Czech Republic - Data Protection Overview
1. Governing Texts
Act No. 110/2019 Coll. on Personal Data Processing ('the Act'), which implements the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), was adopted by the Parliament of the Czech Republic on 3 March 2019, signed by the President of the Republic on 10 April 2019, and published, and hence became applicable, on 24 April 2019, together with Act No. 111/2019 Coll. Amending Certain Acts in Connection with the Adoption of the Act on the Processing of Personal Data (only available to download in Czech here) ('the Amending Act'), which amends a further 39 legal acts.
As established above the key legislation in the field of data protection in the Czech Republic is:
- the Act;
- the GDPR; and
- the Amending Act.
The Office for Personal Data Protection ('UOOU') is the main authority responsible for publishing guidelines, recommendations, and other documents on the protection of personal data in the form of opinions.
All such opinions are available on the UOOU's website (only available in Czech here); some of these are also available in English here (especially those released prior to the implementation of the GDPR). Areas concerned include:
- processing of personal data via recordings from cameras on unmanned aircraft;
- publication of personal data in the media;
- use of electronic cards;
- processing of personal data by e-shops;
- personal data processing in the context of clinical testing of drugs and other medical substances; and
- publication of personal data on the internet.
Please note that some of the UOOU's pre-GDPR opinions may no longer be applicable as a result of the GDPR.
Moreover, the UOOU has issued the following guidance:
- Frequently Asked Questions on DPO's (only available in Czech here) ('the DPO FAQs');
- Frequently asked questions on DPIAs (only available in Czech here); and
- Guidance on UOOU Consultation (only available in Czech here) ('the Consultation Guidance).
In addition, the UOOU issued the Methodology for DPIA only available for download in Czech here) on 11 November 2020. The methodology is intended to provide guidance to controllers or processors on how to carry out DPIA's and is one of the possible (and recommended) ways to ensure compliance with the GDPR (please see section on DPIA below for further information).
The UOOU also issued some guidelines regarding the processing of personal data in the context of the COVID-19 pandemic. In particular, the UOOU namely issued its opinions on processing of personal data in relation to the following:
- the contact-tracing app introduced by the public authorities (only available in Czech here);
- mandatory testing of employees (only available in Czech here);
- administration and use of 'CovidPasses' (only available in Czech here) and related legislative changes (only available in Czech here); and
- records of customers led by certain providers of services for the purposes contact tracing (only available in Czech here).
Most of the specific data processing activities in relation to COVID-19 performed especially by private sector bodies were based on extraordinary temporary administrative measures issued by the Ministry of health. These measures are continuously issued, repealed, or amended with respect to the current pandemic situation. Therefore, also the guidelines of the UOOU on these matters may undergo a relatively rapid development.
Generally speaking, the situation where protection of personal data was by some public and private entities seen as a burden to the effective combating against the pandemic and where national legislation evidently did not (and does not) provide clear rules on the relatively extensive processing of health-related personal data, the UOOU sought to find a fair balance between the protection of personal data and the effective fight against COVID-19. However, conflicting rules on protection of personal data on one hand and protection of (individual or public) health on the other hand exist. Moreover, different public authorities responsible for the enforcement of different areas of law (e.g., labour inspectorates, public health administration and the UOOU) do not coordinate their interpretation of the existing rules and may approach these questions differently. Therefore, in practice conflicting regulatory requirements may arise and case-by-case approach and local legal advice is highly recommended.
Finally, the guidelines and opinions of the Article 29 Working Party and the European Data Protection Board ('EDPB') are applicable in the Czech Republic, including the following Opinion for Czech Republic:
- Opinion 4/2018 on the draft list of the competent supervisory authority of Czech Republic regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35(4) of the GDPR); and
- Opinion 11/2019 on the draft list of the competent supervisory authority of the Czech Republic regarding the processing operations exempt from the requirement of a data protection impact assessment (Article 35(5) of the GDPR).
1.3. Case law
There have been no significant local case law directly connected with the GDPR since its implementation in the Czech Republic. The UOOU does, however, publish the most important judgments of both the highest Czech courts, as well as EU courts and the European Court of Human Rights on its website (only available in Czech here).
Constitutional Court decision on retention of traffic and location data
The Constitutional Court ('the Court'), in Case No. 161/2019 of 14 May 2019 (only available in Czech here), upheld current legislation, following challenges to the constitutionality of provisions related to the retention of traffic and location data and their subsequent provision to law enforcement and intelligence authorities, which in light of Court of Justice of the European Union ('CJEU') case law, the appellants argued, could be perceived as potentially infringing upon Charter of Fundamental Rights of the European Union.
In particular, the contested legislation, Section 97(3) and (4) of Act No. 127/2005 Coll. of 22 February 2005 on Electronic Communications and on Amendment to Certain Related Acts, required electronic communications services to keep 'data packets' (including information on each telephone connection, text message, internet connection or email correspondence) of all clients for a period of six months.
The Court, rejecting the challenge to the contested legislation, established in its summary that, the rapid development of information technologies cannot be stopped or slowed down by any legal regulation; the reach of the internet and other electronic communications networks is not limited to national borders, it is a global phenomenon that is difficult for national legislators to deal with. Furthermore, the Court found it is necessary to deal with the fact that the active involvement of individuals creates an inexhaustible amount of various data (metadata) and the risk of their misuse increases exponentially - the means of personal data protection need to be adapted, and the obligation to collect and store traffic and location data, can only be tolerated for a reasonable period of time.
