The international law firm Taylor Wessing has been working intensively on the GDPR for more than a year. A number of queries have been reported in connection with its implementation as regards online shopping. Simply by browsing an e-shop on your mobile phone or computer, you have already provided the operator with valuable information about your preferences, even without making a purchase. Such information is collected to display so-called personalized ads, and it is sent not only to the e-shop but also to other entities together with which the e-shop collects personal data. Guidance in this area is offered by Karin Pomaizlová, a partner of the law firm Taylor Wessing Praha.
All of this necessarily means that e-shop operators must process the personal data of their customers and therefore take on obligations regarding its security. Under both the current law on the Protection of Personal Data and the GDPR, the e-shop operator is a so-called personal data administrator. An administrator is any entity that determines the purpose and means of processing personal data and is responsible for that processing. The administrator is therefore primarily responsible for ensuring that personal data is processed in accordance with the law.
Pomaizlová adds: "If the administrator uses a third-party service to process the personal data, even if it is only a personal data storage service, he must enter into a written agreement with such service provider – as a personal data processor – also online. However, in practice this is not sufficient. In choosing a personal data processor, the administrator should proceed responsibly and make an assessment of the credibility and professionalism of such service provider, and the ability to safely secure the processing of personal data."
The GDPR, in contrast to the current Protection of Personal Data law, explicitly allows the administrator to use a subcontractor to process personal data. However, it must ensure that such subcontractor takes on the same obligations in this regard, and to the same extent, as the administrator (e.g. the e-shop operator). If a subcontractor fails to fulfill its obligations, the administrator shall be held responsible for the performance of such subcontractor as if it had performed the processing of personal data itself. "The GDPR restricts the use of another subcontractor by the processor by first requiring the processor to obtain the consent of the processor. For this reason, it will be necessary to review and modify existing contracts between administrators and personal data processors," remarks Pomaizlová.
The Czech Republic is among the top five countries with the highest retail sales across the EU, which is to say it is an "e-shopping superpower". As the popularity of online purchases increases, so too does the importance of regulating the privacy of e-shop customers. The need to update and uniformly regulate personal data protection in the European Union resulted in the adoption of a unique piece of legislation with direct effect throughout the EU – the General Data Protection Regulation (GDPR). The regulation becomes enforceable from 25 May 2018, and its provisions also apply to operators of online shops.