Gauging the GDPR in the Czech Republic

On May 25, 2018, the General Data Protection Regulation finally came into effect, imposing new requirements on organizations within the European Union and on those outside the EU that offer goods or services to EU data subjects or monitor their behavior. To learn more about the state of readiness in one such country, we spoke to Schoenherr attorney and Data Protection specialist Eva Bajakova in Prague.

CEELM: Eva, has the GDPR been fully adopted into Czech law? Were the changes from previous Czech law substantial?

E.B.: On May 25, 2018, the GDPR became directly applicable in the EU, plus Iceland, Norway, and Liechtenstein. In order to better link Czech law with the GDPR, some partial aspects of the GDPR will be regulated in a new Czech Data Processing Act, a draft of which has been finalized, but which awaits parliamentary approval and signing by the president. The act was not passed in time, which is likely to lead to some legal uncertainty.

The GDPR represents the greatest change in Data Protection law in the last 20 years. The GDPR introduces higher privacy standards. What was considered merely good practice under current legislation has become mandatory under the GDPR. And of course there are some new obligations too, such as the obligation to notify the supervisory authority of a personal data breach, and (for some) the obligation to designate a data protection officer. After May 25, 2018, infringers may be fined up to EUR 20 million or 4% of the undertaking’s total worldwide turnover, whichever is higher.

CEELM: What were the highest fines ever imposed by the Czech supervisory authority under the previous regime? 

E.B.: The record fine imposed by the Czech Office for Personal Data Protection was CZK 4.25 million (approximately EUR 167,000) in May 2017 on a spammer company. However, spamming is regulated by special legislation. The highest fine ever imposed based on the old Data Protection Act was CZK 3.6 million (approximately EUR 140,000) in April 2016 on a mobile operator whose employee allegedly stole the personal data of 1.2 million customers. Such fines seem ridiculously low when compared to the maximum fine for data breaches under the GDPR.

CEELM: What’s the general level of readiness of companies in the Czech market?

E.B.: It’s a work in progress. According to data published by the Czech Chamber of Commerce in March 2018, over 80% of Czech companies knew that they needed to implement the GDPR. The survey was conducted in late January and early February, with 580 companies of all sizes taking part. Still, with almost 500,000 companies in the Czech Republic the overall level of readiness is difficult to estimate. My estimation is that the majority of active companies are at least partially GDPR-compliant.     

CEELM: What particular aspects of GDPR compliance are companies pushing back against the most?

E.B.: When implementing the GDPR, many companies find that their internal data processing procedures need to be adjusted to process only what is necessary and to comply with the “need to know” principle. Unfortunately, some companies are also discovering that they cannot rely on consent for personal data processing gained under the previous legislation. They then have to invest a lot of time and effort in obtaining new consents that are GDPR compliant. 

CEELM: What’s your personal view of the GDPR, and on the issue of data privacy in general? Do you believe the GDPR represents an appropriate balance of various interests, or does it go beyond what is necessary?

E.B.: Prior to March 2018, nobody had heard of Cambridge Analytica. I believe that the recent data misuse scandals, like the one involving that company, show that a better legal framework is needed. One of the main goals of the GDPR is to give people more control over their personal data, which is a good and reasonable aim. 

I see the GDPR as a compromise in some ways. It targets all types of companies – large Internet companies (including social networks) as well as small businesses. Of course, for smaller businesses, the GDPR can mean too much paperwork. On the other hand, time will show how efficiently the GDPR can regulate the biggest Internet players and if an extra layer of regulatory tools should be added for them.     

CEELM: What steps has Schoenherr taken in the Czech Republic to help keep clients informed and prepared?

E.B.: Schoenherr has published several detailed newsletters about the GDPR. My colleagues in Prague have also discussed the GDPR at business breakfasts for our clients. GDPR-related topics are very popular throughout Schoenherr’s CEE network. It is a bulky piece of legislation and clients want to know how to deal with it effectively. Currently, we are involved in numerous GDPR projects, some of them covering various European jurisdictions. It is very rewarding work with great international reach. 

CEELM: Will you be continuing these sorts of efforts to help non-compliant firms deal with potential inspections or potential penalties?

E.B.: Absolutely. Schoenherr will closely monitor how the GDPR is enforced in practice. We are prepared to update and alert our clients.     

CEELM: The GDPR is really sucking the air out of the room at the moment, but are there any other issues you and your team are paying attention to right now?

E.B.: My colleagues are paying very close attention to a recent amendment to the Czech Republic’s Public Register Act establishing a new register of ultimate, beneficial owners. The aim of the new law is to clearly disclose corporate ownership structures. Czech companies are obliged to register their beneficial owners by January 1, 2019. For trusts, the deadline is postponed until January 1, 2021.

CEELM: Finally, if you had to give one piece of advice to clients who are only starting the process of becoming compliant now, what would it be?

E.B.: To think about who is most likely to complain to the supervisory authority. This is a good way to prioritize what needs to be done. The Czech Office for Personal Data Protection often initiates its inspections based on a complaint.   

This Article was originally published in Issue 5.5 of the CEE Legal Matters Magazine.