HOW DID THE PERSONAL DATA PROTECTION CHANGE IN THE LAST TWO YEARS?

Even though in the last weeks our attention has been focused mainly on the situation regarding the COVID-19, which became the topic no. 1 for the majority of entrepreneurs and citizens, we would like to remind ourselves the month of May 2018. Many of us remember it as a month “of personal data.”

The EU regulation no. 2016/679, better known as the “GDPR Regulation,” will on 25. May 2020 celebrate two years since it became valid. This regulation has completely changed the conception of the protection of personal data of natural persons within the EU.

Two years ago, the word “GDPR” was used here, there, and everywhere. It brought several new obligations, from information obligations in relation to the persons concerned, the evaluation of the lawfulness of the processed personal data, to the implementation of new internal safety processes in order to increase the protection of personal data.

Email mailboxes were flooded with a huge amount of notices, in which companies requested people to repeatedly send them the consent to receiving newsletters.

We learned what the word “cookies” means. The high fines that the Office for personal data protection of the Slovak republic may impose as a guarantee of the personal data protection in Slovakia became a scarecrow.

Even though that the “boom” regarding the GDPR Regulation gradually passed away, the protection of personal data and the obligations, which the Regulation brought, remained. Thus, let´s remind ourselves what this GDPR Regulation brought and how the personal data protection has changed in the two years of its validity.

The GDPR Regulation in short

•   specified the definition of “personal data”;
•  adjusted the obligation to provide understandable and easily accessible information about the processing of their personal data to the concerned persons;
•  defined the principles of processing of personal data and determined clear legal basis for their processing;
•  closely specified the content and formal requirements of the consent to the processing of personal data (you can read about these in our older article);
•  imposed the obligation to process personal data only for specific, clearly defined purposes;
•  limited the automated processing of personal data and profiling;
•   increased the safety and protection in processing of personal data (standard – “data protection by default” and specific protection – “data protection by design”);
•  increased the control of natural persons over their personal data.

In Slovakia, it led to the adoption of a separate act on the protection of personal data, which is published as the Act no. 18/2018 Coll. on personal data protection and amending and supplementing certain Acts.

Personal data protection after two years. Was it a positive change?

Undoubtedly, the GDPR Regulation constitutes the biggest reorganization of the requirements on the processing and the protection of personal data adopted within the EU.

Undeniably, after its adoption increased the liability of the companies for the provision of better protection of the personal data processed, as well as the awareness of people about their rights regarding the processing of their personal data. Natural persons thus acquired better control over which of their personal data is processed and by whom.

The fact that the GDPR Regulation did not remain only in the theoretical level is confirmed by the numerous fines that have been imposed within the last two years for its breach in the individual EU member states.

For instance, we mention Austria, where an Austrian mail company got a fine of 18 million Euros for the breach, or the United Kingdom and the fine imposed on a British airlines in the amount of 183 million Pounds, France, where Google LLC got a fine of 50 million. In the Czech Republic, there was a case of breach of the personal data protection with a high fine of 1,5 million of Czech Crowns. In Slovakia, such a high fine has not been imposed yet.

Despite the GDPR Regulation being valid for two years, the interpretation of its provision is still being clarified (for instance, the decision of the Court of Justice of EU on what the consent with the use of “cookies” should look like). However, it is undeniable that its adoption meant a significant contribution to the personal data protection.