What does GDPR mean? It is an abbreviation of the General Data Protection Regulation (Regulation (EU) 2016/679). It is an 88-page legal framework (11 chapters and 99 articles) for the protection of personal data in the EU, which defines the rules for the processing of personal data, including the rights of the data subject (i.e. natural persons; note that the protection is not limited to EU citizens but covers anyone whose data is processed within the scope of the Regulation).
Since when the GDPR has applied - a brief history
The GDPR builds on the earlier European Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (in the Czech Republic, this directive was transposed by Act No. 101/2000 Coll., on the protection of personal data). However, Directive 95/46/EC was not implemented uniformly in the national legislation of all EU countries, and it had also been overtaken by time: it did not foresee the technical means and methods of processing personal data that are common today. As a result, it no longer guaranteed sufficient protection of natural persons and their rights.
It was therefore necessary to come up with something more robust, a regulation that would guarantee:
- the protection of personal data within a framework appropriate to the present time,
- achieving greater consistency of the legal framework across EU countries,
- sufficient strengthening of the rights of data subjects; and
- achieving a unified interpretation but also supervision by the different national authorities in the EU Member States.
The GDPR Regulation aimed to set standards for the secure regulation of data flows, but from the outset it was primarily intended to create a legal basis for the secure use of technology by EU citizens.
The GDPR entered into force on 24 May 2016 and has applied since 25 May 2018, i.e. for roughly 5.5 years at the time of writing. From that day it superseded the existing Act No. 101/2000 Coll., on the protection of personal data (which was formally repealed on 24 April 2019).
Currently, the GDPR is supplemented in the Czech Republic by Act No. 110/2019 Coll., on the processing of personal data, which adapts national law to the directly applicable Regulation. The text of the GDPR itself has not been substantively amended since its adoption; it has only been corrected by corrigenda.
Since the GDPR came into force across the EU, the relevant data protection authorities have imposed fines of over €2.5 billion (i.e. approximately CZK 63 billion) for breaches of the GDPR.
GDPR and personal data protection - a future perspective
So we know when the GDPR is in place, but what about future changes and who will they affect? As far as the new GDPR for 2024 is concerned, there are only very minor changes related to the amendment of Act No. 301/2000 Coll., on civil registers, names and surnames - so there will be no impact on individuals (self-employed persons) and private companies.
New legislation is in the pipeline at European level, but when it will enter into force is still open - no indicative date has been announced. It aims to harmonise certain cooperation procedures between data protection authorities in cross-border cases (i.e. between Member States). There have been more than two thousand such cases since 2018.
For individuals, the new legislation should clarify what they need to submit when making a complaint and ensure they are properly involved in the process. For businesses, the new rules will clarify their due process rights when the relevant data protection authority investigates a possible breach of the GDPR.
Overall, it should streamline cooperation between relevant parties in resolving disputes and set a kind of gold standard for data protection at home and abroad.
GDPR basics - an overview
We've looked back at the history and outlined the future outlook. What is the present and what should you look out for when processing personal data? As we mentioned above, the GDPR regulation is quite extensive, and in addition, the supplementary Act No. 110/2019 Coll., on the processing of personal data, must be taken into account. If we were to boil down the main idea as much as possible, it would read as follows:
GDPR Regulation:
- Sets out rules for the protection of natural persons in relation to the processing of their personal data,
- defines the rules for the processing and movement of personal data; and
- protects the fundamental rights and freedoms of natural persons, with a particular focus on data protection law.
The GDPR Regulation is binding in its entirety in all EU Member States. It applies to any processing of personal data, whether automated or not (non-automated processing is covered as soon as the data form part of a filing system), with a few exceptions where personal data is processed:
- by a natural person in the course of a purely personal or household activity,
- in the course of activities which fall outside the scope of Union law (for example national security or the common foreign and security policy),
- by competent public authorities for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (this is governed by a separate directive).
Before we discuss each point in more depth, let's at least briefly define the most basic concepts related to the GDPR regulation.
