GDPR (General Data Protection Regulation) patr\u00ed medzi najpr\u00edsnej\u0161ie a z\u00e1rove\u0148 najkomplexnej\u0161ie pravidl\u00e1 ochrany osobn\u00fdch \u00fadajov. Ak sprac\u00fava\u0161 osobn\u00e9 \u00fadaje obyvate\u013eov E\u00da \u2013 \u010di u\u017e prev\u00e1dzkuje\u0161 mal\u00fd blog, e\u2011shop alebo SaaS \u2013 GDPR sa \u0165a t\u00fdka bez oh\u013eadu na to, kde m\u00e1\u0161 firmu alebo servery.<\/p>\n\n\n\n
Riziko nie je len reputa\u010dn\u00e9. V pr\u00edpade nedodr\u017eania m\u00f4\u017eu pokuty dosiahnu\u0165 a\u017e 20 mili\u00f3nov \u20ac alebo 4 % z celosvetov\u00e9ho ro\u010dn\u00e9ho obratu<\/strong> (pod\u013ea toho, \u010do je vy\u0161\u0161ie). Okrem pok\u00fat m\u00f4\u017eu \u00farady nariadi\u0165 aj obmedzenie sprac\u00favania, z\u00e1kaz sprac\u00favania alebo vymazanie d\u00e1t.<\/p>\n\n\n\n Toto je technicko-procesn\u00fd checklist pre weby a online slu\u017eby. Nie je to pr\u00e1vne poradenstvo. Pri \u0161pecifick\u00fdch situ\u00e1ci\u00e1ch (napr. citliv\u00e9 \u00fadaje, ve\u013ek\u00e9 objemy, profilovanie) je rozumn\u00e9 rie\u0161i\u0165 veci s kvalifikovan\u00fdm pr\u00e1vnikom alebo DPO.<\/p>\n\n<\/div>\n\n\n\n GDPR je nariadenie E\u00da \u00fa\u010dinn\u00e9 od 25. m\u00e1ja 2018<\/strong>, ktor\u00e9 nastavuje pravidl\u00e1, ako organiz\u00e1cie m\u00f4\u017eu zbiera\u0165, pou\u017e\u00edva\u0165, uklada\u0165 a zdie\u013ea\u0165 osobn\u00e9 \u00fadaje. Plat\u00ed pre firmy v E\u00da aj mimo nej \u2013 rozhoduj\u00face je, \u010di sprac\u00fava\u0161 osobn\u00e9 \u00fadaje \u013eud\u00ed v E\u00da.<\/p>\n\n\n\n V praxi sa ve\u013ea probl\u00e9mov za\u010d\u00edna t\u00fdm, \u017ee si firma nespr\u00e1vne ur\u010d\u00ed, \u010di je Data Controller<\/strong> (prev\u00e1dzkovate\u013e) alebo Data Processor<\/strong> (sprostredkovate\u013e). M\u00f4\u017ee\u0161 by\u0165 aj oboje \u2013 napr\u00edklad ke\u010f sprac\u00fava\u0161 d\u00e1ta vlastn\u00fdch z\u00e1kazn\u00edkov (controller), ale z\u00e1rove\u0148 hostuje\u0161 alebo sprac\u00fava\u0161 d\u00e1ta pre in\u00e9ho klienta (processor).<\/p>\n\n\n\n Sk\u00f4r ne\u017e za\u010dne\u0161 \u201eod\u0161krt\u00e1va\u0165\u201c, oplat\u00ed sa dr\u017ea\u0165 v hlave princ\u00edpy, pod\u013ea ktor\u00fdch sa posudzuje prakticky v\u0161etko:<\/p>\n\n\n\n Ni\u017e\u0161ie je checklist rozdelen\u00fd do oblast\u00ed. Pri ka\u017edom bode je uveden\u00e9, \u010di sa typicky t\u00fdka controllera, processora alebo oboch \u2013 a je pripojen\u00fd aj relevantn\u00fd \u010dl\u00e1nok GDPR, ktor\u00fd sa v praxi pou\u017e\u00edva ako opora pri auditoch.<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Potrebn\u00e9 je ma\u0165 preh\u013ead \u201e\u010do presne dr\u017e\u00ed\u0161\u201c \u2013 re\u00e1lne typy \u00fadajov (napr. meno, adresa, rodn\u00e9 \u010d\u00edslo\/ID, e\u2011mail, IP adresa pod\u013ea kontextu), odkia\u013e sa ber\u00fa, komu ich poskytuje\u0161, na ak\u00fd \u00fa\u010del ich sprac\u00fava\u0161 a ako dlho ich uchov\u00e1va\u0161.