Law: Act No. 110/2019 Coll. on Personal Data Processing ('the Act') and the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')
Regulator: Office for Personal Data Protection ('UOOU')
Summary: The Act is the main piece of privacy regulation in Czechia and transposes the GDPR. The Act establishes the UOOU as the supervisory authority regarding data protection, designating the UOOU with supervisory responsibilities, including performing audits, publishing Standard Contractual Clauses ('SCCs'), investigating complaints in relation to breaches of obligations laid down by law, and imposing fines. Article 89(3) of the Act No. 127/2005 Coll. Of 22 February 2005 on Electronic Communications and on Amendment to Certain Related Acts ('the Electronic Communications Act') implements the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) ('the ePrivacy Directive'). Czechia has, since the 2009 amendment of the ePrivacy Directive, retained the 'opt-out' system, meaning that the Electronic Communications Law does not reflect the 'opt-in' consent requirement under the amended ePrivacy Directive. In relation to Data Protection Impact Assessments ('DPIA'), the UOOU has issued both a list of activities which require a DPIA (i.e. a blacklist) and a list of activities which do not require a DPIA (only available in Czech here).