What the key terms in GDPR mean
The exact definitions of all key terms can be found in Article 4 of the GDPR. We list the basic ones below:
- Personal data - any information relating to an identified or identifiable natural person. This includes, quite intuitively, an address, name, date of birth, photograph or identification number. Less intuitively, this category also includes location data, IP addresses, cookie and device identifiers, and, for example, employee codes. Remember that the GDPR applies to the data of all your employees if you collect or process such personal data. What is not personal data? In particular, data of legal entities (company registration number, a generic email address like info@spolecnost.cz) or genuinely anonymised data. Be careful with pseudonymised data (e.g. records keyed by a hash or token instead of a name): it is still personal data, because it can be attributed to a person with the help of additional information.
- Data subject - the natural person to whom the personal data relates. The GDPR does not apply to deceased natural persons.
- Processing of personal data - quite generally, any operation or set of operations performed on personal data, whether or not by automated means (i.e. recording and collection, organisation and structuring, storage, adaptation and alteration, retrieval and consultation, any use and disclosure, restriction, erasure or destruction).
- Data controller - an entity (of any legal form) which determines the purposes and means of the processing of personal data and is responsible for that processing.
- Personal data processor - an entity that processes personal data on behalf of the controller (see previous point), within the scope and on the documented instructions the controller gives it. The legal form of the entity is not decisive for this role either.
- Data Protection Officer (DPO) - a person (internal or external) who is not responsible for the processing itself but advises the organisation, monitors compliance with the GDPR and applicable legislation, and acts as a contact point for the supervisory authority and data subjects. A DPO is mandatory for your organisation if you are a public authority, if your core activities consist of regular and systematic monitoring of data subjects on a large scale, or if your core activities consist of large-scale processing of special categories of data (e.g. health data) - this typically includes hospitals, security agencies (responsible for monitoring public areas or shopping centres), headhunting firms etc.
→ Tip: Did you know that Algotech's DPO will handle communication with the authorities and cooperation with GDPR inspections for you?
What rights of data subjects do you have to guarantee as a controller?
The GDPR Regulation provides all data subjects with the following rights:
- Right of access - individuals (data subjects) have the right to request access to their personal data. As a controller, you must confirm whether you process their data, provide a copy of it (the first copy free of charge; if the request is made electronically, in a commonly used electronic form) and do so without undue delay, at the latest within one month of the request.
- Right to erasure - if the data is no longer necessary for the purpose for which it was collected (e.g. the data subjects are no longer your customers), if they withdraw the consent on which the processing is based, or if the processing is unlawful, they have the right to have it erased.
- Right to data portability - data subjects have the right to receive the data they provided to you in a structured, commonly used, machine-readable format and to transfer it from one service provider to another.
- Right to information - data subjects must be informed, at the time the data is collected, of who is processing it, for what purpose and on what legal basis. Where the processing relies on consent, that consent must be freely given, specific, informed and unambiguous, i.e. not implied. If a personal data breach occurs, the controller must notify the supervisory authority within 72 hours of becoming aware of it; if the breach is likely to result in a high risk to the rights and freedoms of the individuals concerned, the data subjects themselves must be informed without undue delay.
- Right to rectification - data subjects have the right to have their data updated, particularly if it is out of date, incomplete or incorrect.
- Right to restriction of processing - data subjects have the right to have the processing of their data restricted (e.g. while its accuracy is being disputed). You can keep the record but not use it.
- Right to object - data subjects have the right to stop the processing of their data for direct marketing, and you must stop such processing as soon as you receive the request. They may also object to other processing based on your legitimate interests, in which case you must stop unless you can demonstrate compelling legitimate grounds. In addition, you must explicitly bring this right to the attention of data subjects at the latest at the time of the first communication with them.
What does GDPR mean in practice - what principles do you need to follow as a data controller?
