Selected Issues from the Dark Side of the General Data Protection Regulation

Issue: 4/2018

Eva Daniela Cvik

Czech University of Life Sciences, Fakulty of Economics and Management, Department of Law, Kamýcká 129, 160 00 Praguje 6 – Suchdol, Czech Rebublic.

Michal Malý

Czech University of Life Sciences, Fakulty of Economics and Management, Department od Economics, Kamýcká 129, 160 00 Praguje 6 – Suchdol, Czech Rebublic, Email:

Radka MacGregor Pelikánová

University of West Bohemia, of West Bohemia in Pilsen, Faculty of Law, Department of Business Law, Sady Pětatřicátníků 14, 306 14 Pilsen, Czech Republic. Email:

The Regulation (EU) 2016/679 on the protection of personal data (GDPR) was enacted in 2016 and applies from 25th May 2018 in the entire EU. The GDPR is a product of an ambitious reform and represents a direct penetration of the EU law into the legal systems of the EU member states. The EU works on the enhancement of awareness about the GDPR and points out its bright side. However, the GDPR has its dark side as well, which will inevitably have a negative impact. Hence, the goal of this paper is twofold – (i) to scientifically identify, forecast, and analyze selected problematic aspects of the GDPR and its implementation, in particular for Czech municipalities, and (ii) to propose recommendations about how to reduce, or even avoid, their negative impacts. These theoretic analyses are projected to a Czech case study focusing on mu-nicipalities, which offers fresh primary data and allows a further refining of the pro-posed recommendations. An integral part of the performed analyses is also a theoretic forecast of expenses linked to the GDPR, which municipalities will have to include in their mandatory expenses and mid-term prognostic expectations regarding the impact on the budgets of these municipalities from Central Bohemia. The GDPR, like Charon, is at the crossing, the capacity and knowledge regarding its application is critical for operating in the EU in 2018. It is time both to admit that the GDPR has its dark side and to present real and practical recommendations about how to mitigate it.

DOI: 10.2478/revecp-2018-0020
JEL: O33, M15, K29, D82
Keywords: Controller v. processor; Data protection officer; GDPR; Transparency

ARREDA, P.E. (1996). The Socratic Method. Harvard Law Review. 109(5),  pp. 911-922.

AUWERMEULEN Van der, B. (2017). How to attribute the right to data portability in Europe: A comparative analysis of legislations. Computer Law & Security Review. 33, pp. 57-72. DOI: 10.1016/j.clsr.2016.11.012

BALCERZAK, A.P. (2015). Europe 2020 Strategy and Structural Diversity Between Old and New Memember States. Application of Zero Unitarization Method for Dynamic Analysis in the Years 2004-2013. Economics & Sociology. 8(2), pp. 190-210. DOI: 10.14254/2071-789X.2015/8-2/14

BALCERZAK, A.P. (2016). Technological Potential of European Economy. Proposition of Measurement with Application of Multiple Criteria Decision Analysis. Montenegrin Journal of Economics. 12(3), pp. 7-17. DOI: 10.14254/1800-5845.2016/12-3/1

BARNARD-WILLIS, D., PAUNER CHULVi, Ch., Hert de, P. D. (2016.) Data protection authority perspectives on the impact of data protection reform on cooperation in the EU. Computer Law & Security Review, 32(4), pp. 587-598. DOI: 10.1016/j.clsr.2016.05.006

BOLOGNO, L., BISTOLFI, C. (2017). Pseudonymization and impacts of Big (personal/anonymous) Data processing in the transition from the Directive 95/46/EC to the new EU General Data Protection Regulation. Computer Law & Security Review. 33(2), pp. 171-181. DOI: 10.1016/j.clsr.2016.11.002.

CHIRITA, A.D. (2014). A legal-historical review of the EU competition rules. International and comparative law quarterly. 63 (2), pp. 281-316. DOI: 10.1017/S0020589314000037

CRADOCK, E., STALLA-BOURDILLON, S., MILLARD, D. (2017). Nobody puts data in a corner? Why a new approach to categorizing personal data is required for the obligation to inform. Computer Law & Security Review. 33, pp. 142-158. DOI: 10.1016/j.clsr.2016.11.005

CUSTERS, B., DUCHESNE, R., SEARS, A.M., et al. (2018). A comparison of data protection legislation and policies across the EU. Computer Law & Security Review. 34(2), pp. 234-243. DOI:  10.1016/j.clsr.2017.09.001

