GDPR and the processing of personal data
The GDPR, or General Data Protection Regulation, is an EU regulation that aims to strengthen and unify data protection for people in the EU and give them greater control over their personal data. It applies to every organisation that processes the personal data of people in the EU (e.g. e-shops, government institutions, hospitals, etc.), including organisations established outside the EU that offer goods or services to them. The key principles of the GDPR include lawful, fair and transparent processing, purpose limitation, data minimisation, accuracy, storage limitation (personal data may be kept only as long as needed) and the security of personal data.
You must be informed before, or at the latest when, your personal data are collected. This means you must receive information about, for example, the purposes and legal basis of the processing, the types of personal data collected, the recipients, how long the data will be kept, and your data protection rights.
What are your rights under the GDPR
The GDPR gives you a number of rights that serve to control and protect your personal data. Specifically, these include:
1. The right to information about the processing of personal data
This includes the right to be clearly informed about why your data is needed, on what legal basis it is processed, how long it will be kept and who has access to it. The controller (the organisation that decides why and how your data are processed) must provide this information in a transparent, easily accessible form and in clear and plain language.
2. Right of access
You have the right to ask for a copy of the personal data an organisation holds about you, together with information about the purposes, recipients and retention period (in most cases free of charge, and normally within one month). This allows you to check what personal data are being processed and whether the processing is lawful.
3. Right to rectification
If information is inaccurate or incomplete, you can ask for it to be updated.
4. Right to erasure (“right to be forgotten”)
This right allows you to request the erasure of your personal data. However, this only applies in certain circumstances, for example when the data is no longer needed or when the processing was based on consent that has been withdrawn.
5. Right to restriction of processing
This allows you to ‘freeze’ the processing of your personal data in certain circumstances (for example, during a data accuracy check or an objection to processing).
6. Right to data portability
This gives you control over your personal data by allowing you to receive the data you provided to an organisation in a structured, commonly used and machine-readable format, and to transfer it to another organisation. It applies where the processing is carried out by automated means on the basis of your consent or a contract. This right promotes competition and innovation by making it easier to move to a new platform or service, for example.
7. Right to object
In certain cases, you have the right to object to the processing of your data, in particular where the processing is based on the organisation's legitimate interests or a public-interest task. Where your personal data are processed for direct marketing purposes, you can object at any time and the organisation must stop using your data for that purpose.
8. The right not to be subject to automated decisions
You have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects concerning you or similarly significantly affects you (for example, an automated refusal of a loan application). Exceptions apply, for instance where the decision is necessary for a contract or you have given explicit consent, but even then you can ask for human intervention and contest the decision.
Withdrawal of consent to the processing of personal data
Under the GDPR, withdrawing consent to the processing of personal data is possible at any time and must be as easy as giving consent. These are the basic applicable principles:
- The ability to withdraw consent at any time: the GDPR allows you to withdraw consent to the processing of personal data at any time. There is no time limit for withdrawing consent, so you can do so immediately after giving consent or at any time thereafter.
It should be borne in mind that consent is only one of several legal bases for processing and that it must always be freely given, specific, informed and unambiguous, given by a clear affirmative action; silence, pre-ticked boxes or inactivity do not count as consent. When you order a service for which you must provide your personal data, the organisation does not rely on your consent at all: the processing is based on the fact that it is necessary to perform the contract with you. In that case there is no consent to withdraw, and the organisation may keep processing the data needed to provide the service.
- Ease of withdrawal: the controller must ensure that the process of withdrawing consent is as easy as giving it. This may involve being able to withdraw consent in the same way that consent was given, withdrawing it via a website, or via a simple link or button in an email communication.
- Clarity of information: you should already be informed of the possibility and method of withdrawing consent when you give it. The information should be clear, accessible and not hidden in general or commercial terms and conditions.
