Czechia - Data Protection Overview

December 2023

1. Governing Texts

Act No. 110/2019 Coll. on Personal Data Processing ('the Act'), which implements the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), was adopted by the Parliament of the Czech Republic on March 3, 2019, signed by the President of the Republic on April 10, 2019, and published, and hence became applicable, on April 24, 2019, together with Act No. 111/2019 Coll. Amending Certain Acts in Connection with the Adoption of the Act on the Processing of Personal Data (only available to download in Czech here) ('the Amending Act'), which amends a further 39 legal acts.

1.1. Key acts, regulations, directives, bills

As established above, the key legislation in the field of data protection in the Czech Republic is:

  • the Act;
  • the GDPR; and
  • the Amending Act.

1.2. Guidelines

The Office for Personal Data Protection ('UOOU') is the main authority responsible for publishing guidelines, recommendations, and other documents on the protection of personal data in the form of opinions.

All such opinions are available on the UOOU's website (only available in Czech here); some of these are also available in English here (especially those released prior to the implementation of the GDPR). Areas concerned include:

  • processing of personal data via recordings from cameras on unmanned aircraft;
  • publication of personal data in the media;
  • use of electronic cards;
  • processing of personal data by e-shops;
  • personal data processing in the context of clinical testing of drugs and other medical substances; and
  • publication of personal data on the internet.

Please note that some of the UOOU's pre-GDPR opinions may no longer be applicable as a result of the GDPR.

Moreover, the UOOU has issued the following guidance:

  • Frequently Asked Questions on DPOs (only available in Czech here) ('the DPO FAQs');
  • Frequently Asked Questions on DPIAs (only available in Czech here); and
  • Guidance on UOOU Consultation (only available in Czech here) ('the Consultation Guidance').

In addition, the UOOU issued the Methodology for DPIA (only available for download in Czech here) on November 11, 2020. The methodology is intended to provide guidance to controllers or processors on how to carry out DPIAs and is one of the possible (and recommended) ways to ensure compliance with the GDPR (please see the section on DPIAs below for further information).

The UOOU also issued some guidelines regarding the processing of personal data in the context of the COVID-19 pandemic. In particular, the UOOU issued its opinions on the processing of personal data in relation to the following:

  • the contact-tracing app introduced by the public authorities (only available in Czech here);
  • mandatory testing of employees (only available in Czech here);
  • administration and use of 'CovidPasses' (only available in Czech here) and related legislative changes (only available in Czech here); and
  • records of customers led by certain providers of services for the purposes of contact tracing (only available in Czech here).

Most of the specific data processing activities in relation to COVID-19 performed especially by private sector bodies were based on extraordinary temporary administrative measures issued by the Ministry of Health. These measures are continuously issued, repealed, or amended with respect to the current pandemic situation. Therefore, the guidelines of the UOOU on these matters may undergo a relatively rapid development.

Generally speaking, in a situation where the protection of personal data was seen by some public and private entities as a burden on the effective fight against the pandemic, and where national legislation evidently did not (and does not) provide clear rules on the relatively extensive processing of health-related personal data, the UOOU sought to find a fair balance between the protection of personal data and the effective fight against COVID-19. However, conflicting rules on the protection of personal data on the one hand and the protection of (individual or public) health on the other hand exist. Moreover, the different public authorities responsible for enforcing different areas of law (e.g., labor inspectorates, the public health administration, and the UOOU) do not coordinate their interpretation of the existing rules and may approach these questions differently. Therefore, in practice conflicting regulatory requirements may arise, and a case-by-case approach and local legal advice are highly recommended.

Finally, the guidelines and opinions of the Article 29 Working Party and the European Data Protection Board ('EDPB') are applicable in the Czech Republic, including the following Opinion for the Czech Republic:

1.3. Case law

There has been no significant local case law directly connected with the GDPR since its implementation in the Czech Republic. The UOOU does, however, publish the most important judgments of both the highest Czech courts, as well as EU courts and the European Court of Human Rights on its website (only available in Czech here).

