On whose head will the responsibility for GDPR compliance fall?

Four months have already passed since the GDPR came into force. Have you managed to successfully implement it in your company, or have you not yet fully completed the implementation? And do you know on whose head all the responsibility actually falls?


It's amazing how quickly and inexorably time flies. Slowly, the countdown timers to Christmas are starting to jump out at us. At the same time, it's been four months since the GDPR came into force. Have you been able to successfully implement it in your company, or have you not yet fully completed the implementation? And do you know on whose head all the responsibility actually falls?

The truth is that you won't find a concrete answer to this question in the text of the GDPR itself. You will have to delve into the Czech legislation, which in the end tells you that the statutory body is responsible for implementing the GDPR within the scope of its legal obligations.

The statutory body will be responsible

Unless the statutory body is itself an expert in data protection and the relevant regulation, it must carefully select a person who has that expertise and knowledge. If you underestimate this step, you run the unnecessary risk of the company incurring damage (e.g. fines) as a result of improper implementation of the GDPR, or of the company being exposed to criminal liability.

When, as a statutory body, you choose a professional from a pool of recognised and respected specialists, you need not be overly concerned about having breached your duty, as long as you have acted in good faith, in an informed manner and in the company's defensible interests. Once you have selected your GDPR professional, remember that failing to follow their instructions or recommendations can result in far more severe penalties.

What about criminal liability?

The Criminal Code has penalised the unauthorised handling of personal data since 2016, so this is nothing new in our country. In general, companies can face various penalties for committing a criminal offence, ranging from a ban on activity, a fine or publication of the judgment, up to the dissolution of the company.

When is it a corporate offence?

If there is indeed a problem, it is good to know that, for a company to be punished for a criminal offence, either a member of the statutory body or another person in a managerial position must have committed it. Sometimes we also see a company penalised for the actions of an ordinary employee. In most such cases, the elements of the offence are fulfilled within the scope of the employee's duties, where the superiors did not take sufficient measures to prevent the problem from occurring.

When the offence is assessed, its seriousness also matters. A situation where the personal data of one person is unlawfully disclosed to one recipient will be viewed differently from a situation where the personal data of multiple persons is disclosed, for example, on the internet.

It is definitely better to pay enough attention to the GDPR and its implementation, as this will save you possible unpleasantness later on. If you don't know your way around the GDPR, contact our team of experts. In the end, you will find that the cost of proper implementation and compliance is small compared with the amount of the potential penalties and fines.