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 30 \u2013 Records of processing activities<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Nie je to len datab\u00e1za typu MySQL\/PostgreSQL. Zapo\u010d\u00edtaj aj offline \u00falo\u017eisk\u00e1 (papier, exporty, CSV v zdie\u013eanom disku, logy, helpdesk). Zmysel je vedie\u0165 vysvetli\u0165, kadia\u013e d\u00e1ta te\u010d\u00fa \u2013 od formul\u00e1ra, cez CRM, e\u2011mailing, analytiku a\u017e po z\u00e1lohy.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 30 \u2013 Records of processing activities<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Privacy Policy m\u00e1 pop\u00edsa\u0165 v\u0161etky procesy spojen\u00e9 so sprac\u00favan\u00edm osobn\u00fdch \u00fadajov. Dokument by mal obsahova\u0165 (alebo aspo\u0148 odkazova\u0165 na) typy \u00fadajov, ktor\u00e9 dr\u017e\u00ed\u0161, a kde ich dr\u017e\u00ed\u0161.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 30 \u2013 Records of processing activities<\/p>\n\n\n\n Plat\u00ed pre: Data Controller<\/em><\/p>\n\n\n\n Nesta\u010d\u00ed nap\u00edsa\u0165, \u017ee \u201esprac\u00favame \u00fadaje\u201c. Potrebuje\u0161 uvies\u0165 pr\u00e1vny d\u00f4vod (lawful basis), napr\u00edklad plnenie zmluvy.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 6 \u2013 Lawfulness of processing<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Data Protection Officer (DPO) je povinn\u00fd len v troch scen\u00e1roch:<\/p>\n\n\n\n Ak DPO potrebuje\u0161, mus\u00ed rozumie\u0165 GDPR usmerneniam a z\u00e1rove\u0148 ma\u0165 preh\u013ead o intern\u00fdch procesoch, kde sa osobn\u00e9 \u00fadaje pou\u017e\u00edvaj\u00fa.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 37 \u2013 Designation of the data protection officer<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n K\u013e\u00fa\u010dov\u00ed \u013eudia musia ma\u0165 aktu\u00e1lne znalosti o ochrane \u00fadajov. V praxi to znamen\u00e1 pravideln\u00fd refresh a jasn\u00e9 pravidl\u00e1 \u201ekto m\u00f4\u017ee rozhodn\u00fa\u0165 o \u010dom\u201c (napr. zavedenie nov\u00e9ho trackingu, nov\u00fd newsletter tool, nov\u00e9 integra\u010dn\u00e9 webhooky).<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 25 \u2013 Data protection by design and by default<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Najm\u00e4 pri SaaS je rozumn\u00e9 za\u010da\u0165 security checklistami a ma\u0165 pod kontrolou z\u00e1kladn\u00e9 technick\u00e9 opatrenia (hardening, patchovanie, pr\u00edstupy, logging).<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 25 \u2013 Data protection by design and by default<\/p>\n\n\n\n Plat\u00ed pre: Data Processor<\/em><\/p>\n\n\n\n Ve\u013ea incidentov vznik\u00e1 t\u00fdm, \u017ee niekto s pr\u00edstupom k intern\u00fdm syst\u00e9mom nalet\u00ed soci\u00e1lnemu in\u017einierstvu alebo sprav\u00ed \u201enevinn\u00fa\u201c chybu. \u0160kolenie m\u00e1 by\u0165 praktick\u00e9: phishing, pr\u00e1ca s exportmi, zdie\u013eanie pr\u00edstupov, pr\u00e1ca s ticketmi obsahuj\u00facimi osobn\u00e9 \u00fadaje.