Constitutional Court decision on retention of traffic and location data

The Constitutional Court ('the Court'), in Case No. 161/2019 of 14 May 2019 (only available in Czech here), upheld current legislation, following challenges to the constitutionality of provisions related to the retention of traffic and location data and their subsequent provision to law enforcement and intelligence authorities, which, in light of Court of Justice of the European Union ('CJEU') case law, the appellants argued could be perceived as potentially infringing upon the Charter of Fundamental Rights of the European Union.

In particular, the contested legislation, Section 97(3) and (4) of Act No. 127/2005 Coll. of 22 February 2005 on Electronic Communications and on Amendment to Certain Related Acts, required electronic communications services to keep 'data packets' (including information on each telephone connection, text message, internet connection or email correspondence) of all clients for a period of six months.

The Court, rejecting the challenge to the contested legislation, established in its summary that the rapid development of information technologies cannot be stopped or slowed down by any legal regulation; the reach of the internet and other electronic communications networks is not limited to national borders, and it is a global phenomenon that is difficult for national legislators to deal with. Furthermore, the Court found it necessary to deal with the fact that the active involvement of individuals creates an inexhaustible amount of various data (metadata), and the risk of their misuse increases exponentially; the means of personal data protection need to be adapted, and the obligation to collect and store traffic and location data can only be tolerated for a reasonable period of time.

The Court concluded that if a period of six months is not a manifestly disproportionate period, which was not proven in the proceedings in terms of application practice or by comparison with a European standard, its role is not to replace the role of the legislator and determine that a shorter period would suffice and be a reasonable one. The Court further highlighted that six months is the shortest deadline from the range prescribed by the (now invalid) Data Retention Directive and does not deviate from the European standard.

Hence the Court focused on the storage period more than on the fact of bulk storage and collection, although it is necessary to add that a proper court order needs to be served before the provider may hand over any data to the law enforcement agency.

2. Scope of Application

2.1. Personal scope

The Act is divided into six titles.

Title I sets out the scope of the Act. Title II contains provisions on personal data processing pursuant to the GDPR and applies to all controllers, processors, or data subjects, and includes specific provisions related to processing carried out by the press.

Title III of the Act contains provisions related to the processing of data related to the prevention, investigation, or detection of criminal offenses and protective measures ensuring the security of the Czech Republic. Title III applies to public authorities that operate according to special acts such as Act No. 273/2008 on the Police of the Czech Republic, except for the intelligence services and the municipal police.

Title IV of the Act contains provisions for the processing of personal data that is excluded from the scope of EU law and which concerns the security and defense of the Czech Republic, i.e. the processing of personal data that takes place within the intelligence services.

Title V of the Act stipulates the competence of the UOOU, whilst Title VI outlines applicable penalties for violations of the Act.

2.2. Territorial scope

The Act does not stipulate territorial exceptions and is valid without restrictions in the entire territory of the Czech Republic.

2.3. Material scope

Section 2 of the Act provides that the Act is applicable to:

  • personal data processing pursuant to the GDPR;
  • personal data processing by the competent authorities for the purpose of prevention, investigation, or detection of criminal offenses, prosecution of criminal offenses, execution of criminal penalties and protective measures, ensuring the security of the Czech Republic and ensuring public policy and national security, including the search for persons and objects;
  • personal data processing in ensuring defense and security interests of the Czech Republic; and
  • other processing of personal data that form or are intended to form part of a filing system or that are processed wholly or partly by automated means, other than personal data processing by a natural person in the course of a purely personal or household activity.

Title II of the Act, which applies to all persons, contains, among others, the following specific provisions:

  • capacity of a child to grant consent (Section 7 of the Act);
  • limitation of certain rights and obligations (Section 11 of the Act);
  • exemption from the obligation to communicate a data breach to data subjects (Section 12 of the Act);
  • obligation of public authorities to designate a data protection officer ('DPO') (Section 14 of the Act);
  • processing of data for scientific or historical research (Section 16 of the Act); and
  • processing of data for academic, artistic, or literary expression (Section 17 of the Act).

