{"id":117,"date":"2026-01-20T00:00:00","date_gmt":"2026-01-19T23:00:00","guid":{"rendered":"https:\/\/helloblog.io\/cs\/gdpr-checklist-pro-majitele-webu\/"},"modified":"2026-01-20T00:00:00","modified_gmt":"2026-01-19T23:00:00","slug":"gdpr-checklist-pro-majitele-webu","status":"publish","type":"post","link":"https:\/\/helloblog.io\/cs\/gdpr-checklist-pro-majitele-webu\/","title":{"rendered":"GDPR checklist pro majitele web\u016f: praktick\u00fd a kompletn\u00ed tah\u00e1k (v\u010detn\u011b WordPressu)"},"content":{"rendered":"\n

GDPR (General Data Protection Regulation) pat\u0159\u00ed mezi nejtvrd\u0161\u00ed a z\u00e1rove\u0148 nejucelen\u011bj\u0161\u00ed pravidla ochrany soukrom\u00ed na sv\u011bt\u011b. A nen\u00ed to t\u00e9ma jen pro korpor\u00e1ty: i mal\u00fd blog, e\u2011shop nebo SaaS projekt \u0159e\u0161\u00ed osobn\u00ed \u00fadaje (t\u0159eba e\u2011mail, IP adresu, faktura\u010dn\u00ed \u00fadaje, identifik\u00e1tory cookies). Jakmile zpracov\u00e1v\u00e1\u0161 osobn\u00ed \u00fadaje osob v EU, GDPR se t\u011b t\u00fdk\u00e1 \u2013 i kdy\u017e firmu provozuje\u0161 mimo EU.<\/p>\n\n\n\n

Riziko nen\u00ed jen teoretick\u00e9. Za poru\u0161en\u00ed pravidel mohou padat pokuty a\u017e do v\u00fd\u0161e 20 milion\u016f EUR nebo 4 % celosv\u011btov\u00e9ho ro\u010dn\u00edho obratu<\/strong> (podle toho, co je vy\u0161\u0161\u00ed). Vedle pokut mohou \u00fa\u0159ady na\u0159\u00eddit omezen\u00ed zpracov\u00e1n\u00ed, v\u00fdmaz dat nebo i z\u00e1kaz ur\u010dit\u00fdch operac\u00ed s daty.<\/p>\n\n\n\n

\n\n

Pozn\u00e1mka k odpov\u011bdnosti<\/h4>\n\n\n

Tenhle \u010dl\u00e1nek je praktick\u00fd checklist a pr\u016fvodce implementac\u00ed \u2013 nen\u00ed to pr\u00e1vn\u00ed poradenstv\u00ed. U slo\u017eit\u011bj\u0161\u00edch p\u0159\u00edpad\u016f (profilov\u00e1n\u00ed, citliv\u00e1 data, mezin\u00e1rodn\u00ed p\u0159enosy) d\u00e1v\u00e1 smysl konzultace s pr\u00e1vn\u00edkem nebo specialistou na privacy.<\/p>\n\n<\/div>\n\n\n\n

Co p\u0159esn\u011b je GDPR (a kdy se t\u011b t\u00fdk\u00e1)<\/h2>\n\n\n\n

GDPR<\/strong> je evropsk\u00e9 na\u0159\u00edzen\u00ed o ochran\u011b osobn\u00edch \u00fadaj\u016f \u00fa\u010dinn\u00e9 od 25. kv\u011btna 2018<\/strong>. Definuje pravidla pro to, jak organizace osobn\u00ed \u00fadaje sb\u00edraj\u00ed, pou\u017e\u00edvaj\u00ed, ukl\u00e1daj\u00ed a sd\u00edl\u00ed. Plat\u00ed nejen pro subjekty usazen\u00e9 v EU, ale i pro ty mimo EU, pokud zpracov\u00e1vaj\u00ed osobn\u00ed \u00fadaje rezident\u016f EU.<\/p>\n\n\n\n

Nejd\u0159\u00edv si ujasni roli: Controller vs. Processor<\/h2>\n\n\n\n

V praxi se hodn\u011b v\u011bc\u00ed l\u00e1me na tom, jestli jsi Data Controller<\/strong> (spr\u00e1vce) nebo Data Processor<\/strong> (zpracovatel). A klidn\u011b m\u016f\u017ee\u0161 b\u00fdt oboj\u00ed \u2013 typicky u SaaS, kdy pro vlastn\u00ed marketing vystupuje\u0161 jako spr\u00e1vce, ale pro z\u00e1kazn\u00edka zpracov\u00e1v\u00e1\u0161 data jako zpracovatel.<\/p>\n\n\n\n

