Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) was published in the Official Journal of the European Union, L 119/1 series.

The reasons for adoption:

• The principles and rules relating to the protection of natural persons with regard to the processing of their personal data should, regardless of the nationality or place of residence of natural persons, respect their fundamental rights and freedoms, and in particular their right to the protection of personal data;
• The Regulation seeks to contribute to the achievement of an area of freedom, security and justice and of an economic union, to economic and social progress, to the consolidation and convergence of economies within the internal market and to the well-being of individuals;
• To defend the right to private, family and private life with regard to the processing of personal data.

This Regulation entered into force on the twentieth day following that of its publication in the Official Journal of the European Union and applies from 25 May 2018. Furthermore, the Regulation imposed a single set of rules directly applicable in all Member States of the European Union and replaced Directive 95/46/EC and, therefore, the provisions of Law no. 677/2001.

In Czech legislation, the directly applicable Regulation is followed by Act No. 110/2019 Coll., on the processing of personal data. This Act regulates certain issues that are left to be regulated by national legislation.

In Hungarian legislation, the directly applicable Regulation is followed by Act No. 38/2018., on the processing of personal data. This Act modified the Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information in accordance with the Regulation.

As part of the changes adapting to GDPR Act of 10 May 2018 on the Protection of Personal Data was introduced in Poland.

In Romanian legislation, the Regulation was implemented by Law No 190/2018. Law No 190/2018 is a law regulating the measures implementing Regulation (EU) 2016/679 on the protection of personal data. The law entered into force on 31 July 2018. The law sets out the powers and competences of the national supervisory authority, as well as the sanctions applicable in case of breach of the provisions of the Regulation. The Law applies to all natural and legal persons processing personal data in Romania.

As part of the changes adapting to GDPR Act No. 18/2018 Coll. on protection of personal data was introduced in Slovakia.

Any information relating to an identified or identifiable natural person is considered personal data. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity.

Data with normal protection level

• Name
• First name
• E-mail address
• Phone number
• Bank account number
• Date of birth
• Personal identification number etc.

In other words, any data that allows a person’s identity to be compromised directly or indirectly by a third party.

Sensitive data

The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade-union membership and the processing of genetic data, biometric data for the unique identification of a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited for GDPR compliance.

• Genetic data: Defined in international documents as data relating to the hereditary characteristics of a person or to the hereditary pattern of such characteristics relating to a group of persons in a family, genetic data are personal data within the meaning of Directive 95/46/EC, as they allow the identification of the person concerned, highlighting his/her uniqueness.
• Biometric date: The biometric data included in electronic documents are the facial image in digital format and the papillary impressions of two fingers in digital format.
• Data on a person’s health: Personal data relating to the physical or mental health of an individual, including the provision of healthcare services, which reveal information about the individual’s health.
• Other special data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership.

Article 9 of the Regulation lists the exceptions to the prohibition of processing sensitive data. They will only be processed to the extent that there are legal grounds for processing, set out exhaustively in the Regulation.

According to the Regulation, children need specific protection of personal data, as they may be less aware of the risks, consequences, safeguards involved and their rights regarding the processing of personal data.

This specific protection should apply, in particular, to the use of children’s personal data for marketing purposes or for the creation of personality or user profiles and to the collection of children’s personal data when using services offered directly to them. The consent of the holder of parental responsibility should not be required in the context of prevention or counselling services offered directly to children.

As children need specific protection, any information and communication, where the processing concerns a child, should be expressed in simple and clear language for GDPR compliance, so that the child can easily understand it.

Where the child is under 16 years of age, such processing is lawful only if and to the extent that such consent is given or authorised by the holder of parental responsibility over the child.

Appointment of a data protection officer

The controller and the processor must appoint a data protection officer whenever necessary for GDPR compliance:

• The processing is carried out by a public authority or body, with the exception of courts acting in their judicial capacity;
• The main activities of the controller or the person authorised by the controller consist of processing operations which, by their nature, their scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale;
• The main activities of the controller or of the person authorised by the controller consist in the processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.

A group of companies may appoint a single data protection officer supervising GDPR compliance, provided that he or she is easily accessible by each of the companies.

Responsibilities of the Data Protection Officer

• Informing and advising the controller or the processor’s authorised representative and the employees involved in the processing on their obligations under the Regulation and other provisions of Union or national law relating to data protection;
• Monitoring GDPR compliance with the Regulation, other provisions of Union or national law relating to data protection and the policies of the controller or the processor with regard to the protection of personal data, including the allocation of responsibilities and awareness-raising and training actions to staff involved in processing operations, and related audits;
• Providing advice on request in terms of data protection impact assessment and monitoring its functioning for GDPR compliance;
• Cooperation with the supervisory authority;
• Assuming the role of point of contact for the supervisory authority on processing-related matters, including prior consultation and, where appropriate, consultation on any other matter.