Title III, which applies to authorities such as the police (not including the municipal police), contains, among others, the following specific provisions:

  • the scope of information that must be provided to the data subject (Section 27 of the Act);
  • the right to refuse the data subject's request if it endangers the performance of a task in the area of prevention, investigation, or detection of criminal offenses, legitimate interests of a third party, etc. (Section 28 of the Act);
  • general obligations of such authority and Data Protection by Design (Section 32 of the Act);
  • rules for involvement of another processor (Section 34 of the Act);
  • use of automated logging (Section 36 of the Act); and
  • in cases of high risk of unauthorized interference with the rights and freedoms of the data subject, the authority's obligation is to consult the process with the UOOU (Section 38 of the Act).

Title IV, which applies to authorities such as intelligence services, contains, among others, the following specific provisions:

  • the obligation to take technical and organizational measures preventing unlawful or accidental access to personal data (Section 46 of the Act); and
  • modified data access right: the data subject has the right to request an explanation regarding the data processing (Section 49 of the Act).

Title V, which addresses the establishment and operation of the UOOU, contains, among others, the following specific provisions:

  • conditions for appointment of the President and Vice-presidents (Section 52 of the Act);
  • tasks and powers of the UOOU (Section 54 of the Act);
  • possibility to use information from the public administration information system (Section 55 of the Act);
  • authorization to access information (Section 58 of the Act); and
  • confidentiality of employees (Section 59 of the Act).

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The main and only official authority regarding personal data protection in the Czech Republic is the UOOU. In addition to the GDPR, the UOOU also supervises personal data processing falling into the scope of the Law Enforcement Directive (Directive (EU) 2016/680) ('the Law Enforcement Directive').

3.2. Main powers, duties and responsibilities

The UOOU is an independent body set up to:

  • supervise the legal obligations laid down for the processing of personal data;
  • deal with initiatives and complaints from citizens concerning a breach of the law; and
  • provide consultancy in personal data protection.

Pursuant to the GDPR and the Act, the main powers, duties, and responsibilities of the UOOU follow the general provisions under Article 58 of the GDPR and are further specified by the Act. With regard to the data processing pursuant to the GDPR, the UOOU must:

  • pursuant to Article 58(1)(d) of the GDPR, require the data processor to further clarify and correct unlawful processing;
  • inform both data processors and data controllers about the fact that the intended data processing can lead to a violation of their duties;
  • submit the criteria pursuant to Articles 41(3), 42(5) or 43(1)(b) of the GDPR;
  • order the certification body to withdraw a certification issued pursuant to Articles 42 and 43 of the GDPR;
  • approve draft codes of conduct, unless a particular code of conduct violates the GDPR; and
  • provide remote access to standard data protection clauses adopted pursuant to Articles 28(8) and 46(2)(d) of the GDPR.

With regard to Title III of the Act, which implements the Law Enforcement Directive, the UOOU:

  • supervises compliance with obligations stipulated by the Act in the course of the processing of personal data;
  • verifies the lawfulness of data processing based on notification according to Article 29 of the Act;
  • accepts notifications and petitions concerning the suspicion of a breach of the obligations stipulated by the Act in the course of the processing of personal data and informs on it;
  • imposes sanctions in the case of determining that the obligations referred to in the Act were breached;
  • provides consultation in the area of personal data protection;
  • methodically guides the controllers and the processors in the course of the processing of personal data;
  • informs the public about the risks, rules, assurances, and rights with regard to personal data processing;
  • notifies the controller or the processor of their duties with regard to personal data processing;
  • compiles and publishes an annual report on its activities;
  • ensures fulfillment of requirements following from international treaties binding the Czech Republic, and from directly applicable law of the EU;
  • issues, on its own initiative, opinions to the Parliament, on the proposed legislation in the field of personal data protection, if such legislation is not proposed by the Government of the Czech Republic; and
  • co-operates with the EDPB, co-operates with similar authorities in other countries, with institutions of the EU, and with bodies of international organizations operating in the area of personal data protection.

4. Key Definitions

Data controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law (Article 4(7) of the GDPR).

Data processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller (Article 4(8) of the GDPR).

Personal data: Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person (Article 4(1) of the GDPR).

Sensitive data: Personal data, which reveal racial or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of unique identification of a natural person, data concerning health or data concerning sex life, sexual orientation, and data relating to criminal convictions and offenses or related security measures (Section 66(6) of the Act).

Health data: Personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about their health status (Article 4(15) of the GDPR).