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 25 \u2013 Data protection by design and by default<\/p>\n\n\n\n Plat\u00ed pre: Data Processor<\/em><\/p>\n\n\n\n Ak vyu\u017e\u00edva\u0161 \u010fal\u0161\u00edch dod\u00e1vate\u013eov, ktor\u00ed sprac\u00favaj\u00fa d\u00e1ta (sub-processors), z\u00e1kazn\u00edk o tom mus\u00ed vedie\u0165 a s\u00fahlasi\u0165 s t\u00fdm t\u00fdm, \u017ee akceptuje tvoje z\u00e1sady.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 28 \u2013 Processor<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Ak podnik\u00e1\u0161 mimo E\u00da a zbiera\u0161 d\u00e1ta ob\u010danov E\u00da, potrebuje\u0161 ur\u010di\u0165 z\u00e1stupcu v niektorom \u010dlenskom \u0161t\u00e1te. Tento z\u00e1stupca rie\u0161i ot\u00e1zky s\u00favisiace so sprac\u00favan\u00edm a mus\u00ed by\u0165 kontaktovate\u013en\u00fd aj lok\u00e1lnym \u00faradom.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 27 \u2013 Representatives of controllers or processors not established in the Union<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n \u00danik osobn\u00fdch \u00fadajov mus\u00ed\u0161 nahl\u00e1si\u0165 pr\u00edslu\u0161n\u00e9mu dozorn\u00e9mu org\u00e1nu do 72 hod\u00edn<\/strong>. V hl\u00e1sen\u00ed m\u00e1 by\u0165 jasn\u00e9, ak\u00e9 d\u00e1ta unikli, ak\u00e9 s\u00fa d\u00f4sledky a ak\u00e9 protiopatrenia si prijal. Ak d\u00e1ta neboli \u0161ifrovan\u00e9, typicky mus\u00ed\u0161 incident ozn\u00e1mi\u0165 aj dotknut\u00fdm osob\u00e1m (data subjects).<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 33 \u2013 Notification of a personal data breach to the supervisory authority; GDPR Article 34 \u2013 Communication of a personal data breach to the data subject<\/p>\n\n\n\n Plat\u00ed pre: Data Controller<\/em><\/p>\n\n\n\n Zmluva m\u00e1 obsahova\u0165 explicitn\u00e9 pokyny k ukladaniu a sprac\u00favaniu d\u00e1t: predmet a trvanie sprac\u00favania, povahu a \u00fa\u010del sprac\u00favania, typy osobn\u00fdch \u00fadajov, kateg\u00f3rie dotknut\u00fdch os\u00f4b a povinnosti\/pr\u00e1va controllera.<\/p>\n\n\n\n Typick\u00fd pr\u00edklad je hosting. Rovnak\u00e9 po\u017eiadavky platia aj vtedy, ke\u010f processor zapoj\u00ed sub-processora, aby mu pomohol plni\u0165 spracovate\u013esk\u00e9 \u010dinnosti pre controllera.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 28 \u2013 Processor; GDPR Article 29 \u2013 Processing under the authority of the controller or processor<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Mus\u00ed\u0161 ma\u0165 jasn\u00fd proces, ako vybavuje\u0161 \u017eiadosti o pr\u00edstup (access requests) \u2013 kto ich prij\u00edma, ako overuje\u0161 identitu, kde \u00fadaje n\u00e1jde\u0161 a v akom form\u00e1te ich poskytne\u0161.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 15 \u2013 Right of access by the data subject<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Potrebn\u00fd je mechanizmus na opravu nepresn\u00fdch \u00fadajov \u2013 typicky self\u2011service profil alebo jasn\u00fd support proces.