Office for Personal Data Protection

General Regulation (GDPR) in brief: on the protection of personal data concisely and clearly

Basic guide to protection

Although the protection of personal data has been in force in our country since 1992, and although the authority established by the Personal Data Protection Act has been supervising the obligations imposed by that law for almost two decades, for many who never bothered with the law it appears to be a new thing. Under the influence of a campaign unleashed around the General Data Protection Regulation (GDPR), mainly for the benefit of a range of consultancy companies, people wonder what "that Brussels" has come up with this time. The campaign is accompanied by a good deal of incorrect and misleading information, spread in the media and also in some lectures. For many, even the terms used by the law are unclear, such as "processing of personal data", which means the operations carried out with personal data and is the only thing this protection covers. It therefore does not apply to every use of any person's data in any situation, as is often mistakenly assumed by those who confuse the protection of personal data with the protection of personality under the Civil Code. Other such terms are, for example, the "data subject", meaning the person whose data is concerned; the "controller", who processes personal data either at its own discretion or because it is its legal duty; and the "processor", someone else whom the controller entrusts with the processing by contract.

Let us therefore try, without using these terms and with a still permissible degree of simplification, to describe in four points the basics of what needs to be done to protect personal data, and what the General Data Protection Regulation adds.

1. Reason

To collect and use information about a category of people, such as our customers or employees, we must have a (legal) reason. Very often it is the contracts we conclude with them: employment contracts with employees, sales or other contracts with customers. Such a reason is of course also a law that requires it, e.g. when state authorities keep records of citizens, but also when keeping accounting and payroll records in a private company. In some cases the reason may be the protection of our rights, e.g. a camera guarding our valuable property against a thief or vandal. In other cases it may be the public interest in information about certain persons, in particular publicly known or publicly active ones. However, such information and its use must not unduly interfere with their private life. If we do not find any of these reasons, and yet we would like to obtain data about people, such as which goods they prefer, we must ask them for consent to keep such data. But we must remember that consent is voluntary, cannot be made a condition of concluding a contract, and when the customer revokes it, he has the right to have such data deleted.

When a customer has already bought or ordered something from us, we do not need their consent to send them further offers of our goods or services, most often to their email. However, as soon as they reply that they do not want such commercial communication, we must stop sending offers to that address. Unless there is some other reason, publishing personal data stored in a database, e.g. employee contact details for contact with customers, also requires the consent of the person concerned. Special reasons are required to obtain and use categories of data that could be abused to discriminate against people, e.g. health data.

2. Principles

We should first of all always be clear about why we need or want to obtain data about certain people. The request for data should then be designed so that we do not unnecessarily record information about those people that we do not actually need. The scope of the data should therefore be the minimum needed to achieve what we have set out to do. We should ensure that the data obtained are accurate and that their accuracy is verified. Verifying the accuracy of the data against the identity card of the person concerned is not excluded; however, copying the identity card or passport is inadmissible, with the exceptions stipulated by law.

Recorded data cannot be used contrary to the original purpose. For example, a camera recording contains plenty of visual information about all persons who entered the monitored area. It is kept for a reasonable period so that, if necessary, information about an offender can be provided to the police. However, it cannot be used for unfounded monitoring of neighbours, perhaps just because someone did not wipe their shoes, or for disproportionate surveillance of employees at the workplace. Another principle is to keep data only as long as necessary. The period can vary greatly from case to case: from a few days for a camera recording, once it is clear that nothing extraordinary happened at that time, up to decades for the statutory retention of some documents, such as payroll sheets. The retention period does not always end with a particular event, e.g. termination of employment or fulfilment of contractual arrangements. Both the periods provided for by law for the retention of certain documents and any limitation periods for bringing legal proceedings must be taken into account, and in the case of paper documents also the retention period.

3. Information

Most misunderstandings and complaints arise because people do not receive enough information about why they are providing their personal data, what will happen to it and to whom it will be passed. It is therefore necessary to provide such information to the person already at the time the data are obtained, preferably in writing, whether at the place where the data are collected or otherwise, for example via the website. Other rights that people can exercise when you store and use their personal data must also be respected. They have the right to information about their data not only at the moment of providing it; they may also ask later. Provided that this does not affect the rights of other persons, everyone has the right to be given a copy of their data. For further copies, however, a reasonable fee may be charged. Other rights include the right to rectify inaccurate data, the right to object, e.g. to further sending of marketing offers, and the right to have data deleted, but only if there is no other reason to keep it.