- Immediate cessation: once consent has been withdrawn, the controller must stop processing personal data for the purposes for which consent was given, unless there is another legal ground for that processing (e.g. keeping records that the law requires it to retain). However, withdrawal of consent does not have retroactive effect. This means that any processing that took place on the basis of consent before its withdrawal remains lawful.
How to do this in practice
As we have already mentioned, withdrawal should be simple, with clearly accessible instructions for everyone. In practice, however, this is sometimes not the case. So, if you want to withdraw your consent to the processing of personal data but don't know how to do it, there is a general method that works with any organisation.
The simplest way is to send an email or letter withdrawing your consent. In it, include your name, contact details and a description of the consent you wish to withdraw (for example, consent to receiving marketing emails). If you have one, attach a copy of any document or communication in which you originally gave consent, so the organisation can identify you and the processing concerned.
Once you have sent your request, you should receive an acknowledgement from the organisation. The controller should then act on your request and stop processing your personal data for the purposes covered by the consent. The GDPR requires that requests from data subjects are handled without undue delay and in any event within one month, which can be extended by a further two months only for complex or numerous requests, and you must be told about any such extension. If you do not receive a response, you have the option to lodge a complaint with the Data Protection Authority.
Personal data processing contract
If you are a controller yourself (e.g. you run an e-shop and decide why and how your customers' data are used) and you use a third party to process personal data on your behalf (a hosting provider, a payment or email-marketing service, an external accountant), you will have come across the term processing contract (Article 28 GDPR). This governs the relationship between the controller (the one who determines the purposes and means of processing personal data, i.e. you) and the processor (the one who processes personal data on behalf of the controller, i.e. the third party). The GDPR requires this contract to be in writing (including electronic form) and to cover all relevant aspects of the processing so that the data are protected and processed in accordance with the GDPR. Note that you remain responsible towards your customers and the Data Protection Authority even when the actual processing is done by the processor.
Tip: Many businesses have used templates from the internet to meet their legal obligations under the GDPR and have adapted their documents and terms and conditions accordingly. However, this is not nearly enough to get everything right and avoid a fine from the Data Protection Authority, because a template does not reflect what data you actually process, for what purposes and with which suppliers. Rather, choose the more reliable route of a GDPR audit for businesses. With Affordable Advocate, everything is done simply, online, tailored to what you need, and at a predetermined price. We handle most cases within five working days.
So what should not be missing from the contract?
- Subject matter and duration of processing: a description of the subject matter, nature and purpose of the processing and how long it will last.
- Types of personal data and categories of data subjects: a detailed description of the types of personal data processed and the categories of data subjects (e.g. employees, customers, etc.).
- Obligations and rights of the controller: a clear definition of the rights and obligations of the controller, including its responsibility for compliance with data protection law and for the instructions it gives to the processor.
- Obligations of the processor: these include the obligation to process personal data only on the documented instructions of the controller, to ensure the security of the data processed, to ensure that persons authorised to process the data are bound by confidentiality, to notify the controller without undue delay after becoming aware of a personal data breach, to assist the controller in complying with its data protection obligations (e.g. in responding to an access or erasure request), and to make available all information necessary to demonstrate compliance.
- Involvement of a sub-processor: the conditions under which the processor may engage another processor, including the requirement for the controller's prior written authorisation (general or specific) and the obligation to pass the same data protection obligations on to the sub-processor.
- Security measures: a description of the technical and organisational measures used to protect personal data (e.g. encryption, pseudonymisation, access control, backups and regular testing of these measures).
- Transfer of data to third countries: the conditions and safeguards for transfers of data outside the European Union (e.g. an adequacy decision or standard contractual clauses).
- Audits and inspections: the right of the controller to carry out audits and inspections and the obligation of the processor to cooperate and contribute to them.
- Contractual penalty: the contract may also provide for a penalty for breach of obligations.
- Termination of the contract: procedures for the erasure or return of personal data, at the controller's choice, after the services end, and the deletion of existing copies unless the law requires the processor to keep them.