11 pieces of advice and recommendations for getting to grips with the personal data protection regulation

The General Data Protection Regulation (GDPR) was one of the most discussed topics last year. Its mandatory application, which began in May 2018, was preceded by stormy debates, careful preparations by stakeholders and uncertainty about the practical consequences the regulation would produce. At a business breakfast held at the end of last week, we assessed the first six months of the GDPR’s application. We have selected the 11 most interesting pieces of advice and recommendations to help you find out whether the steps you have taken are in line with the regulation and what to do to achieve compliance.

1. Initial analysis

Obtaining all relevant information from companies is the first important step for accurate GDPR implementation. “We meet with major companies, talk to them and inquire what data they collect, for what purpose and in what systems”, explains Ján Kuklinca, attorney-at-law at Deloitte Legal, and adds: “Small companies sometimes prefer a more economical way of status mapping, such as completing questionnaires. The third option is a combination of the two previous alternatives”. Based on the data collected, Deloitte provides its clients with its recommendations.

2. Documentation for individuals should be written understandably

Texts are often drafted by lawyers, with complex, long sentences that sometimes run to ten lines. However, firms should try to express themselves briefly and provide understandable information. “A summary should be provided at the beginning to make it clear that a company wants to be transparent. Try to see yourselves in an addressee’s place and make the information understandable for him or her. Images and pictograms are also recommended. When providing their consent, people should know what they are signing up to”, advises Martina Heřmanová, attorney-at-law at Deloitte Legal.

3. Separate documentation for separate categories of individuals

“We recommend dividing information on processing into separate categories of individuals, namely information for customers, suppliers and HR”, says Ján Kuklinca. The format of any privacy policy (personal data protection principles or information notice) should always be adjusted to how a company communicates with each group of individuals and when it contacts them.

4. Records on processing activities

Today, every controller should have a document containing records of its personal data processing activities. Its form is not strictly prescribed; it depends, for example, on the size of the company. What matters is that all processing activities performed by the company are recorded in the document. “The Office for Personal Data Protection considers such a document to be a ‘Holy Grail’: it is likely to be the first document to be examined during an audit”, says Martina Heřmanová and highlights the need to update the records on an ongoing basis.

5. Controller’s internal regulations

It is crucial for any controller to have internal regulations in place governing how personal data is handled. All employees should know what to do with personal data, whom in the company to contact if something is unclear and how to handle security incidents. “We also recommend introducing shredding and filing guidelines and plans”, states Martina Heřmanová and adds: “A number of companies lack these documents although the rules on destroying, archiving and administering physical and data documents had been required by Czech legal regulations before the GDPR’s effective date”.

6. What other organisational measures to introduce?

It is advisable to arrange e-learning or training sessions so that employees are aware of all measures relating to the GDPR. Setting up IT systems to support GDPR-related processes is another recommended step. Firms also appoint a Data Protection Officer (DPO) or a contact person. “In our experience, it should be a person knowledgeable of what is going on in a company and having unlimited access to records on processing activities rather than just a formally appointed individual”, states Ján Kuklinca.

7. Consent to personal data processing

Under certain circumstances, consent is the legal basis a company needs in order to process personal data. In the past, consent to personal data processing was included in contracts. This approach is, however, not considered to be freely given consent. Consent therefore cannot form part of a contract or business terms; it should always be given separately. A related issue is the collection of excessive consents, i.e. requesting consent even where another legal basis exists, such as processing necessary to perform a contract, compliance with statutory requirements or the controller’s legitimate interest. “Obtaining consents should be the last option”, recommends Martina Heřmanová, attorney-at-law at Deloitte.

8. Position of a third party processor

A processor is simply an entity to which the controller provides personal data for processing on the basis of the controller’s authorisation and instructions. The relationship between a controller and a processor is governed by a contract under Article 28 of the GDPR. “We often see that our clients have concluded this type of contract with another controller, which is not correct. The two entities provide data to one another but each controls it independently”, explains Martina Heřmanová.

9. Call records

Various situations arise when calls are recorded. The first is simply a call to an advice line: although the call is recorded, there is no systematic attempt to find out who the caller was and the recording is not used to improve the quality of services. This is not personal data processing and no consent to personal data processing needs to be obtained. The second situation covers calls in which a company (often a financial institution) identifies the caller by phone number and links the recording to that person. This is personal data processing, and the question of whether and how to obtain the caller’s consent must be resolved. The consent should be given through an active step taken by the caller, such as pressing a button.

10. Cookies

Where cookies fall solely under the Czech legal environment, the Office for Personal Data Protection has stated that it is sufficient to inform visitors on the company’s website that the company uses cookies and how it does so. However, if the company’s owner is based abroad, this approach might not be sufficient, and active consent to the use of cookies is usually required.

11. Selection procedure

In practice, employers often keep the CVs of job applicants who were unsuccessful in a selection procedure for an excessive period and contact them to offer other positions. If a company wants to keep a CV on file, it should first obtain the applicant’s consent.

The article is part of dReport – January 2019, Legal news.