    \n\n
  • Data Controllers (spr\u00e1vci):<\/strong> ur\u010duj\u00ed, pro\u010d<\/em> a jak<\/em> se osobn\u00ed \u00fadaje zpracov\u00e1vaj\u00ed. Nesou hlavn\u00ed odpov\u011bdnost za soulad s GDPR.<\/li>\n\n\n
  • Data Processors (zpracovatel\u00e9):<\/strong> t\u0159et\u00ed strany, kter\u00e9 zpracov\u00e1vaj\u00ed data pro spr\u00e1vce (nap\u0159. hosting, e\u2011mailing, analytika, helpdesk). Mus\u00ed m\u00edt odpov\u00eddaj\u00edc\u00ed technick\u00e1 a organiza\u010dn\u00ed opat\u0159en\u00ed.<\/li>\n\n\n
  • Data Subjects (subjekty \u00fadaj\u016f):<\/strong> fyzick\u00e9 osoby, jejich\u017e \u00fadaje zpracov\u00e1v\u00e1\u0161. GDPR chr\u00e1n\u00ed jejich pr\u00e1va.<\/li>\n\n<\/ul>\n\n\n\n

    7 princip\u016f GDPR, kter\u00e9 se propisuj\u00ed do v\u0161eho<\/h2>\n\n\n\n
      \n\n
    1. Z\u00e1konnost, korektnost a transparentnost:<\/strong> zpracov\u00e1vej leg\u00e1ln\u011b a srozumiteln\u011b vysv\u011btli, co s daty d\u011bl\u00e1\u0161.<\/li>\n\n\n
    2. \u00da\u010delov\u00e9 omezen\u00ed (purpose limitation):<\/strong> sb\u00edrej data jen pro konkr\u00e9tn\u00ed legitimn\u00ed \u00fa\u010dely.<\/li>\n\n\n
    3. Minimalizace dat:<\/strong> ber jen minimum, kter\u00e9 opravdu pot\u0159ebuje\u0161.<\/li>\n\n\n
    4. P\u0159esnost:<\/strong> udr\u017euj data aktu\u00e1ln\u00ed a opraviteln\u00e9.<\/li>\n\n\n
    5. Omezen\u00ed ulo\u017een\u00ed (storage limitation):<\/strong> neukl\u00e1dej d\u00e9le, ne\u017e je nutn\u00e9.<\/li>\n\n\n
    6. Integrita a d\u016fv\u011brnost:<\/strong> chra\u0148 data p\u0159ed neopr\u00e1vn\u011bn\u00fdm p\u0159\u00edstupem vhodn\u00fdmi opat\u0159en\u00edmi.<\/li>\n\n\n
    7. Odpov\u011bdnost (accountability):<\/strong> mus\u00ed\u0161 b\u00fdt schopn\u00fd dolo\u017eit, \u017ee pravidla dodr\u017euje\u0161.<\/li>\n\n<\/ol>\n\n\n\n

      Kompletn\u00ed GDPR compliance checklist (pro weby a online slu\u017eby)<\/h2>\n\n\n\n

      N\u00ed\u017ee je checklist rozd\u011blen\u00fd do oblast\u00ed. U ka\u017ed\u00e9ho bodu uv\u00e1d\u00edm, na koho typicky dopad\u00e1 (Data Controller<\/strong>, Data Processor<\/strong>) a p\u0159id\u00e1v\u00e1m p\u0159esn\u00e9 odkazy na \u010dl\u00e1nky GDPR, proto\u017ee p\u0159i auditu je to \u010dasto to prvn\u00ed, co se \u0159e\u0161\u00ed.<\/p>\n\n\n\n

      Data<\/h3>\n\n\n\n

      1) M\u00e1\u0161 seznam v\u0161ech typ\u016f osobn\u00edch \u00fadaj\u016f, jejich zdroj, sd\u00edlen\u00ed, \u00fa\u010del a dobu uchov\u00e1n\u00ed<\/h4>\n\n\n\n

      Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

      Jde o praktick\u00fd invent\u00e1\u0159 toho, jak\u00e9 \u201esloupce\u201c osobn\u00edch \u00fadaj\u016f dr\u017e\u00ed\u0161 (nap\u0159. jm\u00e9no, adresa, e\u2011mail, rodn\u00e9 \u010d\u00edslo, identifik\u00e1tory za\u0159\u00edzen\u00ed), odkud se berou, komu je p\u0159ed\u00e1v\u00e1\u0161, pro\u010d je pot\u0159ebuje\u0161 a jak dlouho je dr\u017e\u00ed\u0161.<\/p>\n\n\n\n

      Reference:<\/strong> GDPR Article 30<\/strong> \u2013 Records of processing activities<\/p>\n\n\n\n

      2) M\u00e1\u0161 seznam m\u00edst, kde osobn\u00ed \u00fadaje ukl\u00e1d\u00e1\u0161, a popsan\u00e9 datov\u00e9 toky<\/h4>\n\n\n\n

      Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

      Nejde jen o datab\u00e1ze (t\u0159eba MySQL), ale i o offline \u00falo\u017ei\u0161t\u011b (pap\u00edr, exporty, lok\u00e1ln\u00ed soubory). D\u016fle\u017eit\u00e9 jsou i vazby: odkud kam data te\u010dou (web \u2192 CRM \u2192 e\u2011mailing \u2192 \u00fa\u010detnictv\u00ed atd.).<\/p>\n\n\n\n