The Court concluded that if a period of six months is not a manifestly disproportionate period, which was not proven in proceedings in terms of application practice or by comparison with a European standard, its role is not to replace the role of legislator and determine that a shorter period would suffice and reasonable one. The Court further highlighted that six months the shortest deadline from the range prescribed by the (now invalid) data retention directive and does not deviate from the European standard.
Hence the Court focused on the storage period more than on the fact of bulk storage and collection, although it is necessary to add that a proper court order needs to be served before the provider may hand over any data to law enforcement agency.
2. Scope of Application
The Act is divided into six titles.
Title I set out the scope of the Act. Title II contains provisions on personal data processing pursuant to the GDPR and applies to all controllers, processors, or data subjects, and includes specific provisions related to processing carried out by the press.
Title III of the Act contains provisions related to the processing of data related to prevention, investigation, or detention of criminal offences and protective measures ensuring the security of the Czech Republic. Title III applies to public authorities that operate according to special acts such as Act No. 273/2008 on the Police of the Czech Republic, except for the intelligence service and municipal police.
Title IV of the Act contains provisions the processing of personal data that is excluded from the scope of EU law and which concerns the security and defence of the Czech Republic, i.e. the processing of personal data that takes place within the intelligence services.
Title V of the Act stipulates the competence of the UOOU, whilst Title VI outlines applicable penalties for violations of the Act.
The Act does not stipulate territorial exceptions and is valid without restrictions in the entire territory of the Czech Republic.
Section 2 of the Act provides that the Act is applicable to:
- personal data processing pursuant to the GDPR;
- personal data processing by the competent authorities for the purpose of prevention, investigation, or detection of criminal offences, prosecution of criminal offences, execution of criminal penalties and protective measures, ensuring security of the Czech Republic and ensuring public policy and national security, including search for persons and objects;
- personal data processing in ensuring defence and security interests of the Czech Republic; and
- other processing of personal data that form or are intended to form part of a filing system or that are processed wholly or partly by automated means, other than personal data processing by a natural person in the course of a purely personal or household activity.
Title II of the Act, which applies to all persons, contains, among others, the following specific provisions:
- capacity of a child to grant consent (Section 7 of the Act);
- limitation of certain rights and obligations (Section 11 of the Act);
- exemption from the obligation to communicate a data breach to data subjects (Section 12 of the Act);
- obligation to design a data protection officer ('DPO') by public authorities (Section 14) of the Act;
- processing of data for scientific or historical research (Section 16 of the Act); and
- processing of data for academic, artistic, or literary expression (Section 17 of the Act).
Title III, which applies to authorities such as the police (not including the municipal police), contains, among others, the following specific provisions:
- the scope of information which must be provided to the data subject (Section 27 of the Act);
- the right to refuse the data subject's request if it endangers the performance of a task in the area of prevention, investigation, or detection of criminal offences, legitimate interests of a third party, etc. (Section 28 of the Act);
- general obligations of such authority and Data Protection by Design (Section 32 of the Act);
- rules for involvement of another processor (Section 34 of the Act);
- use of automated logging (Section 36 of the Act); and
- in cases of high risk of unauthorised interference with the rights and freedoms of the data subject, the authority's obligation to consult the process with the UOOU (Section 38 of the Act).
Title IV, which applies to authorities such as intelligence services, contains, among others, the following specific provisions:
- the obligation to take technical and organisational measures preventing unlawful or accidental access to personal data (Section 46 of the Act); and
- modified data access right – the data subject has the right to request an explanation regarding the data processing (Section 49 of the Act)
Title V, which addresses the establishment and operation of the UOOU, contains, among others, the following specific provisions:
- conditions for appointment of President and Vice-presidents (Section 52);
- tasks and powers of the UOOU (Section 54 of the Act);
- possibility to use information from the public administration information system (Section 55 of the Act);
- authorisation to access information (Section 58 of the Act); and
- confidentiality of employees (Section 59 of the Act).
3.1. Main regulator for data protection
The main and only official authority regarding personal data protection in the Czech Republic is the UOOU. In addition to the GDPR, the UOOU also supervises personal data processing falling into the scope of the Law Enforcement Directive (Directive (EU) 2016/680) ('the Law Enforcement Directive').
3.2. Main powers, duties and responsibilities
The UOOU is an independent body set up to:
- supervise the legal obligations laid down for the processing of personal data;
- deal with initiatives and complaints from citizens concerning a breach of law; and
- provide consultancy in personal data protection.
Pursuant to the GDPR and the Act, the main powers, duties and responsibilities of the UOOU follow the general provisions under Article 58 of the GDPR and are further specified by the Act. With regard to the data processing pursuant to the GDPR, the UOOU must:
- pursuant to Article 58(1)(d) of the GDPR, require the data processor to further clarify and correct unlawful processing;
- inform both data processors and data controllers about the fact that the intended data processing can lead to a violation of their duties;
- submit the criteria pursuant to Article 41(3), 42(5) or 43(1)(b) of the GDPR;
- order the certification body to withdraw a certification issued pursuant to Article 42 and 43 of the GDPR;
- approve draft codes of conduct, unless a particular code of conduct violates the GDPR; and
- provide remote access to standard data protection clauses adopted pursuant to Article 28(8) and Article 46(2)(d) of the GDPR.