CVIK, E., MacGREGOR PELIKÁNOVÁ, R. (2016). Implementation of Directive 2014/17/EU and its Impact on EU and Member States Markets, from not only a Czech Perspectives. In: Kapounek, S., Krutilova V. (Eds.) 19th International Conference Enterprise and Competitive Environment (ECE) Brno. Procedia Social and Behavioral Sciences. 220, pp. 85-94. DOI: 10.1016/j.sbspro.2016.05.472

Czech Association of towns and villages - CATV (2018a). Český svaz měst a obcí - – S ochranou osobních údajů podle nového obecného nařízení (GDPR) by mohla pomoci Centra společných služeb. Retrieved from [Accessed: 28 May 2018]

Czech Association of towns and villages - CATV (2018b). Český svaz měst a obcí - – Pověřence pro ochranu osobních údajů podle tzv. GDPR by mohla pro obce zajistit Centra společných služeb. Retrieved from [Accessed: 28 May 2018]

Czech statistical office - CSO (2018). Český statistický úřad – Malý lexicon obcí. Retrieved from [Accessed: 28 May 2018]

DAVID, P.A., HALL, B.H., TOOLE, A.A. (2000). Is public R&D a complement or substitute for private R&D? A review of the econometric evidence. Research Policy. 29(4-5), pp. 497-529. DOI: 10.1016/S0048-7333(99)00087-6

EUROPEAN COMMISSION (2017). [online] Reform of EU data protection rules. Retrieved from [Accessed: 28 May 2018]

GELLERT, R. (2018). Understanding the notion of risk in the General Data Protection Regulation. Computer Law & Security Review. 34(2), pp. 279-288. DOI: 10.1016/j.clsr.2017.12.003

HERT de, P., PAPAKONSTANTINOU, V. (2016). The new General Data Protection Regulation: Still and sound system for the protection of individuals? Computer Law & Security Review. 32(2), pp. 179-194. DOI: 10.1016/j.clsr.2016.02.006

HERT de, P., PAPAKONSTANTINOU, V., MALGIERI, G., et al. (2018). The right to data portability in the GDPR: Towards user-centric interoperability of digital services. Computer Law & Security Review. 34(2), pp. 193-203. DOI: 10.1016/j.clsr.2017.10.003

IYKE, B.N. (2017). Does Trade Openness Matter for Economic Growth in the CEE Countries? Review of Economic Perspectives – Národohospodářský obzor. 17(1), pp. 3-24. DOI: 10.1515/revecp-2017-0001

JINDŘICHOVSKÁ, I., KUBÍČKOVÁ, D. (2017). The Role and Current Status of IFRS in the Completion of National Accounting Rules – Evidence from the Czech Republic. Accounting in Europe. 14(1–2), pp. 56–66. DOI: 10.1080/17449480.2017.1301671

JINDŘICHOVSKÁ, I., KUBÍČKOVÁ, D. (2016). Economic and Political Implications of IFRS Adoption in the Czech Republic, IN: Efobi, U., Nnadi M., Sailesh, T., Enrico, U, Iyoha, F.  Economics and Political Implications of International Financial Reporting Standards. IGI Global Hershey, PA 17033, USA.

KNAPP, V. (1995). Teorie práva. 1 vyd. Praha, CZ : C.H.Beck.

KRYSTLIK, J. (2017). With GDPR, preparation is everything. Computer Fraud & Security. 6, pp. 5-8. DOI: 10.1016/S1361-3723(17)30050-7

KUNER, Ch., JERKER, D., SVANTESSON, B. et al. (2017).The GDPR as a chance to break down borders. International Data Privacy Law. 7(4), pp. 213-232. DOI: 10.1093/idpl/ipx023

LINDQVIST, J. (2017). New challenges to personal data processing agreements: is the GDPR fit to deal with contract, accountability and liability in a world of the Internet of Things? International Journal of Law and Information Technology. 26(1), pp. 45–63, DOI: 10.1093/ijlit/eax024.

MacGREGOR PELIKÁNOVÁ, R. 2012. And the best top level domain for European enterprises is ... International And Comparative Law Review. 12(2), pp. 41-57.

MacGREGOR PELIKÁNOVÁ, R. (2013). Internet My Dearest, What Type of European Integration Is The Clearest? Acta Universitatis Agriculturae et Silviculturae Mendelianae Brunensis. 61(7), pp. 2475-2481.

MacGREGOR PELIKÁNOVÁ, R. (2014a). Selected current aspects and issues of European integration. Ostrava, CZ : Key Publishing.

