Personal data – who cares?
Many legal concepts coming from international (particularly European) law feel somewhat unfamiliar in our little country, no matter whether they aim to protect minorities, the environment, intellectual property on the Internet, or personal data. Even if protective laws are implemented correctly, which is not always the case, the lack of local tradition and genuine public interest in these distant matters prevails. Consequently, this article is written for those of you who are not familiar with the basic rights safeguarding your personal data, and with the mirroring obligations of the companies and other entities processing the data.
The core of the protection lies in numerous obligations, which are imposed on persons (controllers) who in any way handle (process) information about specific people (personal data). To clarify: (a) any information which can be traced to specific living (and in some cases also deceased) individuals is considered personal, such as a simple cell-phone number, birth number, most business e-mail addresses identifying a person by name, IP addresses, or a name together with an address of permanent residence; (b) any manual or automatic operation with personal data is considered processing, which includes storage, modification, publishing, blocking or deleting; and (c) almost anybody, including various public authorities, can be considered a controller unless the processing is for purely private purposes or relates to significant security or financial interests of the Czech Republic.
In light of this broad understanding of the main principles, almost any operation with information about specific people done by your company or employer will probably fall under data protection law. To avoid the administrative burden related to such activity, controllers will usually have to look into the numerous exceptions from each obligation stipulated in the relevant law.
To begin with, a controller must clearly formulate the legitimate purpose of the processing and choose only such means and duration of processing as are absolutely indispensable to achieve that purpose. For example, a company may decide to have the contact details of all its customers, suppliers and employees organized in one database. Because having such a database is considered the processing of personal data, the company must make sure that the personal data are accurate, that they come from a legitimate source (a public database or a business card) and that they are deleted immediately after they are no longer needed, for example following dismissal or death.
The appropriate time for which the information may be stored differs according to specific circumstances; the data protection authorities may tell you that a tape from a camera surveillance system must be destroyed within three days (if the tapes are regularly checked) but also within several weeks (if the tape is retained to identify an intruder). This does not give you much legal certainty, which is why we are trying on behalf of our clients to get their specific situations assessed by the data protection authority unofficially (by telephone or e-mail). Although the officials are usually helpful, they admit that this situation may change soon as the amount of unofficial inquiries is constantly on the rise.
In addition, the controller is obliged to provide various information about the processing to each data subject and to ask for their consent. Consent need not be in writing, but the burden of proof is on the controller, so it is advisable to adopt specific policies if consent is given online (the so-called double-click policy) or by phone. Sensitive data, such as information on race, ethnic background, religious or political beliefs, health, criminal convictions, and biometric information, may be processed only if the consent is explicit. It is good practice to bear in mind that sensitive information can be present in photos (such as on identification documents or CVs), in extracts from criminal records, in medical reports (except for simple documents for employers stating fitness to work), and in fingerprints or voice records. On the other hand, marital status or birth numbers are not considered sensitive, but their use is restricted by other specific laws.
The obligation for controllers to obtain informed consent would be impossible to fulfill in day-to-day life unless the law stipulated significant exceptions. I mention a few examples of processing which does not require informed consent: (i) processing required by law, which applies to employers handling personal information on their employees for tax or social security purposes; (ii) processing necessary to fulfill a contract concluded with the relevant individual, such as a consumer loan; (iii) processing necessary to protect the legitimate interests of the controller, for example when enforcing a debt; (iv) processing of personal information that was legitimately published, for example in a telephone directory, provided that its further processing does not breach the right to privacy; and (v) customers’ consent to their contact details being used for the distribution of printed or electronic product offers, which is presumed until they withdraw it by opting out.
Going back to the previous example, it is difficult to assess the status of directories in which co-workers in one company share their business contacts online. I would say that implicit consent by people giving away their business cards or sending e-mails with their contact details can nowadays be presumed, as it covers not only use by a specific addressee but also use by the whole of their company or organization. On the other hand, some experts distinguish between private business directories used by one person only and shared business directories. Under that view, sharing business contacts in organizations could require obtaining informed consent from all people whose contact details are shared in the directory, unless one of the specific exceptions applies. Needless to say, this strict approach could get some companies in trouble.
Furthermore, the data protection regulations distinguish controllers from so-called “processors,” who are usually hired by controllers to perform only specific operations with personal data. Processors are usually found among the providers of various outsourced services, such as accounting and web hosting. In any case, the controller is obliged to conclude a written agreement with the processor specifying various details about the processing of personal data, including guarantees for the safety of the information. Unfortunately, the relevant statutory provisions have many gaps, for example in respect of chains of processors or the treatment of cloud providers. These gaps are open to various conflicting interpretations, which is not helpful.
For brevity’s sake we cannot discuss in detail all the other obligations on entities processing personal data and the related exceptions. It is enough to be aware that processing personal data often requires prior notification to the relevant authorities (the register is publicly available on the Internet); that data must be adequately protected (specific internal written rules and “state of the art” technical protection are required); that most data transfers abroad (including uploading personal data to a server accessible from a computer abroad) may require specific notification to, or even approval from, the relevant authorities; and that data subjects have various rights towards the controller (access, explanations, and so on).
Finally, for breaches of these obligations fines of up to CZK 10,000,000 may be imposed. Specific remedies are also available for improper processing of personal data, which could completely destroy a business. Statutory liability lies particularly with the controller but can spill over to participating processors. However, do not underestimate the negative PR effect of personal data violations, as recently seen with Google Street View (the futuristic-looking cars were intentionally designed not only to take photographs but also to collect information from local wi-fi networks, including passwords and online login details to various applications, and even personal e-mails) or the infamous Prague Opencard (Prague city hall previously required citizens either to agree to the use of their personal data by private companies or to pay more for an anonymous card).
Are you beginning to pay attention to the protection of personal data? Not yet? Then please note that a draft of the new EU Regulation on Personal Data Protection is currently being discussed. This updated set of detailed and very prescriptive rules is giving more and more European companies a headache, particularly because it imposes brand new obligations upon controllers (data portability, privacy by default, privacy by design, the right to be forgotten, an obligatory data inspector in larger companies) and penalties (up to 2 percent of worldwide turnover). This innovative piece of legislation, with far-reaching consequences, could come into force as early as 2014, so it is time to wake up, perhaps join forces with the efforts of Czech AmCham and other associations around CICDP (Czech Industry Coalition for Data Protection) aimed at amending the draft, and definitely brace yourself for the impact. The future of personal data protection in Europe is bound to be bright, or at least very interesting, for good or ill.
Bc. Mgr. et Mgr. Stanislav Bednář, Attorney-at-law permanently cooperating with PETERKA & PARTNERS