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 16 \u2013 Right to rectification<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Mazanie by malo by\u0165 automatizovan\u00e9. Napr\u00edklad ak z\u00e1kazn\u00edk neobnov\u00ed zmluvu, d\u00e1ta by nemali zosta\u0165 ulo\u017een\u00e9 \u201enav\u017edy len pre istotu\u201c.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 5 \u2013 Principles relating to processing of personal data<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Implementuj proces na vybavenie \u017eiadost\u00ed o vymazanie. D\u00f4le\u017eit\u00e9 je, aby si vedel zmaza\u0165 d\u00e1ta naprie\u010d syst\u00e9mami (produk\u010dn\u00e1 DB, CRM, helpdesk, marketing n\u00e1stroje, exporty), a z\u00e1rove\u0148 vedel vysvetli\u0165 pr\u00edpadn\u00e9 z\u00e1konn\u00e9 v\u00fdnimky.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 17 \u2013 Right to erasure (‘right to be forgotten’)<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Dotknut\u00e1 osoba m\u00e1 pr\u00e1vo obmedzi\u0165 sprac\u00favanie \u2013 napr\u00edklad k\u00fdm prever\u00ed\u0161 sporn\u00fa spr\u00e1vnos\u0165 \u00fadajov.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 18 \u2013 Right to restriction of processing<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Prenosite\u013enos\u0165 znamen\u00e1, \u017ee vie\u0161 poskytn\u00fa\u0165 \u00fadaje v \u0161trukt\u00farovanom, be\u017ene pou\u017e\u00edvanom a strojovo \u010ditate\u013enom form\u00e1te \u2013 a to bu\u010f priamo osobe, alebo tretej strane.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 20 \u2013 Right to data portability<\/p>\n\n\n\n Plat\u00ed pre: Data Controller<\/em><\/p>\n\n\n\n Toto rie\u0161i\u0161 vtedy, ak rob\u00ed\u0161 profilovanie alebo automatizovan\u00e9 rozhodovanie, ktor\u00e9 m\u00f4\u017ee ma\u0165 dopad na \u010dloveka (napr. rozhodovanie o ponuke, pr\u00edstupe, cene).<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 22 \u2013 Automated individual decision-making, including profiling<\/p>\n\n\n\n Plat\u00ed pre: Data Controller<\/em><\/p>\n\n\n\n Ak sprac\u00favanie stoj\u00ed na s\u00fahlase, pou\u017e\u00edvate\u013e mus\u00ed ma\u0165 jasn\u00fd pr\u00edstup k inform\u00e1ci\u00e1m (link na Privacy Policy) a s\u00fahlas mus\u00ed by\u0165 dan\u00fd akt\u00edvnym \u00fakonom. Predza\u0161krtnut\u00e9 checkboxy nie s\u00fa pr\u00edpustn\u00e9.<\/strong><\/p>\n\n\n\n Reference:<\/strong> GDPR Article 7 \u2013 Conditions for consent<\/p>\n\n\n\n Plat\u00ed pre: Data Controller<\/em><\/p>\n\n\n\n Text nesmie skr\u00fdva\u0165 z\u00e1mer a m\u00e1 by\u0165 nap\u00edsan\u00fd jednoducho. Ak poskytuje\u0161 slu\u017eby de\u0165om, mus\u00ed by\u0165 zrozumite\u013en\u00fd aj pre ne \u2013 inak sa m\u00f4\u017ee sta\u0165, \u017ee s\u00fahlas bude spochybnite\u013en\u00fd.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 7.2 \u2013 Conditions for consent<\/p>\n\n\n\n Plat\u00ed pre: Data Controller<\/em><\/p>\n\n\n\n Pou\u017e\u00edvate\u013e nesmie ma\u0165 pocit, \u017ee odhl\u00e1si\u0165 sa je \u201ezlo\u017eitej\u0161ie ne\u017e prihl\u00e1si\u0165 sa\u201c.