Legal news Deloitte Czech Republic. February 2018

GDPR: Will You Also Be Affected by the New General Data Protection Regulation?

Those who have read in the past two months media news concerning the forthcoming changes for businesses must have come across this obtrusive abbreviation all the time. However, the most important question is whether the new regulation will really mean the end of personal data protection as we know it, putting business in danger? Is this the onset of a revolution?

For the sake of completeness, let us provide you with some facts about the new regulation first. The GDPR, ie Regulation (EU) 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), was adopted on 27 April 2016, taking effect as of 25 May 2018. The regulation will be directly enforceable in the European Union without the need for implementing legislation in individual EU member states.

In August 2017, a draft of the Czech Personal Data Processing Act was published. The draft, prepared by the Ministry of the Interior in cooperation with the Office for Personal Data Protection, is to replace the existing Act No. 101/2000 Coll., on Personal Data Protection. The authors made an effort not to duplicate individual articles of the GDPR in the draft, giving attention primarily to those areas in which the EU member states may use their own judgment in determining the appropriate legal regulation.

Is everybody, or at least somebody, prepared for the new regulation?

The question of whether at least somebody is prepared for the new regulation is rather tricky. Firstly, the GDPR will only take effect in May 2018; at present, GDPR compliance is not mandatory. Secondly, GDPR interpretation practice, ie the approach of individual authorities to the practical application of the GDPR, is not yet available (and probably will not be in May 2018). Therefore, if somebody declares that it is, or will be in May 2018, IN FULL COMPLIANCE WITH THE GDPR, it is only wishful thinking.

Regardless of the time until the GDPR takes effect, it is not necessary to heavily emphasise that burying one's head in the sand is not the best approach. What is more, certain instances of GDPR violation will be so obvious (such as website content) that the Office for Personal Data Protection will detect them automatically. At the same time, it may also be anticipated that if you become subject to an inspection by the Office for Personal Data Protection and any violation of the GDPR is identified, it will probably be added to your credit when the Office for Personal Data Protection receives evidence that you at least started addressing personal data protection in line with the new regulation.

It may be concluded that it is not yet too late to prepare for the GDPR. It is just crucial to reach the right solution. At present, some companies need a GDPR solution for several tens of thousands of Czech crowns while others will have to pay a few dozen million. It is important that these two categories not be interchanged. Our experience indicates that clients are principally divided into two basic categories: clients that are already compliant with all personal data protection requirements defined by the existing legislation, and those which have not been aware of personal data protection so far, or believed that this matter does not affect them. If you belong to the first category, the GDPR will only require minor changes in and updates of the established processes. Nevertheless, it is not an exception that businesses classified as non-compliant with the existing legislation often claim the contrary. Yet the truth will come to light after several questions asked by a lawyer.

Explication of the basic terms

Knowledge of the basic terms regarding personal data protection is a prerequisite for handling the GDPR. Below is a list of the essential terms to help you answer the question of whether the GDPR affects you as well.
Personal data: any information relating to an identified or identifiable natural person ("data subject").

Controller: an entity which alone or jointly with others determines the purposes and means of the processing of personal data, or which has a statutory duty to process personal data, such as a business with client or employee databases.

Processor: an entity which processes personal data on behalf of and according to the instructions of the controller, such as an external company processing payroll records for a business with employees, or an external marketing agency administering a customer loyalty programme.

Processing: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; for example, when a payroll accountant finds in an employee database data on a specific employee and prepares supporting documents for processing the wage for the previous month.

Do not forget common sense

With respect to small and medium-sized businesses, which are likely to read this article the most, personal data protection will primarily involve personal information, client databases, or more precisely marketing in general, and supplier databases, as well as security where CCTV and other monitoring devices are used. For simplicity's sake, the GDPR affects you when you answer yes to any of the questions listed below:

1. Do you have any employees?
2. Do you save contact information of clients or other third parties (such as names, telephone numbers, etc)?
3. Have you installed a video surveillance system?

The fact that you are subject to the GDPR will not necessarily mean that you will have to invest your profits in various GDPR advisers. Nevertheless, it is a signal that you should at least prepare an overview of which personal data (ie any data whereby a specific person may be identified) are used in your business and why, how these data are archived, and how (and whether) they are disposed of. In the case of small businesses and simple databases, the overview may be prepared by the business alone and subsequently consulted with a lawyer with a view to compliance with the GDPR. As the next step, internal policies may be set up and the relevant software updated. In medium-sized enterprises, it will be necessary to engage an external provider to map the current processes, since the measures ensuring GDPR compliance may only be determined after the as-is state has been analysed.

As regards measures resulting from the above-referred analysis, it will always be essential to use your own judgment in deciding whether the measures are appropriate for your business activities rather than those of your advisor. It is not always required to turn all processes upside down, or on the contrary, to arrive at the conclusion that you may not process any personal data at all.

Devil's advocate

On the other hand, if we play the devil's advocate, it should be noted that the GDPR primarily aims to protect people from their personal data being misused for business purposes, rather than being just another worthless regulation from Brussels. Nobody is pleased about an e-mail inbox full of spam messages, a letterbox filled with product and service offerings from various publishers, and personal data concerning our purchasing habits being exchanged among suppliers without our knowledge. The GDPR's objective is to prevent all of these undesirable phenomena, which constitute nothing but lucrative trading with people's privacy. The GDPR seems to be beneficial for citizens as well as an opportunity for businesses to set up their own databases so that client and employee data cannot be misused by a third party.

JUDr. Martin Bohuslav, mbohuslav@deloittece.com
Ondřej Chmela, ochmela@deloittece.com

GDPR Detective from CZK 30 thousand

Getting acquainted with the GDPR is certainly not simple, and those engaged in personal data processing may be confronted with complications, unclarity and obstacles. Sometimes, it may be a bit of a crime story. Therefore, Deloitte Legal has developed an application entitled GDPR Detective, an online guide which helps businesses navigate the new legal regulation.

Contacts

If you are interested in obtaining additional information regarding the services provided by Deloitte Czech Republic, please contact our legal specialists:

Ambruz & Dark Deloitte Legal s.r.o., advokátní kancelář
Nile House
Karolinská 654/
Praha 8 - Karlín
Czech Republic
Tel.:
Fax:

Subscribe to dreport and other newsletters and invitations here.

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see to learn more about our global network of member firms.

Deloitte provides audit, consulting, legal, financial advisory, risk advisory, tax and related services to public and private clients spanning multiple industries. Deloitte serves four out of five Fortune Global 500 companies through a globally connected network of member firms in more than 150 countries and territories, bringing world-class capabilities, insights, and high-quality service to address clients' most complex business challenges. To learn more about how Deloitte's approximately 245,000 professionals make an impact that matters, please connect with us on Facebook, LinkedIn, or Twitter.

This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the "Deloitte Network") is, by means of this communication, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional advisor. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this communication.

For information, contact Deloitte Czech Republic.