With regard to Title III of the Act, which implements the Law Enforcement Directive, the UOOU:
- supervises compliance with obligations stipulated by the Act in the course of the processing of personal data;
- verifies the lawfulness of data processing based on notification according to Article 29 of the Act;
- accepts notifications and petitions concerning the suspicion of a breach of the obligations stipulated by the Act in the course of the processing of personal data and informs on it;
- imposes sanctions in the case of determining that the obligations referred to in the Act were breached;
- provides consultation in the area of personal data protection;
- methodically guides the controllers and the processors in the course of the processing of personal data;
- informs the public about the risks, rules, assurances and rights with regard to personal data processing;
- notifies the controller or the processor of their duties with regard to personal data processing;
- compiles and publishes an annual report on its activities;
- ensures fulfilment of requirements following from international treaties binding the Czech Republic, and from directly applicable law of the EU;
- issues, on its own initiative, opinions to the Parliament, on the proposed legislation in the field of personal data protection, if such legislation is not proposed by the Government of the Czech Republic; and
- co-operates with the EDPB, co-operates with similar authorities in other countries, with institutions of the EU and with bodies of international organisations operating in the area of personal data protection.
4. Key Definitions
Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) of the GDPR).
Personal data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).
Sensitive data: Personal data, which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of unique identification of a natural person, data concerning health or data concerning sex life, sexual orientation, and data relating to criminal convictions and offences or related security measures (Section 66(6) of the Act).
Health data: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status (Article 4(15) of the GDPR).
Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4(14) of the GDPR).
Pseudonymisation: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (Article 4(5) of the GDPR).
5. Legal Bases
The Act does not implement any new rules in relation to consent as a legal basis for processing.
The Act does not implement any new rules in relation to contractual relations as a legal basis for processing.
The Act does not implement any new rules in relation to legal obligations to which the controller is subject as a legal basis for processing.
The Act does not implement any new rules in relation to the protection of the interest of the data subject as a legal basis for processing.
The Act does not implement any new rules in relation to the carrying out of a task in the public interest as a legal basis for processing.
The Act does not implement any new rules in relation to legitimate interests as a legal basis for processing.
The Act does not implement any new rules in relation to legal bases for processing. The Amending Act does, however, amend the Act No. 499/2004 Coll. on Archiving and Records Management and on the Amendment of Selected Acts (a consolidated version of which is only available in Czech here), and provides for a new statutory basis for the processing of special categories of personal data (the legal bases are 'legal obligations' and 'public interest').
An interesting deviation from the GDPR (originating in the previous privacy act, Act No. 101/2000 Coll., on the Protection of Personal Data) are specific legal bases for controllers pursuant Title IV of the Act (i.e. competent authorities ensuring the defence and security interests of the Czech Republic), in addition to the legal bases provided for by the GDPR. In particular, Section 43(3) of the Act provides for the following specific legal grounds for processing data for the purpose of ensuring the defence and security interests of the Czech Republic:
- the personal data was already legally published;
- the processing is for the purpose of providing information about publicly active person (with respect to her public position); and
- the processing is carried out solely and exclusively for archiving purposes.
The Act does not create special principles and processing is therefore governed by GDPR principles. However, the Act does emphasise the principle of transparency of the processing based on the legal obligation and tasks carried out in the public interest, as implied from Section 5 and 8 of the Act.
The Act also provides for principles relating to the processing of data provided for the purpose of prevention, investigation, or detection of criminal offences. Specifically, the Act provides that the controller shall:
- determine a specific purpose of personal data processing in connection with performance of the task;
- implement measures ensuring that personal data are accurate in relation to the nature and purpose of the processing; and
- keep personal data in a form enabling identification of the data subject only for the period necessary for achieving the purpose of their processing.
7. Controller and Processor Obligations
The registration of personal data processing with the UOOU is no longer required in the Czech Republic since the entry into force of the GDPR, which cancelled this obligation. In addition, the Act does not set out any particular data processing activities that would require registration, e.g., with regard to the processing of sensitive data.
The Czech Republic does, however, use the option of restricting particular rights of data subjects in the case of processing based on Article 23 of the GDPR, i.e., for the purposes of national security, public order, criminal prosecution, or more generally, to safeguard the protection of rights and freedoms of others or the enforcing of civil law claims (so-called 'protected interests', for more detailed information see section on key definitions below). In such cases, the restriction/suspension of certain rights of data subjects shall be notified to the UOOU by either the data processor or the data controller. Similar notification of the limitation of data subjects' rights is also applicable in case of data breaches i.e., if the controller intends not to notify the data subject pursuant to Article 34 of the GDPR (despite the inapplicability of any exemption therein), due to invoking the protected interest. The notifications can be made either ad hoc or generally for future cases, and must always be accompanied with information and reasoning as listed in Article 23(2) of the GDPR.
Pursuant to Article 37(7) of the GDPR, the contact details of an organisation's DPO must be communicated to the UOOU. It is not, however, a formal registration.
Neither the Act nor any other law stipulates a restriction regarding the transfer of data outside the EU/EEA. The applicable restrictions are set out in Chapter V of the GDPR.
The Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (7 June 2021) ('Decision 2021/914') should be newly used by both controllers and processors if they transfer personal data in accordance with Article 46(2)(c) of the GDPR.
There are no national variations from the GDPR.
The UOOU published a template Data Processing Records for small enterprises and sole entrepreneurs (only available in Czech here).
DPIA Processing List
The UOOU, pursuant to Article 35(5) of the GDPR, published, on 8 January 2020 an updated List of the categories of processing operations for which a Data Protection Impact Assessment is required ('the DPIA Processing List'). The DPIA Processing List does not provide a list of the types of processing that would require a DPIA to be carried out, but rather sets out criteria for deciding the level of risk to the rights and freedoms of data subjects connected with particular processing operations. These criteria include:
- processing including monitoring of the data subjects;
- processing of critical data, data enabling direct identification and/or data of highly personal nature;
- processing of personal data which can expose the data subjects to a threat from the environment;
- processing of personal data on a large scale;
- processing involving monitoring of publicly accessible areas;
- processing which can be influenced by the data subject only to a limited extent;
- processing of publicly accessible personal data;
- processing within technologically complex or advanced infrastructures or platforms;
- processing with a link to another controller or processor; and
- processing applying use of innovative technological or organisational solutions.
Please note that the DPIA Processing List contains additional requirements regarding every criterion in order to determine whether the DPIA must be carried out or not.
The UOOU has also issued its list of processing operations which do not require a DPIA to be carried out (only available in Czech here) ('the DPIA Whitelist). However, the UOOU states that the DPIA Whitelist is not definitive and will be subject to further amendments with respect to newly obtained practical knowledge from the market and technological development.
Czech Republic has not made use of the possibility of Article 36(5) of the GDPR to expand the situations that would require prior consultation.
Pursuant to Section 10 of the Act, a controller is not required to carry out a DPIA if it is required by law to perform such data processing. Otherwise, there are no national specifications with regard to either the DPIA or the prior consultation with the UOOU.
The DPIA Whitelist provides that the following seven operations of processing do not require the performance of DPIA:
- processing of personal data of employees with their permanent place of employment within the territory of the Czech Republic carried out exclusively within the territory of the Czech Republic in order to comply with a legal obligation in the areas of accounting, payroll and personnel accounting, social and health insurance (the permanent place of employment means the place of employment at which the employee stays for more than four hours per shift);
- processing of employees' data with their permanent place of their employment in the territory of the Czech Republic if such processing does not contain also processing of biometric data, evaluation and scoring of the data subjects or systematic monitoring of the data subjects (HR agenda in this context does not include whistleblowing);
- processing of customers' data carried out entirely within the territory of the Czech Republic concerning a business activity (including loyalty cards, organising events, sending newsletters etc.), carried out exclusively in the Czech language and not containing processing of special categories of personal data, evaluation, scoring or systematic monitoring of the data subjects (with the exception provided under point 4 of the DPIA Whitelist) (the business activity shall be therefore considered to be aimed predominantly or exclusively on the Member State language of which is used;
- processing carried out in connection with a customer's single visit of a web page, including profiling of the customer based on their choices of particular goods or services chosen from the offer of that web page of the controller. Such processing must not include processing of special categories of data, data of highly personal nature and must not aim at processing of personal data of vulnerable data subjects as a target group;
- processing carried out by persons providing health care services who are not in an employment relationship (i.e. health care provider as a sole entrepreneur) using the personal data exclusively in order to provide the health care services to the data subject (Recital 91 of the GDPR). Such processing must not include systematic transfers of the personal data to third countries, the processing must not include the engagement of any processor for certain processing activities nor shall the patients' personal data be shared/interconnected between two or more physicians;
- processing carried out by individual attorneys and/or notaries who are not in an employment relationship using the personal data necessary exclusively for the purpose of providing of the legal services to the data subject (Recital 91 of the GDPR). Such processing must not include systematic transfers of the personal data to third countries, the processing shall not include the engagement of any processor for certain processing activities nor shall the clients' personal data be shared/interconnected between two or more lawyers; and
- processing carried out by sole proprietors providing social services who are not in an employment relationship using the personal data exclusively in order to provide the social services. Such processing must not include systematic transfers of the personal data to third countries, the processing must not include the engagement of any processor for certain processing activities nor shall the clients' personal data be shared/interconnected between two or more providers of social services.
Please note that this is an overview and a detailed case-by-case assessment is necessary. The White List is also subject to further amendments by the UOOU.
In addition, the UOOU published on 11 November 2020
- the Guidance on DPIAs in draft legislation (only available in Czech here) ('the DPIA Guidance for Legislative Bodies'); and
- Methodology for DPIAs (only available in Czech here) ('the Methodology').
DPIA Guidance for Legislative Bodies
The DPIA Guidance for Legislative Bodies is a general manual for institutions preparing legislative measure that includes processing of personal data. The clear purpose of it is to ensure that any controller that will eventually rely upon such legislation may avail itself of the exemption provided for in the Article 35(10) of the GDPR (or the much broader exemption under Section 10 of the Act). So far, the UOOU has not challenged any processing carried out without a DPIA based on this exemption and it remains to be seen whether, for example, courts will use the guidance as a criterion for assessing the legality and conditions of the processing in the future.
