1. Governing Texts

1.1. Legislation

The financial sector is one of the largest controllers and processors of personal data. The effort to collect as much information as possible about the client in order to improve the quality of the services provided or to minimise the risks associated with providing certain financial services using automated technologies (such as scoring systems when granting the credit loan) might result in a breach of the data minimisation principle. Therefore, processing data by financial institutions is subject to permanent and thorough supervision of the Office for Personal Data Protection ('UOOU'), which pays particular attention to the use of modern technologies in communication with clients. Using modern technologies in the financial sector is a common practice, which has its undeniable advantages, but over the last couple of years we have witnessed that the trend of misuse of these technologies has clearly increased. The most common case of a breach of data protection regulations in the financial sector relates to the requirement of obtaining the client's consent as a precondition of signing up to a service, despite the fact that personal data of a client should be processed solely to comply with specific financial regulations.

The following EU legislation, among others, is applicable:

• the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is applicable to financial services with regard to their personal data processing activities;
• the Payment Services Directive (Directive (EU) 2015/2366) ('PSD2'); and
• the Fourth Anti-money Laundering Directive (Directive (EU) 2015/849) ('the Fourth AML Directive');
• the Fifth Anti-Money Laundering Directive (Directive (EU) 2018/843) ('the Fifth AML Directive'); and
• the Sixth Anti-Money Laundering Directive (Directive (EU) 2018/1673) ('the Sixth AML Directive').

The European Data Protection Board ('EDPB') has issued the following relevant Opinion:

• Opinion 4/2019 on the draft Administrative Arrangement for the Transfer of Personal Data between the European Economic Area ('EEA') Financial Supervisory Authorities and non-EEA Financial Supervisory Authorities;
• Guidelines 06/2020 on the Interplay of the Second Payment Services Directive and the GDPR; and
• Letter regarding the PSD2 Directive.

The Article 29 Working Party ('WP29') has issued the following relevant guidance:

• Opinion 14/2011 on Data Protection Issues related to the Prevention of Money Laundering and Terrorist Financing;
• Opinion 1/2006 on the Application of EU Data Protection Rules to Internal Whistleblowing Schemes in the Fields of Accounting, Internal Accounting Controls, Auditing Matters, Fight against Bribery, Banking and Financial Crime ('WP29 Opinion on Whistleblowing');
• Letter of the Chair of the Article 29 Working Party to FATCA; and
• Guidelines on Transparency under Regulation 2016/679 ('the Guidelines On Transparency').

The European Banking Authority ('EBA') has issued, among others, the following relevant guidance:

• Recommendations on Outsourcing to Cloud Service Providers (20 December 2017);
• Guidelines on Major Incident Reporting under Directive (EU) 2015/2366 (PSD2) (27 July 2017); 
• Guidelines on Reporting Requirements for Fraud Data under Article 96(6) PSD2;
• Guidelines on ML/TF Risk Factors under Articles 17 and 18(4) of Directive (EU) 205/84;
• Final Report on EBA Guidelines on Outsourcing Arrangements ('the EBA Guidelines on Outsourcing'); and
• Guidelines on ICT and Security Risk Management.

National Legislation

The applicable Czech law is to a great extent the implementation of EU regulations and directives on personal data protection. Act No. 110/2019 Coll. on Personal Data Processing ('the Act') adapts and specifies the principles and requirements set out in the GDPR as well as processing of personal data beyond EU law, suchas, data processing related to immigration. In addition, the Act transposes the Data Protection Directive with Respect to Law Enforcement (Directive (EU) 2016/680) (Commission Implementing Decision of 28 June 2021 pursuant to Directive (EU) 2016/680 of the European Parliament and of the Council on the Adequate Protection of Personal Data by the United Kingdom) into domestic law and sets out the requirements for the processing of personal data for criminal 'law enforcement purposes'.