Biometric data: Personal data resulting from specific technical processing relating to the physical, physiological or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data (Article 4(14) of the GDPR).

Pseudonymization: The processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person (Article 4(5) of the GDPR).

5. Legal Bases

5.1. Consent

The Act does not implement any new rules in relation to consent as a legal basis for processing.

5.2. Contract with the data subject

The Act does not implement any new rules in relation to contractual relations as a legal basis for processing.

5.3. Legal obligations

The Act does not implement any new rules in relation to legal obligations to which the controller is subject as a legal basis for processing.

5.4. Interests of the data subject

The Act does not implement any new rules in relation to the protection of the interest of the data subject as a legal basis for processing.

5.5. Public interest

The Act does not implement any new rules in relation to the carrying out of a task in the public interest as a legal basis for processing.

5.6. Legitimate interests of the data controller

The Act does not implement any new rules in relation to legitimate interests as a legal basis for processing.

5.7. Legal bases in other instances

The Act does not implement any new rules in relation to legal bases for processing. The Amending Act does, however, amend Act No. 499/2004 Coll. on Archiving and Records Management and on the Amendment of Selected Acts (a consolidated version of which is only available in Czech here), and provides for a new statutory basis for the processing of special categories of personal data (the legal bases are 'legal obligations' and 'public interest').

An interesting deviation from the GDPR (originating in the previous privacy act, Act No. 101/2000 Coll., on the Protection of Personal Data) is the set of specific legal bases for controllers pursuant to Title IV of the Act (i.e. competent authorities ensuring the defense and security interests of the Czech Republic), in addition to the legal bases provided for by the GDPR. In particular, Section 43(3) of the Act provides for the following specific legal grounds for processing data for the purpose of ensuring the defense and security interests of the Czech Republic:

  • the personal data was already legally published;
  • the processing is for the purpose of providing information about the publicly active person (with respect to her public position); and
  • the processing is carried out solely and exclusively for archiving purposes.

An additional aspect within the area of legal bases involves a general exemption related to compatibility considerations outlined in Article 6(4) of the GDPR. This exemption applies when the secondary purpose of the processing involves pursuing a 'protected interest' and the processing is deemed necessary and adequate to fulfill a legal obligation or perform a task in the public interest or as part of the controller's exercise of an official authority. The term 'protected interest' is defined as:

  • defense or security interests of the Czech Republic;
  • public order and internal security, prevention, search or detection of crime, prosecution of criminal offenses, execution of penalties and protective measures, ensuring the security of the Czech Republic or ensuring public order and internal security, including the search for persons and things;
  • any other important objective of public interest of the European Union or a Member State of the European Union, in particular an important economic or financial interest of the European Union or a Member State of the European Union, including monetary, budgetary, fiscal, financial market, public health or social security matters;
  • the protection of the independence of courts and judges;
  • the prevention, detection, or prosecution of breaches of the ethical rules of regulated professions;
  • supervisory, control, or regulatory functions related to the exercise of public authority in the cases referred to in the points above;
  • the protection of the rights and freedoms of persons; or
  • the enforcement of private law claims.

6. Principles

The Act does not create special principles and processing is therefore governed by GDPR principles. However, the Act does emphasize the principle of transparency of the processing based on the legal obligation and tasks carried out in the public interest, as implied from Sections 5 and 8 of the Act.

The Act also provides for principles relating to the processing of data provided for the purpose of prevention, investigation, or detection of criminal offenses. Specifically, the Act provides that the controller shall:

  • determine a specific purpose of personal data processing in connection with the performance of the task;
  • implement measures ensuring that personal data are accurate in relation to the nature and purpose of the processing; and
  • keep personal data in a form enabling identification of the data subject only for the period necessary for achieving the purpose of their processing.

7. Controller and Processor Obligations

7.1. Data processing notification

The registration of personal data processing with the UOOU is no longer required in the Czech Republic since the entry into force of the GDPR, which canceled this obligation. In addition, the Act does not set out any particular data processing activities that would require registration, e.g., with regard to the processing of sensitive data.