      Reference:<\/strong> GDPR Article 30<\/strong> \u2013 Records of processing activities<\/p>\n\n\n\n

      3) M\u00e1\u0161 ve\u0159ejn\u011b dostupn\u00e9 Privacy Policy, kter\u00e9 popisuje procesy kolem osobn\u00edch \u00fadaj\u016f<\/h4>\n\n\n\n

      Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

      Privacy Policy by m\u011blo pokr\u00fdvat, jak data zpracov\u00e1v\u00e1\u0161, a ide\u00e1ln\u011b obsahovat (nebo odkazovat na) typy osobn\u00edch \u00fadaj\u016f, kter\u00e9 dr\u017e\u00ed\u0161, a kde se nach\u00e1z\u00ed.<\/p>\n\n\n\n

      Reference:<\/strong> GDPR Article 30<\/strong> \u2013 Records of processing activities<\/p>\n\n\n\n

      4) V Privacy Policy uv\u00e1d\u00ed\u0161 pr\u00e1vn\u00ed titul (lawful basis), pro\u010d data zpracov\u00e1v\u00e1\u0161<\/h4>\n\n\n\n

      Plat\u00ed pro: Data Controller<\/em><\/p>\n\n\n\n

      Mus\u00ed b\u00fdt jasn\u00e9, na jak\u00e9m pr\u00e1vn\u00edm z\u00e1klad\u011b data zpracov\u00e1v\u00e1\u0161 \u2013 nap\u0159\u00edklad pln\u011bn\u00ed smlouvy.<\/p>\n\n\n\n

      Reference:<\/strong> GDPR Article 6<\/strong> \u2013 Lawfulness of processing<\/p>\n\n\n\n

      Accountability & management<\/h3>\n\n\n\n

      5) M\u00e1\u0161 jmenovan\u00e9ho Data Protection Officer (DPO), pokud je to povinn\u00e9<\/h4>\n\n\n\n

      Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

      DPO (pov\u011b\u0159enec pro ochranu osobn\u00edch \u00fadaj\u016f) je povinn\u00fd jen ve t\u0159ech situac\u00edch:<\/p>\n\n\n\n

        \n\n
      1. Zpracov\u00e1n\u00ed prov\u00e1d\u00ed org\u00e1n ve\u0159ejn\u00e9 moci nebo ve\u0159ejn\u00fd subjekt (mimo soudy, pokud jednaj\u00ed v soudn\u00ed pravomoci).<\/li>\n\n\n
      2. Hlavn\u00ed \u010dinnosti vy\u017eaduj\u00ed pravideln\u00e9 a systematick\u00e9 monitorov\u00e1n\u00ed subjekt\u016f \u00fadaj\u016f ve velk\u00e9m rozsahu (dle povahy\/rozsahu\/\u00fa\u010delu).<\/li>\n\n\n
      3. Hlavn\u00ed \u010dinnosti spo\u010d\u00edvaj\u00ed ve zpracov\u00e1n\u00ed ve velk\u00e9m rozsahu zvl\u00e1\u0161tn\u00edch kategori\u00ed \u00fadaj\u016f (citliv\u00e1 data) dle Article 9<\/strong> a osobn\u00edch \u00fadaj\u016f o odsouzen\u00edch a trestn\u00fdch \u010dinech dle Article 10<\/strong>.<\/li>\n\n<\/ol>\n\n\n\n

        Pokud DPO pot\u0159ebuje\u0161, m\u011bl by m\u00edt znalost GDPR pravidel i intern\u00edch proces\u016f pr\u00e1ce s osobn\u00edmi \u00fadaji.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 37<\/strong> \u2013 Designation of the data protection officer<\/p>\n\n\n\n

        6) Zvy\u0161uje\u0161 pov\u011bdom\u00ed u decision maker\u016f o GDPR pravidlech<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

        Kl\u00ed\u010dov\u00ed lid\u00e9 (v\u010detn\u011b t\u011bch, kdo rozhoduj\u00ed o produktech, marketingu a n\u00e1kupech n\u00e1stroj\u016f) mus\u00ed m\u00edt aktu\u00e1ln\u00ed p\u0159ehled o pravidlech ochrany dat.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 25<\/strong> \u2013 Data protection by design and by default<\/p>\n\n\n\n

        7) Technick\u00e1 bezpe\u010dnost je aktu\u00e1ln\u00ed<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

        U SaaS typicky pom\u00e1h\u00e1 jet podle security checklist\u016f, aby byla implementovan\u00e1 odpov\u00eddaj\u00edc\u00ed technick\u00e1 opat\u0159en\u00ed.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 25<\/strong> \u2013 Data protection by design and by default<\/p>\n\n\n\n

        8) \u0160kol\u00ed\u0161 zam\u011bstnance (data protection awareness)<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Processor<\/em><\/p>\n\n\n\n

