set out in the related regulations.
The GDPR defines the imposition of penalties for possible violations. However, in the Czech legal environment, it is not clearly defined that the sanctions are to be based on turnover. It is only stated that sanctions should be effective, proportionate and dissuasive. The Office for Personal Data Protection (i.e. the state authority authorised to impose sanctions for breaches of the GDPR) may impose a fine of up to CZK 10 million. However, the highest fine imposed so far was not even half of this amount.
The controller and the data processor have a duty to ensure that the DPO does not receive direct instructions concerning the tasks imposed by the General Regulation. Furthermore, the DPO cannot be sanctioned or even dismissed in relation to the performance of these tasks. However, this does not mean that the controller cannot assign tasks to the DPO - it is even possible to assign tasks and activities that do not directly follow from the interpretation of the GDPR (e.g. testing and assessing the controller's data security measures). It remains the case, however, that the DPO must not have a conflict of interest in tasks of this kind.
If you want to make sure your organisation is GDPR compliant, contact us. We provide services as an independent DPO and have guided over 150 clients through GDPR issues and we will guide you too, whether you are a private company or a government body.