MacGREGOR PELIKÁNOVÁ, R. (2014b). The (DIS)harmony of opinions regarding domain names in the Czech Republic. Scientific Papers of the University of Pardubice, Series D: Faculty of Economics and Administration. 21(32), pp. 73-84

MacGREGOR PELIKÁNOVÁ, R. (2017). European Myriad of Approaches to Parasitic Commerical Practices. Oeconomia Copernicana,. 8(2), pp. 167-180. DOI: 10.24136/oc.v8i2.11

MacGREGOR PELIKÁNOVÁ, R., CÍSAŘOVÁ, J., BENEŠ, M. (2017). The misleading perception of the purpose of the protection against misleading advertising by the EU law and its impact on the Czech Republic. Lawyer Quarterly. 7(3), pp. 145-161

MARTÍNEZ-MARTÍNEZ, D.F. (2018). Unification Of Personal Data Protection In The European Union: Challenges And Implications. Profesional de la Informacion.27(1), pp. 185-194.

MALATRAS, A., SANCHEZ, I., Beslay, L., et al. (2017). Pan-European personal data breaches: Mapping of current practices and recommendations to facilitate cooperation among Data Protection Authorities. Computer Law & Security Review. 33, pp. 458-469. DOI: 10.1016/j.clsr.2017.03.013

MATEJKA, J. (2013). Internet jako object práva – Hledání rovnováhy autonomie a soukromí. Praha, CZ : CZ NIC.

Ministry of Finance of the Czech Republic - MF (2017). Ministerstvo financí ČR - Monitor – Informační portál [online]. Retrieved from: [Accessed: 28 May 2018]

PAKŠIOVÁ, R. (2016).  Understanding of corporate social responsibility in large companies in Slovakia within the context of a sustainable development. In Economic policy in the European union member countries. International scientific conference. Karviná : School of Business Administration in Karvina, SU in Opava, pp. 516-525.

PIEKARCZYK, A. (2016). Contemporary organization and a perspective on integration and development. Oeconomia Copernicana. 7(3), pp. 467-483.  DOI: 10.12775/OeC.2016.027

PORMEISTER, K. (2017). Genetic data and the research exemption: is the GDPR going too far? International Data Privacy Law. 7(2), pp. 137-146. DOI: 10.1093/idpl/ipx006

RAAB, Ch., SZEKELY, I. (2017). Data protection authorities and information technology. Computer Law & Security Review. 33, pp. 421-433. DOI: 10.1016/j.clsr.2017.05.002

SILVERMAN, D. (2013). Doing Qualitative Research – A Practical Handbook. 4th Edition, London, UK : SAGE.

Staníčková, M., Melecký, L., Navrátil, B. (2013). Measuring the Student Research Projects' Efficiency Using DEA Method. In: Efficiency and Responsibility in Education 2013 - ERiE: proceedings of the 10th international conference. Prague: Czech University of Life Sciences Prague, 2013, pp. 573-580.

TANKARD, C. (2016). What the GDPR means for businesses. Network Security. 6, pp. 5-8. DOI: 10.1016/S1353-4858(16)30056-3

TIKKINEN-PIRI, Ch., ROHUNEN, A., MARKULA, J. (2017). EU General Data Protection Regulation: Changes and implications for personal data collecting companies. Computer Law & Security Review (in press). DOI: 10.1016/j.clsr.2017.05.015

TUREČKOVÁ, K., NEVIMA, J. (2016). The Perils of Drawing from European Funds in Public Education. In: Proceedings of the 11th International Scientific Conference Public Administration 2016. Pardubice: University of Pardubice, Faculty of Economics and Administration, pp. 273-282. ISBN 978-80-7560-040-0.

VIVANT, M. (2016). Building a Common Culture IP? International Revue of Intellectual Property and Competition law. 47(3), pp. 259-261. DOI: 10.1007/s40319-016-0472-y

VOKOUN, M. (2017). Characteristic of the innovation activities of firms in Europe: a critical review of international differences. Review of Economic Perspectives – Národohospodářský obzor. 17(3), pp. 239-262. DOI: 10.1515/revecp-2017-0013

ZERLANG, J. (2017). GDPR: a milestone in convergence for cyber-security and compliance. Network Security. 6, pp. 8-11. DOI: 10.1016/S1353-4858(17)30060-0

ZUIDERVEEN BORGESIUS, F.J (2016). Singling out people without knowing their names – Behavioural targeting, pseudonymouos data, and the new Data Protection Regulation. Computer Law & Security Review. 32, pp. 256-271. DOI: 10.1016/j.clsr.2015.12.013