        Hodn\u011b incident\u016f vznik\u00e1 \u201ep\u0159es \u010dlov\u011bka\u201c \u2013 n\u011bkdo s p\u0159\u00edstupem do intern\u00edch syst\u00e9m\u016f nev\u011bdomky pom\u016f\u017ee \u00fato\u010dn\u00edkovi. \u0160kolen\u00ed a intern\u00ed postupy jsou sou\u010d\u00e1st ochrany.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 25<\/strong> \u2013 Data protection by design and by default<\/p>\n\n\n\n

        9) M\u00e1\u0161 seznam sub\u2011processors a zmi\u0148uje\u0161 je v Privacy Policy<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Processor<\/em><\/p>\n\n\n\n

        Pokud vyu\u017e\u00edv\u00e1\u0161 sub\u2011processory (dal\u0161\u00ed dodavatele, kte\u0159\u00ed pro tebe zpracov\u00e1vaj\u00ed data), mus\u00ed o tom z\u00e1kazn\u00edci v\u011bd\u011bt a souhlasit s t\u00edm p\u0159ijet\u00edm Privacy Policy.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 28<\/strong> \u2013 Processor<\/p>\n\n\n\n

        10) Pokud p\u016fsob\u00ed\u0161 mimo EU, m\u00e1\u0161 z\u00e1stupce v EU<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

        Kdy\u017e m\u00e1\u0161 firmu mimo EU, ale sb\u00edr\u00e1\u0161 data ob\u010dan\u016f EU, m\u011bl bys m\u00edt jmenovan\u00e9ho z\u00e1stupce v n\u011bkter\u00e9m \u010dlensk\u00e9m st\u00e1t\u011b. \u00da\u0159ady ho mus\u00ed b\u00fdt schopn\u00e9 kontaktovat kv\u016fli z\u00e1le\u017eitostem zpracov\u00e1n\u00ed.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 27<\/strong> \u2013 Representatives of controllers or processors not established in the Union<\/p>\n\n\n\n

        11) Incidenty (data breaches) hl\u00e1s\u00ed\u0161 \u00fa\u0159adu i dot\u010den\u00fdm lidem<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

        Poru\u0161en\u00ed zabezpe\u010den\u00ed osobn\u00edch \u00fadaj\u016f se hl\u00e1s\u00ed do 72 hodin<\/strong> m\u00edstn\u00edmu dozorov\u00e9mu \u00fa\u0159adu. V ozn\u00e1men\u00ed typicky uv\u00e1d\u00ed\u0161, jak\u00e1 data unikla, jak\u00e9 jsou dopady a jak\u00e1 protiopat\u0159en\u00ed jsi zavedl. Pokud unikl\u00e1 data nebyla \u0161ifrovan\u00e1, m\u00e1\u0161 obvykle povinnost informovat i dot\u010den\u00e9 subjekty \u00fadaj\u016f.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 33<\/strong> \u2013 Notification of a personal data breach to the supervisory authority; GDPR Article 34<\/strong> \u2013 Communication of a personal data breach to the data subject<\/p>\n\n\n\n

        12) Se v\u0161emi Processory, kter\u00fdm p\u0159ed\u00e1v\u00e1\u0161 data, m\u00e1\u0161 smlouvu<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller<\/em><\/p>\n\n\n\n

        Smlouva m\u00e1 obsahovat explicitn\u00ed instrukce pro ukl\u00e1d\u00e1n\u00ed\/zpracov\u00e1n\u00ed dat. M\u00e1 popisovat p\u0159edm\u011bt a dobu zpracov\u00e1n\u00ed, povahu a \u00fa\u010del zpracov\u00e1n\u00ed, typ osobn\u00edch \u00fadaj\u016f a kategorie subjekt\u016f \u00fadaj\u016f, plus povinnosti a pr\u00e1va spr\u00e1vce. Typicky sem spad\u00e1 t\u0159eba smlouva s hostingem. Stejn\u00e9 po\u017eadavky plat\u00ed i tehdy, kdy\u017e processor zapoj\u00ed sub\u2011processora.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 28<\/strong> \u2013 Processor; GDPR Article 29<\/strong> \u2013 Processing under the authority of the controller or processor<\/p>\n\n\n\n

        Nov\u00e1 pr\u00e1va (praktick\u00e1 vymahatelnost na webu)<\/h3>\n\n\n\n

        13) U\u017eivatel\u00e9 si um\u00ed jednodu\u0161e vy\u017e\u00e1dat p\u0159\u00edstup ke sv\u00fdm dat\u016fm<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

        M\u011bl by existovat jasn\u00fd proces, jak vy\u0159izuje\u0161 \u017e\u00e1dosti o p\u0159\u00edstup (DSAR).<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 15<\/strong> \u2013 Right of access by the data subject<\/p>\n\n\n\n

        14) U\u017eivatel\u00e9 si um\u00ed jednodu\u0161e opravit\/aktualizovat \u00fadaje<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

        Pot\u0159ebuje\u0161 mechanismus, kter\u00fdm lze opravit nep\u0159esn\u00e1 data.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 16<\/strong> \u2013 Right to rectification<\/p>\n\n\n\n

