GDPR for businesses, or briefly on the GDPR.

Although a little more than a month has passed since the GDPR (the EU General Data Protection Regulation) became applicable on 25 May 2018, there are still many questions about how it applies in practice. The situation is made worse by the growing number of articles and divergent interpretations, and by the huge fines that are quoted everywhere: depending on the provision breached, up to 10 or 20 million euros, or 2% or 4% of the company's total worldwide annual turnover, whichever is higher (Article 83 of the GDPR).

To whom does the GDPR apply? Should such provisions be mentioned in an employment contract? Is it necessary to set them out in contractual terms and conditions, and if so, how?

Even though there are tons of information in English about the GDPR, I have decided to write a brief article on the topic with an emphasis on Czech legislation.

Jurisdiction and application.

The GDPR applies to controllers and processors established in the EU, regardless of where the processing itself takes place, and it protects the personal data of data subjects who are in the EU, not only EU citizens. It also applies to controllers or processors that are not established in the EU if they offer goods or services to data subjects in the EU or monitor their behaviour within the EU (Article 3 and Recital 24 of the GDPR).

Legal acts:

The relevant supervisory authority in the Czech Republic is the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, hereinafter the UOOU).

What is it about?

Personal data protection is not a new thing. One point worth stressing, however, is that the GDPR covers not only processing of personal data by automated means, but also manual processing where the data form part of, or are intended to form part of, a filing system (Article 2(1) of the GDPR).

What are personal data? Personal data are any information relating to an identified or identifiable natural person (Article 4(1) of the GDPR). This includes pseudonymised data, which can still be attributed to a person with the help of additional information, and the special categories of data such as biometric and genetic data; even an IP address can be personal data. Genuinely anonymous data, from which a person can no longer be identified, fall outside the GDPR (Recital 26). Data stored by a recording device, images or sounds, are also personal data if a specific person can be directly or indirectly identified from the recording.

What does it mean for an entrepreneur? For most entrepreneurs there is now a duty to inform their clients, as well as their employees:

–    that their personal data are being collected,

–    how the personal data are collected and processed, and

–    what happens to the personal data, i.e. the purposes for which they are collected.

Where the processing relies on consent, the client, i.e. the data subject providing the personal data, must give consent to its collection and processing. Specifically, Recital 32 and Article 4(11) of the GDPR state that consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, by a statement or other explicit confirmation of consent. "Freely given" means that the data subject can refuse to give consent, or give it only for specific purposes of collection and processing, without losing the opportunity to conclude a contract (Article 7(4)). Consent can also be withdrawn at any time (Article 7(3)). Related to this is the "right to be forgotten" (Recital 65 and Article 17 of the GDPR): where the data subject withdraws consent and there is no other legal ground for the processing, he or she may require the controller to erase his or her personal data.

How to be compliant with it?

Many companies proceed as follows: on their web pages they add a so-called "Privacy Policy" describing some of the above requirements. Such a policy serves the information duty under Articles 13 and 14 of the GDPR, but it is not by itself a legal basis for processing.

The very high sanctions can be avoided by carefully updating existing contract documentation (customer contracts, internal rules, data processing agreements, etc.) and by keeping proper records of all processing activities (Article 30 of the GDPR).

However, there are situations where asking for consent is unreasonable, or where the consent obtained would even be invalid. For example, consent is not the right basis when the processing is needed to fulfil a legal obligation (Article 6(1)(c) of the GDPR), such as the employer's duty to provide employee data to the social security administration.

Is it necessary to include it in the employment contract? How necessary is it when the data have to be reported to the state? The real questions are different: what kind of data are concerned, what they are going to be used for, and whether the balance between the parties to an employment relationship allows consent to be freely given at all. Under Article 6(1)(b) and (c) and Article 5(1)(b), (c) and (d) of the GDPR, the employer collects and processes employees' personal data in order to perform the employment contract and to fulfil legal obligations, and only to the extent corresponding to those purposes.

Further, in general terms, the security obligations for the processing of personal data are listed in Section 13(1) of the Czech Act on the protection of personal data. Here, too, the main idea is clear: controllers and processors must adopt measures so that there can be no unauthorised or accidental access to personal data, their alteration, destruction or loss, unauthorised transmission, other unauthorised processing, or other misuse of personal data (the corresponding obligation is in Article 32 of the GDPR). If such a breach nevertheless occurs (a personal data breach), Article 33 of the GDPR requires the controller to notify the UOOU without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons.

Transfer of personal data inside and outside of the EU.

The GDPR has harmonised the legal framework in the EU, so a company operating in this territory, for example in the Czech Republic, falls under the same conditions for the protection of personal data even if it expands its activities to Germany or another EU member state. The exception is the limited set of areas where the GDPR lets member states adopt their own rules, such as processing in the employment context (Article 88), where the national rules of each country still have to be checked.

The Act on the protection of personal data and on amendments to certain acts (Act No. 101/2000 Coll., the Czech Act) governs in Section 27 the conditions under which personal data may be transferred to other countries. First of all, the free movement of personal data within the EU may not be restricted. Transfers to countries outside the EU are also possible without further restriction where this follows from an international treaty ratified by the Parliament of the Czech Republic (for example, the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data) and the transfer complies with EU rules, or where the European Commission has decided that the country in question ensures an adequate level of personal data protection (now Article 45 of the GDPR). Other transfers to third countries require appropriate safeguards (Article 46 of the GDPR), the most common of which is described in the next paragraph.

One of the most commonly used tools for transferring personal data to third countries is the standard contractual clauses (SCCs) adopted by the European Commission. The advantage of a transfer based on the SCCs is that, once they are incorporated unchanged into the service contract, there is no need to ask the UOOU for permission to transfer the data to the third country (Article 46(2)(c) of the GDPR), and the transfer still meets the requirements of personal data protection law.

Detailed information.

Where to find it? On the web page of the Czech Office for Personal Data Protection (also available in English):

The Ministry of Industry and Trade has issued a Guide on the preparation of small and medium-sized enterprises for the GDPR–236691/

On the web page of the European Commission:

And to find the competent data protection authority in each EU member state:

(c) Elmira Lyapina, LL.M., Ph.D.

Disclaimer about the nature of the information contained in this article.

The information provided in this article is general information; it does not constitute legal advice and may not be valid in a particular situation. To obtain qualified legal advice, you should contact a lawyer and provide the documents relevant to your case. For example, by email:

This article was prepared on the basis of an analysis of the legislation in force as of 4 July 2018. When using this information, any changes made to the legislation after that date should therefore be taken into account. This article was first published on 4 July 2018 on the web page