Although the Act is the only general domestic law on data protection, financial institutions are subject to extensive specific public law regulations, in particular, providing for, and obliging financial institutions to process a great amount of personal data of their clients when providing financial services to comply with their legal obligations arising out of the laws and regulations in the financial market area.

In particular, the Czech financial markets are regulated by:

• Act No. 253/2008 Coll., on Selected Measures against Legitimisation of Proceeds of Crime and Financing of Terrorism ('the AML/CFT Act');
• Act No. 256/2004 Coll. on Capital Market Business, as amended;
• Act No. 21/1992 Coll., on Banks ('the Act on Banks');
• Act No. 170/2018 Coll., on Insurance and Reinsurance Distribution (only available in Czech here) ('the IRD Act');
• Act No. 87/1995 Coll., on Credit unions and certain related measures and on the amendment of the Czech National Council Act No. 586/1992 Coll., on Income Taxes, as amended;
• Act No. 96/1993 Coll., on building savings and state support for building savings (only available in Czech here);
• Act No. 277/2009 Coll., on Insurance (only available in Czech here);
• Act No. 240/2013 Coll., on Management Companies and Investment Funds, as amended;
• Act No. 240/2000 Coll., on Crisis Management and on Amendment to Certain Acts (only available in Czech here);
• Act No. 370/2017 Coll., on Payments;
• Act No. 190/2014 Coll., on Bonds, as amended; and
• Act No. 257/2016 Coll., on Consumer Credit.

1.2. Supervisory authorities

The GDPR requires every Member State to establish a supervisory authority (Article 54 of the GDPR). In addition, the GDPR provides for a system of cooperation and transparency among all Member States' supervisory authorities in order to ensure consistent application of the GDPR throughout the EU.

2. Personal and Financial Data Management

The GDPR requires every Member State to establish a supervisory authority (Article 54 of the GDPR). In addition, the GDPR provides for a system of cooperation and transparency among all Member States' supervisory authorities in order to ensure consistent application of the GDPR throughout the EU.

The UOOU acts as as the supervisory authority for Czech Republic in accordance with the GDPR and the Act. Its main tasks are to monitor and enforce the application of data protection law, i.e. to act as a supervisory authority and to raise public awareness on personal data protection. The UOOU is responsible for the following:

• supervising the compliance with the obligations in the area of processing personal data;
• receiving suggestions and complaints about breaches of the obligations in the processing of personal data, and informs how the breaches are handled;
• investigating offences, among others, on the basis of information received from another supervisory or public authority; and
• imposing fines.

Furthermore, the Czech National Bank ('CNB') is the main supervisory authority for the financial market in the Czech Republic. It lays down rules safeguarding the stability of the banking sector, the capital market, the insurance industry, and the pension scheme industry. It regulates, supervises and, where appropriate, issues penalties for non-compliance with these rules. In order to support market participants, the CNB also issues many explanatory documents and guidelines in the form of official information and answers to enquiries.

The Ministry of Finance of the Czech Republic ('Ministry of Finance') is the government body that regulates financial markets and supervises the areas falling outside the scope of the Czech National Bank's authority.

The Financial Analytical Office supervises anti-money laundering activities.

2.1. Legal basis for processing

According to the GDPR, personal data must be processed in accordance with the principles of fairness, lawfulness and transparency (Article 5(1)(a) of the GDPR). In addition, processing shall only be lawful if (Article 6(1) of the GDPR):

• the data subject has given consent to the processing for one or more specific purpose;
• the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of a data subject prior to entering a contract;
• the processing is necessary for the compliance with a legal obligation to which the controller is subject;
• the processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data.

Moreover, under Article 9 of the GDPR, processing of special categories of personal data is prohibited unless one of the conditions in Article 9(2) applies.

In the financial sector, the legal grounds for the processing of personal data generally consists of:

• the data subject's consent;
• the preparation or performance of a contract;
• specific legal or regulatory obligations resting upon financial institutions; and
• the legitimate interests of the financial institution.

