Return to the Newsroom
COMPANY FORMATION OVERVIEWS 2024
Read more
Mailchimp - subscribe form sidebar

GDPR compliance guide | eBook

May 21, 2024
This article is also available in
Romanian

EU data protection legislation was amended in May 2016 and Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is directly applicable in all EU countries from 25 May 2018.

The law applies to all sectors and types of business that process personal data, regardless of whether or not the processing takes place on the territory of the European Union (to the extent that the goods and/or services of the data controllers are also addressed to persons within the EU).

As the regulation imposes a unique set of rules, a good understanding of the content and impact it generates is necessary, and companies need to review their current data protection compliance programmes to identify problems and implement changes in their business.

Our GDPR compliance guide summarizes the main aspects including types of personal data and their processing conditions, appointment of a data protection officer, data transfer outside of the EU, sanctions and more.

Download our GDPR compliance guide or read more below

General provisions

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) was published in the Official Journal of the European Union, L 119/1 series.

The reasons for adoption:

  • The principles and rules relating to the protection of natural persons with regard to the processing of their personal data should, regardless of the nationality or place of residence of natural persons, respect their fundamental rights and freedoms, and in particular their right to the protection of personal data;
  • The Regulation seeks to contribute to the achievement of an area of freedom, security and justice and of an economic union, to economic and social progress, to the consolidation and convergence of economies within the internal market and to the well-being of individuals;
  • To defend the right to private, family and private life with regard to the processing of personal data.

This Regulation entered into force on the twentieth day following that of its publication in the Official Journal of the European Union and applies from 25 May 2018. Furthermore, the Regulation imposed a single set of rules directly applicable in all Member States of the European Union and replaced Directive 95/46/EC and, therefore, the provisions of Law no. 677/2001.

In Czech legislation, the directly applicable Regulation is followed by Act No. 110/2019 Coll., on the processing of personal data. This Act regulates certain issues that are left to be regulated by national legislation.

In Hungarian legislation, the directly applicable Regulation is followed by Act No. 38/2018., on the processing of personal data. This Act modified the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information in accordance with the Regulation.

As part of the changes adapting to GDPR Act of 10 May 2018 on the Protection of Personal Data was introduced in Poland.

In Romanian legislation, the Regulation was implemented by Law No 190/2018. Law No 190/2018 is a law regulating the measures implementing Regulation (EU) 2016/679 on the protection of personal data. The law entered into force on 31 July 2018. The law sets out the powers and competences of the national supervisory authority, as well as the sanctions applicable in case of breach of the provisions of the Regulation. The Law applies to all natural and legal persons processing personal data in Romania.

As part of the changes adapting to GDPR Act No. 18/2018 Coll. on protection of personal data was introduced in Slovakia.

Personal data

Any information relating to an identified or identifiable natural person is considered personal data. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Data with normal protection level

  • Name
  • First name
  • E-mail address
  • Phone number
  • Bank account number
  • Date of birth
  • Personal identification number etc.

In other words, any data that allows a person’s identity to be compromised directly or indirectly by a third party.

Sensitive data

The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership and the processing of genetic data, biometric data for the unique identification of a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited.

  • Genetic data
    • Defined in international documents as data relating to the hereditary characteristics of a person or to the hereditary pattern of such characteristics relating to a group of persons in a family, genetic data are personal data within the meaning of Directive 95/46/EC, as they allow the identification of the person concerned, highlighting his/her uniqueness.
  • Biometric date
    • The biometric data included in electronic documents are the facial image in digital format and the papillary impressions of two fingers in digital format.
  • Data on a person’s health
    • Personal data relating to the physical or mental health of an individual, including the provision of healthcare services, which reveal information about the individual’s health.
  • Other special data:
    • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership.

Article 9 of the Regulation lists the exceptions to the prohibition of processing sensitive data. They will only be processed to the extent that there are legal grounds for processing, set out exhaustively in the Regulation.