        15) Automaticky ma\u017ee\u0161 data, kter\u00e1 u\u017e nepot\u0159ebuje\u0161<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

        Maz\u00e1n\u00ed by nem\u011blo b\u00fdt ru\u010dn\u00ed ritu\u00e1l jednou za rok. P\u0159\u00edklad: automaticky odstranit data z\u00e1kazn\u00edk\u016f, kte\u0159\u00ed neobnovili smlouvu.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 5<\/strong> \u2013 Principles relating to processing of personal data<\/p>\n\n\n\n

        16) U\u017eivatel\u00e9 si um\u00ed jednodu\u0161e vy\u017e\u00e1dat v\u00fdmaz (right to be forgotten)<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

        Mus\u00ed\u0161 m\u00edt proces pro \u017e\u00e1dosti o v\u00fdmaz.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 17<\/strong> \u2013 Right to erasure (‘right to be forgotten’)<\/p>\n\n\n\n

        17) U\u017eivatel\u00e9 si um\u00ed vy\u017e\u00e1dat omezen\u00ed zpracov\u00e1n\u00ed<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

        U\u017eivatel\u00e9 maj\u00ed pr\u00e1vo omezit, jak data zpracov\u00e1v\u00e1\u0161.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 18<\/strong> \u2013 Right to restriction of processing<\/p>\n\n\n\n

        18) U\u017eivatel\u00e9 si um\u00ed vy\u017e\u00e1dat p\u0159ed\u00e1n\u00ed dat (data portability)<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

        P\u0159enositelnost znamen\u00e1 dodat data ve strukturovan\u00e9m, b\u011b\u017en\u011b pou\u017e\u00edvan\u00e9m, strojov\u011b \u010diteln\u00e9m form\u00e1tu \u2013 u\u017eivateli nebo t\u0159et\u00ed stran\u011b.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 20<\/strong> \u2013 Right to data portability<\/p>\n\n\n\n

        19) U\u017eivatel\u00e9 mohou snadno vzn\u00e9st n\u00e1mitku proti profilov\u00e1n\u00ed \/ automatizovan\u00e9mu rozhodov\u00e1n\u00ed<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller<\/em><\/p>\n\n\n\n

        T\u00fdk\u00e1 se jen p\u0159\u00edpad\u016f, kdy d\u011bl\u00e1\u0161 profilov\u00e1n\u00ed nebo automatizovan\u00e9 rozhodov\u00e1n\u00ed, kter\u00e9 m\u016f\u017ee m\u00edt na \u010dlov\u011bka dopad.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 22<\/strong> \u2013 Automated individual decision-making, including profiling<\/p>\n\n\n\n

        Souhlas (Consent)<\/h3>\n\n\n\n

        20) Pokud jede\u0161 na souhlas, mus\u00ed b\u00fdt svobodn\u00fd, konkr\u00e9tn\u00ed, informovan\u00fd a odvolateln\u00fd<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller<\/em><\/p>\n\n\n\n

        Kdy\u017e na webu sb\u00edr\u00e1\u0161 osobn\u00ed \u00fadaje na z\u00e1klad\u011b souhlasu, mus\u00ed b\u00fdt viditeln\u011b dostupn\u00e1 Privacy Policy a mus\u00ed b\u00fdt jasn\u00e9, \u017ee u\u017eivatel souhlas\u00ed s podm\u00ednkami. Souhlas vy\u017eaduje aktivn\u00ed \u00fakon \u2013 p\u0159edza\u0161krtnut\u00e9 checkboxy jsou nep\u0159\u00edpustn\u00e9<\/strong>.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 7<\/strong> \u2013 Conditions for consent<\/p>\n\n\n\n

        21) Privacy Policy je napsan\u00e9 jasn\u011b a srozumiteln\u011b<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller<\/em><\/p>\n\n\n\n

        Text nesm\u00ed skr\u00fdvat z\u00e1m\u011br, m\u00e1 b\u00fdt jednoduch\u00fd a pochopiteln\u00fd. U slu\u017eeb pro d\u011bti m\u00e1 b\u00fdt pochopiteln\u00fd i jim (co nejv\u00edc plain language). Pokud tohle nespln\u00ed\u0161, m\u016f\u017ee to zneplatnit souhlas \/ dohodu.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 7.2<\/strong> \u2013 Conditions for consent<\/p>\n\n\n\n

        22) Odvol\u00e1n\u00ed souhlasu je stejn\u011b snadn\u00e9 jako jeho ud\u011blen\u00ed<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller<\/em><\/p>\n\n\n\n

        U\u017eivatel by nem\u011bl absolvovat slo\u017eit\u011bj\u0161\u00ed cestu, ne\u017e kdy\u017e souhlas d\u00e1val.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 7.3<\/strong> \u2013 Conditions for consent<\/p>\n\n\n\n