With regards to industry-specific laws and regulations, many acts include legal obligations for financial institutions to process personal data, by way of identification, verification, reporting, or data retention obligations.

According to Act No. 370/2017 Coll., on Payments, which implements the PSD2 in the Czech Republic, persons authorised to provide payment services and payment system participants or operators may process personal data without the consent of the data subjects if the processing is solely for the purposes of preventing, investigating, and detecting payment fraud.

2.2. Privacy notices and policies

Pursuant to Article 5(1)(a) of the GDPR and the principle of transparency, concerned data subjects must be provided with certain information (typically referred to as a privacy notice or privacy policy). According to Articles 13 and 14 of the GDPR, such information must include, for example, the controller's identity and the contact details of the controller, the categories of personal data processed and the purposes of the processing, the recipients of the data, retention periods, and information concerning the existence of the data subject's rights. There are no additional sector-specific requirements for financial entities to provide customers with corresponding information.

In the Czech Republic, there are no sector specific requirements for financial institutions when it comes to the notice of privacy policies. Therefore, the general rules apply.

Data subjects need to be clearly informed about:

• who the institution is (contact details and the contact details of the data protection officer ('DPO'), if any),
• why the institution will use data subject's personal data (i.e. the purposes);
• the categories of personal data concerned;
• the legal basis for processing the data subject's personal data;
• how long the personal data will be kept;
• who else may receive it;
• whether the data subject's personal data will be transferred to a recipient outside the EU;
• that the data subject has the right to a copy of their data (right of access to personal data) and other basic data protection rights;
• the right to lodge a complaint to the UOOU;
• the right to withdraw their consent at any time; and
• if automated decision-making will take place and the logic involved, including its consequences (where applicable).

The Act No. 480/2004 Coll. on Certain Information Society Services and on Amendment to Certain Acts (only available in Czech here) ('the Information Society Services Act') sets out some additional requirements which apply to the advertising targeted to customers (not only limited to natural persons as set out under the GDPR).

Commercial advertising may only be distributed with the prior consent of the person to whom this communication is to be distributed. Prior consent is not required if the communication is sent to existing customers under condition that the advertisement relates to the same, or similar goods or services as already provided to those customers in the past.

The Information Society Services Act prohibits sending advertisement by e-mails and/or text messages to both the natural and legal persons if:

• such e-mail or text message is not clearly and distinctly identified as a business message (preferably in the subject of email/text message);
• the identity of the sender is concealed; or
• the sender does not use a valid e-mail address and/or phone number through which the customers may directly reply that they do not wish to receive the business messages any longer.

2.3. Data security and risk management

Taking into account the costs of implementation, nature, scope, context and purposes of processing, as well as the level of risk to the rights and freedoms of natural persons, data controllers and processors in the financial sector must implement technical and organisational measures to ensure a level of security appropriate to the risk (Article 32 of the GDPR).

The GDPR introduces the institution of a DPO. The DPO is a person who is not responsible for the processing of personal data, i.e. the controller or the processor. However, a DPO helps ensure that the processing of personal data complies with the GDPR.

According to Article 37 of the GDPR, the controller and the processor must appoint a DPO in each case where:

• processing is carried out by a public authority or public body, except for courts acting within their judicial powers;
• the main activities of the controller or processor consist of processing operations which, by their nature, scope, or purposes require extensive regular and systematic monitoring of data subjects; or
• the controller's or processor's main activities consist of large-scale processing of special categories of (sensitive) data and personal data relating to criminal convictions and offences.

2.4. Data retention/record keeping

Personal data must not be retained in a form which permits the identification of the data subject for longer than what is necessary (Article 5(1)(e) of the GDPR). The period for which the personal data is stored should be limited to a minimum and time limits should be established by the controller for erasure or a periodic review (Recital 39 of the GDPR).

Pursuant to Section 21(2) of the Act on Banks, a bank and a branch of a foreign bank are required to keep separate records of transactions for the account of the customer and transactions for the account of the bank or foreign bank. Banks and branches of foreign banks are obliged to keep the documents on the transactions for at least ten years.

