EU data protection legislation was amended in May 2016 and Regulation 2016/679 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is directly applicable in all EU countries from 25 May 2018.
The law applies to all sectors and types of business that process personal data, regardless of whether or not the processing takes place on the territory of the European Union (to the extent that the goods and/or services of the data controllers are also addressed to persons within the EU).
As the regulation imposes a unique set of rules, a good understanding of the content and impact it generates is necessary, and companies need to review their current data protection compliance programmes to identify problems and implement changes in their business.
Our GDPR compliance guide summarizes the main aspects including types of personal data and their processing conditions, appointment of a data protection officer, data transfer outside of the EU, sanctions and more.
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) was published in the Official Journal of the European Union, L 119/1 series.
The reasons for adoption:
This Regulation entered into force on the twentieth day following that of its publication in the Official Journal of the European Union and applies from 25 May 2018. Furthermore, the Regulation imposed a single set of rules directly applicable in all Member States of the European Union and replaced Directive 95/46/EC and, therefore, the provisions of Law no. 677/2001.
In Czech legislation, the directly applicable Regulation is followed by Act No. 110/2019 Coll., on the processing of personal data. This Act regulates certain issues that are left to be regulated by national legislation.
In Hungarian legislation, the directly applicable Regulation is followed by Act No. 38/2018 on the processing of personal data. This Act modified Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information in accordance with the Regulation.
As part of the changes adapting to GDPR, the Act of 10 May 2018 on the Protection of Personal Data was introduced in Poland.
In Romanian legislation, the Regulation was implemented by Law No 190/2018. Law No 190/2018 is a law regulating the measures implementing Regulation (EU) 2016/679 on the protection of personal data. The law entered into force on 31 July 2018. The law sets out the powers and competences of the national supervisory authority, as well as the sanctions applicable in case of breach of the provisions of the Regulation. The Law applies to all natural and legal persons processing personal data in Romania.
As part of the changes adapting to GDPR, Act No. 18/2018 Coll. on the protection of personal data was introduced in Slovakia.
Any information relating to an identified or identifiable natural person is considered personal data. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.
In other words, personal data is any data that allows a person's identity to be established, directly or indirectly, by a third party.
The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership and the processing of genetic data, biometric data for the unique identification of a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited for GDPR compliance.
Article 9 of the Regulation lists the exceptions to the prohibition of processing sensitive data. They will only be processed to the extent that there are legal grounds for processing, set out exhaustively in the Regulation.
To maintain GDPR compliance, the data must be:
Legal data processing is done under the following conditions:
In addition to the existing rights in GDPR compliance (right to be informed, right to request data portability between controllers, right to object, right to object to profiling), the Regulation brought four new rights of the data subject:
According to the Regulation, children need specific protection of personal data, as they may be less aware of the risks, consequences, safeguards involved and their rights regarding the processing of personal data.
This specific protection should apply, in particular, to the use of children’s personal data for marketing purposes or for the creation of personality or user profiles and to the collection of children’s personal data when using services offered directly to them. The consent of the holder of parental responsibility should not be required in the context of prevention or counselling services offered directly to children.
As children need specific protection, any information and communication, where the processing concerns a child, should be expressed in simple and clear language for GDPR compliance, so that the child can easily understand it.
Where the child is under 16 years of age, such processing is lawful only if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child.
The controller and the processor must appoint a data protection officer whenever necessary for GDPR compliance:
A group of companies may appoint a single data protection officer supervising GDPR compliance, provided that he or she is easily accessible by each of the companies.
The transfer of personal data to a third country or an international organisation may take place when the Commission has decided that the third country, a territory or one or more specified sectors of that third country or international organisation ensures an adequate level of protection. Transfers made under these conditions do not require special authorisations.
In the absence of a decision, the controller or processor may transfer personal data to a third country or international organisation only if the controller or the processor has provided adequate safeguards and provided that there are enforceable rights and effective remedies for data subjects.
As of 25 May 2018, all operators in the public system, persons authorised by operators, and operators in the private system with more than 250 employees are obliged to map the processing of personal data carried out. This obligation is provided for in Article 30 of the Regulation.
The obligation to map data for GDPR compliance also applies to controllers below the above-mentioned employee threshold if the processing that the controller carries out is likely to result in a risk to the rights and freedoms of data subjects, if the processing is not occasional, or if the processing includes special categories of data or personal data relating to criminal convictions and offences.
This record of processing activities will include the following information:
Records will be kept in writing, including in electronic format.
On request, the operator or the processor and, where applicable, the representative of the processor shall make the records available to the supervisory authority to demonstrate GDPR compliance.
For data controllers operating in more than one EU Member State, the competent supervisory authority is that of the Member State where the data controller has its principal place of business.
The controller and the processor’s authorized persons have the obligation to notify the supervisory authority in case of a data security breach.
Notification shall be made within 72 hours of the operator becoming aware of the breach. If there is a major risk to the rights and freedoms of the data subject (e.g. identity theft), the data subject will also be notified as soon as possible.
Any person who has suffered material or non-material damage as a result of a breach of the Regulation has the right to obtain compensation from the operator or the processor for the damage suffered.
Any controller involved in processing operations shall be liable for the damage caused by its processing operations in breach of the Regulation. The processor is liable for the damage caused by processing only if he has not complied with the obligations of the Regulation, which are specifically incumbent on the processor, or has acted outside or contrary to the legal instructions of the controller.
The Regulation provides for severe administrative sanctions, and these can be up to EUR 10 million or 2% of international turnover for violations of the rules on unsolicited communications or up to EUR 20 million or 4% of international turnover for unlawful processing.
Furthermore, Member States shall lay down rules on other penalties applicable to infringements of the Regulation, in particular for infringements which are not subject to administrative fines, and shall take all measures necessary to ensure that they are implemented. Those penalties shall be effective, proportionate and dissuasive.
Supervision over the processing of personal data in the Czech Republic is carried out by an independent control authority – the Data Protection Authority (in Czech: „Úřad pro ochranu osobních údajů”). The Czech DPA monitors GDPR compliance with legal regulations and enforces them.
The National Authority for Data Protection and Freedom of Information (hereinafter "the Authority" or "the NAIH") is responsible for monitoring and promoting the enforcement, in GDPR compliance, of two fundamental rights: the right to the protection of personal data and the right to freedom of information (access to data of public interest and data accessible on public interest grounds) in Hungary, as well as promoting the free movement of personal data within the European Union. Based on a constitutional provision, Act CXII of 2011 on the right to informational self-determination and on the freedom of information (hereinafter "Act CXII of 2011"), which entered into force on 1 January 2012, established the Authority and regulated its operation in detail. From an organisational perspective, the NAIH is an autonomous state administration organ; it may not be instructed in its functions and shall operate independently of other organs and of undue influence. The tasks of the NAIH may only be determined by an Act of Parliament.
In Poland, the authority designated to supervise the processing of personal data of controllers and to apply sanctions for non-compliance with the Regulation is the President of the Personal Data Protection Office, as an autonomous central public authority with general competence in the field of personal data protection.
In Romania, the authority designated to supervise the processing of personal data of controllers and to apply sanctions for non-compliance with the Regulation is the National Supervisory Authority for Personal Data Processing, as an autonomous central public authority with general competence in the field of personal data protection.
In Slovakia, the authority designated to supervise the processing of personal data of controllers and to apply sanctions for non-compliance with the Regulation is the Data Protection Authority for Personal Data Processing, as an autonomous central public authority with general competence in the field of personal data protection. On the other hand, it is necessary to point out that unauthorized handling of personal data can be also considered a criminal offense under certain circumstances.