The European Union’s new General Data Protection Regulation (“GDPR”, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) is hailed as a revolutionary change in the field of personal data protection. The Technology Agency of the Czech Republic (“TA CR”) has been implementing GDPR since mid-2017. Our Legal Department and Security Director have been coordinating with individual departments and units to ensure compliance with the obligations related to personal data protection, retention and use.
A summary of the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”) at the Technology Agency of the Czech Republic (“TA CR”):

The TA CR Office has been implementing GDPR since mid-2017. The Legal Department and the Security Director, and subsequently the individual departments and units, analysed how personal data is collected, retained and used. To bring its processing practices into line with GDPR, the TA CR Office drew on all available sources: in addition to the Regulation itself, it analysed in detail and adopted the Article 29 Working Party Guidelines (“WP29”), which, although not binding, set out how EU bodies expect GDPR to be interpreted. Another source was the Practical Commentary on GDPR (NULÍČEK, M., DONÁT, J., NONNEMANN, F., LICHNOVSKÝ, B., TOMÍŠEK, J. GDPR. General Data Protection Regulation. Practical Commentary. Praha: Wolters Kluwer ČR, 2017. 544 pages), used in particular for the consent of data subjects to personal data processing. Selected employees also attended GDPR Academy seminars and a lecture organised by the Faculty of Law of Charles University in Prague. The most important preparatory step was the analysis of the types of personal data held by the TA CR and the identification of the legal ground (Article 6(1) GDPR) on which the TA CR processes each of them.

A) The first legal ground is a statutory licence, i.e. a legal obligation to process personal data (Article 6(1)(c) GDPR). The major part of this is personal data that the TA CR is authorised to process under Act 130/2002 Coll., on support for research, experimental development and innovation: the Act imposes a number of obligations on the TA CR, and meeting them requires personal data on projects and related activities (Section 26 of the Act governs data retention, including the retention of data on R&D&I calls for proposals).

B) Experts and other evaluators are an exception: the TA CR has no statutory licence to retain and process their personal data, so it processes that data on the basis of its legitimate interest (Article 6(1)(f) GDPR). The same ground applies to all users of the ISTA system. The legitimate interest is that the ISTA system, which holds the evaluator database, is used to administer the research, experimental development and innovation projects supported by the TA CR and to carry out the legal steps connected with project submission, evaluation and administration; it is therefore necessary to identify system users, both recipients and evaluators. To meet the requirements for impartial and professional evaluation set out in Act 130/2002 Coll., the TA CR must also identify evaluators when they are entered into the database. The ISTA system will display information on the processing and the reasons for it. It has security controls designed to prevent unauthorised use of data subjects’ personal data and it logs all activities performed in the system, including the display of specific information. The legitimate-interest ground may also apply to a TA CR activity that is required by law or another regulation which does not specify the details of the process and circumstances of the activity and prescribes, for example, only its result. An example is the monitoring of access to the TA CR building: because of the information processed inside, the TA CR has a legitimate interest in knowing who enters the building. There are also plans to apply pseudonymisation, as introduced by the Regulation, which may be used to develop the existing system of anonymisation of experts.

C) The TA CR has also prepared a personal data processing consent form (consent being the ground under Article 6(1)(a) GDPR) containing all the particulars required by GDPR; it is available to all TA CR personnel as a general template that must be adapted to each particular case. In preparing it we analysed the personal data and the agenda the form will be used for. The consent form is used where the agenda and the related data collection fall outside every other legal ground. For example, in the INKA innovation capacity mapping project the TA CR retains the name and contact details of a legal entity’s contact person; that person either consents to the processing or the file on the legal entity contains no such contact details. The TA CR informs data subjects who have given consent of the following rights:
- The existence of the right to request from the controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability.
- The existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
- The existence of the right to lodge a complaint with a supervisory authority.
- The right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, the data controller’s notification obligation regarding rectification or erasure of personal data or restriction of processing, and the data subject’s right not to be subject to any decision based solely on automated processing.
All of the above rights also apply to data that the TA CR collected and processed before the GDPR effective date and continues to collect and process on the basis of the data subject’s consent afterwards. These rights are exercised by contacting the Data Protection Officer named below.

D) Another legal ground is the processing of personal data arising from a contractual relationship (Article 6(1)(b) GDPR); such a relationship naturally requires identifying the person contracting with the TA CR, so all personal data serving that purpose falls under this ground. In this respect the Legal Department requires that natural persons be identified by the combination of first name, surname, date of birth and address of residence rather than by their personal identification number (birth number). This ground applies to the personal data of experts and evaluators once they have concluded a framework agreement with the TA CR.

The Security Director, in cooperation with the Legal Department, has conducted an analysis producing an extensive table that records, for each item of personal data processed by the TA CR, the following categories:
- the place where the personal data is processed,
- the data controller, its name and legal position,
- the software used and its administrator,
- cryptographic protection,
- the personal data processed and the type of information it represents,
- the persons with access to the personal data,
- the legal ground for processing,
- the internal rules that apply,
- the role of the TA CR (controller or processor),
- the retention period,
- whether consent is required, whether it has been obtained and whether it can be withdrawn,
- the physical protection of the personal data, and
- whether the personal data is transferred outside the EU.

This is followed by a Risk Analysis section, which assesses the scope of potential misuse according to the TA CR Risk Analysis. Thanks to the cooperation of other departments and units of the TA CR Office, the table already contains most of the required information, and it has been discussed by the Security Director and the Internal Auditor. In accordance with GDPR, the Data Protection Officer maintains records of, and monitors, the TA CR activities that involve personal data, in order to meet the statutory obligations on record-keeping (the records of processing activities required by Article 30) and data protection.
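The pseudonymisation plan mentioned under B) and the ISTA activity log are the two technical points on this page, so here is an added illustration of what pseudonymisation in the sense of Article 4(5) GDPR looks like for an evaluator register and how it differs from anonymisation. This is example code written for this summary, not TA CR's code and not a description of the ISTA system; the register fields, the HMAC-based pseudonym, the separate key custodian, the fictitious evaluators and the audit-record format are all assumptions.

```python
"""Pseudonymising an evaluator register with a separately held key.

Added illustration; the register fields, the custodian split and the audit
record format are assumptions, not a description of the TA CR ISTA system.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Evaluator:
    """One row of a hypothetical evaluator register (direct identifiers included)."""
    evaluator_id: str        # internal identifier, e.g. "E-0042"
    name: str
    email: str
    field_of_expertise: str  # the attribute the evaluation workflow actually needs


class KeyCustodian:
    """Holds the 'additional information' of GDPR Art. 4(5): the HMAC key and the
    pseudonym -> evaluator table. It is meant to run in a system separate from the
    working dataset, and it records every re-identification (every display of a
    specific person's identity) in an audit log."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self._key: Optional[bytes] = key if key is not None else secrets.token_bytes(32)
        self._table: Dict[str, Evaluator] = {}
        self.audit_log: List[dict] = []

    def pseudonym(self, ev: Evaluator) -> str:
        """Deterministic keyed hash: the same expert always gets the same pseudonym
        (so evaluations can be linked), but without the key nobody can recompute it
        from a guessed identifier, which an unkeyed SHA-256 would allow."""
        if self._key is None:
            raise RuntimeError("key destroyed: register has been anonymised")
        tag = hmac.new(self._key, ev.evaluator_id.encode("utf-8"), hashlib.sha256)
        p = "EV-" + tag.hexdigest()[:32]
        self._table[p] = ev
        return p

    def reidentify(self, pseudonym: str, actor: str, reason: str) -> Evaluator:
        """Reverse a pseudonym via the table (HMAC itself is one-way); logged."""
        ev = self._table.get(pseudonym)
        if ev is None:
            raise LookupError(f"no mapping for {pseudonym}")
        self.audit_log.append({
            "when": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "pseudonym": pseudonym,
            "reason": reason,
        })
        return ev

    def anonymise(self) -> None:
        """Destroy the key and the table. The working dataset is unchanged, but it
        is no longer pseudonymous personal data: nobody can re-link it to a person."""
        self._key = None
        self._table.clear()


def pseudonymise(register: List[Evaluator], custodian: KeyCustodian) -> List[dict]:
    """Build the working dataset handed to the evaluation workflow: pseudonym plus
    the attributes the workflow needs, with name and e-mail stripped."""
    return [
        {"pseudonym": custodian.pseudonym(ev), "field_of_expertise": ev.field_of_expertise}
        for ev in register
    ]


# Constructed sample register (fictitious people, not real TA CR data).
SAMPLE_REGISTER = [
    Evaluator("E-0001", "Alena Novak", "alena@example.org", "materials science"),
    Evaluator("E-0002", "Petr Svoboda", "petr@example.org", "software engineering"),
]


def demo() -> dict:
    """Run the full cycle and return the observations the lead-in describes."""
    custodian = KeyCustodian()
    working = pseudonymise(SAMPLE_REGISTER, custodian)
    again = pseudonymise(SAMPLE_REGISTER, custodian)
    linked = [r["pseudonym"] for r in working] == [r["pseudonym"] for r in again]
    recovered = custodian.reidentify(working[0]["pseudonym"], actor="dpo", reason="access request")
    custodian.anonymise()
    try:
        custodian.reidentify(working[0]["pseudonym"], actor="dpo", reason="second request")
        reversible_after = True
    except LookupError:
        reversible_after = False
    return {
        "identifiers_stripped": all(set(r) == {"pseudonym", "field_of_expertise"} for r in working),
        "pseudonyms_linkable": linked,
        "recovered_email": recovered.email,
        "audit_entries": len(custodian.audit_log),
        "reversible_after_anonymise": reversible_after,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the split is that the working dataset used for evaluation carries no direct identifiers, yet remains personal data as long as the custodian can reverse it; the custodian is where access control, logging and the data subject's access requests (the rights listed under C)) are enforced. Destroying the key and the mapping is what turns the same records into anonymous data.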
The Data Protection Officer’s contact details are: dpo@tacr.cz (Jana Duchková, Jaroslav Šuchman), FairData Professionals a.s., Na Florenci 1332/23, 110 00 Praha 1
It is essential for the TA CR to categorise the personal data being processed and identify the individual legal grounds allowing the TA CR to process such personal data.