The AML/CFT Act specifies how bank customers are to identify themselves. In the case of a natural person, this means ascertaining their name, birth number or date of birth, sex, permanent or other residence, verifying them from the identity card, if they appear therein, as well as verifying the conformity of the likeness with the image on the identity card, the number and period of validity of the identity card, and the authority or state that issued it; in the case of a natural person engaged in business, this also includes ascertaining their business name and identification number. However, this identification is only required for certain types of transactions.

Identification data, copies of documents, or an extract of relevant identification data from them, submitted for identification, must be kept by the obliged person for ten years after the termination of the relationship with the customer.

3. Financial Reporting and Money Laundering

When will the customer due diligence be applied?

Credit and financial institutions must perform customer due diligence ('CDD'):

• before carrying out a one-off trade outside a business relationship, at the latest when it is clear that the value of this trade exceeds €1,000, and at the same time, it is clear that this transaction reaches a value of at least €15,000 or is carried out with a politically exposed person or a person identified at a distance or with a transfer of funds of at least €1,000;
• in case of suspicious trade;
• in the event of establishment of a business relationship; or
• during the business relationship.

The legal requirements for CDD are set out in Article 9(2) of the AML/CFT Act according to which the following information must be obtained and evaluated:

• the purpose and intended nature of the business transaction or business relationship;
• the nature of the client's business;
• the identity of the beneficial owner and its verification from trusted sources;
• whether the beneficial owner is a politically exposed person or a person against whom the Czech Republic imposes international sanctions;
• determine the ownership and management structure of a client who is a legal entity or a trust fund;
• find out whether the person in the ownership or management structure is a person against whom the Czech Republic imposes international sanctions;
• information necessary for the ongoing monitoring of the business relationship, including the review of transactions carried out during that relationship;
• information necessary to review the sources of funds or other assets involved in the business or relationship;
• the origin of the property of a politically exposed person in the context of a business relationship with them; and
• whether the client is established in a high-risk third country or whether the business is related to such country.

Under certain conditions, instead of a standard client control, an enhanced CDD is performed in accordance with Article 9(a) of the AML/CFT Act or a simplified CDD in accordance with Article 13 of the AML/CFT Act.

Due diligence is not a static process and must be ongoing. The liable entity must review all transactions within the given business relationship. Based on these findings, the risk of AML/CFT changes. The due diligence must be performed in proportion to the AML/CFT risk.

The liable person must continuously update the information about the client in connection with the review of transactions, in accordance with Article 8(9) of the AML/CFT Act. It is also necessary to check and update the validity and completeness of the information obtained in the identification and control of the client. The liable person is obliged to keep the data set out in Article 16 of the AML/CFT Act for a period of ten years. However, there are exceptions, such as information and copies of documents obtained during the due diligence or records of the procedure for assessing and determining the client's risk profile, including the choice of appropriate measures applied to the client and in assessing facts related to suspicious transaction reporting.

Know your client

The obliged person must obtain sufficient information to be able to understand the AML/CFT risk posed by its client. In other words, the liable person must be able to determine the risk profile of the client. The greater the risk, the more information must be obtained.

The following questions are relevant:

• Who is the client?
• In which country is the client established? How risky is it? Is this a high-risk third country?
• Is the client a politically exposed person? If so, what is the origin of their property?
• Does the Czech Republic impose international sanctions on the client?
• What is the management and ownership structure of the client?
• Who is the real owner of the client, or the real owner of the transaction in the sense of Article 4(4)(b) of the AML/CFT Act?
• Is the natural person acting on behalf of the client or the beneficial owner of the client a politically exposed person or a person against whom the Czech Republic imposes international sanctions? Is another person in the client's ownership or management structure a person against whom the Czech Republic imposes international sanctions?
• Why does the client want to provide the product or service?
• Where do the funds (or other assets) to which the business or business relationship relates come from?
• What is the expected scope and form of business with the client, when entering into a business relationship with the client?
• What does the client do?
• What is the scope of the client's activities?
• Who are the client's main business partners?
• If the client already has a business relationship with the liable person or has already made transactions with them, what is the history of this business relationship or these transactions? Does the current transaction deviate from it?

