The GDPR (General Data Protection Regulation) is a EU regulation on protection of personal data and unification of rules in this area within the framework of the European Union, which with the effect as of 25 May 2018 will be replaced with the Czech Act No. 101//2000 Coll. on Personal Data Protection and will be binding in the Czech Republic and directly applicable. It applies to all entities processing information on individuals – EU citizens, no matter where they are located geographically (employers, service providers, operators of websites and e-shops). It will affect the public sector (banks, insurance companies, hospitals) and small and medium-sized enterprises, too.

Significant changes

·         the actual term “personal data“ is made more accurate and extended to include also  technical data such as e-mail address, IP address, Cookies and so-called genetic and biometric data.

·         exact regulation of conditions for obtaining consent to data processing. The consent must be explicit, unambiguous, unconditional and withdrawable any time.

·         personal data can be processed to the necessary extent and for a limited time only. For the whole time of the processing, the entities must be able to prove the degree and level of security.

·         there is no more the so-called notification duty – the duty to notify the Office for Personal Data Protection of the beginning of personal data processing;


Failure to meet the conditions can be penalized by sanctions that are several times higher than before and may even spell doom for the perpetrator in some cases: amounting up to EUR 20,000,000 (approximately CZK 535 million) or 4% of the total annual revenues worldwide, whichever is higher.


New duties of data controllers, the compliance of which falls within responsibility of data controllers

Novelties include for example a principal emphasize on the information duty, the right to data portability, the right to be forgotten, the duty to carry out Data Protection Impact Assessment – DPIA for selected processing types or to appoint Data Protection Officers – DPOs.

·         the duty to report events of breach of personal data security

Data controllers have a duty  to report each event of breach of personal data security to the supervisory authority without undue delay, within 72 hours after becoming aware of the breach, unless such event poses no risk for rights and duties of an individual. In the event of a high risk for an individual it is also necessary to report the breach to the subject affected by the breach of protection.

·         the duty to appoint a Data Protection Officer (DPO). In case of public administration, state-owned enterprises and companies engaged in systematic monitoring of individuals  (e.g. public authorities and offices, municipalities, hospitals and private clinics, insurance companies and banks, utility providers) there is another duty, namely to appoint a Data Protection Officer. The job of a DPO includes supervision over activities of such entities as to their compliance with the GDPR, communication with the Office for Personal Data Protection and performance of internal activities such as internal audits or trainings.


Services provided by our law firm in connection with the GDPR


·         analysis of the present situation and preparedness for the GDPR, proposal for necessary changes and implementation of the GDPR according to the client´s individual needs

·         legal revision of documents used in relation to data subjects, especially revision of contracts with clients, obtaining of consents of data subjects, informing

·         processing or revision of internal guidelines or other internal documents of clients regulating personal data protection

·         mandatory consulting with a supervisory authority in connection with important processing of personal data

·         in-company training of employees or managers

·         inspection of legal tools used for data transfer to a foreign country