The first and second parts of the GDPR specimen can be found here and here.
We asked those experts who are interested in the protection of personal data to ask the current questions about GDPR. Answer It is a series for the protection of personal data, Jana Pattynová and Pierstone, lawyers, František Nonnemann from MONETA Money Bank and Vladan Rámiš from MAFRA.
7. Where do you see room for the state / ÚOOÚ to contribute to an effective and cost-effective fulfillment of data protection obligations?
account: GDPR is a comprehensive first regulation that moved the protection of personal data during their processing into the field of trade. Therefore, I see space for the generalization of its rules so that the primaries did not make up for the need to study the rules and compose the regulation, but they had a simple guide to what they must follow. The Personal Data Protection Board responded to this request by issuing the Ten Processing Works for the Administrator, which outlines the most important obligations and principles on which the protection of personal data is based during processing. According to it, you can get general information from Basic Stocks to GDPR, available at www.uoou.cz. I recommend you to take these internet pages, because where you can find your information there. Although the body for the protection of personal data is not a regulator, but a supervisory body, there is a decisive space for the active activity of individual ministries or associations, associations of associations, which can help stakeholders to solve their typical problems. After the activities of the GDPR, there will also be room for the personal data protection council to demonstrate a reasonable approach to the exercise of supervisory powers (especially corrective powers), which the others have previously stated.
Rámiš: There are big tasks in front of both ÚOOÚ and ministry ministers in the field of prevention and education. Unfortunately, they are not always recommended and the opinions of individual ministries in full are in line with the GDPR. N The Personal Data Protection Association has prepared critical remarks on several such materials. It would be very beneficial if the central authorities first issued their draft opinions on the GDPR to the professional public before the public debate, as the first ÚOOÚ started to do.
Nonnemann: Unfortunately, not all ministries have been able to analyze their sectoral legislation over the past two years and prepare a proposal for the right where it is necessary for the application of GDPR as a direct result. Inaccuracy and inconsistency will have to be overcome by a deposit, which the first guarantee adrest does not first write. In my opinion, individual ministries should be more active in setting rules for the processing of personal data within their sector, because the personal data protection council is and will remain a supervisory board, not a regulator, and should not set rules for data processing in general. In accordance with the series, the representative for the protection of personal data will then be published by his representative in the past period with a two-pronged rational and fair deposit of regulations and related regulations.
Pattynová: I consider it important that large departments, the financial administration, hospitals, schools and other institutions have the opportunity to communicate transparently, how to handle the data of the citizen, and that the citizens get the court to protect their privacy. We have recent experience with the totalitarian regime and a related critical view of state institutions; GDPR is the folly to work on the court relationship between the citizen and the state. As far as ÚOOÚ is concerned, both citizens and private companies will critically assess the extent to which GDPR is enforced equally in the public and private sectors.
8. Do you agree with the proposed deadly reduction of sanctions for the state and self-government?
Rámiš: From my point of view, this is beneficial, because the purpose of the regulation on personal data protection should be to protect the actual data in the process of dealing with them and not to meet the state budget. On the other hand, if fines are imposed for the state administration, it will be difficult to defend the practice where the entrepreneur would receive sanctions not for the public administration for the same type of GDPR violation.
Nonnemann: No, I disagree. It is true that the question of whether the public sector and the public administration as such should be financially affected as a violation of the first financial affair is unambiguous, however, it should be assessed comprehensively and systematically, not on the basis of ad hoc media campaigns under one of the series of regulations governing public supervision. Moreover, if we look at the history of the personal data protection supervisory activities, we see that the highest sanctions for significant violations of the rules for the processing of personal data were often received by the first authorities.
Pattynová: From the point of view of the court entrepreneur in a fair legislative environment, it is irregular. The imposition of sanctions informs us that he may not be fully prepared to protect private citizens and does not want to take full responsibility in this area. Entrepreneurs who spend large sums of privacy will hardly accept that they do not want to carry the same burden. Understand that the community, had bikes and other organizations need help from the state. However, it would be more appropriate for the state to help these organizations protect their privacy, not to impose sanctions on them. Sanctions for large departments, such as the Ministry of the Interior and the Ministry of Finance are alarming. With these ministries, we can just expect that the protection of privacy can be ensured without exception and with full responsibility.
account: When the first standard is to be full, it must contain a sanction. The first sanction for a round is to force (force) the address to behave according to the rules set by the standard. Financial sanctions are generally among the longest sanctions that the first regulations contain. Therefore, I see no reason for some entities to be completely excluded from the possibility of imposing a financial sanction on them, as the first norm would lose the coercive force for them, which would be reflected in their lax approach to the fulfillment of obligations, which would be a negative phenomenon. Even in the case of a sharp reduction of fines, e.g. at a cost of 5,000 Kč. I see no reason for fines for self-government organizations and self-governments. 101/2000 Coll., On the protection of personal data, i.e. 10,000,000 Kč.