The suspicious transaction is reported in accordance with Article 18 of the AML/CFT Act. A situation where a client refuses to be inspected may (but also may not) constitute a suspicious transaction. In such a case, the submission of a suspicious transaction notification is at the discretion of the liable person.

4. Banking Secrecy and Confidentiality

Information covered by banking secrecy may be shared by the bank with persons authorised to perform banking supervision. It is also not a breach of bank secrecy to disclose data about a client and their business in case of filing a criminal complaint, in fulfilling the reporting obligation under the AML/CFT Act or Act No. 69/2006 Coll., on Carrying Out of International Sanctions ('the Act on International Sanctions'), or in fulfilling the obligation to pass on data according to Act No. 300/2016 Coll., on the Central Register of Accounts (only available in Czech here).

The bank must report on matters covered by banking secrecy only upon written request of:

• a court for the purposes of civil proceedings;
• a law enforcement authority;
• tax administrators under the conditions of Act No. 280/2009 Coll., Tax Code (only available to download in Czech here);
• the financial arbitrator deciding the dispute;
• the Financial Analytical Unit under the conditions laid down by the AML/CFT Act or the Act on International Sanctions;
• social security authorities in matters of social security premiums and contributions to the state employment policy owed by the client, including debt on premiums, penalties, and fines; health insurance authorities in proceedings on overpayment of health insurance benefits, recourse compensation, and debt on fines; social security bodies or municipal authorities of extended municipalities or authorised municipal authorities in matters of overpayment on social security benefits and debt on fines; or state social support bodies in matters of overpayment on state social support benefits, which the client is obliged to return, which also applies to the recovery of this premium, contribution, and overpayment;
• health insurance companies in matters concerning public health insurance premiums owed by the client, which also applies to the collection of this premium;
• a bailiff entrusted with the execution;
• the Labour Office of the Czech Republic ('the Labour Office') in the matter of proceedings on the return of funds provided to clients from the state budget, which also applies to the recovery of these funds;
• intelligence services for the purpose of performing a specific task within its competence pursuant to the law regulating the activities of the intelligence services of the Czech Republic with the consent of a judge, whereby the provisions of the law governing the activities of the intelligence services of the Czech Republic apply to request the report;
• the Office for the Supervision of the Management of Political Parties and Political Movements for the purposes of supervision pursuant to the law governing associations in political parties and political movements;
• the National Security Office, the intelligence service, or the Ministry of the Interior of the Czech Republic, when conducting security proceedings pursuant to a special law;
• the Police of the Czech Republic for the purpose of searching for a wanted or missing person, or preventing and detecting specific threats in the field of terrorism pursuant to the Act No. 283/1991 Coll., regulating the Police of the Czech Republic;
• the General Inspection of Security Forces ('GIBS') for the purpose of searching for the wanted person according to the Act No. 341/2011 Coll., on General Inspection of Security Forces (only available in Czech here); or
• the Ministry of Finance under the conditions laid down by the Act No. 58/1995 Coll., on Insurance and Financing of Exports with State Support and on Supplement to Act No. 166/1993 Coll., on the Supreme Audit Office, as amended (only available in Czech here).