The Czech Republic does, however, use the option of restricting particular rights of data subjects in the case of processing based on Article 23 of the GDPR, i.e., for the purposes of national security, public order, criminal prosecution, or more generally, to safeguard the protection of the rights and freedoms of others or the enforcement of civil law claims (so-called 'protected interests'; for more detailed information see the section on key definitions below). In such cases, the restriction/suspension of certain rights of data subjects shall be notified to the UOOU by either the data processor or the data controller. A similar notification of the limitation of data subjects' rights is also applicable in the case of data breaches, i.e., if the controller intends not to notify the data subject pursuant to Article 34 of the GDPR (despite the inapplicability of any exemption therein) by invoking a protected interest. The notifications can be made either ad hoc or generally for future cases, and must always be accompanied by the information and reasoning listed in Article 23(2) of the GDPR.

Pursuant to Article 37(7) of the GDPR, the contact details of an organization's DPO must be communicated to the UOOU. It is not, however, a formal registration.

7.2. Data transfers

Neither the Act nor any other law stipulates a restriction regarding the transfer of data outside the EU/EEA. The applicable restrictions are set out in Chapter V of the GDPR.

The Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (7 June 2021) ('Decision 2021/914') should now be used by both controllers and processors if they transfer personal data in accordance with Article 46(2)(c) of the GDPR.

7.3. Data processing records

There are no national variations from the GDPR.

The UOOU published a template Data Processing Records for small enterprises and sole entrepreneurs (only available in Czech here).

7.4. Data protection impact assessment

DPIA Processing List

The UOOU, pursuant to Article 35(5) of the GDPR, published on 8 January 2020 an updated List of the categories of processing operations for which a Data Protection Impact Assessment is required ('the DPIA Processing List'). The DPIA Processing List does not provide a list of the types of processing that would require a DPIA to be carried out, but rather sets out criteria for deciding the level of risk to the rights and freedoms of data subjects connected with particular processing operations. These criteria include:

  • processing including monitoring of the data subjects;
  • processing of critical data, data enabling direct identification and/or data of a highly personal nature;
  • processing of personal data which can expose the data subjects to a threat from the environment;
  • processing of personal data on a large scale;
  • processing involving monitoring of publicly accessible areas;
  • processing which can be influenced by the data subject only to a limited extent;
  • processing of publicly accessible personal data;
  • processing within technologically complex or advanced infrastructures or platforms;
  • processing with a link to another controller or processor; and
  • processing applying the use of innovative technological or organizational solutions.

Please note that the DPIA Processing List contains additional requirements regarding every criterion in order to determine whether the DPIA must be carried out or not.

DPIA Whitelist

The UOOU has also issued its list of processing operations which do not require a DPIA to be carried out (only available in Czech here) ('the DPIA Whitelist'). However, the UOOU states that the DPIA Whitelist is not definitive and will be subject to further amendments with respect to newly obtained practical knowledge from the market and technological development.

The Czech Republic has not made use of the possibility of Article 36(5) of the GDPR to expand the situations that would require prior consultation.

Pursuant to Section 10 of the Act, a controller is not required to carry out a DPIA if it is required by law to perform such data processing. Otherwise, there are no national specifications with regard to either the DPIA or the prior consultation with the UOOU.

The DPIA Whitelist provides that the following seven operations of processing do not require the performance of DPIA:

