
The GDPR is Round the Corner. Is your HR Prepared?

Do you collect or otherwise process the personal data of employees? Do you know how you should protect that information, which data may be disclosed, and which sanctions may be imposed on you if you are not compliant with the new General Data Protection Regulation ("GDPR")? Below are answers to five fundamental questions.

Which measures need to be taken to ensure adequate data protection?

It is especially important to put in place appropriate technical and organisational measures: an internal personal data protection policy, and security controls such as a tiered access model in which only authorised employees can reach personal data, password-protected access to databases, automatic logout, locked premises and the like.

It is also important to maintain records of processing activities and to carry out data protection impact assessments where required. Furthermore, it will be necessary to revise relationships with contractual partners who process personal data on the employer's behalf as part of providing services. Among other things, the GDPR sets new requirements for the content of data processing agreements.

Main recommendation: What is the ideal manner of setting measures in line with the GDPR?

Make sure that the HR department processes personal data on a legitimate footing, i.e. on clearly identified legal bases, and that the rights of data subjects are respected and can be exercised against the employer when an employee invokes them.

What does the date 25 May 2018 entail? Certainly a nice spring day, but above all the date from which the General Data Protection Regulation (GDPR) applies, defining:

  • Legal bases for personal data processing;
  • Rights of data subjects;
  • Duties of controllers and processors; and
  • Data protection officer (DPO).

Failure to comply with all statutory requirements may result in supervision by the authorities and sanctions: the Personal Data Protection Office may impose a fine of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. Aside from that, compliance with statutory duties may also be supervised by the labour inspectorates, which check whether employees' privacy is respected at the workplace. This covers, for example, e-mail monitoring and the use of CCTV. Penalties of up to CZK 1 million may be imposed for violations.

What is the major point of focus for HR departments?

With respect to the GDPR, employers must ensure that the HR department processes personal data only to the extent necessary, on identified legal bases and for a specific purpose. At the same time, we recommend that personal data processing rely primarily on legal bases other than consent, since consent given in the employment relationship can be hard to treat as freely given and may be withdrawn at any time.

How will the new regulation affect sharing personal information among colleagues, such as a date of birth for a birthday party?

This will usually depend on how the colleague obtained the information: whether the date of birth was disclosed to them for employment purposes, and whether the employee concerned consented to its disclosure within the organisation, for example on the intranet.

Failure to comply with the rules exposes the employer to sanctions. How will compliance with the GDPR be supervised?

The existing draft of the so-called "Adaptation Act" assumes that the Personal Data Protection Office (the "Office") will proceed under the existing Control Rules. We believe that once the GDPR and the Adaptation Act have taken effect, inspections by the Office should not differ substantially from current practice. It may also be assumed that the Office will carry out inspections both at random and in response to complaints, as has been common practice so far.

Nevertheless, because the Adaptation Act also plans a restructuring of the Office in connection with the GDPR, it is currently impossible to say precisely how inspections will be carried out. The current wording of the Adaptation Act no longer provides for the function of inspectors; the Office's structure will instead consist of the Chairman and two Vice-chairmen. The current inspectors are expected to complete their terms of office under existing legislation, with subsequent inspections carried out by suitably qualified public servants of the Office.