Furthermore, a bank is obliged to provide:

• at the written request of the social security authorities in the matter of proceedings on the return of the benefit credited to the client's account, identification data on its client, who is the owner of the account, persons authorised to handle funds on this account, and data on matters related to this account; the bank is also obliged to provide this information upon the written request of the Labour Office after the client's death;
• at the written request of the competent authority under Act No. 634/1992 Coll., on Consumer Protection, as amended (only available in Czech here) ('the Consumer Protection Act'), with an identification number or other unique account identifier, identification data about its client, who is or was the owner of this account, and details of the agent who was or is authorised to manage the funds in that account;
• the State Agricultural and Food Inspection Authority upon written request under the Act No. 146/2002 Coll., on the Czech Agriculture and Food Inspection Authority, as amended (only available in Czech here) ('State Agricultural and Food Inspection Act'), with an identification number or other unique account identifier, identification data about its client, who is the owner of this account, and details of the agent who is authorised to manage the funds in that account;
• the person authorised for the purpose of enforcing the decision, with the account number or other unique identifier of its client and the identification code of the bank or branch of the foreign bank and identification data of its client who is the account holder; the same obligation of the bank applies to a person who proves that has suffered damage as a result of their own erroneous disposition to a bank or a branch of a foreign bank and that without this information they cannot assert their right to issue unjust enrichment; and
• if the client is in default with the bank for more than 60 days or violates its obligations to the bank, the bank's obligation to maintain banking secrecy is limited so that the bank can publish information about the breach by the client no earlier than 30 days thereafter; the bank can publish only identification data of the client and the specification of the breached obligation.

5. Insurance

The IRD Act sets out basic rules for dealing with the customer in the insurance market.

Before entering into or substantially changing insurance, the insurance company or insurance agent must obtain information from the customer regarding the customer's requirements, objectives, and needs. Without obtaining such information (and very often this information includes special categories of personal data, such as age or health condition with respect to life insurance), the insurance company or insurance agent cannot carry out a thorough analysis of the client's need and recommend the client the appropriate insurance. Providing financial services, whilst not having enough information to provide them with professional care, constitutes an offence under the IRD Act. The CNB as the supervisory authority under the IRD Act may impose sanctions on insurance companies and insurance agents for not complying with the IRD Act, including revoking the authorisation to carry on insurance business.

Act No. 168/1999 on Liability Insurance for Damage Caused by Vehicle Operation and on Amendments to Certain Related Acts (Vehicle Liability Insurance Act) (only available in Czech here) ('Vehicle Liability Insurance Act'). The Vehicle Liability Insurance Act mentions, for example, the possibility for insurance companies to obtain data from the information system of the Czech Insurers' Bureau.

6. Payment Services

On 13 January 2018, the Law amending Act Act No. 370/2017 Coll., on Payments, as amended, and other related acts (only available to download in Czech here), which implemented the PSD2 in the Czech Republic, came into force.

The new Act brought regulation of so-called third parties, i.e. entities that use data from payment accounts with the user's consent or that allow a single third-party application to control several of the user's bank accounts.

Another important change is the introduction of rules for authorising electronic payments by means of strong authentication, i.e. using at least two of the three elements from the categories of knowledge, possession, or physical characteristics of the user (biometrics).

7. Data Transfers and Outsourcing

See Chapter V of the GDPR for the general requirements regarding transfers of personal data to third countries or international organisations.

The GDPR sets out the principle that the free movement of personal data in the EU is neither restricted, nor prohibited for the protection of natural persons in relation to the processing of personal data. However, this premise cannot be considered as a legal ground to transfer personal data to any controller or at any time.

The possibility of transferring personal data without restrictions in the EU relates to institutional security, i.e. it is expressed that the same high standards in relation to the legal framework for the protection of personal data in the processing of personal data applies in the countries of the EU and thus there is no need for additional institutional security. The controller must have a legal reason for the actual transfer to another controller, as the transfer is also one of the processing activities.

The controller must also have a legal reason if they transfer personal data to a country outside the EU, in which case the conditions for the transfer of personal data must also be met in terms of institutional security.

If the controller wishes to transfer personal data to another controller in a country outside the EU, institutional protection must be ensured, i.e. personal data cannot (with exceptions) be transferred to countries where sufficient legal protection of personal data is not ensured or the controller has not adopted instruments to ensure such protection during the transfer.

