News

Personal data in business – essential change beyond the horizon

Do you vigorously protect you privacy or you rather do not care so much? Are you ready to “pay” for the consumption of various on-line services and benefits or you rather reach for your wallet to buy the feeling of privacy? Do you spend your nights sleepless and worrying about the Big Brother or you accepted the oversight of public authorities for the security sake?

Than you could find interesting that the EU adopted a new regulation on personal data protection no. 2016/679 (the “Regulation”), which sets down the unified rules for all member states. Compared with the existing directive, the extent of the Regulation was tripled (more than 100 pages of text), co something must have changed, right?

The Regulation will limit businessmen (a) domiciled in EU who process personal data anywhere including outside the EU, (b) incorporated outside of the EU who process the data of EU citizens in relation with offering them goods or services and (c) monitoring the behavior of EU citizens taking place in the EU territory including social networks or internet browsers.

Furthermore, the basic principles of personal data processing remain in general unchanged – transparency, explicit and legitimate purpose, minimizing the impact on privacy, i.e. the smallest possible scope of the processed data and duration of the processing. The businessmen, as data controllers, will be obliged to adopt “all reasonable measures” to ensure that the data are correct, updated if necessary and to ensure both their integrity and confidentiality. In order to do so, they will have to implement such technical and organizational measures, which are adequate to risks stemming from their possible leak.

In addition, the existing legal framework for the unlimited data transfers within the EU remains intact, to other countries only upon stringent conditions fulfilled. The businessmen processing data in more member states should newly be subject mainly to the regulator at his main establishment unless his relevant activity affects only another EU member state or people living there (employees, etc.). As a result, the parallel supervision by more regulators interpreting the different national laws differently, will end together with undesirable duplicity and legal uncertainty.

Moreover, Czech businessmen systematically monitoring specific people at a large scale or processing sensitive data will newly be obliged to appoint so called personal data inspector; This has been obligatory so far only in some EU member states, such as Slovakia. An employee or external consultant reporting to top management will have to be hired for the job, which will mean a significant extra cost.

Finally, the amount of fines will depend on the significance of the misconduct, i.e. its gravity, duration or culpability. Nevertheless, the maximum fine according to the Regulation rose up to 4% of the worldwide turnover of the sinner or EU 20 million, whichever is higher in each particular case. This means a fundamental increase compared to the existing relatively moderate Czech law (approx. EUR 370,000) and benevolent approach of the Czech regulator (fines usually amounting to hundreds or thousands EUR at maximum).

Author: Stanislav Bednář, Associate/Attorney, DLA Piper Prague