The Methodology, on the other hand, is for any controller who is required to carry out a DPIA. The documents seeks to answer the following questions:
- Why carry out a DPIA?
- Who should carry out the DPIA?
- When is the DPIA carried out?
- Does the DPIA need to be documented?
- How is the DPIA carried out?
The Methodology specifies the possible method (and content) of the DPIA, which is divided into four stages:
Stage 1: Collection of information on the processing of personal data, including the mechanisms applied by the controller to demonstrate compliance with the general regulation on personal data protection.
Stage 2: Analysis (based on the information according to the previous indent) of whether it is necessary to carry out a DPIA. The controller should consider the following:
- systematic description of the intended processing operations;
- assessment of the necessity and adequacy of the processing operations in terms of purposes;
- risk assessment for the rights and freedoms of data subjects;
- monitoring and updating DPIAs;
- the opinion of representatives of data subjects and independent experts;
- the opinion of the DPO;
- prior consultation with the UOOU; and
- clause on the approval of the DPIA by the responsible person of the administrator.
Stage 3: Performing the DPIA. This stage is supplemented by Annex 5 of the Methodology.
Stage 4: Monitoring compliance with measures and regular reviews of DPIAs.
In addition, the Methodology contains Annexes which state:
- examples of vulnerabilities;
- examples of threats; and
- examples of the focus of technical and organisational measures.
According to Annex 5, the controller has to assess the level of risk and, in principle, the risk level for individual threats to personal data can be between 1 (1x1x1) and 64 (4x4x4). Based on the established coefficients for the assessment of impacts, threats and vulnerabilities, the level of risk is calculated. The UOOU uses the following formula: risk = impact x threat level x vulnerability rate.
The guidelines of the UOOU related to the mandatory COVID-19-testing of employees include also a template of a risk assessment indicating whether a DPIA needs to be performed in the context of processing employees'COVID-19-tests data (only available in Czech here). The template indicates that generally (for SMEs) DPIA is not required. However, it is up to the controller to perform the risk assessment considering its own specifics of the processing of personal data.
Furthermore, the Consultation Guidance provides that the UOOU must provide prior consultation pursuant to Article 36 of the GDPR in case of high-risk processing, following a DPIA by the controller pursuant to Article 35 of the GDPR. In addition, the UOOU can provide simple advice on selected issues on data processing within its personnel capabilities (the Consultation Guidance).
In order for the UOOU to effectively address data processing issues in the consultation, DPOs and other persons must (the Consultation Guidance):
- identify and analyse the problem, describe the situation in more detail, and state the basic parameters of the relevant treatment;
- make suggestions for solutions to significant identified problems and formulate solutions not only by using provisions of the GDPR but also in accordance with the relevant specific legislation governing specific data processing;
- give the name and address of the controller and processor involved in the processing, describe their role and tasks, and document their contractual relationship;
- provide proof that they are authorised to act on behalf of the data controller or a trustee; and
- submit the relevant documents and information necessary to assess the processing in the context the of activities of the controller.
A legal person commits an infraction during processing of personal data by failing to perform a DPIA in accordance with Section 37 of the Act (Section 63(1)(k) of the Act).
The only difference from the GDPR is that pursuant to Section 14 of the Act, a DPO must also be designated by an authority set up by law which fulfils statutory tasks in the public interest, such as the Czech National Bank ('CNB') or the General Health Insurance Company of the Czech Republic and which would normally, according to the Act, fall outside the scope of 'public authority' under the GDPR.
Czech formal education is only required for DPOs in the civil service and in the self-governing territorial units. The activity of the DPOs in the civil service is to be performed in the field of personal data protection in accordance with the Government Order No. 302/2014 Coll., on the Catalogue of Administrative Activities (only available to download in Czech here) (the DPO FAQs).
The DPO does not have to be certified and a data controller may recruit a 'non-certified' individual who has sufficient legal knowledge of personal data protection and the GDPR (the DPO FAQs).
In the Czech Republic, organisations that designate a DPO are obliged to communicate their contact details to the UOOU. Notification can be made by sending an email to [email protected] and by including 'Notification of the DPO' in the email's subject box (the DPO FAQs).
The notification email must include the following information (the DPO FAQs):
- the name and address of the controller and processor;
- the DPO name and surname; and
- the DPO contact details.
The contact details of the DPO must always be communicated by the data controller or processor, not by the DPO, even if he/she is acting as a DPO for several other organisations (the DPO FAQs).
Section 12 of the Act provides for mitigation of the notification obligation in connection with data breaches. Specifically, the information provided to the data subject can be either restricted or postponed insofar as it is proportionate and necessary for the purposes mentioned in Section 11 of the Act i.e. for protected interests.
The UOOU issued an official Data Breach Notification Form which should be used for notifying any data breach (only available in Czech here).
Act No. 181 of 23 July 2014 On Cyber Security and Change of Related Acts ('the Act on Cybersecurity') provides additional data protection requirements and data breach notification duties for certain regulated entities, namely (Section 2 of the Act on Cybersecurity):
- electronic communications service providers and entities operating electronic communications networks;
- public authorities or natural and legal persons administrating important networks, unless being an administrator of a communications system;
- administrators of critical information infrastructure information systems;
- administrators of critical information infrastructure communication systems;
- administrators of important information systems;
- providers of basic services; and
- providers of digital services.
