New European regulation on personal data protection

Compliance departments are starting to deal with the so-called general regulation on the protection of personal data (Regulation (EU) 2016/679 of the European Parliament and of the Council), which is to apply with effect from May 25, 2018. Whereas the present regulation of personal data protection was harmonized by a Directive and thus differed between individual member states, the new regulation introduces unified European protection of personal data. The regulation will also bring some interesting changes to Czech legislation. The existing reporting obligation of the personal data administrator will be replaced by an obligation to keep records of activities associated with personal data processing. There is also a new obligation imposed on certain types of personal data processors to establish a controller for the protection of personal data. The controller should not receive any instructions regarding his/her activities. Although the regulation allows an employee to be authorized to act as a controller, companies should delegate this function to external associates in order to maintain the controller's independence. The establishment of newly specialized entities on the market may clearly be expected. The regulation also provides for high sanctions in the case of a breach (the maximum limit is EUR 20 million or 4% of annual global turnover). It is therefore advisable not to underestimate preparations for the new regulation coming into effect.