The date of application of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), is approaching inexorably. Both controllers and processors have been getting ready, professional conferences are being organised across the country, and media attention keeps growing.
The Czech DPA observes that inaccurate, misleading and even plainly mistaken information about the regulation is spreading at the same pace as the interest in GDPR itself.
The following list of recurring mistakes and inaccuracies has been compiled from the Czech DPA's experience at professional events and from observations of publicly available sources. The order of the topics follows the structure of the General Data Protection Regulation (hereinafter "GDPR") and does not express their relative weight.
1. Referring to GDPR as a directive
However harmless an inaccurate label may seem, the legal form of the instrument that will newly govern data protection cannot be misstated. The decisive reason for naming this new piece of legislation correctly (applicable from 25 May 2018, and replacing to a prevailing extent the existing Act No. 101/2000 Coll., on the Protection of Personal Data and on Amendment to Some Acts, hereinafter "Data Protection Act") is that the type of instrument determines how it applies. In general terms, with some exceptions, a regulation is directly applicable in its entirety throughout the European Union, whereas a directive sets objectives that all member states must meet while leaving each country a margin as to how it formulates its national law and achieves those objectives. GDPR is a regulation that nevertheless leaves the member states some room to lay down their own rules, including more detailed specification of certain conditions.
Calling GDPR a directive is not only incorrect but potentially misleading, because a directive really was adopted alongside the General Data Protection Regulation: Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA. The two instruments differ in scope and together establish the new framework for personal data protection in the European Union.
2. Calling GDPR a revolution in data subjects' rights and controllers' obligations
Describing GDPR as an EU legal act that triggers a revolution made sense during its drafting and negotiation, which began in 2012 and ended in 2016.
In fact, one of the essential features of GDPR is continuity: in its objectives and principles the regulation follows Directive 95/46/EC, while at the same time aiming to overcome the present fragmentation of practical data protection in the EU through consistent and unambiguous application of the rules. A simple comparison of the regulation with Directive 95/46/EC shows that the key notions are defined in the same way (personal data, data subject, processing; Article 2 of Directive 95/46/EC and Article 4 of GDPR) and that the principles of processing are formulated similarly (Articles 5 and 6 of GDPR; Articles 6 and 7 of Directive 95/46/EC). The rules for those who process personal data, i.e. controllers and processors, are more detailed and precise than in Directive 95/46/EC and in the Data Protection Act. Several new obligations are imposed on controllers: notification of personal data breaches to the supervisory authority and to data subjects (Articles 33 and 34), and, for certain controllers, the duty to designate a data protection officer (Article 37). Unlike the general formulation of data security obligations in Article 13 of the current Data Protection Act, Article 32 of GDPR expressly names technical measures such as pseudonymisation and encryption, the ability to restore availability of the data, and regular testing and evaluation of the effectiveness of the measures adopted. The obligations of controllers and processors reflect the principles of data protection by design and by default (Article 25), which also apply, for instance, in data protection impact assessments.
The rights of those whose personal data are protected, i.e. data subjects under Directive 95/46/EC, have likewise been preserved and are regulated in more detail. The only genuine novelty is the right to data portability under Article 20 of GDPR. The right to erasure under Article 17 of GDPR, often referred to as the "right to be forgotten", is currently presented in the Czech Republic as an innovation in data subjects' rights. This right is not new in the EU member states, however: it already follows from Articles 12(b) and 14 of Directive 95/46/EC and is found in the Czech Data Protection Act as well, namely in Article 21(1) and (2), under which data subjects in the Czech Republic already exercise it as a matter of common practice.
3. The definition of "personal data" has allegedly been extended
This opinion most often appears as the claim that personal data are only identification data, or information that directly identifies a data subject. It is usually supported by the judgment of the Court of Justice of the European Union holding that a dynamic IP address constitutes personal data within the meaning of Directive 95/46/EC (Breyer, C-582/14). Yet it is precisely this judgment that demonstrates that personal data are not limited to data directly identifying a data subject. GDPR defines personal data as any information relating to an identified or identifiable natural person (Article 4(1)).
A legal definition of personal data cannot be a mere enumeration, because the set of personal data types is open by nature: personal data arise without limit, not only as items linked to ever new data subjects but also in connection with new processing technologies, such as internet-based solutions. An IP address has always been personal data whenever it relates to an identified or identifiable person, not merely since the Court's judgment but since the first operational use of IP addresses. GDPR also no longer contains the condition that processing must be systematic for personal data protection to apply.