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 7.3 \u2013 Conditions for consent<\/p>\n\n\n\n Plat\u00ed pre: Data Controller<\/em><\/p>\n\n\n\n Pri de\u0165och mlad\u0161\u00edch ako 16 rokov mus\u00ed\u0161 zabezpe\u010di\u0165 s\u00fahlas z\u00e1konn\u00e9ho z\u00e1stupcu. Ak sa s\u00fahlas d\u00e1va cez web, mal by si sa rozumne pok\u00fasi\u0165 overi\u0165, \u017ee ho naozaj dal rodi\u010d\/z\u00e1stupca (a nie die\u0165a).<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 8 \u2013 Conditions applicable to child’s consent in relation to information society services<\/p>\n\n\n\n Plat\u00ed pre: Data Controller<\/em><\/p>\n\n\n\n Napr\u00edklad e\u2011mailom ozn\u00e1mi\u0161, \u017ee sa z\u00e1sady menia, a \u013eudskou re\u010dou vysvetl\u00ed\u0161, \u010do sa zmenilo.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 7 \u2013 Conditions for consent<\/p>\n\n\n\n Plat\u00ed pre: Data Controller<\/em><\/p>\n\n\n\n GDPR compliance sa \u010dasom rozpadne, ak nerob\u00ed\u0161 pravideln\u00fa \u00fadr\u017ebu: zmeny v procesoch, nov\u00e9 n\u00e1stroje, zmeny v sprac\u00favan\u00ed a aj to, kam sa d\u00e1ta pren\u00e1\u0161aj\u00fa (najm\u00e4 mimo E\u00da).<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 25 \u2013 Data protection by design and by default<\/p>\n\n\n\n Plat\u00ed pre: Data Controller<\/em><\/p>\n\n\n\n DPIA (Data Protection Impact Assessment) sa typicky rie\u0161i pri ve\u013ekoplo\u0161nom sprac\u00favan\u00ed, profilovan\u00ed a \u010fal\u0161\u00edch \u010dinnostiach s vysok\u00fdm rizikom pre pr\u00e1va a slobody \u013eud\u00ed. Ak do tejto kateg\u00f3rie spad\u00e1\u0161, DPIA nie je \u201enice to have\u201c, ale o\u010dak\u00e1van\u00fd krok.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 35 \u2013 Data protection impact assessment<\/p>\n\n\n\n Plat\u00ed pre: Data Controller, Data Processor<\/em><\/p>\n\n\n\n Ak posiela\u0161 d\u00e1ta mimo E\u00da, v Privacy Policy m\u00e1 by\u0165 tak\u00e9to cezhrani\u010dn\u00e9 pr\u00fadenie d\u00e1t priznan\u00e9. Pri prenosoch do kraj\u00edn bez primeranosti (non-adequate) sa pou\u017e\u00edvaj\u00fa Standard Contractual Clauses (SCCs)<\/strong> alebo Binding Corporate Rules (BCRs)<\/strong>.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 45 \u2013 Transfers on the basis of an adequacy decision<\/p>\n\n\n\n Ni\u017e\u0161ie s\u00fa pr\u00e1va, ktor\u00e9 m\u00e1 ka\u017ed\u00e1 dotknut\u00e1 osoba (data subject). Aj ke\u010f ako v\u00fdvoj\u00e1r \u010dasto rie\u0161i\u0161 najm\u00e4 technick\u00fa implement\u00e1ciu, tieto body sa premietaj\u00fa do procesov podpory, exportov, mazania aj do textov na webe.<\/p>\n\n\n\n Controller m\u00e1 prija\u0165 primeran\u00e9 opatrenia, aby poskytol inform\u00e1cie o sprac\u00favan\u00ed stru\u010dne, transparentne, zrozumite\u013ene a \u013eahko pr\u00edstupne, jasn\u00fdm a jednoduch\u00fdm jazykom \u2013 zvl\u00e1\u0161\u0165, ak s\u00fa inform\u00e1cie ur\u010den\u00e9 die\u0165a\u0165u. Inform\u00e1cie maj\u00fa by\u0165 poskytnut\u00e9 p\u00edsomne alebo in\u00fdmi prostriedkami vr\u00e1tane elektronick\u00fdch.