        23) U d\u011btsk\u00fdch dat ov\u011b\u0159uje\u0161 v\u011bk a \u0159e\u0161\u00ed\u0161 souhlas z\u00e1konn\u00e9ho z\u00e1stupce<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller<\/em><\/p>\n\n\n\n

        U d\u011bt\u00ed mlad\u0161\u00edch 16 let<\/strong> mus\u00ed\u0161 zajistit souhlas z\u00e1konn\u00e9ho z\u00e1stupce. Pokud se souhlas d\u00e1v\u00e1 p\u0159es web, m\u011bl bys se rozumn\u011b pokusit ov\u011b\u0159it, \u017ee ho opravdu d\u00e1v\u00e1 z\u00e1stupce (a ne d\u00edt\u011b).<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 8<\/strong> \u2013 Conditions applicable to child’s consent in relation to information society services<\/p>\n\n\n\n

        24) P\u0159i aktualizaci Privacy Policy informuje\u0161 st\u00e1vaj\u00edc\u00ed z\u00e1kazn\u00edky<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller<\/em><\/p>\n\n\n\n

        Typicky e\u2011mailem dop\u0159edu s jednoduch\u00fdm vysv\u011btlen\u00edm, co se zm\u011bnilo.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 7<\/strong> \u2013 Conditions for consent<\/p>\n\n\n\n

        Follow\u2011up (pravideln\u00e9 revize)<\/h3>\n\n\n\n

        25) Pravideln\u011b reviduje\u0161 politiky a zm\u011bny v tom, kam data te\u010dou<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller<\/em><\/p>\n\n\n\n

        Nejde jen o \u201ejednou nastavit a hotovo\u201c. Kontroluj zm\u011bny proces\u016f, efektivitu opat\u0159en\u00ed a tak\u00e9 zm\u011bny ve st\u00e1tech, do kter\u00fdch data pos\u00edl\u00e1\u0161 (a jejich re\u017eim ochrany).<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 25<\/strong> \u2013 Data protection by design and by default<\/p>\n\n\n\n

        Speci\u00e1ln\u00ed p\u0159\u00edpady<\/h3>\n\n\n\n

        26) V\u00ed\u0161, kdy mus\u00ed\u0161 ud\u011blat DPIA (Data Protection Impact Assessment)<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller<\/em><\/p>\n\n\n\n

        DPIA je na m\u00edst\u011b u vysoce rizikov\u00fdch zpracov\u00e1n\u00ed \u2013 typicky velk\u00fd rozsah, profilov\u00e1n\u00ed a dal\u0161\u00ed \u010dinnosti s vysok\u00fdm rizikem pro pr\u00e1va a svobody lid\u00ed.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 35<\/strong> \u2013 Data protection impact assessment<\/p>\n\n\n\n

        27) Data mimo EU pos\u00edl\u00e1\u0161 jen tam, kde je odpov\u00eddaj\u00edc\u00ed ochrana (nebo m\u00e1\u0161 SCC\/BCR)<\/h4>\n\n\n\n

        Plat\u00ed pro: Data Controller, Data Processor<\/em><\/p>\n\n\n\n

        P\u0159enosy mimo EU mus\u00ed\u0161 m\u00edt o\u0161et\u0159en\u00e9 a tyto p\u0159eshrani\u010dn\u00ed toky tak\u00e9 uv\u00e1d\u011bt v Privacy Policy. Pro zem\u011b bez odpov\u00eddaj\u00edc\u00ed ochrany se typicky pou\u017e\u00edvaj\u00ed Standard Contractual Clauses (SCCs)<\/strong> nebo Binding Corporate Rules (BCRs)<\/strong>.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 45<\/strong> \u2013 Transfers on the basis of an adequacy decision<\/p>\n\n\n\n

        Pr\u00e1va u\u017eivatel\u016f (Data Subject Rights) \u2013 co mus\u00ed\u0161 um\u011bt obslou\u017eit<\/h2>\n\n\n\n

        GDPR d\u00e1v\u00e1 lidem, jejich\u017e data zpracov\u00e1v\u00e1\u0161, konkr\u00e9tn\u00ed pr\u00e1va. Z implementa\u010dn\u00edho pohledu je d\u016fle\u017eit\u00e9, aby bylo jasn\u00e9: (1) jak \u017e\u00e1dost p\u0159ijme\u0161, (2) jak ov\u011b\u0159\u00ed\u0161 identitu, (3) jak data dohled\u00e1\u0161 nap\u0159\u00ed\u010d syst\u00e9my, (4) jak to cel\u00e9 zdokumentuje\u0161.<\/p>\n\n\n\n

        Right to transparent information<\/h3>\n\n\n\n

        Spr\u00e1vce m\u00e1 p\u0159ijmout vhodn\u00e1 opat\u0159en\u00ed a poskytnout informace o zpracov\u00e1n\u00ed stru\u010dn\u011b, transparentn\u011b, srozumiteln\u011b a snadno dostupn\u011b, jasn\u00fdm a jednoduch\u00fdm jazykem \u2013 obzvl\u00e1\u0161\u0165 pokud je informace ur\u010den\u00e1 d\u00edt\u011bti. Informace maj\u00ed b\u00fdt poskytnut\u00e9 p\u00edsemn\u011b nebo jin\u00fdmi prost\u0159edky, v\u010detn\u011b elektronick\u00fdch, pokud je to vhodn\u00e9.<\/p>\n\n\n\n

