The full title is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46 / EC (General Data Protection Regulation). ).
The English abbreviation of the General Regulation, which can be found in professional texts or conversations, is GDPR (General Data Protection Regulation).
The General Regulation represents a new legal framework for the protection of personal data in the European area, which will directly set out the rules for the processing of personal data, including the rights of the data subject (natural person), from 25 May 2018. In the Czech legal environment, the General Regulation will, from 25 May 2018, replace Act No. 101/2000 Coll., On the protection of personal data and on the amendment of certain acts, resp. the law on personal data protection after its amendment will already regulate only some aspects concerning the Office for Personal Data Protection (eg its establishment, organization, etc.) and some partial issues necessary to complete the whole framework of personal data protection, which are not regulated by the General Regulation or it allows them to be adjusted at national level (or even provided that they are to be adjusted).
The General Regulation is characterized by its universal applicability in all European Union countries (and Iceland, Norway and Liechtenstein) and thus by its unifying effect, as uniform rules for the processing of personal data will apply in each EU country and the three listed. It was precisely to ensure greater uniformity of the rules of personal data protection that was one of the aims of the adoption of the General Regulation.
Why did the legal framework for personal data protection have to be revised?
The revision was launched on the grounds that the current legal framework, established by Directive 95/46 / EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, has ceased to apply at present, in particular as regards means of used for processing and also in terms of processing as such, which is far more complex than it was several decades ago (eg in the field of profiling, automation of personal data processing, etc.). At the same time, Directive 95/46 / EC did not achieve the required degree of regulatory harmonization in the individual countries of the European Union, which caused problems for administrators operating in several countries.
The aim of the General Regulation is to adapt the legal framework for the protection of personal data today, to achieve greater uniformity of the legal framework in all countries affected, to strengthen the data subject's rights and, last but not least, to achieve a uniform interpretation of the General Regulation and supervision by individual supervisory authorities.
What is the difference between a Regulation and a law?
As far as the determination of rights and obligations is concerned, there is no difference between a regulation and a law, both legal regulations directly set out obligations and rights for the addressees. A certain peculiarity of the regulation compared to the law is its Preamble, which contains so-called recitals, which are provisions preceding the actual text of the regulation and these provisions are in some cases an interpretation or to some extent an explanatory report on some provisions of the regulation's own text. When working with the regulation, it is therefore appropriate to monitor individual recitals, which, for example, relate to a specific article or institute of the regulation. It is also necessary to take into account that the entire legal framework will be completed by the Adaptation Act, which will amend Act No. 101/2000 Coll., On Personal Data Protection and on Amendments to Certain Acts, and which will also contain minor (permitted) derogations or special amendments to General Regulation.
Since when do we have to follow the GDPR?
Although the General Regulation is currently in force, it is not yet effective (applicable), ie it has already undergone the legislative process, it is therefore an approved valid document, but it will not enter into force until 25 May 2018. From this date, all entities involved in processing personal data will be governed by the General Regulation.
There is now a deadline for controllers and processors to bring their processing of personal data into line with the General Regulation on the date of application of the General Regulation.
What will happen to the current law on personal data protection?
The General Regulation sets out the rights and obligations in the processing of personal data. To this extent, it replaces Act No. 101/2000 Coll., On the Protection of Personal Data and on the Amendment of Certain Acts. The rights and obligations in the current Personal Data Protection Act will be replaced by the rights and obligations arising from the General Regulation. Following its amendment, the Personal Data Protection Act will regulate only certain aspects concerning the Office for Personal Data Protection (eg its establishment, organization, etc.) and some partial issues necessary to complete the entire personal data protection framework not regulated by the General Regulation or which the General Regulation allows for regulation at national level. In some respects, even the General Regulation foresees national legislation. These include, for example, aspects of the processing of personal data for the purposes of exercising freedom of expression, the right to information,
Who will have to comply with the General Regulation?
The general regulation will govern, in particular, the entity carrying out the processing of personal data in terms of obligations. Such an entity is called a personal data controller. The general regulation also governs the processor, which is the entity that processes personal data for the controller. As for the rights deriving from the General Regulation, they arise for a natural person, which is a data subject. Furthermore, the General Regulation will be governed by the supervisory authorities, ie the Office for Personal Data Protection, which will exercise the delegated powers in order to perform the set tasks.
What activities does the General Regulation not cover?
The activities of a natural person are excluded from the scope of the General Regulation [see Article 2 (2) (a)]. c) of the General Regulation], in which personal data are processed exclusively for personal or domestic activities.
Furthermore, processing carried out by competent authorities for the purpose of the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties, including protection against and prevention of threats to public security, is excluded from the scope of the General Regulation. This is governed by Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data by the competent authorities for the prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal penalties. movement of such data and repealing Council Framework Decision 2008/977 / JHA. As this is a directive, its implementation is necessary, which will generally be in Act No. 273/2008 Coll., On the Police of the Czech Republic and also in the amended Act No. 101/2000 Coll., On the protection of personal data and on the amendment of certain acts.