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 12<\/p>\n\n\n\n Ak zbiera\u0161 \u00fadaje priamo od \u010dloveka (napr. cez formul\u00e1r), mus\u00ed dosta\u0165 aspo\u0148 tieto inform\u00e1cie:<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 13<\/p>\n\n\n\n Ak \u00fadaje nez\u00edskava\u0161 priamo od \u010dloveka (napr. ich dostane\u0161 od partnera), mus\u00ed\u0161 poskytn\u00fa\u0165 podobn\u00fd bal\u00edk inform\u00e1ci\u00ed, vr\u00e1tane kateg\u00f3ri\u00ed dotknut\u00fdch \u00fadajov a zdroja.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 14<\/p>\n\n\n\n \u010clovek m\u00e1 pr\u00e1vo z\u00edska\u0165 potvrdenie, \u010di sa jeho \u00fadaje sprac\u00favaj\u00fa, a pr\u00edstup k inform\u00e1ci\u00e1m vr\u00e1tane:<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 15<\/p>\n\n\n\n Dotknut\u00e1 osoba m\u00e1 pr\u00e1vo bez zbyto\u010dn\u00e9ho odkladu opravi\u0165 nepresn\u00e9 \u00fadaje a doplni\u0165 ne\u00fapln\u00e9 \u00fadaje.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 16<\/p>\n\n\n\n Vymazanie mus\u00ed\u0161 umo\u017eni\u0165, ak nastane niektor\u00e1 z t\u00fdchto situ\u00e1ci\u00ed:<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 17<\/p>\n\n\n\n Obmedzenie sprac\u00favania sa uplatn\u00ed, ke\u010f:<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 18<\/p>\n\n\n\n Controller m\u00e1 ozn\u00e1mi\u0165 opravu, vymazanie alebo obmedzenie sprac\u00favania ka\u017ed\u00e9mu pr\u00edjemcovi, ktor\u00e9mu boli \u00fadaje poskytnut\u00e9 \u2013 pokia\u013e to nie je nemo\u017en\u00e9 alebo by to nevy\u017eadovalo neprimeran\u00e9 \u00fasilie.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 19<\/p>\n\n\n\n Osoba m\u00e1 pr\u00e1vo dosta\u0165 svoje \u00fadaje v \u0161trukt\u00farovanom, be\u017ene pou\u017e\u00edvanom a strojovo \u010ditate\u013enom form\u00e1te a m\u00e1 pr\u00e1vo prenies\u0165 ich k in\u00e9mu controllerovi bez prek\u00e1\u017eok.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 20<\/p>\n\n\n\n Osoba m\u00f4\u017ee z d\u00f4vodov s\u00favisiacich s jej konkr\u00e9tnou situ\u00e1ciou kedyko\u013evek namieta\u0165 sprac\u00favanie zalo\u017een\u00e9 na opr\u00e1vnen\u00fdch z\u00e1ujmoch alebo verejnom z\u00e1ujme \u2013 vr\u00e1tane profilovania.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 21<\/p>\n\n\n\n Osoba m\u00e1 pr\u00e1vo neby\u0165 predmetom rozhodnutia zalo\u017een\u00e9ho v\u00fdlu\u010dne na automatizovanom sprac\u00favan\u00ed (vr\u00e1tane profilovania), ak m\u00e1 pr\u00e1vne \u00fa\u010dinky alebo na \u0148u podobne v\u00fdznamne vpl\u00fdva.<\/p>\n\n\n\n Reference:<\/strong> GDPR Article 22<\/p>\n\n\n\n Ak pou\u017e\u00edva\u0161 na webe nevyhnutn\u00e9 vs. nevyhnutn\u00e9 (non-essential) cookies, pri t\u00fdch nevyhnutn\u00fdch to b\u00fdva o opr\u00e1vnenom z\u00e1ujme \/ technickej potrebe, ale pri marketingov\u00fdch a analytick\u00fdch \u010dasto potrebuje\u0161 v\u00fdslovn\u00fd s\u00fahlas pred aktiv\u00e1ciou<\/strong>.