Personal Data Processing

Learn the essentials of GDPR – who it applies to, when and how personal data can be processed, what your basic responsibilities are and how to manage cookies.

Pay special attention to the collection and processing of any personal data, because a large number of legal requirements may apply: from drawing up legal documents to ensuring the technical security of data processing, not only in the digital world but also in physical reality.

Apart from applicable national laws, there is also the well-known GDPR regulation established at the EU level. GDPR is considered one of the most stringent regulations, even though strong protection also exists in California – see our blog GDPR vs. CCPA for the differences.

The GDPR always applies to you if:

  • your establishment is in the EU and you process personal data in relation to its activities (this still applies if, for example, you store the personal data in a cloud with data centres located outside the EU);
  • your establishment is located anywhere and you process personal data of persons who reside in the EU (not necessarily EU citizens) and:
    • your processing of personal data is related to the offering of goods or services to those persons in the EU (e.g. an American company runs an e-shop in at least one language of an EU member country and supplies goods to persons in the EU); or
    • your processing of personal data is related to the monitoring of their behaviour, as far as that behaviour takes place in the EU (e.g. you monitor and profile an EU user of your website by means of cookies to find out which advertisements would suit them best).

Astronomical fines of up to EUR 20M or 4 % of world-wide turnover may be imposed for non-compliance with GDPR. However, in the case of smaller enterprises, warnings usually precede fines, and the fines themselves are at lower levels. Up to 100 fines have been imposed in this respect in Slovakia, with an average amount of approx. EUR 3,700. The situation in the Czech Republic is similar as regards the number of fines, whilst the highest fine imposed reached approx. EUR 10,000 (CZK 250,000). You can find a history of fines, including details and the country of the issuing body, here.

Personal data may only be processed if it falls under a legal basis for processing. Examples of legal bases:

  • Consent of the data subject – The consent should be given unambiguously and obtained separately (e.g. by clicking on an active opt-in field that is not pre-ticked). The consent text should contain nothing but the wording of the consent itself (no unrelated text), and each consent should cover only one purpose of personal data processing.

Example of a consent:

  • Contractual obligation – Provided that personal data processing is necessary for the performance of a contract with your customer (e.g. you process personal data of your e-shop customers that were provided for the purpose of delivering goods, and the goods are to be delivered in compliance with your general sales conditions), consent is not required, since contractual obligation is considered a separate legal basis.

  • Fulfilment of a legal obligation – Consent is not required if you are fulfilling a legal obligation (e.g. you register your employees with the social insurance company or the health insurance company).

2. How Can Personal Data Be Processed?

  • Personal data must be processed for the specific and explicit purpose it was collected for and must not be further processed in a manner incompatible with that purpose (e.g. a customer’s e-mail address obtained for communication about the supply of goods must not be used for marketing purposes without a separate, specific consent).

  • Only to the extent necessary to achieve the purpose for which the personal data was collected (e.g. it is not necessary to collect health data for an application designed to provide a communication platform).

  • Only for as long as necessary for the purposes for which the personal data was collected (e.g. personal data of an unsuccessful job-seeker, collected to fill a specific position, should not be processed after the selection procedure is completed).

  • In a manner that guarantees adequate security of the data (e.g. with adequate organisational and technical security measures).

3. Your Main Responsibilities under GDPR

  • To draw up the principles of personal data processing (a Privacy Policy) – an information document (often published on a website) which gives the data subject comprehensible information on every important aspect of the processing, i.e. what types of data are processed, for what purpose, for how long, to whom the data may be disclosed, what the data subject’s rights are, how they can contact you to exercise those rights, and so on.

  • To implement technical and organisational measures that ensure the security of personal data processing (e.g. encryption of company computers, pseudonymisation of data, rules on the handling of physical data carriers, a clean desk policy and so on). There should also be an internal document that describes and lists these measures.

  • To create a record of processing activities, based on the template published by the Office for Personal Data Protection of the Slovak Republic here or of the Czech Republic here, in which you capture the most important information on the flow of all personal data being processed.

  • If internal persons have access to and authorisation for personal data, it is necessary to draw up written authorisations with instructions on how to process the data. Should external persons, the so-called intermediaries (processors, in GDPR terminology), work with the data (e.g. your accountants, the cloud providers hosting the app, or the operators of payment gateways integrated into your website), it is necessary to conclude an intermediation (data processing) contract with them.

  • In certain, more complex cases of personal data processing (e.g. if the application monitors the location or health data of users to a large extent) it is also necessary:
    • to appoint a person responsible for ensuring the lawfulness of the personal data processing;
    • to assess the impact of the planned processing activities on personal data protection, resulting in a written document; and
    • to consult the personal data processing with the competent authority.

The responsible person (DPO – Data Protection Officer) can be a natural or legal person, internal or external, with relevant professional knowledge of the legislation and procedures in the field of personal data protection (not necessarily a lawyer), ideally someone working in IT and security. A DPO is required when a company exceeds 100 employees or when special category data is processed on a large scale. Companies providing the services of a Data Protection Officer can easily be found online.

4. Cookies

Let’s not forget cookies, which are also considered personal data. As a rule, apart from cookies that are necessary to make an application work, cookies may not be used without the user’s active consent. This applies to your own (first-party) cookies as well as third-party cookies (e.g. Google Analytics). Therefore, the best solution is to set up a cookie window/banner that pops up immediately after the website is visited or the application is launched, letting the user decide which types of cookies to opt in to, divided according to their purpose (marketing, analytic, functional). The banner should also link to your Privacy Policy so the user can find further information about how their data is used. Unless the user opts in to a category of cookies, that category should be off by default.
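As an added example, not code from the original page, the following JavaScript shows the behaviour described above in a form that runs in the browser or in Node: non-essential cookie categories are off until the user opts in, the banner's choices are turned into a consent state, that state is stored in a single first-party cookie, and cookie-setting tasks (analytics, marketing) run only for the categories the user granted. The category names follow the page (necessary, functional, analytic, marketing); the cookie name, the `v1` format prefix and the task registry are assumptions of this example. A stale or malformed consent cookie is treated as no consent, so a change in the format never silently re-enables a category.

```javascript
// Consent-gated cookie handling (added example; names and format are assumptions).
const COOKIE_CATEGORIES = ["necessary", "functional", "analytic", "marketing"];
const CONSENT_COOKIE = "cookie_consent"; // assumed first-party cookie name
const CONSENT_VERSION = "v1";            // assumed format version of the stored value

// Default state: only strictly necessary cookies are allowed until the user opts in.
function defaultConsent() {
  return { necessary: true, functional: false, analytic: false, marketing: false };
}

// Build the consent state from the banner's checkboxes. Unknown categories are
// ignored, "necessary" can never be switched off, and only an explicit `true`
// (an actively ticked box) counts as opting in.
function consentFromBanner(choices) {
  const consent = defaultConsent();
  for (const [cat, on] of Object.entries(choices || {})) {
    if (cat === "necessary" || !COOKIE_CATEGORIES.includes(cat)) continue;
    consent[cat] = on === true;
  }
  return consent;
}

// Serialise the granted categories into one cookie value, e.g. "v1|functional,analytic".
function serializeConsent(consent) {
  const granted = COOKIE_CATEGORIES.filter((c) => c !== "necessary" && consent[c] === true);
  return `${CONSENT_VERSION}|${granted.join(",")}`;
}

// Parse a stored value back into a consent state. Anything malformed, or written
// by a different format version, falls back to "no consent" rather than "all on".
function parseConsent(value) {
  const consent = defaultConsent();
  if (typeof value !== "string") return consent;
  const [version, list = ""] = value.split("|");
  if (version !== CONSENT_VERSION) return consent;
  for (const cat of list.split(",")) {
    if (cat && cat !== "necessary" && COOKIE_CATEGORIES.includes(cat)) consent[cat] = true;
  }
  return consent;
}

// Find the consent cookie in a "name=value; name=value" string (document.cookie
// in the browser, or a Cookie request header on the server).
function readConsentCookie(cookieString) {
  for (const part of (cookieString || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name === CONSENT_COOKIE) return parseConsent(rest.join("="));
  }
  return defaultConsent();
}

// Run the cookie-setting task for each category the user granted. `tasks` maps a
// category to a function (e.g. one that loads an analytics script); the list of
// categories that actually ran is returned so the caller can log or assert on it.
function applyConsent(consent, tasks) {
  const ran = [];
  for (const [cat, fn] of Object.entries(tasks)) {
    if (consent[cat] === true) {
      fn();
      ran.push(cat);
    }
  }
  return ran;
}

// Browser glue for the banner's submit button: persist the choice for 180 days
// on a Secure, SameSite=Lax first-party cookie and return the resulting state.
function onBannerSubmit(choices) {
  const consent = consentFromBanner(choices);
  if (typeof document !== "undefined") {
    document.cookie =
      `${CONSENT_COOKIE}=${serializeConsent(consent)}; Path=/; Max-Age=15552000; SameSite=Lax; Secure`;
  }
  return consent;
}

// Constructed sample run: a visitor who ticked only "analytic".
const sampleConsent = onBannerSubmit({ analytic: true, marketing: false });
applyConsent(sampleConsent, {
  analytic: () => { /* load the analytics script here */ },
  marketing: () => { /* load the advertising script here */ },
});
```

On page load, call `applyConsent(readConsentCookie(document.cookie), tasks)` before any non-essential script is loaded; if no consent cookie is present, `readConsentCookie` returns the default state and only the necessary category runs, which is exactly the "off by default" behaviour the page requires.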