Processing conditions

The data will be:

  • Processed lawfully, fairly and transparently in relation to the data subject (lawfulness, fairness and transparency);
  • Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (“purpose limitation”);
  • Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation);
  • Accurate and, where necessary, kept up to date; every step must be taken to ensure that personal data which are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”);
  • Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data are processed (“storage limitations”);
  • Processed in a way that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or accidental damage, by taking appropriate technical or organisational measures (“integrity and confidentiality”).

Data processing conditions

Legal data processing is done under the following conditions:    

  • The data subject has consented to the processing of his/her personal data for one or more specific purposes;
  • The processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
  • The processing is necessary for compliance with a legal obligation incumbent on the controller;
  • The processing is necessary to protect the vital interests of the data subject or of another natural person;
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
  • The processing is necessary for the purposes of legitimate interests pursued by the controller or a third party, except where the interests or fundamental rights and freedoms of the data subject require the protection of personal data, in particular where the data subject is a child.

New data subject rights brought by the Regulation

In addition to the existing rights (right to be informed, right to request data portability between controllers, right to object, right to object to profiling), the Regulation brought four new rights of the data subject:

  • Right of access to data – the right to obtain from the controller information about what information it processes, its purpose, etc.
  • Right to have the data rectified– the right to obtain from the controller the rectification of inaccurate personal data concerning him/her.
  • Right to have the data be erased (right to be forgotten) – the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.
  • Right to restrict the processing – the right to obtain the restriction of the data used by the controller or the transfer of data.

Specific provisions relating to minors

According to the Regulation, children need specific protection of personal data, as they may be less aware of the risks, consequences, safeguards involved and their rights regarding the processing of personal data.

This specific protection should apply, in particular, to the use of children’s personal data for marketing purposes or for the creation of personality or user profiles and to the collection of children’s personal data when using services offered directly to them. The consent of the holder of parental responsibility should not be required in the context of prevention or counselling services offered directly to children.

As children need specific protection, any information and communication, where the processing concerns a child, should be expressed in simple and clear language so that the child can easily understand it.

Where the child is under 16 years of age, such processing is lawful only if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child.

Appointment of a DPO

Appointment of a data protection officer

The controller and the processor must appoint a data protection officer whenever necessary:

  • The processing is carried out by a public authority or body, with the exception of courts acting in their judicial capacity;
  • The main activities of the controller or the person authorised by the controller consist of processing operations which, by their nature, their scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale;
  • The main activities of the controller or of the person authorised by the controller consist in the processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.

A group of companies may appoint a single data protection officer, provided that he or she is easily accessible by each of the companies.

Responsibilities of the Data Protection Officer

  • Informing and advising the controller or the processor’s authorised representative and the employees involved in the processing on their obligations under the Regulation and other provisions of Union or national law relating to data protection;
  • Monitoring compliance with the Regulation, other provisions of Union or national law relating to data protection and the policies of the controller or the processor with regard to the protection of personal data, including the allocation of responsibilities and awareness-raising and training actions to staff involved in processing operations, and related audits;
  • Providing advice on request in terms of data protection impact assessment and monitoring its functioning;
  • Cooperation with the supervisory authority;
  • Assuming the role of point of contact for the supervisory authority on processing-related matters, including prior consultation and, where appropriate, consultation on any other matter.

Data transfer outside of EU

The transfer of personal data to a third country or an international organisation may take place when the Commission has decided that the third country, a territory or one or more specified sectors of that third country or international organisation ensures an adequate level of protection. Transfers made under these conditions do not require special authorisations.

In the absence of a decision, the controller or processor may transfer personal data to a third country or international organisation only if the controller or the processor has provided adequate safeguards and provided that there are enforceable rights and effective remedies for data subjects.

Mapping data

As of 25 May 2018, all operators in the public system, persons authorised by operators, and operators in the private system with more than 250 employees are obliged to map the processing of personal data carried out. This obligation is provided for in Article 30 of the Regulation.

The obligation to map is also necessary for employees below the above mentioned threshold, if the processing that the controller carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional or the processing includes special categories of data or personal data relating to criminal convictions and offences.