The European Commission may decide that a particular country ensures an adequate level of protection of personal data. In such case, no specific authorisation is required, and no administrative obstacles are imposed on the transfer of personal data.

In the absence of a decision on the adequacy of the level of protection of personal data in a given country by the Commission, personal data may only be transferred to a third country if the receiving controller has provided appropriate safeguards and provided that enforceable data subject rights and effective legal protection for the data subject are available. These appropriate safeguards include, in particular, Binding Corporate Rules ('BCRs’) and Standard Contractual Clauses ('SCCs').

Apart from the above-mentioned cases and instruments for the transfer of personal data, personal data can be transferred to a third country if at least one of the conditions listed in Article 49(1) of the GDPR is met, for example in the case of informed explicit consent of the data subject or if such transfer is necessary for the performance of a contract between the data subject and the data controller.

As regards to the financial sector, the legislation does not prevent a bank from outsourcing certain activities to another person. However, it is essential to manage the associated risks and comply with other related obligations:

• the bank only transfers bank secrecy data to the outsourcer for the purpose of ensuring the performance of the outsourced activity itself, i.e. within the scope of the activity for the bank and within the limits of the bank's business;
• the bank must take all appropriate measures to prevent any shortcomings or damage, in the use of outsourcing as a result of a breach of its obligations. More specifically, measures must be taken to prevent the unauthorised disclosure or use of any information relating to the client;
• the contract between the bank and the outsourcing provider must also contain 'terms and conditions for the safeguarding of protected information, in particular where the outsourcing provider comes into contact with confidential or other protected information about the obliged person or its clients, including a clear obligation on the outsourcing provider to treat protected information appropriately'; and
• the bank must establish and maintain policies and procedures for evaluating and influencing the level of operational risk undertaken, including model risk and outsourcing risk, and including consideration of infrequent significant events.

For the reasons stated above, the client's consent is not required for the transfer of data under outsourcing.

8. Breach Notification

As a general rule, it is mandatory for a data controller to notify the competent supervisory authority of any suffered personal data breach (Article 33(1) of the GDPR). For further information on general data breach requirements, see EU – GDPR – Data Breach.

There are no specific requirements for financial institutions, therefore general breach notification requirements apply.

If a personal data breach occurs, the controller must report the breach to the supervisory authority, the UOOU, without undue delay and preferably within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Therefore, only incidents that pose a risk to the rights and freedoms of natural persons are reported, not minor matters that are not risky.

For example, the use of pseudonymisation or encryption may eliminate the potential risk altogether and therefore relieve the controller of the need to report the case to the supervisory authority. However, the level of risk must always be assessed, even if pseudonymisation or encryption has been used.

In the notification, the data controller must describe the nature of the breach, the measures taken, and the likely consequences, and also provide the contact details of the DPO, if one has been appointed.

Where a security breach poses a high risk to the rights and freedoms of the data subject, the controller is obliged to notify the data subject of the incident. The controller does not have to do so if it has applied precautionary measures that render personal data unreadable to any unauthorised person (e.g. encryption or leaked pseudonymised data without a link to the data subject) or has applied follow-up measures to ensure that the high risk is no longer likely to occur. The obligation to notify the data subject of a security incident to the controller will not arise even if it would require disproportionate effort. However, in such a case, data subjects must be informed in an equally effective manner by means of a public notice.

9. Fintech

At the EU level, there is currently no harmonised framework for FinTech regulation. In March 2018 the European Commission adopted an action plan on FinTech in addition to publishing discussion papers on the same. Further to this, in September 2020 the European Commision followed up on this with a 2020 Action plan on FinTech including a strategy on an integrated EU payments market. The plan and strategy were included in the European Commission's digital finance package. Moreover, many EU financial regulators have signalled support for the development of a more comprehensive regulatory FinTech framework. 

