advokaciesvoboda

Basic obligations under the GDPR

Do you process personal data in the course of your (typically business) activities, and can you decide on the means and the purpose ("purpose") of that processing?

Then, in GDPR terminology, you are a "controller" (Czech: správce), you are legally responsible for the lawfulness of the processing, and you should most likely also have a Privacy Policy (Podmínky ochrany osobních údajů) in place.

As an aside, the GDPR expressly does not apply to the processing of personal data "by a natural person in the course of a purely personal or household activity" (Article 2(1)(c) GDPR)!

Under the GDPR, the controller has fairly extensive information obligations towards "data subjects": it must explain why and which of their data it processes and what the legal basis for that processing is (the GDPR principle of transparency).

As a rule, the controller must therefore draw up a Privacy Policy (Podmínky zpracování osobních údajů), in which it describes this, among other things.

A further obligation of the controller is to implement "appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation" (Article 24(1) GDPR).

When processing personal data, the controller may also involve other entities (legal or natural persons) that perform certain tasks for it. If such a person works with the data only on the controller's instructions and for the purposes the controller has defined, it is a "processor" (the GDPR term; Czech: zpracovatel). The controller is responsible for using only processors that provide sufficient guarantees of technical and organisational measures ensuring compliance with the requirements of the GDPR.

The controller must, as a rule, have a written contract with the processor (a Data Processing Agreement, in Czech Zpracovatelská smlouva), which sets out, among other things, at least:

– the subject matter and duration of the processing,

– the nature and purpose of the processing,

– the type and categories of personal data,

– the rights and obligations of the controller.

 

What are the main responsibilities of the controller under GDPR?

Under the General Data Protection Regulation (GDPR), the controller is a key role with specific responsibilities related to the processing of personal data. The main responsibilities of a controller under GDPR include:

Determining the Purposes and Means of Processing: The controller is responsible for determining the purposes and means of processing personal data. This includes deciding why and how the data is collected, what data is collected, how it is stored, and how long it is retained.


Lawful Basis for Processing: The controller must establish a lawful basis for processing personal data. This involves identifying and documenting a legal justification for processing the data, such as the necessity of processing for the performance of a contract, compliance with a legal obligation, consent of the data subject, or legitimate interests pursued by the controller or a third party.


Providing Transparency and Information: The controller must provide clear and transparent information to data subjects regarding the processing of their personal data. This includes informing individuals about the purposes, legal basis, data retention periods, and their rights related to the processing.


Obtaining Consent: If the lawful basis for processing personal data is based on consent, the controller is responsible for obtaining valid consent from the data subject. Consent must be freely given, specific, informed, and unambiguous, and individuals must have the option to withdraw consent at any time.


Implementing Data Protection Measures: The controller is responsible for implementing appropriate technical and organizational measures to ensure the security and protection of personal data. This includes implementing measures to prevent unauthorized access, accidental loss, destruction, or damage to the data.


Data Subject Rights: The controller must facilitate the exercise of data subject rights, such as the right to access, rectify, erase, restrict processing, data portability, and object to processing. The controller is responsible for responding to data subject requests and ensuring the effective implementation of these rights.


Data Protection Impact Assessments (DPIAs): In certain circumstances, the controller is required to conduct a DPIA to assess and mitigate any potential risks to the rights and freedoms of data subjects arising from the processing of personal data.


Data Breach Notification: The controller has a responsibility to promptly notify the relevant supervisory authority and, in certain cases, affected individuals, in the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals.


It’s important to note that these responsibilities may vary based on the specific context and circumstances of the data processing activities. Additionally, some responsibilities may be shared or delegated to processors or other parties involved in the processing of personal data.

What must be contained in the Data Processing Agreement (DPA)?

A data processing agreement (DPA), also known as a data processing addendum, is a legally binding contract that sets out the terms and conditions between the data controller and the data processor regarding the processing of personal data. While the specific requirements of a DPA may vary depending on the jurisdiction and the parties involved, there are several key elements that should typically be included in a data processing agreement. These elements are as follows:


  1. Purpose and Scope: The DPA should clearly state the purpose and scope of the data processing activities. It should specify the nature and categories of personal data being processed, the duration of processing, and any specific instructions from the data controller to the data processor.

  2. Roles and Responsibilities: The DPA should outline the roles and responsibilities of both the data controller and the data processor. It should define the respective obligations and duties of each party, including compliance with applicable data protection laws and regulations.

  3. Data Security and Confidentiality: The DPA should address the data security measures to be implemented by the data processor to ensure the confidentiality, integrity, and availability of the personal data. This may include provisions on encryption, access controls, data backups, and incident response procedures.

  4. Sub-processing: If the data processor intends to engage sub-processors to assist with the data processing activities, the DPA should include provisions related to sub-processing. This should cover the data processor’s responsibility to ensure that any sub-processors comply with the same data protection obligations.

  5. Data Subject Rights: The DPA should specify how data subject rights will be addressed, including the procedures for handling data subject requests, such as access, rectification, erasure, and objection to processing. It should define the data processor’s obligations to assist the data controller in responding to such requests.

  6. Data Breach Notification: The DPA should include provisions regarding data breach notification. It should specify the obligations of the data processor to promptly notify the data controller in the event of a personal data breach, including the content and timing of the notification.

  7. Data Transfers: If personal data is transferred outside of the European Economic Area (EEA) or any other restricted jurisdiction, the DPA should include appropriate safeguards, such as Standard Contractual Clauses (SCCs), to ensure that the transfer is lawful and complies with applicable data protection laws.

  8. Audit and Compliance: The DPA may include provisions that allow the data controller to conduct audits or assessments to ensure the data processor’s compliance with the terms of the agreement and applicable data protection requirements.

  9. Term and Termination: The DPA should specify the term of the agreement and the conditions under which it can be terminated, including provisions on data return or deletion after termination.


It’s important to note that a data processing agreement should be tailored to the specific circumstances and requirements of the parties involved, taking into account the applicable data protection laws and regulations.