<\/p>\n\n\n\n Cookie banner mus\u00ed sp\u013a\u0148a\u0165 tieto po\u017eiadavky:<\/p>\n\n\n\n Scrollovanie alebo pas\u00edvne spr\u00e1vanie nie je s\u00fahlas. S\u00fahlas mus\u00ed by\u0165 akt\u00edvny \u00fakon.<\/p>\n\n<\/div>\n\n\n\n Ka\u017ed\u00fd formul\u00e1r, ktor\u00fd zbiera osobn\u00e9 \u00fadaje (kontakt, objedn\u00e1vka, registr\u00e1cia, dopyt), m\u00e1 ma\u0165 GDPR-friendly UX aj texty:<\/p>\n\n\n\n Pri WordPress weboch sa GDPR l\u00e1me hlavne na pluginoch a integr\u00e1ci\u00e1ch. Technicky m\u00f4\u017ee\u0161 ma\u0165 pekn\u00fa Privacy Policy, ale ak plugin potichu posiela d\u00e1ta tretej strane, je probl\u00e9m.<\/p>\n\n\n\nD\u00f4le\u017eit\u00e9<\/h4>\n\n\n
\u010co je GDPR a na koho sa vz\u0165ahuje<\/h2>\n\n\n\n
Najprv si ujasni rolu: controller vs. processor<\/h2>\n\n\n\n
\n\n
7 princ\u00edpov GDPR, ktor\u00e9 sa ti bud\u00fa vraca\u0165 v ka\u017edom audite<\/h2>\n\n\n\n
\n\n
Kompletn\u00fd GDPR compliance checklist<\/h2>\n\n\n\n
1) D\u00e1ta (invent\u00fara, toky, dokument\u00e1cia)<\/h3>\n\n\n\n
M\u00e1\u0161 zoznam v\u0161etk\u00fdch typov osobn\u00fdch \u00fadajov, zdroj, \u00fa\u010del, zdie\u013eanie a dobu uchov\u00e1vania<\/h4>\n\n\n\n
M\u00e1\u0161 zoznam miest, kde osobn\u00e9 \u00fadaje uklad\u00e1\u0161, a vie\u0161 pop\u00edsa\u0165 tok d\u00e1t medzi nimi<\/h4>\n\n\n\n
M\u00e1\u0161 verejne dostupn\u00e9 z\u00e1sady ochrany osobn\u00fdch \u00fadajov (Privacy Policy) a pokr\u00fdvaj\u00fa cel\u00fd \u017eivotn\u00fd cyklus d\u00e1t<\/h4>\n\n\n\n
V Privacy Policy m\u00e1\u0161 uveden\u00fd pr\u00e1vny z\u00e1klad, pre\u010do \u00fadaje sprac\u00fava\u0161<\/h4>\n\n\n\n
2) Zodpovednos\u0165 a riadenie (accountability & management)<\/h3>\n\n\n\n
M\u00e1\u0161 ur\u010den\u00fa zodpovedn\u00fa osobu \/ DPO, ak to tvoja situ\u00e1cia vy\u017eaduje<\/h4>\n\n\n\n
\n\n
Decision makeri vedia, \u010do GDPR vy\u017eaduje (a ich vedomosti s\u00fa aktu\u00e1lne)<\/h4>\n\n\n\n
Technick\u00e9 zabezpe\u010denie je aktu\u00e1lne a primeran\u00e9<\/h4>\n\n\n\n
T\u00edm je vy\u0161kolen\u00fd na ochranu \u00fadajov (najm\u00e4 ak si processor)<\/h4>\n\n\n\n
M\u00e1\u0161 zoznam sub-processors a Privacy Policy ich pou\u017e\u00edvanie explicitne spom\u00edna<\/h4>\n\n\n\n
Ak si mimo E\u00da, m\u00e1\u0161 ur\u010den\u00e9ho z\u00e1stupcu v E\u00da<\/h4>\n\n\n\n
Incidenty (data breaches) vie\u0161 nahlasova\u0165 \u00faradu aj dotknut\u00fdm osob\u00e1m<\/h4>\n\n\n\n
S ka\u017ed\u00fdm processorom, ktor\u00e9mu odovzd\u00e1va\u0161 d\u00e1ta, m\u00e1\u0161 zmluvu (DPA) s jasn\u00fdmi pokynmi<\/h4>\n\n\n\n
3) Nov\u00e9 pr\u00e1va pou\u017e\u00edvate\u013eov (praktick\u00e9 procesy, nie len text na webe)<\/h3>\n\n\n\n
Pou\u017e\u00edvate\u013e vie jednoducho po\u017eiada\u0165 o pr\u00edstup k svojim \u00fadajom<\/h4>\n\n\n\n
Pou\u017e\u00edvate\u013e vie svoje \u00fadaje opravi\u0165 a udr\u017eiava\u0165 presn\u00e9<\/h4>\n\n\n\n
\u00dadaje, ktor\u00e9 u\u017e nepotrebuje\u0161, sa automaticky ma\u017e\u00fa<\/h4>\n\n\n\n
Pou\u017e\u00edvate\u013e vie jednoducho po\u017eiada\u0165 o vymazanie (right to be forgotten)<\/h4>\n\n\n\n
