On 25 May 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (referred to as “GDPR“) entered into force. The GDPR is a Regulation and therefore directly applicable, just like Czech laws. Currently, the primary source of personal data protection is the GDPR.
The original Protection of personal data Act (Act No. 101/2000 Coll.) was replaced by Act No. 110/2019 Coll., on personal data processing. However, this Act no longer represents a complex regulation of this issue, it regulates only some partial and technical aspects of personal data.
Definition of key terms
Personal data
Personal data is information that makes it possible to identify a specific natural person. It can be one piece of data that enables the identification of a natural person (e.g. birth number) but also a combination of data that enables this identification (e.g. name and date of birth, name and photo of a person, e-mail address in the form name.surname@company.cz and the person’s permanent residence or also the person’s workplace and date of birth).
The most common personal data include:
- Name
- Address/Permanent residence
- Gender
- Age
- Birthdate
- Image of the person (e.g. photo in the person’s profile in the information system)
- Video recording or audio recording of the lecture
- E-mail, but also IP address
- Education data (e.g. academic degree, university)
The natural or legal person who decides on the processing of personal data, determines the purposes and means of this processing and is primarily responsible for the processing is called the controller. The person whose personal data is processed is then designated by law as the data subject.
Special categories of personal data
Special categories of personal data (formerly known as sensitive data) are a specific subcategory of personal data. A defining feature is the ability of this data to harm the data subject or to cause discrimination against him or her (e.g. data relating to sexual or political orientation, health status, membership in trade unions or political parties, racial origin, etc.).
The GDPR prohibits the processing of a special categories of personal data. However, there are exceptions to this general prohibition:
- The main exception for processing is the explicit consent of the data subject for one or more purposes. The consent of the data subject is therefore a sufficient reason for the processing of this sensitive personal data. Consent to the processing of special category of personal data is assessed more strictly than for ordinary personal data – the emphasis here is primarily on the word “explicitly“. While for simple consent it is not necessary to give consent in written form, in the case of special categories of personal data, written consent is required.
- The exercise of special rights of the controller or data subject in the field of labour law and law in the field of social security and social protection.
- If the processing is necessary to protect the vital interests of the data subject.
- The processing concerns personal data apparently previously published by the data subject.
Processing of personal data
Any operation or set of operations with personal data or sets of personal data is called Personal data processing. Personal data processing is defined very broadly and includes (among others):
- Collection of personal data
- Recording
- Arrangement
- Storage
- Adaptation or modification
- Searching
- Viewing
- Sharing or any other disclosure
- Erasure or destruction
The processing of personal data can only be carried out on the condition that the data controller has a relevant legal reason for doing so. Without relevant legal reason, processing is illegal and may result in a fine.
Reasons for processing personal data
The relevant reasons for the processing of personal data, which are customary on academic environment, will primarily include:
- Fulfillment of the contract obligation – for example the processing of personal data during scientific research based on the contract – in this case, it is the processing of personal data of the contractual counterparty.
- Fulfilling the administrator’s legal obligations – e.g. in human resources and payroll areas, in matters of asset management.
- Fulfilling the tasks of a public authority – processing personal data of students in situations in which the university acts as a public authority, e.g. awarding academic degrees in accordance with Act No. 111/1998 Coll., on universities.
- If none of the reasons above apply, it is possible to process personal data on the basis of consent to the processing of personal data.
Consent to the processing of personal data
In case the processing on another legal reason is not possible, it is allowed to process personal data based on the consent of the data subject. The GDPR has considerably tightened the requirements for this legal reason for processing. Currently, it is not possible to automatically require consent if the processing can be based on another reason.
If consent to processing is provided in writing, the request for its granting must be stated separately, i.e. on a separate sheet of paper. The request must not be part of other arrangements, it must stand alone.
Consent must be:
- Freely given – provided voluntarily and without pressure from the administrator.
- Specific – processing purposes are clearly defined.
- Informed – when giving consent, the data subject will receive information about how his personal data will be processed, by which administrator and how he can revoke his consent.
- Unequivocal – unequivocally expressed will of the data subject with the processing of personal data, e.g. “by continuing, you consent to the processing of personal data” is not enough; consent must be explicitly expressed – the wording “I agree to the processing of personal data”.
Scientific activity and processing of personal data
Considering personal data protection, academic area is given substantial advantage over other areas. Necessity for scientific purposes is thus a sufficient reason, for example, for further processing of personal data (i.e. different processing than for which the personal data were originally collected). For reasons of scientific research, it is also possible to store personal data longer than absolutely necessary.
Academic activity also has privileges in terms of the processing of a special category of personal data. If their processing is necessary for the purposes of scientific research, it is also permitted.
However, in the academic field, it is also necessary to respect the rule that consent to processing can only be presented to the data subject when it is not possible to rely on another legal reason for the processing, such as, for example, the fulfillment of the administrator’s legal obligations.
Anonymization and pseudonymization
It is possible to avoid the rules for working with personal data by changing the data so that they no longer allow the identification of a specific person. In that case, these data no longer fulfill the definition of personal data and it is possible to handle this data regardless of the legal rules for handling personal data. The data can be changed in the form of anonymization and pseudonymization.
Anonymization – irreversible modification of data in such a way that these data no longer enable the identification of a specific person.
Data anonymization can be achieved using several techniques:
- Randomization – data is replaced by random data. The data can be replaced by another random data (e.g. the name Libor to the name Kamil), or replaced by a meaningless code (e.g. s6g5rj4s6 or xxxxxx).
- Deletion of data – e.g. blacking out. However, this must be irreversible, i.e. done in a way that does not allow the original data to be discovered again. In the case of deleting data, it is also possible to delete the free space that remains after this data. The length of the omitted terms can provide some clue as to which term it is (e.g. an unusually long / short name).
- Generalization – generalization of the given data (e.g. for a specific date of birth of 15/03/1974, it is possible to generalize the data to March 1974, mark it only as 1974, or even more generally mark it as the 1970s); it is also possible to mark it with an interval (e.g. age between 20-30 years, born between 1990-2000, etc.).
- Grouping of data into larger groups – for example, from the specific data of two hundred specific people in Prague suffering from myopia, only the generalized data Prague – 200 is created. The identification of low-sighted people is not possible anymore.
Pseudonymization – a technique in which data is modified in such a way that, without the use of additional information, it is not possible to link this data to a concrete natural person.
For example, a procedure where specific people are assigned codes. These codes can be deciphered, but only with the help of a document where the codes are explained. Limited number of people have access to this document, as it is kept separate. There are also security measures to prevent the leakage of data from this document.Pseudonymization uses similar techniques to anonymization, but it is not full anonymization.
Attention! Pseudonymized data is still considered personal data and the risk of unauthorized processing must be excluded!
Related legislation:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR )
- Act No. 110/2019 Coll., on personal data processing