What do you have to do as an entrepreneur because of GDPR? It takes effect on Friday

For entrepreneurs, GDPR does not necessarily mean fundamental changes. With appropriate modification of the company's existing internal regulations, the transition does not have to be difficult. Experts wrote advice for Technet.cz on everything an entrepreneur should remember with the new regulation.

The first part of our special on GDPR, which explained even to a layman that this new regulation will not deny him the opportunity to put on the web, for example, photos from a concert or the street, can be found here.

We asked experts who deal with the protection of personal data the current questions about GDPR. Answering are the Office for Personal Data Protection, Jana Pattynová of the law firm Pierstone, František Nonnemann from MONETA Money Bank and Vladan Rámiš from MAFRA.

4. How should the internal regulations be implemented by the entrepreneur in connection with the GDPR?

Rámiš: I think that one should first think about how to combine one's existing internal regulations with the GDPR and whether it is not enough to adjust them (e.g. regulations laying down technical and organizational measures to protect personal data according to the current Act 101/2000 Coll.). What will be new is an internal regulation determining how to proceed in the event of a so-called data breach, i.e. a breach of the security of personal data. It is therefore important for you to think about the possible rights of archived and filed data in all companies, as well as about some underlying organizational regulation, which would determine the competencies of individual persons within the process of personal data protection. Of course, great attention should be paid to the renewal of IT security and security of personal data in general.

Nonnemann: This depends mainly on the subject of the controller's activity and on the extent and risk of the processing of personal data that he performs. In the case of an organization that carries out extensive processing of personal data, profiling, and processing of sensitive personal data (health status, national and ethnic origin, biometric data, etc.), it is necessary, in my opinion, to comprehensively describe how the responsibility for all related agendas is divided, as well as for the fulfillment and documentation of individual obligations under the GDPR. It depends on the decision of the controller whether to address all these aspects in one internal regulation, or whether to address some points in separate regulations, e.g. selection and processing of personal data, the establishment and competence of the commission for the protection of personal data, information security, etc.

Office: It cannot be said across the board that every entrepreneur in the position of controller should adopt internal regulations for the protection of personal data. GDPR is a so-called performance based regulation, which means that the regulation applies to its addressees depending on the spectrum of their activities, i.e. small businesses will usually fulfill the most basic obligations, while the main addressees of GDPR are controllers such as banks, telephone operators, hospitals, social networks, etc., who will have to fulfill the fifth duty. Thus, special internal regulations governing the processing of personal data within the organization need to be in place only at those organizations for which this is necessary with regard to their processing activities. Therefore, there is no obligation for anyone to draw up a directive for employees regarding their personal processing of personal data.

Pattynová: I agree with my colleagues. In addition to the mandatory information processing for organizations with more than 250 employees, I consider the longest simple guideline for employees with basic rules for dealing with personal data, archiving and shredding the tax of first steps. Organizations should not forget the impact assessment (DPIA). DPIA is often omitted, e.g. for processing related to monitoring the use of IT tools by employees.

5. How do you understand the guidelines of WP29 (WP29 is a group of supervisory authorities from individual EU member states), are they all believed, even if they are extensive? And what will their practical benefits be?

Pattynová: The guidelines are beneficial, but contain very conservative interpretations, often in excess of GDPR requirements. Lawyers are thus confronted with more stringent requirements, and cannot predict how these more stringent requirements will stand up to a possible judicial review.

Rámiš: The WP29 guidelines are definitely beneficial, but I can’t help but feel that they often suffer from altered tunneling syndrome. It should give more protection to the development of society and take into account the practical side of things and costs that may be incurred by companies in the need to apply all measures that are expected (and which sometimes have no support in GDPR).

Nonnemann: Especially for the new institutes that the GDPR brings, it is certainly very important that the supervisory authorities publish how they will interpret them. There are two particularly critical remarks on the approach of WP29: on the one hand, there have been no guidelines on a number of key points in the GDPR, and there will be no publication in the activities of the GDPR or the issue. And the second remark is my personal feeling that WP29 goes beyond what the European legislature has accepted in some guidelines, and you can first try to impose new responsibilities beyond what is, of course, unacceptable. However, the Czech supervisory authorities, even in extreme cases the first courts, will correct this approach.

Office: The guidelines of WP29, or from 25 May 2018 of the Board, are an important part of the entire GDPR ecosystem. They would not be the first in the sense of the first regulation, the GDPR itself will provide them in the sense that it assumes their issuance. In addition, they are the result of the work of representatives of the individual supervisory authorities, so they are relatively important in this respect. I see their practical contribution mainly in the detailed information, it is used primarily by organizations that have a mandatory appointment for the protection of personal data, or those organizations for which it is important with regard to their activities. Whether the guidelines are extensive, we will see in practice according to the approach of the supervisory authorities. He notes that he has the first right to judicial protection before the first decision of the supervisory authority. Even in the case of the presumption that the decision of the supervisory authority is based on a given extensive interpretation in the guidelines.

6. The relationship to the ePrivacy Directive: does the GDPR now change anything about the use of cookies as they work under the regime of the ePrivacy Directive, or the Act on Electronic Communications?

Rámiš: Cookies are such a bruise today. Although the data obtained from cookies, if they are not connected with specific identified data, are at most so-called pseudonymous data (i.e. relatively safe), then one of them has long been publicly known. In addition, the development of cookies is mainly due to the local implementation of the ePrivacy Directive, which is relatively benevolent.

Personally, I would like to place more emphasis on cookies, especially on fulfilling the information obligations given to entities. The possibility of using cookies (or agreeing with them) is probably still presumed from the browser settings. In the other case, it makes sense to wait for the final wording of the new ePrivacy Regulation, which will replace the current directive. Of course, it cannot be ruled out that other EU countries will stop making a written contribution to these rules.

Office: The issue of cookies is not fully easy to grasp today, as cookies can be used for various elements, which is due to the obsolescence of legislation. The situation is clearest with the so-called technical cookies, which are used so that web pages are displayed correctly, etc.; these can be used without the user’s consent. For other types of cookies, e.g. advertising, the so-called opt-in principle should apply, where the user agrees to their use. The GDPR does not significantly interfere in the issue of cookies, as it is a separate area that is the subject of other regulations (Act 127/2005 Coll., on Electronic Communications, or at the European level the so-called ePrivacy Directive). On the one hand, it is possible that cookies are sometimes left over from magpie. It always depends on the way they are used.

Nonnemann: Not in my opinion. GDPR is not the only legal regulation, and if the law on electronic communications sets the way to work with cookies (this transposition of the ePrivacy Directive may not be completely accurate), then it is a special legal regulation that takes precedence. The most effective approach, and from the point of view of the exercise of public power also the fairest, is, in my opinion, to wait for the approval of the ePrivacy Regulation, and then to explain the relationship to GDPR and the consequences for practice.

Pattynová: I agree, cookies are subject to a legal regulation which, in relation to the GDPR, I consider a special law, whether it is the existing law or in the future the ePrivacy Regulation. That is why we are so quick to proceed in this area according to the existing law and then implement the ePrivacy Regulation.

To be continued tomorrow.