This record of processing activities will include the following information:

  • Name and contact details of the controller and, where applicable, the associated controller, the controller’s representative and the data protection officer;
  • The purposes of the processing;
  • Description of the categories of data subjects and categories of personal data;
  • The categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or international organisations;
  • If applicable, transfers of personal data to a third country or international organisation, including identification of the third country or international organisation concerned, documentation proving the existence of appropriate safeguards;
  • Where possible, the expected deadlines for deletion of the different categories of data;
  • Where possible, a general description of the technical and organisational security measures.

Records will be kept in writing, including in electronic format.

On request, the operator or the processor and, where applicable, the representative of the processor shall make the records available to the supervisory authority.

One-stop shop

For data controllers operating in more than one EU Member State, the competent supervisory authority is that of the Member State where the data controller has its principal place of business.

Data security breaches

The controller and the processor’s authorized persons have the obligation to notify the supervisory authority in case of a data security breach.

Notification shall be made within 72 hours of the Operator becoming aware of the breach. If there is a major risk to the rights and freedoms of the data subject (e.g. identity theft), the data subject will be notified as soon as possible.

The right for compensation and liability

Any person who has suffered material or non-material damage as a result of a breach of the Regulation has the right to obtain compensation from the operator or the processor for the damage suffered.

Any controller involved in processing operations shall be liable for the damage caused by its processing operations in breach of the Regulation. The processor is liable for the damage caused by processing only if he has not complied with the obligations of the Regulation, which are specifically incumbent on the processor, or has acted outside or contrary to the legal instructions of the controller.

Severe sanctions

The Regulation provides for severe administrative sanctions, and these can be up to EUR 10 million or 2% of international turnover for violations of the rules on unsolicited communications or up to EUR 20 million or 4% of international turnover for unlawful processing.

Furthermore, Member States shall lay down rules on other penalties applicable to infringements of the Regulation, in particular for infringements which are not subject to administrative fines, and shall take all measures necessary to ensure that they are implemented. Those penalties shall be effective, proportionate and dissuasive.

Supervision over the processing of personal data in the Czech Republic is carried out by an independent control authority – the Data Protection Authority (in Czech: „Úřad pro ochranu osobních údajů”). The Czech DPA monitors compliance with legal regulations and enforces them.

The National Authority for Data Protection and Freedom of Information  (hereinafter “the Authority” or “the NAIH”)  is responsible  for monitoring and promoting the enforcement of two fundamental rights: the right to the protection of personal data and the right to freedom of information (access to data of public interest and data accessible on public interest grounds) in Hungary, as well as promoting the free movement of personal data within the European Union. Based on constitutional provision, the Act CXII of 2011 on  the right to informational self-determination and on the freedom of information (hereinafter “the Act CXII of 2011”) , which  entered into force on 1 January 2012,  established the  Authority  and regulated its operation in detail. From an organisational perspective, the NAIH is an autonomous state administration organ; it may not be instructed in its functions and shall operate independently of other organs and of undue influence. The tasks of the NAIH may only be determined by an Act of Parliament.

In Poland, the authority designated to supervise the processing of personal data of controllers and to apply sanctions for non-compliance with the Regulation is the President of the Personal Data Protection Office, as an autonomous central public authority with general competence in the field of personal data protection.

In Romania, the authority designated to supervise the processing of personal data of controllers and to apply sanctions for non-compliance with the Regulation is the National Supervisory Authority for Personal Data Processing, as an autonomous central public authority with general competence in the field of personal data protection.

In Slovakia, the authority designated to supervise the processing of personal data of controllers and to apply sanctions for non-compliance with the Regulation is the Data Protection Authority for Personal Data Processing, as an autonomous central public authority with general competence in the field of personal data protection. On the other hand, it is necessary to point out that unauthorized handling of personal data can be also considered a criminal offense under certain circumstances.

COMPANY FORMATION OVERVIEWS 2024
Read more
Mailchimp - subscribe form sidebar
downloadcrosschevron-leftarrow-leftarrow-right