9. One of the cities that often deals with GDPR is the inability to contact business partners by e-mail newsletter without their consent. How to draw the state of GDPR?
account: One of the commercial communications is subject to the law of other regulations, not the GDPR. It is Act No. 480/2004 Coll., on some information services of the company, which is based on the European directive, which is abbreviated as ePrivacy directive and its purpose is to protect privacy in electronic communications and protect users from congested electronic contacts by commercial communications. First, in order not to overwhelm our electronic contacts, rules are set for their en.
As far as GDPR is concerned, it states that the processing of personal data in connection with direct marketing may be the correct name of the administrator. This interest will usually apply to customers. It is definitely necessary to avoid the business message to the contacts from the purchase of the database, because the purchase of the database itself does not entitle the customer to the business message. If a merchant receives an electronic contact in connection with the sale of a product or service, we may send a business message to that contact regarding his own products or services. He does not need consent to do so. You have to give the customer the opportunity to reject such a dream.
Pattynová: The core of this issue is the definition of business partners, i.e. who can be contacted with business offers without his consent. I consider the contacts of existing or former customers to be admissible. If an entrepreneur creates (or buys) a database of potential business partners and contacts them with the offer and newsletter, I consider it inadmissible. Of course, there is a situation between these extremes, contacts from business cards collected at conferences, contacts from an unknown source, etc. I recommend going through these contacts critically. If in the past these contacts did not cause business problems, it may be appropriate not to allow communication on them.
Nonnemann: The GDPR does not happen in this way, because the first law based on the first of the two currencies of the ePrivacy Directive applies. That is Act No. 480/2004 Coll. In general, it can be stated that the GDPR describes the processing of personal data for all marketing purposes as processing, which can, of course, to a certain extent be carried out on the basis of the right of the administrator, i.e. without the consent of the address of the marketing message.
Rámiš: This issue is the primary guideline of ePrivacy and Act No. 480/2004 Coll. The current practice regarding sending an e-mail with offers of similar goods or business partners will not change anything and the so-called opt-out will suffice, i.e. the possibility to have the sending rejected at any time.
10. Recently, a certain amount of hysteria has developed around the GDPR. Do you think it is really a GDPR bubble? And if so, when will such a bubble burst?
account: About a year and a half ago, people started talking about the GDPR, especially in connection with the high sanctions that the GDPR can impose. This started the business with fear, when the fear of GDPR was fueled by information on how high fines this regulation imposes. Some people of the GDPR honored the people and without any prior knowledge and work in this area began to pretend to be the greatest experts on the GDPR. Although they did not pay attention to these areas before, i.e. they did not even know Act No. 101/2000 Coll., on the protection of personal data, they did not even know the context and began to present the GDPR as a revolution (it should be noted that in basic principles and obligations, the GDPR is the same as the amendment to the 101/2000 Coll.). At the same time, there are types such as whether it is mandatory or where you must have a personal data protection authority, to which the personal data protection board responded by issuing a document called The Ten Mistakes. Thus, the set of fears began to develop slowly and we met in the consultant agenda with questions such as whether children will be allowed to sign a painted picture or what is true that the GDPR bans anonymous (smj sign and anonymous GDPR does not prohibit, it is only necessary pay attention to their suitable location).
Pattynová: It is as if a new and during a short period began to be enforced in any other area first. If e.g. so far, the regulations have not been enforced and suddenly high sanctions have been imposed for violating them, it would cause some panic. Experience from other strictly enforced areas, such as e.g. The first and second, show that these areas are very high. I think that in the future, privacy protection, as well as competition tax first, will play a big role in any transaction or structural new product.
Nonnemann: This, to a large extent, this fact of hysteria is, in my view, caused mainly by two aspects. The first is that some subjects of personal data protection have not yet paid enough attention, even the previous regulations were directly ignored and are now frightened by the high sanctions imposed by the GDPR pin. Secondly, the fact that GDPR was used by a number of entities, often without any practical experience with the protection of personal data and information in general, to aggressively offer more and less meaningful services. The bubble will certainly burst, but the fact is that the protection of personal data as darkness has reached a different level and will be far from his attention.
Rámiš: sten urit. On the other hand, this bubble was to some extent caused by the fact that so far the protection of personal data has not been given the attention it deserved. Out of this attention, however, one negative phenomenon actually brought with it – that the rising pendulum swerved to the other side, and to protect personal data, there are sometimes meaningless requirements that do not even correspond to the opinion of the supervisory body. I hope that after May 25, the situation will calm down and everyone will see that life goes on for a long time, that GDPR is in accordance with the regulations, but it cannot stop the company from running.
End of week series.