4. Security

If you hold people's data only in paper documents and not on a computer, they are covered by this protection only if they are kept in the form of a register of natural persons. When not in use, paper documents must be kept in a locked desk drawer or a locked cabinet, and not left in an unlocked room when the person working with them leaves. Data stored on a computer or other electronic device must be accessible only to someone who, based on a password, is properly authorised to work with the given data. For larger and more complex systems it is also necessary to keep electronic records, so-called logs, that make it possible to identify and verify when, by whom and for what reason the data were accessed. Security rules should also be observed for electronic devices taken on journeys, such as not leaving them unattended in a car.

Personal data must also be adequately secured during electronic transmission. Be aware that ordinary email communication is not very secure; it is sometimes compared to a postcard. In some cases it is appropriate to choose a safer form of transmitting information, e.g. by encrypting it. An encrypted file can then also be sent by less secure forms of communication. Always consider whether it is advisable to send unsecured documents containing larger volumes of personal (or sensitive) data through freemail services. This does not mean, however, that freemail services can never be used, for example where it is only a simple arrangement with a customer or the information sent poses no risk.

If you pass personal data, e.g. about your customers or employees, to someone else who works with it for you and on your behalf, you need to conclude a contract with them in which they undertake to protect the data as much as you do. Without such a contract, transferring data to other persons outside the company or organisation requires the consent of the person concerned, unless it is a request from the police or another state authority that has the right to request the data necessary for its activities, in which case you are obliged to provide it.

5. What does the General Data Protection Regulation (GDPR) add from 25 May 2018?

For a smaller company that only keeps records of contracts with its customers and records of employees, not so much.

Records of activities - everyone
It will be necessary to keep a record of the activities carried out with personal data. It is advisable to prepare a form and fill in the boxes with the information required by Article 30 of the GDPR (records of contracts, records of employees, a discount programme for customers, etc.). This should not take more than 10-15 minutes.

Reporting security breaches - everyone
The second generally applicable obligation is to report personal data breaches to the Office for Personal Data Protection under Article 33 of the GDPR (within 72 hours of detecting such an incident). This concerns serious incidents with expected serious consequences, not a case where one sheet from a paper-based register is accidentally filed in a different drawer, where it is found within an hour. If a data leak occurs, for example, at a bank where you have money deposited, the bank will be obliged to notify you, in extreme cases by public announcement of such a serious incident.

Codes and certificates - voluntary
Where, in some sector of business, the same or very similar activities with personal data occur, a code of conduct may be drawn up, e.g. by a professional association. Subscribing to such a code demonstrates the wish to comply with the General Regulation but is not compulsory, just as a personal data protection certificate will be possible but also not mandatory.

Data protection officer - only some
Authorities and other bodies that decide on citizens' rights, including schools, will have to appoint a data protection officer, a person who will deal with this issue and point out any shortcomings. It is assumed that they will understand the data protection issues of the given sector. The officer may be either an employee or an external person. This allows a single officer to perform this role for several authorities or schools, but also hospitals, which will also be obliged to appoint an officer in view of the large amount of data on patients' health in the hospital information system. However, the officer cannot be the head of the organisation or of its IT department, as that would be a conflict of interest.

Impact assessment and consultation with the Office - only some
Like the appointment of an officer, a data protection impact assessment and prior consultation with the Office for Personal Data Protection are not generally applicable obligations; they concern those who intend to carry out risky large-scale personal data operations, involving, for example, extensive profiling of people via the internet for marketing purposes using detailed information about their private life, or where the risk lies in the new technologies used, e.g. with a large amount of patient health data. The list of these operations will be published by the Office for Personal Data Protection.

Penalties - always proportionate
Flagrant violations of the general obligations in such risky operations with large volumes of data, usually by large multinationals, may be subject to the maximum sanction provided for by the General Regulation, reaching significant amounts. It is nonsense to scare a smaller company or school with such sanctions, as are the exorbitant amounts charged for external audits, substantially exceeding the fines imposed by the Office for Personal Data Protection, which guarantee no compliance with the regulation. Any penalties for breach of obligations under the General Regulation will, as before, be proportionate; in no case may they be ruinous.