In the Czech Republic, we can speak of the absence of a special legal regulation, as is the case, for example, in other legal sectors. The Czech Republic has not yet come up with a special legal regime for Fintech companies. At the time of writing, no legislative change with regard to Fintech issues is planned for the future.

For Fintech companies, the CNB's activities in the area of authorisation and approval procedures are very important. The CNB, as a financial market supervisor, issues authorisations to most entities that provide services on the financial market.

Cryptocurrencies

Czech law does not stipulate for special rules which directly apply to cryptocurrencies. Since cryptocurrencies are a relatively new phenomenon, there is still a limited judicial and regulatory practice in this area.

Pursuant to regulatory guidelines of the CNB, cryptocurrencies in the Czech Republic are not classified as financial instruments, non-cash money, electronic money, securities, or derivates. Cryptocurrencies, however, fulfil the legal definition of 'a thing' (i.e. a movable, intangible object) under Czech law (as stipulated pursuant to Section 489 of Act No. 89/2012 Coll., the Civil Code, as amended ('the Civil Code'): 'A thing in a legal sense is everything that is different from a person and serves the needs of people'. Due to this reason, cryptocurrencies are subject to private rights and are legally suitable for trading.

Activities with cryptocurrencies are subject to Czech regulations only if these activities fulfil criteria of a regulated activity under Czech law.

The Czech jurisdiction is thus quite liberal in relation to regulation of crypto-activities and many crypto-projects have been successfully launched in the Czech Republic (such as a crypto exchange 'Simplecoin', crypto 'ATMs', and other projects).

10. Enforcement

The GDPR provides for administrative fines of up to (Article 83 of the GDPR):

• €10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, for infringing provisions on the obligations of a controller, processor, certification body or monitoring body; and
• €20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover for the preceding financial year, whichever is higher, for infringing provisions on the basic principles for processing, data subjects’ rights, transfer of personal data to a recipient in a third country or international organisation, or non-compliance with an order or a limitation on processing by the supervisory authority.

The division into two groups of administrative fines reflects the importance of the obligation breaches, with the higher group containing obligations whose breach is expected to have a higher impact on the data protection rights guaranteed by the GDPR. The lower rate includes, for example, breaches of provisions relating to records of processing activities or Data Protection Impact Assessments ('DPIAs'), while the higher rate includes, for example, breaches of obligations governing the principles and lawfulness of processing, the conditions of consent to the processing of personal data, the conditions for processing special categories of personal data, and the rights of the data subject.

The imposition of administrative fines must be effective, proportionate, and dissuasive. Administrative fines must be imposed according to the circumstances of each individual case.

It is therefore essential that not every infringement of the GDPRR is subject to a fine, but the controller whose processing operations have infringed the GDPR may be admonished or ordered to comply with the data subject's request. The controller may also be ordered, among others, to bring the processing into compliance with the GDPR.

Thus, it is not true that every infringement of the GDPR will constitute the imposition of an administrative fine.

11. Additional Areas of Interest

As mentioned in section 1.2, the CNB is the main financial supervisory authority. In this regard, the CNB must record and publish details of all financial entities providing financial services in the Regulated Institutions and Registered Financial Market Entities List (accessible here).

Furthermore, the CNB has recently focused its attention on client call recording, in relation to which it repeatedly confirmed that 'the obligation to record telephone conversations with customers in the case of all investment services, such recording will be a necessary condition for the proper fulfilment of the financial institutions' duty to act prudently'. In addition, if financial institutions misuse personal data of their clients, such misuse may not only constitute a breach of the GDPR and the Act, but may also constitute a breach of the  'professional care principle', which applies to financial institutions in all areas of the financial market. Such misconduct would be subject to sanction proceedings conducted by the CNB and subject to offence penalties imposed by the CNB. Such penalties might be very high and similarly to the GDPR, and might be calculated as a percentage from the turnover for the preceding financial year of a financial institution.

Kamila Seberova Counsel
[email protected]
Wolf Theiss, Prague