Providers of basic services cover non-IT entities from various sectors, such as energy, transportation, banking and financial services, health services and chemical industry. Regulated entities are then, pursuant to Section 8 of the Act on Cybersecurity, obliged to report cybersecurity incidents (information security breaches in information systems, or security of services breach, or breach of integrity of electronic communication networks resulting from a cybersecurity event) to the National Security Authority, in some cases to the administrator of the national Computer Emergency Incident Response Team.
The Act does not change the current implementation of Article 4(2) of the ePrivacy Directive (2002/58/EC) (as amended). Pursuant to Section 88(2) of the Act of 22 February 2005 on Electronic Communications and on Amendment to Certain Related Acts, in the event that a breach of security occurs concerning the personal data of a natural person, the undertaking providing a publicly available electronic communications service is obliged to notify the UOOU of this fact without undue delay. This notification must contain a description of the outcome of the breach of security and the technical protection measures the undertaking has adopted or proposes adopting. In the event the breach of security concerning a user's personal data pursuant to Subsection 4 above may affect the privacy of a natural person in a particularly serious manner, or if the undertaking providing a publicly available electronic communications service has failed to adopt measures that would remedy this situation and which would be sufficient to protect the personal data at risk in accordance with the assessment made by the UOOU, it shall also notify the natural person concerned and the UOOU. In this notification, the undertaking must describe the nature of the breach of security concerning personal data, a recommendation to carry out interventions to mitigate the impact of the breach of security concerning personal data and a contact information site.
An undertaking providing a publicly available electronic communications service must make a summary of breaches of security concerning personal data, including information on the circumstances of the breach, its impact and measures adopted to remedy the situation.
The undertaking providing a public communications network must notify the Czech Telecommunication Office ('CTU') emergency call centres and the users, without undue delay, about any danger to the integrity and security of its network, its scope and reasons, including the remedial measures carried out or intended. The CTU can also decide to publish such information.
The Act stipulates specific retention period for electronic records (logs) in certain circumstances, including the following:
- When processing for the purposes of scientific or historical research or statistical purposes, the controller has to log at least all operations of collection, entering, alteration, and erasure the personal data, which will make it possible to determine and verify the identity of the person performing the operation, and retain such records for a period of at least two years from the operation (Section 16 of the Act).
- Authorities processing data for the purpose of prevention, investigation, or detection of criminal offences shall keep records regarding the handling of data subject's requests for a period of at least three years (Section 28 of the Act).
- If the authority processing data for the purpose of prevention, investigation, or detection of criminal offences performs automated personal data processing, it shall keep the records regarding the operations of collection, entering, alteration, combining, consultation, transfer, disclosure and erasure for a period of at least three years (Section 36 of the Act).,
In addition, Czech law contains additional provision regarding data retention in the following legislation:
- Act No. 563/1991 Coll., on Accounting (only available to download in Czech here);
- Act No. 582/1991 Coll., on the Organisation and Implementation of Social Security (only available to download in Czech here);
- Act No. 589/1992 Coll., on Social Insurance Premiums (only available to download in Czech here);
- Act No. 40/1995 Coll., Concerning Regulation of Advertising (only available to download in Czech here)
- Annex 1 to Act No. 499/2004 Coll., an Archiving and Filing Service (only available to download in Czech here);
- Act No 262/2006 Coll., the Labour Code (only available to download in Czech here); and
- Act No. 280/2009 Coll., Tax Code (only available to download in Czech here).
Pursuant to Section 7 of the Act, the age of the child required for consent to the processing of their personal data in relation to information society services without the necessity to obtain additional consent of the legal representative is lowered to a minimum age of 15 years. There are no specific additional national rules or regulations with regard to the processing of children's data.
Rules on the processing of special categories of data are set out by various pieces of legislation, such as:
- Act No. 148/1998 Coll., on the Protection of Classified Information (only available to download in Czech here);
- Act No. 18/1997 Coll., on Peaceful Utilisation of Nuclear Energy and Ionising Radiation (only available to download in Czech here);
- Act No. 38/1994 Coll., on Foreign Trade in Military Equipment (only available in Czech here);
- Act No. 455/1991 Coll., the Trade Licensing Act (only available in Czech here);
- Act No. 273/2008 Coll., on the Police of the Czech Republic (only available to download in Czech here);
- Act No. 140/1961 Coll., on Criminal Procedure (only available to download in Czech here);
- Act No. 283/1993 Coll., on State Prosecution (only available in Czech here);
- Act No. 269/1994 Coll., on the Registry of Criminal Records (only available in Czech here);
- Act No. 155/1995 Coll., on Pension Insurance (only available in Czech here);
- Act No. 187/2006 Coll., on Sickness Insurance (only available in Czech here);
- Act No. 48/1997 Coll., on Healthcare Insurance (only available in Czech here); and
- Act No. 372/2011 Coll., on Healthcare Services (only available in Czech here).
The Act does not introduce any additional conditions or limitations with regard to the processing of genetic data, biometric data or data concerning health, generally allowed by Article 9(4) of the GDPR. It does, however, regulate a special regime for the processing of special categories of personal data in the area of journalism, academics, art, and literary expression.
