Are you sure that your documentation and established privacy procedures are in accordance with the GDPR, the interpretative guidelines and the new Act on Personal Data Processing?

Soon it will be a year since the GDPR came into effect. The interpretation of the GDPR and many practical issues are still the subject of new interpretative materials and guidelines issued by the Czech Office for Personal Data Protection (the “Czech DPA”) and the European Data Protection Board (formerly WP 29).

After major sanctions imposed in other EU countries (e.g. a EUR 50,000,000 fine by a supervisory authority in France), the Czech DPA has also initiated checks of GDPR compliance and imposed fines for violations (the highest fine so far being CZK 250,000).

Following the GDPR, the new Act on Personal Data Processing has been in force in the Czech Republic since 24 April 2019. Among other things, this Act introduces exceptions to some of the controller’s obligations under the GDPR, such as:

  • an exemption from the obligation to assess the compatibility of processing purposes;
  • exceptions to the controller’s obligation to inform data subjects about the processing and their rights; or
  • an exemption from the data protection impact assessment.

It is not always easy for controllers and processors to keep up with the current rules. On the other hand, the broad debate triggered by the introduction of the GDPR and freely available information about the GDPR have resulted in greater awareness among data subjects, who are increasingly exercising their rights with controllers and processors (often over and above their rights under the GDPR) or lodging complaints with the Czech DPA, which can now be done via a simple online form available on its website. We can therefore expect a greater administrative burden for controllers and processors in this area as well as an increasing number of Czech DPA inspections.

Personal data protection and data privacy is one of our key practices at DELTA legal and our lawyers have also prepared a commentary on the GDPR for the Codexis law system. If you are interested, we would be happy to conduct a GDPR audit focusing on the riskiest areas or a more targeted analysis according to your needs and wishes.