GDPR in practice
May was challenging for many companies, as the EU Regulation on the protection of personal data, known as the GDPR, came into effect. Although most companies prepared in advance, analyzed their processes, set new rules, and approached customers or business partners with requests for new consents to the processing of personal data, there is still much to fine-tune. The threat of high fines, set uniformly for the entire EU (up to EUR 10 million or up to 2% of the group's worldwide annual turnover), is a deterrent for everyone.
The Office for the Protection of Personal Data (ÚOOÚ), the authority empowered to apply the GDPR in our country, also had a lot of work to do, and its employees patiently answered questions. However, after 25 May 2018 the ÚOOÚ withdrew direct contacts to its staff and introduced information lines that can be called for consultation at specified times, see here.
From our consultations with the ÚOOÚ, we conclude that the ÚOOÚ is trying to provide a friendly and reasonable interpretation of the GDPR, which is only good. The ÚOOÚ also publicly declares this "prudent" approach, especially "toward smaller municipalities and small entrepreneurs", on its website, where it emphasizes consultation and prevention over repression. However, it is also clear that the interpretation of the ÚOOÚ differs on some issues from the interpretations of the competent authorities in other EU member states, especially in Germany, where legislation similarly strict as the GDPR has been applied for several years.
Although the ÚOOÚ is, under the GDPR, independent in interpreting the GDPR in the territory of the Czech Republic, it is nevertheless part of the so-called European Data Protection Board, which was established in accordance with the GDPR, and it is obliged to coordinate its interpretation of the GDPR with the competent authorities of the other EU member states. We therefore believe that it is good to be cautious and monitor how the interpretation of the GDPR develops. Caution is definitely necessary if data is transferred to another EU member state, especially since, at the beginning, one cannot expect a uniform approach to interpretation in all EU member states.
It is therefore good to realize that nothing ended on May 25, 2018; on the contrary, everything is just beginning. The GDPR is starting to be applied in practice, and the first court decisions, official interpretations and codes of conduct will be adopted. Only in the course of time will it become clear what the "correct" interpretation of its provisions is.
It is also necessary to realize that when processing personal data under the GDPR, the 3 main principles of working with personal data must be observed above all: minimization, expediency (purpose), and justification. The processing of personal data will always be in violation of the GDPR if no proper justification is assigned to it. In principle, questions about the processing of personal data can never be answered in general terms; it will always be necessary to consider the specific circumstances of the processing and its specific justification.
Specific example?
We received the following questions from our client:
Are our work contacts (phone number, e-mail address, company address) considered personal data that can only be processed on the basis of express consent?
Is the company phone number, e-mail, address, etc. of a supplier personal data for the processing of which we need special consent, or is this not information about the supplier as a person but the company's identification?
Can we communicate/pass on the contact of a colleague (telephone number of a work cell phone, work email address...) to a third party?
Documents such as product technical specifications etc. (both in written and electronic form) contain complete data about the supplier (name, address, telephone and email contact), can we pass these on to third parties or is this a violation of the GDPR?
The telephone consultation with the ÚOOÚ was relatively simple: this concerns the processing of personal data on the basis of a contractual relationship or an employment relationship, i.e. the fulfillment of a contract or of work duties, and no special consent is required for processing of this type. But soon afterwards, on 29/05/2018, just 4 days after the GDPR entered into force, the first European court decision applying the GDPR was published, and it makes clear that it will not be so simple.
The first GDPR court decision was issued by a German court, the Regional Court in Bonn, in the dispute between ICANN and the registrar EPAG. The court in Bonn held that when registering an Internet address, ICANN cannot require redundant contact addresses for specific employees; a contact for one employee is enough, and the requirement to list additional contacts for publication (in the WHOIS register) no longer meets the principle of minimization of personal data processing. Although the decision is not final (ICANN appealed to a higher court), it nevertheless illustrates that not only German courts but also companies operating in Germany are much more vigilant when processing personal data than is the case here.
So let's take a look at the circumstances of the court decision of the Bonn Court, the original text of which can be found here.
ICANN is a non-profit company that coordinates the assignment of domain names and ensures that website names are not duplicated on the network (i.e. similar to CZ.NIC). Under an agreement between the parties, EPAG is mandated by ICANN to register second-level domains for interested parties (so-called registrants).
For each assigned domain name, ICANN requires the registrar to collect and further process not only the name and contact information of the domain name's registrant, but also 2 additional sets of contact information: for the registrant's technical contact and administrative contact. According to ICANN rules, these 3 contacts, i.e. the personal data of 3 natural persons, are to be published on the WHOIS platform. After the GDPR came into effect, however, EPAG objected that there was no legal basis for processing the personal data of registrants' technical and administrative contacts and, relying on the GDPR, informed ICANN that it would no longer process such personal data. ICANN therefore filed a motion for a preliminary injunction with the Regional Court in Bonn, requesting that the court order EPAG to continue collecting all 3 registrant contacts and to make them available to ICANN.
The court in Bonn, however, did not agree with ICANN and decided that processing personal data of the registrant's technical and administrative contacts violates Article 5(1)(b) and (c) GDPR, which establish the principles of correctness and minimization. Specifically, these provisions stipulate that personal data must be processed in relation to the data subject "correctly and in a legal and transparent manner" and must be "reasonable, relevant and limited to the necessary scope in relation to the purpose for which it is processed". For this reason, the court ruled that it must be sufficient for ICANN if only a single responsible person is published in the registry.
So what did we advise the client about the above questions?
Work contacts are also personal data, because a specific natural person can be identified through them. However, since these are the work contacts of employees, it must be borne in mind that the processing and further use of employees' personal data is related to the employee's employment relationship and to the fulfillment of the obligations arising from it, which employees must "endure" to the relevant extent. In addition, each employee has agreed to the processing and further use of personal data as part of the employment contract.
However, disclosure of personal data could be illegal if it amounted to an unauthorized disclosure of work contacts beyond what is necessary or appropriate, or if it constituted discrimination against an employee, etc. It is therefore always necessary to assess each case of disclosure of employee contacts individually according to the circumstances, and to consider whether publishing any personal data is necessary or appropriate.
The use of employee contacts is therefore of course possible and necessary, and in some cases it will be a matter of fulfilling contractual obligations, but it is good to consider the specific circumstances. Where possible or appropriate, we would rather recommend setting up anonymous contact lines and not publishing the names of specific employees.
If providing a contact is part of the supplier's fulfillment of its contractual obligations, the personal data of the supplier's employees can be processed without further special restrictions. In other cases (e.g. when these supplier employees are invited to special marketing events, etc.) it may be appropriate to request explicit consent to the processing of this personal data (e.g. on the attendance sheet). It will therefore always depend on the extent to which, and the manner in which, this personal data is used.
In general, we believe that these issues will always need to be approached with a degree of caution, especially given the risk of the huge fines that the GDPR allows to be imposed. We believe that a great deal of emphasis needs to be placed on training employees, especially those in leadership positions, so that they are aware of the principles on which decisions should be made and which principles to follow, and that in case of doubt they always consult an expert on these issues.
Mgr. Beata Sabolová LL.M., lawyer
Mgr. Jaroslav Hroza, attorney and partner