Data controllers/processors of personal data must follow the following main principles under Article 5 of the GDPR Regulation:
- Lawfulness, fairness and transparency - data subjects must be treated fairly and transparently, and every processing operation must rest on at least one legal basis.
- Limitation of purpose, scope and storage period - personal data may only be processed for specified, legitimate purposes, only to the extent necessary for those purposes (data minimisation), kept accurate and up to date, and retained only for the time necessary.
- Integrity and confidentiality - the handling of personal data must be secured both procedurally and technically, and as controller you must be able to demonstrate compliance with all of the above (accountability).
We can break down these general principles into specific tips on how you as a data controller should handle personal data. At the same time, these are the areas where mistakes are most often made when complying with GDPR regulations:
- Comply with lawfulness - every processing operation needs a legal basis; consent of the individuals concerned is one such basis, but it is not the only one and is not always the most suitable one.
- Always start from the underlying reason - i.e. the baseline on which the processing of personal data may be based (specifically, this may be, for example, contractual performance, performance of legal obligations, etc.).
- Clearly define the purpose of the processing of personal data - it is the obligation of everyone who processes, collects and stores personal data.
- Remember that the form and extent of the processing of personal data must always be appropriate to the purpose of the processing.
- Ensure the protection of personal data - it is the duty of every controller to adequately secure and protect the personal data collected and stored.
- Excessive invasion of privacy is prohibited, and the reasonableness and justification for any sharing or disclosure of negative or otherwise sensitive data must always be considered.
- Dispose - Once the purpose of processing personal data has been fulfilled, it is your responsibility as the controller to dispose of the data.
GDPR - fines and penalties
All organisations and companies that process personal data should clearly assign responsibility for GDPR compliance, and those that meet the criteria described above must appoint a DPO. Companies and organisations that fail to comply with the GDPR face very severe penalties: for the most serious infringements, fines of up to €20 million or up to 4% of total worldwide annual turnover, whichever is higher (a lower tier of up to €10 million or 2% applies to other infringements).
This is not just a "toothless scare": fines totalling over €2.5 billion (around CZK 63 billion) have been imposed across the EU since the GDPR regulation was introduced. We informed you about the biggest ones some time ago in our article GDPR in practice: The biggest snafus and fines in history. In the Czech Republic, the Office for Personal Data Protection has issued around 130 fines for GDPR violations.
Some time has passed since the publication of that article, so who are the current "record holders" in the imaginary competition for the biggest GDPR violation? The results will probably not surprise you too much; they are familiar names:
- Meta Platforms (under which Facebook, Instagram and WhatsApp fall) - the "absolute winner" in the massive and sometimes blatant violation of GDPR. In May 2023, the company was fined over CZK 28 billion (€1.2 billion) for unlawfully transferring Facebook users' personal data. Just a few months before that, in January 2023, Meta was fined CZK 9.4 billion (€390 million) for misusing Facebook and Instagram users' personal data for marketing purposes. In September 2022, it was fined CZK 9.9 billion (€405 million) for exposing the personal data of underage Instagram users. Exactly a year earlier, Meta was fined CZK 5.7 billion (€225 million) by the Irish Data Protection Commission over the sharing of WhatsApp users' data with other Meta companies. Meta Platforms has therefore "received" over CZK 53 billion in fines for GDPR violations and is comfortably in first place.
- Amazon - fined approximately CZK 19 billion for illegally transferring users' personal data in violation of data protection rules.
- Google - fined CZK 1.3 billion by the French data protection authority for misconduct in handling its users' personal data.
How to avoid GDPR fines?
Seemingly very simple: comply with the GDPR! In practice it can be tricky, even if you run regular training and make sure you follow all the rules. If you want to be really sure that you are compliant with the current legislation, conduct a GDPR audit.
If you want certainty for the future and to take the worry out of data protection, we will make sure you are GDPR compliant, from training and passing Data Protection Authority inspections to DPO services. Don't hesitate to contact us; we have guided more than 150 clients through GDPR issues and would be happy to guide you too.