The Czech Data Protection Authority inspected a company’s data processing activities and identified discrepancies between the information presented in privacy policies and the reality of the situation. In sections devoted to providing information on recipients of personal data, the company published a list of processors, but by reviewing the respective contracts between the company and those alleged processors, the Data Protection Authority discovered that they were actually controllers.
In spite of the fact that the penalty was more a symbolic gesture than anything else, it shows the increasing tendency of the Data Protection Authority not to tolerate even minor infringements. Businesses should therefore, pay attention to all of the GDPR requirements, including the transparency principle, which, if observed properly, should serve as a showcase of up-to-date and accurate data processing activities. This is no less true for employment-related data processing, which is the sign of an honest relationship between an employer and its workers.
Key Action Points for Human Resources and In-house Counsel