Regulation - GDPR


The General Data Protection Regulation (GDPR) has been approved and will enter into effect on May 25, 2018. GDPR will replace the Act no. 122/2013 Z.z. on Privacy policy, which is to be deleted. Since it is a regulation, it is thus immediately enforceable.

Such enhanced protection however, goes hand in hand with numerous new obligations for companies processing personal data.

Although GDPR will have the greatest impact on large companies processing large amounts of personal data such as banks, pharmaceuticals, telecommunications and energy companies, a significant amount of new obligations will also affect small and medium-sized businesses such as e-shops or marketing companies. This is because GDPR will apply to anyone who processes personal data. It can be concluded that today there is hardly any company that does not work with personal data. If you have employees or customers, it is very likely that you process personal information.


GDPR recognizes following personal data:

  • name and surname

  • the photo

  • e-mail address

  • telephone number

  • account number

  • fingerprint

  • IP address

  • localization data

  • voice

The GDPR will concern both operators and intermediaries

Although the Personal Data Protection Act applies to companies that process personal data on their behalf - operators (ie they process "own" personal data such as company employees or own customers) as well as companies processing data for other companies - Intermediaries (e.g., cloud storage companies, companies that perform wage schedules or outsourced call centers for third parties).


Obligation to report the incident to the regulator

In accordance with the Personal Data Protection Act, companies processing personal data do not currently have the obligation to report incidents of personal data breach. GDPR however introduces such an obligation. The obligation to report incidents will involve almost any violation of personal data (eg, the exchange of envelopes for two different persons). Such information shall be announced to the Authority without undue delay, but no longer than 72 hours from the moment the incident occurred.


By May 2018, each company should develop an internal plan for reporting and subsequently addressing incidents involving privacy violations.


Not only lower but also the upper-executive bodies of companies (such as board of directors or associates) should address the compliance with GDPR. Fines for GDPR violations are as follows:

  • A fine of upto 20 milionov EUR or 4% of the worldwide annual turnover in the previous financial year in case of a company, whichever sum is higher. Such a fine will be imposed, for example, in the following cases:

    • when consent processing conditions have not been met, or

    • when the principles of data transfer outside the European Union were violated.

  • A fine of upto 10 milionov EUR or 2% of the worldwide annual turnover in the previous financial year in case of a company, whichever sum is higher. Such a fine will be imposed, for example, in the following cases:

    • incomplete agreement with an intermediary who does not meet the conditions under GDPR,

      For example, tracking a person's behavior through tracking or profiling (for the purposes of taking a decision about that person or for analyzing or anticipating personal preferences, behavior and attitudes of that person), respectively outside the European Economic Area (EEA) countries.
    • failure to ensure adequate security of the processed personal data (with e.g. encryption among other things),

    • failure to notify personal data breach,

    • failure to name the responsible person in those cases where GDPR requires it.


Companies assuming that GDPR would remove the requirement to enter into multilateral contracts prior to any transfer of data outside the EU would find that GDPR did not change that bureaucracy.

Of course, it is still true that the transmission of personal data should be understood as a relatively wide range of situations.

These include not only a situation where an EU official sends a PDF document containing personal data to a colleague in Asia, but also if a US person gets access (e.g. through a password) to employee data or to EU clients (for example through a web portal).

Personal data may also be transferred to recipients in third countries outside the EU/EEA. The transmission conditions vary according to whether or not the receiving country to which the personal data are transmitted guarantees an adequate level of protection.


Encryption solutions by Salutis Systems, a.s.

You will meet a large number of GDPR requirements by encrypting personal data in your systems! Our solutions are professional, easy to deploy and unbeatably-encrypt encrypt data transfer within the internal corporate network, USB keys, files, hard drives, removable media and corporate communication.

Contact us for more information