GDPR
1. COMPLIANCE WITH THE EU PERSONAL DATA PROTECTION RULES
The states of the European Union have decided to jointly address data protection and the privacy of all their citizens. For this purpose, on April 27, 2016 the General Data Protection Regulation (GDPR), which will enter into force on May 25, 2018 was approved. The form of the regulation means that it is directly binding and applicable in all states of the European Union without the need to incorporate it into the national laws of the individual states.
Among other things, the reason for the regulation was to meet the new challenges of privacy, for example:
- in online marketing and trading with personal data;
- in sharing information on social networks;
- export of personal data to countries outside the European Union;
- new privacy rights for citizens in the digital area
2. SELECTED CHANGES INTRODUCED BY GDPR
We would like to remind that the adoption of the Regulation brings together rules across the EU and changes in conditions and rules also occur in the Slovak Republic. However, the area of protection of personal data is relatively extensively handled in the Slovak Republic even today. Therefore, we choose those areas with more significant changes compared to the current state.
Selected new duties or changes in the current ones:
I. extension of personal data term (e.g. email, IP address, cookies on websites);
II. an obligation to report violations or releases of personal data within 72 hours;
III. the right of natural persons to be forgotten (delete all registered personal data on request);
IV. tightening the conditions for granting consent to the processing of personal data;
V. extension the obligations for intermediary service providers;
VI. changes in photo processing and in the operation of camera systems;
Abolition of some current duties:
I. the notification and registration of information systems by the Office for the Protection of Personal Data is abolished; it is replaced by the record keeping obligation;
II. the obligation to draw up a security project, which is replaced by an obligation to assess the impact on the protection of personal data (security analysis), is cancelled;
3. SANCTIONS
The sanctions that may be imposed by the Office for the Protection of Personal Data are up to EUR 20 Mio or 4% of the worldwide turnover (including related companies), whichever of the calculated sanctions would be higher.
4. RESPONSIBLE PERSON - DPO (DATA PROTECTION OFFICER)
Even private companies may set up the position of the responsible person if their main activities concern the processing of personal data, which require a regular and systematic monitoring of the persons concerned to a wide extent. A person with legal expertise and data protection practices should help the controller or the processor monitor internal compliance with the GDPR Regulation. The company should publish their contact details and inform the Office about them.
5. DIGITAL RIGHTS OF EU CITIZENS IN DIGITAL ECONOMY
- The right to receive clear and comprehensible information about who processes the data of the citizen, what data is processed and for what purpose;
- The right to provide on request access to personal data that the organization has about a citizen;
- The right “to be forgotten”. A citizen can ask for the deletion of his or her personal data if he or she no longer wishes to process it;
- The right to ask one service provider to transfer the citizen's personal data to another service provider;
- If the citizen´s personal data is lost or stolen, he or she has the right to be informed.
6. RECOMMENDED STEPS TO ENSURE GDPR COMPLIANCE
Based on the above, we would like to point out a few steps that your company should take regarding the privacy and compliance with the GDPR Regulation:
I. Map the personal information that your company collects and processes;
II. perform a security analysis (what systems are used, processing risks, etc.);
III. enter into a personal data processing agreement (similar to ours), also with other intermediaries to whom you transfer personal information;
IV. if you also collect other personal information, such as those processed by law, make sure that it is collected only for a specific purpose and only for the time necessary to ensure that purpose, and that consent has been given to the data processed by all data subjects in accordance with the new law;
7. SAFETY OF E-MAIL COMMUNICATION
One of the areas of compliance with GDPR, which will definitely affect almost all enterprises and companies, and therefore we especially draw attention to it, is the sending of personal data through ordinary email communications.
GDPR requires personal data to be protected during transmission. In the case of electronic transmission, this means encryption of the transmitted data.
Usage of regular email is contrary to the following requirements across multiple sites:
- data is not encrypted during the transmission
- during Internet transmission it may be "caught"
- in the case of a typo in an email address, personal data may easily leak
- in emails, it is difficult to control that personal data is exchanged only between authorized persons on both sides,
- there are usually multiple copies of emails on multiple devices (server, PC client, mobile) and more opportunities for personal data leak
There are solutions to encrypt and secure data transmission by email but each of these solutions addresses only some of the above risks, while being challenging for technical implementation, time consuming or coordinating steps on both sides. We in VGD SLOVAKIA s.r.o. therefore decided to have another approach to comply with the GDPR requirements for the transfer of personal data.
We have created the VGD Slovakia client web portal (built on the Tulip platform). The portal also includes a shared data storage that will serve to upload files with personal data.
The clients of VGD SLOVAKIA will be individually informed about details of this solution.
We will provide you more detailed information.
