Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation - "GDPR", in English available here), entered into force on 24 May 2016 and has been directly applied in all EU Member States since 25 May 2018. The GDPR replaces, throughout the EU, the existing national rules implementing the previous data protection directive, which saw the light of day more than twenty years ago (Directive 95/46 / EC).


All business corporations and public institutions should become acquainted with the GDPR rules, set up internal processes, and create adequate documentation to avoid reputational risk and manifold sanctions that could be imposed under the previous legislation. The ten key changes under the GDPR are as follows:

1. New and broader definitions

  • Broader definitions: personal data, special categories of personal data ("sensitive data")
  • New concepts: data protection by design and by default, pseudonymisation, profiling, main establishment, representative, undertaking, binding corporate rules

2. Universal territorial application 

  • Redefinition of applicability of the regulation to effectively target controllers seated outside the EU

3. Consent to data processing

  • The GDPR defines consent to personal data processing in detail
  • Tightening of conditions for obtaining consent
  • Rules applying to minors

4. Expanding rights of data subjects

  • More and detailed rights for individuals: data portability, the right to be forgotten, the right to the first free copy of personal data, the right to restriction of personal data processing

5. Greater focus on security

  • Shifting of the responsibility for demonstrating GDPR compliance to the controller and the processor
  • Implementation of appropriate technical and organisational measures: pseudonymisation and encryption of personal data
  • Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services
  • Ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident
  • Process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
  • Responsibility for selecting a suitable supplier (personal data processor)

6. Notification of incidents

  • Obligation to notify the Office for Personal Data Protection of data breaches without undue delay, no later than 72 hours after the controller has learned about it
  • Necessity to notify data subjects, with certain exceptions

7. Records of processing activities

  • Formal notification of personal data processing to the Office for Personal Data Protection replaced by a more detailed obligation to keep internal records on personal data processing
  • Smaller businesses benefit from exception in case of low risk processing activities

8. Data protection impact assessment and prior consultation

  • Obligation to assess impact on data protection where there is an increased risk to the data subjects' rights and, in more complex cases, to consult the Office for Personal Data Protection

9. Data Protection Officer

  • Obligation of the controller or the processor to appoint a "data protection officer" within the organisation or to outsource this activity, in certain high-risk cases (in terms of the quantity or nature of the personal data processed or technologies used)

10. Huge fines similar to sanctions for breach of competition law

  • A data breach may be fined up to € 20,000,000, or up to 4% of worldwide turnover, whichever is higher


How can we assist you?


Effectively ensuring compliance with such a complex regulation as the GDPR is undoubtedly very challenging. However, this is not the first challenge of its kind that our law firm has faced. Given our long-term experience, we will be fully at your disposal not only in technical but also in methodological terms. Our key experts are ready to provide you with maximum support in this difficult task.


In connection with THE GDPR we are ready to:

  • Ensure a personal data processing audit in your company (carry out a gap analysis) and compile a list of recommended further steps
  • Help you set up internal data processing processes
  • Help you assemble appropriate internal or contractual documentation, i.e. review or create:

                                – data protection directives, notices and guidelines   

                                – all documentation relating to a data subject

                                – data processing contracts

  • Advise you on adequate security of personal data
  • Help you with transferring personal data abroad
  • Cooperate with you to set up response mechanisms for potential data breaches, be part of your response team
  • Conduct training of staff who handle personal data

Ensuring compliance with the GDPR is only the first step – it is equally important to maintain this compliance with reasonable effort and funds spent. Our experts are ready to fully support you in complying with GDPR rules and related areas:

  • Monitoring of the development of legislation, case law and interpretative practice, and recommending changes
  • Providing training and e-learning
  • Supporting you in fulfilling specific obligations (e.g. drafting a DPIA, application of data subject rights, modification of procedures and documentation of changes in data processing)
  • Data breach - violation of data security
  • Support provided during supervisory activities carried out by the Office for Personal Data Protection
  • Representation in proceedings before the Office for Personal Data Protection, or before courts


We have set up a comprehensive advisory service for you to outsource to us the role of data protection officers (DPO). We have long-term experience in advising in the areas of privacy and information technology, so we have decided to offer DPO services and other long-term support in GDPR compliance in cooperation with the newly established company FairData Professionals a.s., which has full access to the know-how and experience of our law firm while maintaining independence of service.

We offer in particular the following services through FairData Professionals a.s.:

  • Outsourcing of DPO services for controllers and processors who must designate DPOs by law or voluntarily decide to designate a DPO
  • Professional support to DPOs designated from among client’s employees
  • Local support to foreign DPOs (appointed at the group level, for example)
  • Acting as a quasi-DPO, an unofficial DPO, who provides continuous support and monitors the compliance of the organisation with the GDPR
  • Acting as an EU representative pursuant to Article 27 of the GDPR for data controllers or processors not established but having relevant activities in the European Union
Further information is available at
Key Contacts
more ...
Copyright © 2011 - 2019 HAVEL & PARTNERS s.r.o. | website by Red Knight s.r.o.