4. Blanket data subject consent is better than dealing with individual legal bases
This claim stems from a misunderstanding and underestimation of data subject consent. Consent by the natural person whose personal data a controller intends to process has been a key feature of the European data protection model from the very beginning. It cannot, however, be used where another legal basis for the processing exists, and consent cannot be substituted for that basis: for example performance of a contract, compliance with a legal obligation, or protection of rights or legally protected interests. GDPR treats the data subject's consent to one or more specific purposes as one of six conditions of lawfulness (Article 6(1)) and lays down explicit conditions for obtaining it (Article 7). Consent can be withdrawn at any time (Article 7(3)).
Obtaining blanket consent for all processing operations carried out for different purposes would contradict several provisions of GDPR, from the obligation to collect personal data for specified, explicit and legitimate purposes (purpose limitation, Article 5(1)(b)) to the transparency principle and the requirement that consent be freely given, which is doubtful where consent is bundled with a contract between the controller and the data subject (Article 7(4)).
5. Encryption is obligatory
GDPR does not require any specific measure to secure the processing of personal data (Article 32).
Instead, in laying down the security obligations of controllers and processors, GDPR expressly refers to the state of the art, the cost of implementing the technical and organisational measures, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity that the processing poses to the rights and freedoms of natural persons. The obligation itself is to implement appropriate technical and organisational measures and to maintain the necessary safeguards throughout the whole lifecycle of the processing. Encryption is named as one example of an appropriate measure, alongside pseudonymisation; it is not mandated as such. The security assessment must in particular take into account the risks of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to personal data. Because the accountability principle (Article 5(2)) requires the controller to be able to demonstrate compliance, the decision to encrypt, or not to, should be documented against the assessed risk.
6. Almost every controller, if not all of them, must have a data protection officer
The data protection officer (hereinafter "DPO") is one of the new instruments of personal data protection introduced by GDPR. A controller or processor must designate a DPO only where one of the following conditions is met (Article 37(1)): the processing is carried out by a public authority or body, except for courts acting in their judicial capacity; the core activities of the controller or processor consist of processing operations which, by virtue of their nature, scope and/or purposes, require regular and systematic monitoring of data subjects on a large scale; or the core activities of the controller or processor consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.
In all other cases controllers and processors are not obliged to designate a DPO. In other words, controllers carrying out other processing operations need not have a DPO, although they may designate one voluntarily (Article 37(4)).
7. A data protection officer must hold a certificate
Under GDPR, the DPO is designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the DPO's tasks (Article 37(5)). No specific form of verifying those qualities is prescribed, nor is there any set form of external certification. GDPR neither establishes a procedure for verifying qualifications nor empowers the European Commission or the member states to lay down such conditions by a legal act. Once a DPO has been designated, the controller or processor must provide the resources necessary to maintain his or her expert knowledge (Article 38(2)).
Naturally, where the controller's processing is at least partly subject to statutory confidentiality, the DPO must meet the conditions laid down by the relevant legislation.
8. GDPR places high and hard-to-meet demands on data protection officers
GDPR imposes on whoever designates the DPO a rather loosely worded obligation: to do so "on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to" in the regulation (Article 37(5)). The issue is explained in detail, among others, in the Article 29 Working Party guidelines on data protection officers (WP 243), available in English and Czech at www.uoou.cz.
Deciding what qualities a DPO needs is solely a matter for the designating controller or processor, as is providing ongoing support for the DPO's work in terms of the necessary resources and means.
9. A controller cannot assign tasks to the DPO
This is not true. The claim stems from a misreading of Article 38(3), which obliges the controller or processor to ensure that the DPO does not receive any instructions regarding the exercise of his or her tasks under GDPR and is not dismissed or penalised for performing them.
The controller or processor may of course assign the DPO other tasks and duties, including ones not prescribed by GDPR but related to it, e.g. participation in the testing, assessment and evaluation of the controller's data security measures (Article 38(6)). The sole condition of that provision is that such tasks must not result in a conflict of interests for the DPO.
10. Controllers and processors face fines calculated on the basis of their turnover
GDPR provides that infringements may be penalised, including by administrative fines, in addition to or instead of the corrective measures available to the supervisory authority (Article 58(2)). While the authorities in the Czech Republic and in some other member states do impose fines, in other EU countries (for example Denmark) this has so far not been the case. Currently the upper limit of administrative fines under the Czech Data Protection Act is CZK 10,000,000, although in the past (until 31 December 2004) it was twice that amount. The highest fine the Czech DPA has imposed so far for a detected and proven infringement did not reach even half of the available maximum.
The new maximum amounts (up to EUR 20,000,000 or 4% of total worldwide annual turnover, whichever is higher, under Article 83(5)) are indeed new, but as the regulation and its recitals repeatedly state, every fine must in each individual case be effective, proportionate and dissuasive (Article 83(1)). At the same time GDPR respects the general principles of administrative sanctioning, including criteria for setting the amount of a fine (Article 83(2)), conditions for attributing liability, and grounds for exoneration (release from the penalty).