The transfer of personal data to a third country or an international organisation may take place when the Commission has decided that the third country, a territory or one or more specified sectors of that third country or international organisation ensures an adequate level of protection. Transfers made under these conditions do not require special authorisations.

In the absence of a decision, the controller or processor may transfer personal data to a third country or international organisation only if the controller or the processor has provided adequate safeguards and provided that there are enforceable rights and effective remedies for data subjects.

As of 25 May 2018, all operators in the public system, persons authorised by operators, and operators in the private system with more than 250 employees are obliged to map the processing of personal data carried out. This obligation is provided for in Article 30 of the Regulation.

The obligation to map data for GDPR compliance is also necessary for employees below the above mentioned threshold, if the processing that the controller carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional or the processing includes special categories of data or personal data relating to criminal convictions and offences.

This record of processing activities will include the following information:

• Name and contact details of the controller and, where applicable, the associated controller, the controller’s representative and the data protection officer;
• The purposes of the processing;
• Description of the categories of data subjects and categories of personal data;
• The categories of recipients to whom personal data have been or will be disclosed, including recipients in third countries or international organisations;
• If applicable, transfers of personal data to a third country or international organisation, including identification of the third country or international organisation concerned, documentation proving the existence of appropriate safeguards;
• Where possible, the expected deadlines for deletion of the different categories of data;
• Where possible, a general description of the technical and organisational security measures.

Records will be kept in writing, including in electronic format.

On request, the operator or the processor and, where applicable, the representative of the processor shall make the records available to the supervisory authority to fulfill GDPR compliance.

For data controllers operating in more than one EU Member State, the competent supervisory authority is that of the Member State where the data controller has its principal place of business.

The controller and the processor’s authorized persons have the obligation to notify the supervisory authority in case of a data security breach.

Notification shall be made within 72 hours of the Operator becoming aware of the breach. If there is a major risk to the rights and freedoms of the data subject (e.g. identity theft), the data subject will be notified as soon as possible.

Any person who has suffered material or non-material damage as a result of a breach of the Regulation has the right to obtain compensation from the operator or the processor for the damage suffered.

Any controller involved in processing operations shall be liable for the damage caused by its processing operations in breach of the Regulation. The processor is liable for the damage caused by processing only if he has not complied with the obligations of the Regulation, which are specifically incumbent on the processor, or has acted outside or contrary to the legal instructions of the controller.

The Regulation provides for severe administrative sanctions, and these can be up to EUR 10 million or 2% of international turnover for violations of the rules on unsolicited communications or up to EUR 20 million or 4% of international turnover for unlawful processing.

Furthermore, Member States shall lay down rules on other penalties applicable to infringements of the Regulation, in particular for infringements which are not subject to administrative fines, and shall take all measures necessary to ensure that they are implemented. Those penalties shall be effective, proportionate and dissuasive.

Supervision over the processing of personal data in the Czech Republic is carried out by an independent control authority – the Data Protection Authority (in Czech: „Úřad pro ochranu osobních údajů”). The Czech DPA monitors GDPR compliance with legal regulations and enforces them.

The National Authority for Data Protection and Freedom of Information  (hereinafter “the Authority” or “the NAIH”)  is responsible  for monitoring and promoting the enforcement in GDPR compliance of two fundamental rights: the right to the protection of personal data and the right to freedom of information (access to data of public interest and data accessible on public interest grounds) in Hungary, as well as promoting the free movement of personal data within the European Union. Based on constitutional provision, the Act CXII of 2011 on  the right to informational self-determination and on the freedom of information (hereinafter “the Act CXII of 2011”) , which  entered into force on 1 January 2012,  established the  Authority  and regulated its operation in detail. From an organisational perspective, the NAIH is an autonomous state administration organ; it may not be instructed in its functions and shall operate independently of other organs and of undue influence. The tasks of the NAIH may only be determined by an Act of Parliament.

In Poland, the authority designated to supervise the processing of personal data of controllers and to apply sanctions for non-compliance with the Regulation is the President of the Personal Data Protection Office, as an autonomous central public authority with general competence in the field of personal data protection.

In Romania, the authority designated to supervise the processing of personal data of controllers and to apply sanctions for non-compliance with the Regulation is the National Supervisory Authority for Personal Data Processing, as an autonomous central public authority with general competence in the field of personal data protection.

In Slovakia, the authority designated to supervise the processing of personal data of controllers and to apply sanctions for non-compliance with the Regulation is the Data Protection Authority for Personal Data Processing, as an autonomous central public authority with general competence in the field of personal data protection. On the other hand, it is necessary to point out that unauthorized handling of personal data can be also considered a criminal offense under certain circumstances.