Pursuant to Section 16(2) of the Act, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation for journalistic purposes and the purposes of academic, artistic, or literary expression is primarily only allowed in anonymised form, unless the anonymisation would hamper achieving such purposes, or it is precluded by the legitimate interest of data subjects (such as participants in a clinical trial, depending on the accuracy of the processed results for a long time).
Personal data relating to criminal convictions and offences or related security measures may also be processed (in addition to the official authority purposes as presumed by Article 10 of the GDPR) for the purpose of exercising freedom of speech (i.e. appropriate journalistic, academic and literary expression).
The requirements stipulated by Article 28 of the GDPR apply. The parties may use Decision 2021/914 on standard contractual clauses for the transfers of personal data to third countries in accordance with Art. 28(6) of the GDPR.
8. Data Subject Rights
Article 23 of the GDPR and Section 11 of the Act provide for limitations in respect of data controllers' obligations as set out in Articles 12-22 of the GDPR. The rights of data subjects, as well as the obligation to notify a personal data breach, can be restricted or their performance postponed in order to safeguard:
- defence or security of the Czech Republic;
- public order or internal security;
- prevention, search for or detection of criminal activities, prosecution of criminal offences or enforcement of criminal penalties;
- another important public interest objective of the EU or a Member State, in particular an important economic or financial interest of the EU or a Member State, including monetary, budgetary and fiscal matters, public health and social security;
- protection of the independence of the judiciary and of judicial proceedings;
- monitoring, inspection or regulatory functions related, even occasionally, to the exercise of official authority in the cases referred to in bullet points (1) to (5);
- protection of rights and freedoms of persons; or
- enforcement of private law claims.
Such restrictions must be notified by either the data processor or the data controller to the UOOU without undue delay.
Unless the Act prescribes otherwise, the right of access based on Article 15 of the GDPR may be restricted or its performance postponed if it is necessary and proportionate to safeguard the rights and legitimate interests of another person.
Notification of a personal data breach to the data subject may also be restricted or postponed if it is necessary and proportionate for safeguarding the interests explained above.
The Czech Republic has also decided to apply the exemption provided for in Article 85 of the GDPR for the processing for journalistic purposes and the purposes of academic, artistic or literary expression. Such limitations include the protection of the data processor's identity, source of information (the data subject must not be allowed to require the information on the source of information) or the restriction of the right to object to processing.
Various exemptions in the case of processing for journalistic, academic and artistic purposes with regard to the processor's identity and the source of information exist under the Act. With regard to processing for journalistic, academic, and artistic purposes carried out via remote access, the duty to inform on rectification and erasure can be fulfilled by referring to the last update of content.
Sectoral regulations also provide for specific conditions for and exceptions from the right to information on the processing of personal data by the CNB, processing of personal data in the field of anti-money laundering ('AML'), tax law and cybersecurity.
According to the Section 19(2) of the Act, a controller who processes personal data for journalistic purposes or the purposes of academic, artistic or literary expression, may exclude access to personal data in justified cases, especially if a legitimate purpose of personal data processing would otherwise be endangered or frustrated or if the provision of access would involve disproportionate effort. Articles 14 (2)(f) and 15 (1)(g) of the GDPR shall not apply to personal data processing for journalistic purposes or the purposes of academic, artistic or literary expression (Section 19(3) of the Act).
If the rights to erasure or rectification are exercised with respect to personal data processed for journalistic purposes or the purposes of academic, artistic or literary expression, other legal regulations shall apply.
In particular, according to Section 89 of Act. No. 89/2012 Coll., Civil Code, an image, or audio or video recording may, without the consent of an individual, also be reasonably made or used for scientific or artistic purposes and for print, radio, television or similar coverage.
In addition, Section 35 et seq. of the Act No. 231/2001 Coll., on Radio and Television Broadcasting and on Amendment to Other Acts provides that if any announcement containing any factual information affecting the honour, dignity, or privacy of a natural person or the good name or reputation of any legal person was made public in radio or television broadcasting, then such a natural person or legal person shall have the right to request that a reply be broadcast by the radio or television broadcaster. The radio or television broadcaster shall broadcast such a reply upon such a natural person's or legal person's request.
Lastly, Section 10 of the Act No. 46/2000 Coll., on the Rights and Duties in Issuing Periodical Press and Amending Some Other Laws (only available to download in Czech here) similarly provides for the rights mentioned above.
Sectoral regulations also provide for specific conditions for and exceptions from the right to erasure for the processing of personal data in the field of AML, cybersecurity and financial guarantee funds.
Please see section on the right to rectification above.
With regard to processing for journalistic, academic and artistic purposes, the right to restriction of processing may only apply if the data controller no longer requires particular personal data.
Sectoral regulations also provide specific conditions for and exceptions from the right to the restriction of processing by the CNB, processing in the field of social security, building loans, public health insurance, financial guarantee funds, AML, tax law, pension funds, cybersecurity, and supervision of games of chance.
There are no national variations from the GDPR.
Sectoral regulations also provide for specific conditions for and exceptions from the rules on automated decision-making, including profiling carried out by the CNB, profiling in the field of public health insurance, financial guarantee funds, tax law, pension funds and the supervision of games of chance.
The Act does not envisage any new rights of the data subject.
