Please pay special attention to the collection and processing of any personal data, because a large number of legal requirements may apply to you: from drawing up legal documents to ensuring the technical security of data processing, not only in the digital world but also in the physical one.
Apart from applicable national laws, there is also the well-known GDPR, established at EU level. GDPR is considered one of the most stringent regulations, although strong protection also exists in California – see our blog post GDPR vs. CCPA for the differences.
The GDPR always applies to you if:
- your establishment is in the EU and you process personal data in the context of its activities, regardless of where the processing itself takes place (e.g. it still applies if you store the personal data in a cloud whose data centres are located outside the EU);
- your establishment is anywhere in the world (including outside the EU) and you process personal data of persons who are in the EU (not necessarily EU citizens) and:
- your processing of personal data is related to the offering of goods or services to those persons in the EU (e.g. an American company runs an e-shop in at least one language of an EU member state and supplies goods to persons in the EU); or
- your processing of personal data is related to the monitoring of their behaviour, as far as that behaviour takes place in the EU (e.g. you monitor and profile an EU user of your website by means of cookies to find out which advertisements would suit them best).
Astronomical fines of up to EUR 20 million or 4 % of world-wide annual turnover, whichever is higher, may be imposed for non-compliance with GDPR. However, in the case of smaller enterprises, warnings and fines at lower levels usually come first. Up to 100 fines have been imposed in this respect in Slovakia, with an average amount of approx. EUR 3,700. The situation in the Czech Republic is similar as far as the number of fines is concerned, while the highest fine imposed there reached approx. EUR 10,000 (CZK 250,000). You can find a history of fines, including details and the country of the issuing body, here.
1. Legal Basis for Personal Data Processing
Personal data may only be processed if the processing rests on one of the legal bases set out in GDPR. Examples of legal bases:
- Consent of the data subject – Consent must be given unambiguously and obtained separately (e.g. by ticking an active opt-in box that is not pre-ticked). The consent text should contain nothing but the wording of the consent itself (no unrelated text), and each consent should cover only one purpose of personal data processing.
Example of a consent:
- Contractual obligation – Where personal data processing is necessary for the performance of a contract with your customer (e.g. you process personal data of your e-shop customers that they provided for the purpose of delivery of goods, and the goods are to be delivered in accordance with your general sales conditions), consent is not required, since the contractual obligation is a separate legal basis in its own right.
- Fulfilment of a legal obligation – Consent is also not required if you are fulfilling a legal obligation (e.g. you register your employees with the social insurance agency or a health insurance company).
2. How Can Personal Data be Processed?
- Personal data must be processed only for the specific and explicit purpose for which it was collected and must not be further processed in a manner incompatible with that purpose (e.g. a customer's e-mail address obtained for communication about the supply of goods must not be used for marketing without a separate, specific consent) – the purpose limitation principle.
- Only to the extent necessary to achieve the purpose of collection (e.g. an application that provides a communication platform has no need to collect data concerning health) – the data minimisation principle.
- Only for as long as is necessary for the purposes of collection (e.g. personal data of an unsuccessful job applicant collected to fill a specific position should not be processed after the selection procedure is completed) – the storage limitation principle.
- In a manner that guarantees adequate security (e.g. with adequate organisational and technical security measures) – the integrity and confidentiality principle.
3. Your Main Responsibilities under GDPR
- Implement technical and organisational measures to ensure the security of personal data processing (e.g. encryption of company computers, pseudonymisation of data, rules on handling physical data carriers, a clean desk policy and so on). There should also be an internal document describing and listing these measures.
- Complete a record of processing activities, using the template published by the Office for Personal Data Protection of the Slovak Republic here or by the Czech office here, in which you capture the most important information on the flow of all personal data you process.
- If internal persons have access to and authorisation for personal data, you need to draw up written authorisations with instructions on how to process the data. If external persons, the so-called intermediaries (processors in GDPR terminology), work with the data (e.g. your accountants, the cloud provider hosting your app or the operator of the payment gateway integrated into your website), you need to conclude a data processing (intermediation) contract with each of them.
- In certain, more complex cases of personal data processing (e.g. if the application monitors users' location or health data on a large scale) it is also necessary:
- to designate a person responsible for ensuring the lawfulness of the processing of personal data (a data protection officer);
- to assess the impact of the planned processing activities on personal data protection and record the assessment in a written document (a data protection impact assessment); and
- to consult the competent supervisory authority on the processing before it starts.
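As an added illustration (not part of the original article) of one of the technical measures listed above, the following Python snippet pseudonymises a customer field with a keyed hash (HMAC-SHA256) rather than a plain hash. The order records, field names and key handling are constructed for the example. The point it shows: an unkeyed hash of an e-mail address is trivially reversed by hashing candidate addresses, whereas the keyed version is only reversible by whoever holds the key, which is why the key must be stored separately from the pseudonymised data and why such data remains personal data under GDPR.

```python
import hmac
import hashlib
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample data for the example: e-shop orders where the e-mail
# address is the field we want to pseudonymise before, say, handing the
# order history to an analytics team.
SAMPLE_ORDERS: List[Dict[str, object]] = [
    {"order_id": 1001, "email": "Anna.Novak@example.com", "total_eur": 49.90},
    {"order_id": 1002, "email": "jan.horak@example.com", "total_eur": 12.00},
    {"order_id": 1003, "email": "anna.novak@example.com", "total_eur": 7.50},
]


def normalise(value: str) -> bytes:
    """Canonicalise a field so 'Anna@X' and 'anna@x' map to the same pseudonym."""
    return value.strip().lower().encode("utf-8")


def pseudonymize(value: str, key: bytes) -> str:
    """Deterministic keyed pseudonym: HMAC-SHA256 over the normalised value.

    Determinism is what keeps joins across records working (the same customer
    gets the same token); the key is what stops anyone without it from
    confirming a guess by recomputing the hash.
    """
    return hmac.new(key, normalise(value), hashlib.sha256).hexdigest()


def unkeyed_hash(value: str) -> str:
    """The weak variant: a plain SHA-256 of the e-mail. Shown for contrast."""
    return hashlib.sha256(normalise(value)).hexdigest()


def pseudonymize_records(records: Iterable[Dict[str, object]],
                         key: bytes,
                         fields: Iterable[str]) -> List[Dict[str, object]]:
    """Return copies of the records with the listed fields replaced by pseudonyms."""
    fields = list(fields)
    out = []
    for rec in records:
        masked = dict(rec)  # never mutate the caller's original records
        for f in fields:
            if masked.get(f) is not None:
                masked[f] = pseudonymize(str(masked[f]), key)
        out.append(masked)
    return out


def reidentify(pseudonym: str, candidates: Iterable[str], key: Optional[bytes]) -> Optional[str]:
    """Dictionary attack / legitimate re-identification.

    With key=None the unkeyed hash is tested, which is what an attacker who
    obtained the pseudonymised export can do with a list of guessed addresses.
    With the key, the same loop is how the controller re-identifies a record,
    which is exactly why pseudonymised data is still personal data.
    """
    for c in candidates:
        token = unkeyed_hash(c) if key is None else pseudonymize(c, key)
        if hmac.compare_digest(token, pseudonym):
            return c
    return None


def new_key() -> bytes:
    """Generate a fresh 256-bit pseudonymisation key.

    In practice this lives in a secrets manager or HSM, never beside the data.
    """
    return secrets.token_bytes(32)


if __name__ == "__main__":
    key = new_key()
    masked = pseudonymize_records(SAMPLE_ORDERS, key, ["email"])
    for row in masked:
        print(row)
    guesses = ["anna.novak@example.com", "jan.horak@example.com"]
    # Attacker without the key can only crack the unkeyed variant:
    print("unkeyed cracked:", reidentify(unkeyed_hash("jan.horak@example.com"), guesses, None))
    print("keyed cracked without key:", reidentify(masked[1]["email"], guesses, None))
    print("controller with key:", reidentify(masked[1]["email"], guesses, key))
```

Note that pseudonymisation only reduces risk; it does not take the data outside GDPR. Because the controller can re-identify a row with the key, the pseudonymised export and the key must be protected and governed as personal data, and the key should be held by a different role or system than the one receiving the export.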