GDPR and Dotykačka


The new General Data Protection Regulation, known as GDPR, comes into force on May 25, 2018. For us, this regulation does not change anything because all personal data has been and will continue to be safe with Dotykačka, and our customers do not need to take any action in relation to it. You can find all important information in the general announcement below. See also GDPR features in Dotykačka.

Dotykačka ČR s.r.o is the controller and also processor of personal data that you, as a data subject, provide to us. The protection of personal data is very important to us, therefore we always process personal data in accordance with the legal regulations.

Our General Privacy Policy governs the use and storage of personal data. You can learn about our privacy policy in the General Privacy Policy document.

We may collect the following types of personal data about you:

  • Identification data such as your name and surname
  • Address details such as your postal address, telephone or e-mail

We need your personal data in order to:

  • Provide you with our POS system and other related services
  • Run your POS system
  • Inform you about the latest news in our POS system
  • Send you invoices and requests for payment
  • Provide you with additional services resulting from the current contractual relationship

You personal data is processed by Dotykačka ČR s.r.o. in the Czech Republic. The processing and storage of data is done through cloud services located in the Czech Republic or the EU.

No third parties have access to your personal data unless expressly required by law.

According to Czech and European law, we are obliged to keep documents for 10 years after the termination of the relationship, as stated in our Privacy Policy. After this period, your personal data will be irreversibly destroyed. Any personal data that we have available to provide marketing or information services will be retained until you notify us that you no longer wish to receive such information/services. For more information about how we handle personal data, please see our Privacy Policy.

If you believe that any of your personal data that we process is incorrect or incomplete, you may request to view, correct, or delete your personal data. Please contact us through our email address or through our data box.

If you wish to object to the way we have processed your personal data, please contact our Data Protection Officer at or in writing to Dotykačka ČR s.r.o., Plzeňská 3217/16, 150 00 Prague 5, Czech Republic. Our authorized employee will deal with your objection and will work with you to resolve it.

If you still feel that your personal data has not been handled appropriately according to the law, you can contact the Office for Personal Data Protection and file a complaint.

Dotykačka apps are prepared for GDPR!

The activities required by the GDPR legislation are available directly in the cash desk and in Dotykačka Cloud. This includes in particular customer anonymization and GDPR audit for access to the personal data of your customers.

GDPR in a nutshell: from when, for whom and how to deal with it.

GDPR is the abbreviation of the General Data Protection Regulation. But what is GDPR in reality? This more specific EU legislation will significantly increase the protection of the personal data of citizens. It is the EU General Regulation (GDPR) 2016/679 on data protection and privacy.
The GDPR regulation comes into effect on May 25, 2018.
GDPR concerns all companies and institutions, but also individuals and online services that process the data of users – citizens. It aims to protect the rights of EU citizens against the unauthorized processing of their data, including their personal data.
  • Implementation of deliberate and necessary data protection
  • Data protection impact assessment (Companies or institutions will have to develop it if they perform a systematic and extensive evaluation of personal data which is based on automated processing, including profiling. Typical examples are the activities of banks, insurance companies, leasing companies and other financial institutions.)
  • Designation of an independent DPO control function (Data Protection Officer)
  • Introduction of the so-called pseudonymization of personal data = processing personal data so that it can no longer be assigned to a particular person without the use of additional information which is kept separately and protected against reassignment to the original data.
  • Keeping records of processing activities (Exemptions from the requirement to keep records of processing operations can be applied to organizations with fewer than 250 employees, where the processing of personal data is not their principal activity, where there is no risk to the rights and freedoms of individuals, and where these organizations do not process sensitive data.)
  • Consultation of the supervisory body prior to the actual processing of personal data. There is also a new obligation to report violations of personal data protection to the supervisory authority and to the citizens affected by the violation.
  • Anyone who collects, processes, and retains personal data under the GDPR regulation must clearly define and specify the purpose of the data processing.
  • The data processing must be legitimate and must not be contrary to legal regulations or morals.
  • The processing should be fair, lawful, and transparent to the natural persons concerned. The processing information provided to the data subject must be clear, unambiguous, and intelligible – to the extent appropriate to the particular situation.
  • Both a controller and a processor of personal data must secure and protect the data by organizational and technical measures – to the extent corresponding to the processing risk.
  • Each data processing activity must be based on one of the basic reasons (legal titles for processing), which most often includes the performance of a contract, fulfilment of legal obligations or legal authorization, exercise of public authority, or processing on the basis of the consent of the person concerned.
  • Each processing activity in the public sector must have a clear legal basis; such processing cannot be replaced by consenting to the data processing.
  • The processing must not unnecessarily infringe upon privacy. Controllers must consider the justification and legitimacy of any sharing or disclosure of negative or otherwise sensitive data.
  • There is the obligation to erase personal data once the purpose of the processing has been fulfilled. Longer retention periods may be set by legal rules for archiving or for the specific use of data (State Statistical Service, sickness and pension insurance, etc.).
  • Within the EU, the unified protection of personal data is guaranteed in each member state as defined by the GDPR. Personal data may be transferred outside the European Union only if additional rules are met or under certain circumstances, such as the performance of a contract with the data subject.