Section 61 of the Act classifies as an administrative offence the unlawful publication of personal data where the prohibition of disclosure is stipulated by law (currently only Act No. 141/1961 Coll., Criminal Procedure Code (only available in Czech here) which bans unlawful publishing of wiretapping records/transcripts). Fines may amount to approx. €40,000 and a maximum fine of approx. €200,000 is provided if this administrative offence is carried out through print, film, radio, television, publicly accessible computer network or other similarly effective means.
Section 61(3) of the Act provides, in accordance with Article 83(7) of the GDPR, that no sanction shall be imposed on public authorities and bodies established in the Czech Republic.
The general rules on sanctions provided by the GDPR apply in the remaining cases.
No new criminal penalties are planned to be introduced.
In 2021, there were more than 50 cases that ended with a fine being issued, which is still below average of the rate usual before the GDPR entered into force. Since then, the highest fine imposed solely for breach of the GDPR rules amounted to approximately €19,000 with the total amount of fines issued by the UOOU being €111,000 (2018-2020). However, the UOOU stated publicly that it was willing to give the controllers a grace period after the GDPR came into effect. This period seems to be over now. Already in the first quarter of 2021 the UOOU issued fines amounting in total to €135,000 with the highest individual fine amounting to €25,000. That might not seem to be a lot in an EU-wide comparison but it clearly shows a trend in the enforcement policy of the UOOU.
The highest fine imposed by the UOOU ever topped €230,000 for sending unsolicited commercial communication. The UOOU applied a novel approach as it not only focused on the complaints filed, but also examined the entire marketing campaign consisting of e-mails sent to almost 500,000 recipients. According to the UOOU, the company only referred to the established procedures for obtaining consents, but actually did not have any proof of the specifically granted consents of the addressees in question to the sending of commercial communications. Thus, the unusually high sanction was reflecting a systematic malpractice and not just the particular amount of possibly affected addressees. The case is currently pending before the courts.
For the year 2022, the authors would point out the following decisions and enforcement actions as the most noticeable in the Czech Republic:
In the aftermath of the COVID-19 pandemic the UOOU fined the Ministry of the Interior CZK 975,000 (approx. €40,000) for processing of personal data of persons in ordered quarantine by the Police of the Czech Republic. The UOOU saw as problematic mainly the lack of proper legal basis for such processing and the indiscriminate manner of the processing. The relevant legal provision only allows processing of certain sensitive categories of personal data (including health data) when it is necessary for the purpose of investigating a particular crime or offence. Czech Police, however, processed personal data about every quarantined person in the country regardless of whether any investigation of crime or administrative offence was initiated. The decision was appealed in courts and the case is still pending. One of the interesting aspects is the amount of the fine which is in the Czech context rather high. But from the perspective of effective enforcement, in our opinion, it should be welcomed. Secondly, it is worth noting that the fine was not imposed under the GDPR but under the Act which also implements the Directive 2016/680 (the so-called Law Enforcement Directive). When adapting the Czech legal order to the GDPR, the Czech legislator made full use of Article 83(7) of the GDPR and excluded public bodies from the fining competence of the UOOU. So in case of other public body than law enforcement, the fine could not be imposed. However, under the part of the Act implementing the Law Enforcement Directive the fining competence of the UOOU vis-à-vis public bodies is not excluded but the amount of fine is limited to a maximum of CZK 10 million (approx. €400,000).
The notion of 'public body' within the meaning of Article 83(7) of the GDPR and Section 62(5) of the Act was also under scrutiny in a case decided in last instance by the Czech Supreme Administrative Court ('SAC') earlier this year. In the case at hand the SAC was deciding upon a fine imposed by the UOOU for not complying with the requirement to introduce sufficient technical and organisational measures to secure personal data by a public hospital. Importantly, the SAC decided that even though the hospital is funded from public insurance scheme and performs tasks in the public interest it cannot be regarded as a public authority or body. The SAC saw as decisive that the hospital is formally a joint-stock company (although entirely owned by the South-bohemian Region) managing its own assets and is not directly financed from public resources. Before the judgement this was far from obvious, and this decision is therefore the first step towards a clearer delineation of the term 'public authority or body'.
In the area of processing of personal data in employment relationships, the UOOU was assessing a case where an employer installed fake CCTV cameras 'monitoring' the employees. Since there was in fact no video image taken the UOOU decided that no breach of the GDPR could have occurred. However, it referred the case to the competent Labour Inspectorate which decided that even though the employees were not actually monitored the 'cameras' in that particular case created an undue pressure on the employees. Creating such excessive pressure by the employer was found in breach of the respective provisions of the Labour Code.
The UOOU also focused in the first half of 2022 on the topic of cookies and cookie-banners on the Czech internet. The UOOU found the following main deficiencies:
- use of non-technical cookies without consent;
- disproportionately long duration of cookies in relation to their purpose;
- absence of an opt-out option for non-technical cookies in the first layer of the cookie banner;
- poor categorisation of cookies;
- absence of information on the specific cookies used;
- difference in the visibility of the buttons for agreeing and disagreeing to the use of non-technical cookies;
- incorrect classification of cookies;
- information about cookies in a foreign language; and
- cookie banner makes it difficult or impossible to read the website.
The UOOU stated that it primarily approaches the respective data controllers with the request to remedy the situation. If no remedial steps are taken without undue delay, however, financial fines will be imposed.