        Reference:<\/strong> GDPR Article 12<\/strong><\/p>\n\n\n\n

        Right to receive specific information when personal data are collected directly<\/h3>\n\n\n\n

        Pokud data sb\u00edr\u00e1\u0161 p\u0159\u00edmo od \u010dlov\u011bka, mus\u00ed dostat konkr\u00e9tn\u00ed informace, v\u010detn\u011b:<\/p>\n\n\n\n

          \n\n
        1. Toto\u017enost a kontaktn\u00ed \u00fadaje spr\u00e1vce<\/li>\n\n\n
        2. Kontaktn\u00ed \u00fadaje DPO (pokud se uplatn\u00ed)<\/li>\n\n\n
        3. \u00da\u010dely zpracov\u00e1n\u00ed a pr\u00e1vn\u00ed z\u00e1klad<\/li>\n\n\n
        4. Opr\u00e1vn\u011bn\u00e9 z\u00e1jmy spr\u00e1vce (pokud se uplatn\u00ed)<\/li>\n\n\n
        5. P\u0159\u00edjemci nebo kategorie p\u0159\u00edjemc\u016f osobn\u00edch \u00fadaj\u016f<\/li>\n\n\n
        6. Informace o p\u0159ed\u00e1v\u00e1n\u00ed do t\u0159et\u00edch zem\u00ed<\/li>\n\n<\/ol>\n\n\n\n

          Reference:<\/strong> GDPR Article 13<\/strong><\/p>\n\n\n\n

          Right to receive specific information when personal data are not collected directly<\/h3>\n\n\n\n

          Pokud data z\u00edsk\u00e1\u0161 z jin\u00fdch zdroj\u016f ne\u017e p\u0159\u00edmo od subjektu \u00fadaj\u016f, mus\u00ed\u0161 poskytnout obdobn\u00e9 informace, v\u010detn\u011b kategori\u00ed dot\u010den\u00fdch osobn\u00edch \u00fadaj\u016f a zdroje dat.<\/p>\n\n\n\n

          Reference:<\/strong> GDPR Article 14<\/strong><\/p>\n\n\n\n

          Right of access<\/h3>\n\n\n\n

          U\u017eivatel m\u00e1 pr\u00e1vo z\u00edskat potvrzen\u00ed, zda jeho data zpracov\u00e1v\u00e1\u0161, a tak\u00e9 p\u0159\u00edstup k informac\u00edm:<\/p>\n\n\n\n

            \n\n
          • \u00fa\u010dely zpracov\u00e1n\u00ed<\/li>\n\n\n
          • kategorie dot\u010den\u00fdch osobn\u00edch \u00fadaj\u016f<\/li>\n\n\n
          • p\u0159\u00edjemci, kter\u00fdm data byla nebo budou zp\u0159\u00edstupn\u011bna<\/li>\n\n\n
          • pl\u00e1novan\u00e1 doba uchov\u00e1n\u00ed<\/li>\n\n\n
          • existence pr\u00e1v na opravu, v\u00fdmaz, omezen\u00ed a n\u00e1mitku<\/li>\n\n\n
          • pr\u00e1vo podat st\u00ed\u017enost u dozorov\u00e9ho \u00fa\u0159adu<\/li>\n\n\n
          • informace o zdroji dat (pokud nebyla z\u00edsk\u00e1na od subjektu)<\/li>\n\n\n
          • existence automatizovan\u00e9ho rozhodov\u00e1n\u00ed v\u010detn\u011b profilov\u00e1n\u00ed<\/li>\n\n<\/ul>\n\n\n\n

            Reference:<\/strong> GDPR Article 15<\/strong><\/p>\n\n\n\n

            Right to rectification<\/h3>\n\n\n\n

            Pr\u00e1vo na opravu nep\u0159esn\u00fdch \u00fadaj\u016f bez zbyte\u010dn\u00e9ho odkladu a dopln\u011bn\u00ed ne\u00fapln\u00fdch \u00fadaj\u016f.<\/p>\n\n\n\n