The Office for Personal Data Protection has compiled the ten most common mistakes or misleading claims on the General Data Protection Regulation (GDPR).

  1. Referring to the General Regulation as a directive – referring to the General Regulation as a directive on the protection of personal data is not only incorrect, but can also be misleading. While a regulation is valid throughout the European Union and is directly applicable, a directive, on the contrary, as a legal act setting out the objective that all EU Member States have to fulfill leaves it to the Member States to lay down their own national laws and achieve them.
  2. Calling the General Regulation a revolution in the rights of data subjects and the obligations of controllers – it is no novelty in data protection in the EU member states; the right exists under Article 14 of Directive 95/46/EC, and in the Czech legal order it has been part of the Personal Data Protection Act since its approval in 2000. Data subjects in the Czech Republic normally exercise their rights under Article 21, Sections 1 and 2.
  3. The definition of personal data is extended – the General Regulation defines personal data as any information about an identified or identifiable natural person; the Personal Data Protection Act defines it as any information concerning a determined or determinable data subject.
  4. It is better to have a blanket consent from the data subject than to deal with individual legitimate reasons – in the General Regulation, the consent of the data subject with the processing for one or more specific purposes is one of the six legal conditions for the lawfulness of the processing, and the Regulation explicitly regulates the conditions for obtaining it. Any obtaining of a blanket consent from the data subject for any processing that a controller will perform for various purposes would thus be in contradiction with several provisions of the General Regulation. The data subject may also withdraw their consent at any time.
  5. Encryption is mandatory – the General Regulation does not impose an obligation to use a specific measure to safeguard the processing. The obligation itself includes the introduction of appropriate technical and organizational measures with respect to whether the measures are state of the art, the cost of adopting these measures, and implementing individual technical and organizational measures to safeguard personal data. Encryption is among the appropriate measures.
  6. Every controller, or almost every controller, must have a Data Protection Officer – a controller is obligated to appoint a DPO subject to one of the following three conditions:
    1. Processing is carried out by a public authority or a public body, with the exception of courts acting within their jurisdiction.
    2. The principal activities of a controller or a processor consist of processing operations which, due to their nature, scope or purpose, require the extensive regular and systematic monitoring of data subjects.
    3. The principal activities of a controller or a processor consist of the extensive processing of specific categories of data and personal data relating to criminal convictions and offenses. In other cases, neither a controller nor a processor have the obligation to appoint a Data Protection Officer.
  7. ​The DPO must have a certificate – there is no specific form of verification or proof of the professional qualities prescribed, nor is there a form of any externally obtained certificate. It is understood that a controller who performs part of the processing of personal data under the protection of classified information must fulfill the conditions set by the relevant legal regulations.
  8. The General Regulation places high, difficult to meet demands on Data Protection Officers – some controllers and processors have the impression that a suitable candidate cannot be found at the moment.  In general, there are several ways to find the right officer, including sharing a DPO with other controllers where only part of the working time pool is necessary to perform the function of a Data Protection Officer, as well as outsourcing a DPO or using the external support services of a DPO.
  9. A controller cannot assign tasks to a Data Protection Officer – a controller or a processor may assign tasks, of course, even tasks and responsibilities other than those determined by the General Regulation and directly related to the General Regulation, e.g. to participate in testing, assessing and evaluating the arrangements to safeguard personal data for the controller.
  10. Controllers and processors may now face significant fines based on their turnovers – the General Regulation stipulates that sanctions, including administrative fines, should be imposed for any violation of the General Regulation, in addition to or instead of the measures imposed by the supervisory authority. The upper limit of the fines is new, but the fines are to be effective, proportionate, and dissuasive in each individual case. At the same time, the General Regulation respects the principles of administrative punishment, including the criteria for setting the amount of fines and the conditions for determining responsibility and exoneration.

Liable subjects that violate the GDPR rules, are non-compliant or unprepared for the new regulation, may face significant fines that can even be liquidating.

The maximum fine is € 20,000,000 or 4% of the company’s global annual turnover (whichever is higher), and its amount will depend on a number of factors, such as the nature, severity, and duration of the violation, the number of injured citizens, the extent of the damage, and many more, irrespective of the size of the subject. A high fine may be imposed on a smaller company with ten employees as well as on a large multinational corporation.

In addition to imposing administrative fines, controllers or processors of personal data may be exposed to actions brought by natural persons claiming material or non-material damages. Last but not least, companies are exposed to a loss of trust due to the mishandling of personal data.

GDPR – calculator and training

If you already feel overwhelmed with the masses of theoretical information about the GDPR and still do not know how to deal with it in practice, you can visit one of the practical all-day training courses that are currently available on the market, or fill in one of the online GDPRcalculators to guide you quickly through the GDPR requirements tailored to your company.