Pou\u017e\u00edvate\u013e vie po\u017eiada\u0165 o obmedzenie sprac\u00favania<\/h4>\n\n\n\n
Pou\u017e\u00edvate\u013e vie po\u017eiada\u0165 o prenosite\u013enos\u0165 \u00fadajov (data portability)<\/h4>\n\n\n\n
Pou\u017e\u00edvate\u013e vie namieta\u0165 proti profilovaniu a automatizovan\u00e9mu rozhodovaniu<\/h4>\n\n\n\n
4) S\u00fahlas (consent) \u2013 ke\u010f na \u0148om stoj\u00ed sprac\u00favanie<\/h3>\n\n\n\n
S\u00fahlas je dobrovo\u013en\u00fd, konkr\u00e9tny, informovan\u00fd a odvolate\u013en\u00fd<\/h4>\n\n\n\n
Privacy Policy je nap\u00edsan\u00e1 jasne a zrozumite\u013ene<\/h4>\n\n\n\n
Odvolanie s\u00fahlasu je rovnako jednoduch\u00e9 ako jeho udelenie<\/h4>\n\n\n\n
Pri sprac\u00favan\u00ed \u00fadajov det\u00ed overuje\u0161 vek a vy\u017eaduje\u0161 s\u00fahlas z\u00e1konn\u00e9ho z\u00e1stupcu<\/h4>\n\n\n\n
Pri aktualiz\u00e1cii Privacy Policy informuje\u0161 existuj\u00facich z\u00e1kazn\u00edkov<\/h4>\n\n\n\n
5) Follow-up: pravideln\u00e9 rev\u00edzie<\/h3>\n\n\n\n
Pravidelne reviduje\u0161 politiky, ich efekt\u00edvnos\u0165 a zmeny v krajin\u00e1ch, kam te\u010d\u00fa d\u00e1ta<\/h4>\n\n\n\n
6) \u0160peci\u00e1lne pr\u00edpady<\/h3>\n\n\n\n
Vie\u0161, kedy mus\u00ed\u0161 robi\u0165 DPIA pri vysokorizikovom sprac\u00favan\u00ed<\/h4>\n\n\n\n
Prenos d\u00e1t mimo E\u00da rob\u00ed\u0161 len do kraj\u00edn s primeranou ochranou (alebo pou\u017e\u00edva\u0161 SCC\/BCR)<\/h4>\n\n\n\n
Pr\u00e1va dotknut\u00fdch os\u00f4b (User Rights \/ Data Subject Rights) \u2013 \u010do mus\u00ed\u0161 vedie\u0165 pokry\u0165<\/h2>\n\n\n\n
Pr\u00e1vo na transparentn\u00e9 inform\u00e1cie<\/h3>\n\n\n\n
Pr\u00e1vo na inform\u00e1cie pri priamom zbere osobn\u00fdch \u00fadajov<\/h3>\n\n\n\n
\n\n
Pr\u00e1vo na inform\u00e1cie pri nepriamom zbere osobn\u00fdch \u00fadajov<\/h3>\n\n\n\n
Pr\u00e1vo na pr\u00edstup (access)<\/h3>\n\n\n\n
\n\n
Pr\u00e1vo na opravu (rectification)<\/h3>\n\n\n\n
Pr\u00e1vo na vymazanie (right to be forgotten)<\/h3>\n\n\n\n
\n\n
Pr\u00e1vo na obmedzenie sprac\u00favania<\/h3>\n\n\n\n
\n\n
Pr\u00e1vo by\u0165 informovan\u00fd o oprave, vymazan\u00ed alebo obmedzen\u00ed u pr\u00edjemcov<\/h3>\n\n\n\n
Pr\u00e1vo na prenosite\u013enos\u0165 \u00fadajov<\/h3>\n\n\n\n
Pr\u00e1vo namieta\u0165<\/h3>\n\n\n\n
Pr\u00e1vo neby\u0165 predmetom v\u00fdlu\u010dne automatizovan\u00e9ho rozhodovania<\/h3>\n\n\n\n
Praktick\u00e9 implementa\u010dn\u00e9 kroky pre web (od security po marketing)<\/h2>\n\n\n\n
1) Zabezpe\u010d web (minimum, ktor\u00e9 by malo by\u0165 samozrejmos\u0165ou)<\/h3>\n\n\n\n
\n\n
2) Cookie consent banner (spr\u00e1vne, nie len \u201eaby nie\u010do bolo\u201c)<\/h3>\n\n\n\n
\n\n
Pozn\u00e1mka k s\u00fahlasu<\/h4>\n\n\n
3) Rev\u00edzia formul\u00e1rov na webe<\/h3>\n\n\n\n
\n\n
4) S\u00fahlas pre marketingov\u00e9 e\u2011maily<\/h3>\n\n\n\n
\n\n
5) Pripravenos\u0165 na \u00fanik d\u00e1t (data breach)<\/h3>\n\n\n\n
\n\n
WordPress \u0161pecifik\u00e1: \u010do si postr\u00e1\u017ei\u0165 na typickom webe<\/h2>\n\n\n\n
\n\n