            Reference:<\/strong> GDPR Article 16<\/strong><\/p>\n\n\n\n

            Right to erasure (“right to be forgotten”)<\/h3>\n\n\n\n

            Pr\u00e1vo na v\u00fdmaz nastupuje zejm\u00e9na, kdy\u017e:<\/p>\n\n\n\n

              \n\n
            1. Data u\u017e nejsou pot\u0159ebn\u00e1 pro p\u016fvodn\u00ed \u00fa\u010del.<\/li>\n\n\n
            2. Odvol\u00e1\u0161 souhlas a neexistuje jin\u00fd pr\u00e1vn\u00ed d\u016fvod ke zpracov\u00e1n\u00ed.<\/li>\n\n\n
            3. Vznesl(a) jsi n\u00e1mitku a neexistuj\u00ed p\u0159eva\u017euj\u00edc\u00ed opr\u00e1vn\u011bn\u00e9 d\u016fvody.<\/li>\n\n\n
            4. Data byla zpracov\u00e1na protipr\u00e1vn\u011b.<\/li>\n\n\n
            5. Data se mus\u00ed vymazat kv\u016fli spln\u011bn\u00ed pr\u00e1vn\u00ed povinnosti.<\/li>\n\n\n
            6. Data byla z\u00edsk\u00e1na v souvislosti se slu\u017ebami informa\u010dn\u00ed spole\u010dnosti nab\u00eddnut\u00fdmi d\u00edt\u011bti.<\/li>\n\n<\/ol>\n\n\n\n

              Reference:<\/strong> GDPR Article 17<\/strong><\/p>\n\n\n\n

              Right to restriction of processing<\/h3>\n\n\n\n

              Pr\u00e1vo na omezen\u00ed zpracov\u00e1n\u00ed typicky nast\u00e1v\u00e1, kdy\u017e:<\/p>\n\n\n\n

                \n\n
              1. Rozporuje\u0161 p\u0159esnost dat (na dobu ov\u011b\u0159en\u00ed).<\/li>\n\n\n
              2. Zpracov\u00e1n\u00ed je protipr\u00e1vn\u00ed a m\u00edsto v\u00fdmazu chce\u0161 omezen\u00ed.<\/li>\n\n\n
              3. Spr\u00e1vce data u\u017e nepot\u0159ebuje, ale ty je pot\u0159ebuje\u0161 pro pr\u00e1vn\u00ed n\u00e1roky.<\/li>\n\n\n
              4. Vznesl(a) jsi n\u00e1mitku a \u010dek\u00e1 se na ov\u011b\u0159en\u00ed opr\u00e1vn\u011bn\u00fdch d\u016fvod\u016f.<\/li>\n\n<\/ol>\n\n\n\n

                Reference:<\/strong> GDPR Article 18<\/strong><\/p>\n\n\n\n

                Right to be notified regarding rectification, erasure, or restriction<\/h3>\n\n\n\n

                Spr\u00e1vce m\u00e1 ozn\u00e1mit opravu, v\u00fdmaz nebo omezen\u00ed ka\u017ed\u00e9mu p\u0159\u00edjemci, kter\u00e9mu byly \u00fadaje zp\u0159\u00edstupn\u011bny \u2013 pokud to nen\u00ed nemo\u017en\u00e9 nebo nep\u0159im\u011b\u0159en\u011b n\u00e1ro\u010dn\u00e9.<\/p>\n\n\n\n

                Reference:<\/strong> GDPR Article 19<\/strong><\/p>\n\n\n\n

                Right to data portability<\/h3>\n\n\n\n

                Pr\u00e1vo z\u00edskat osobn\u00ed \u00fadaje ve strukturovan\u00e9m, b\u011b\u017en\u011b pou\u017e\u00edvan\u00e9m a strojov\u011b \u010diteln\u00e9m form\u00e1tu a p\u0159edat je jin\u00e9mu spr\u00e1vci bez p\u0159ek\u00e1\u017eek.<\/p>\n\n\n\n

                Reference:<\/strong> GDPR Article 20<\/strong><\/p>\n\n\n\n

                Right to object<\/h3>\n\n\n\n

                Pr\u00e1vo vzn\u00e9st n\u00e1mitku kdykoliv (s ohledem na konkr\u00e9tn\u00ed situaci) proti zpracov\u00e1n\u00ed zalo\u017een\u00e9mu na opr\u00e1vn\u011bn\u00fdch z\u00e1jmech nebo ve\u0159ejn\u00e9m z\u00e1jmu, v\u010detn\u011b profilov\u00e1n\u00ed.<\/p>\n\n\n\n

                Reference:<\/strong> GDPR Article 21<\/strong><\/p>\n\n\n\n

                Right not to be subject to automated decision-making<\/h3>\n\n\n\n

                Pr\u00e1vo neb\u00fdt p\u0159edm\u011btem rozhodnut\u00ed zalo\u017een\u00e9ho v\u00fdhradn\u011b na automatizovan\u00e9m zpracov\u00e1n\u00ed (v\u010detn\u011b profilov\u00e1n\u00ed), kter\u00e9 m\u00e1 pr\u00e1vn\u00ed \u00fa\u010dinky nebo podobn\u011b v\u00fdznamn\u011b ovliv\u0148uje.<\/p>\n\n\n\n

                Reference:<\/strong> GDPR Article 22<\/strong><\/p>\n\n\n\n

                Praktick\u00e9 implementa\u010dn\u00ed kroky (co na webu re\u00e1ln\u011b ud\u011blat)<\/h2>\n\n\n\n

                1) Zabezpe\u010d web a infrastrukturu<\/h3>\n\n\n\n