  • processing of personal data of employees with their permanent place of employment within the territory of the Czech Republic carried out exclusively within the territory of the Czech Republic in order to comply with a legal obligation in the areas of accounting, payroll and personnel accounting, social and health insurance (the permanent place of employment means the place of employment at which the employee stays for more than four hours per shift);
  • processing of employees' data with the permanent place of their employment in the territory of the Czech Republic if such processing does not contain also the processing of biometric data, evaluation and scoring of the data subjects, or systematic monitoring of the data subjects (HR agenda in this context does not include whistleblowing);
  • processing of customers' data carried out entirely within the territory of the Czech Republic concerning a business activity (including loyalty cards, organizing events, sending newsletters, etc.), carried out exclusively in the Czech language and not containing processing of special categories of personal data, evaluation, scoring or systematic monitoring of the data subjects (with the exception provided under point 4 of the DPIA Whitelist) (the business activity shall therefore be considered to be aimed predominantly or exclusively at the Member State whose language is used);
  • processing carried out in connection with a customer's single visit of a web page, including profiling of the customer based on their choices of particular goods or services chosen from the offer of that web page of the controller. Such processing must not include processing of special categories of data, data of a highly personal nature, and must not aim at the processing of personal data of vulnerable data subjects as a target group;
  • processing carried out by persons providing health care services who are not in an employment relationship (i.e. health care provider as a sole entrepreneur) using the personal data exclusively in order to provide the health care services to the data subject (Recital 91 of the GDPR). Such processing must not include systematic transfers of personal data to third countries, the processing must not include the engagement of any processor for certain processing activities nor shall the patients' personal data be shared/interconnected between two or more physicians;
  • processing carried out by individual attorneys and/or notaries who are not in an employment relationship using the personal data necessary exclusively for the purpose of providing of the legal services to the data subject (Recital 91 of the GDPR). Such processing must not include systematic transfers of the personal data to third countries, the processing shall not include the engagement of any processor for certain processing activities nor shall the clients' personal data be shared/interconnected between two or more lawyers; and
  • processing carried out by sole proprietors providing social services who are not in an employment relationship using the personal data exclusively in order to provide the social services. Such processing must not include systematic transfers of the personal data to third countries, the processing must not include the engagement of any processor for certain processing activities nor shall the clients' personal data be shared/interconnected between two or more providers of social services.

Please note that this is an overview and a detailed case-by-case assessment is necessary. The DPIA Whitelist is also subject to further amendments by the UOOU.

In addition, the UOOU published on November 11, 2020:

  • the Guidance on DPIAs in draft legislation (only available in Czech here) ('the DPIA Guidance for Legislative Bodies'); and
  • Methodology for DPIAs (only available in Czech here) ('the Methodology').

DPIA Guidance for Legislative Bodies

The DPIA Guidance for Legislative Bodies is a general manual for institutions preparing a legislative measure that includes the processing of personal data. The clear purpose of it is to ensure that any controller that will eventually rely upon such legislation may avail itself of the exemption provided for in Article 35(10) of the GDPR (or the much broader exemption under Section 10 of the Act). So far, the UOOU has not challenged any processing carried out without a DPIA based on this exemption and it remains to be seen whether, for example, courts will use the guidance as a criterion for assessing the legality and conditions of the processing in the future.

Methodology

The Methodology, on the other hand, is for any controller who is required to carry out a DPIA. The document seeks to answer the following questions:

  • Why carry out a DPIA?
  • Who should carry out the DPIA?
  • When is the DPIA carried out?
  • Does the DPIA need to be documented?
  • How is the DPIA carried out?

The Methodology specifies the possible method (and content) of the DPIA, which is divided into four stages:

Stage 1: Collection of information on the processing of personal data, including the mechanisms applied by the controller to demonstrate compliance with the general regulation on personal data protection.

Stage 2: Analysis (based on the information collected in the previous stage) of whether it is necessary to carry out a DPIA. The controller should consider the following:

  • systematic description of the intended processing operations;
  • assessment of the necessity and adequacy of the processing operations in terms of purposes;
  • risk assessment for the rights and freedoms of data subjects;
  • monitoring and updating DPIAs;
  • the opinion of representatives of data subjects and independent experts;
  • the opinion of the DPO;
  • prior consultation with the UOOU; and
  • clause on the approval of the DPIA by the responsible person of the controller.

Stage 3: Performing the DPIA. This stage is supplemented by Annex 5 of the Methodology.

Stage 4: Monitoring compliance with measures and regular reviews of DPIAs.

In addition, the Methodology contains Annexes which state:

  • examples of vulnerabilities;
  • examples of threats; and
  • examples of the focus of technical and organizational measures.

According to Annex 5, the controller has to assess the level of risk. Each of the three coefficients (impact, threat level, and vulnerability rate) is rated on a scale from 1 to 4, so the risk level for an individual threat to personal data lies between 1 (1×1×1) and 64 (4×4×4). The level of risk is calculated from the established coefficients using the following formula: risk = impact × threat level × vulnerability rate.

The guidelines of the UOOU related to the mandatory COVID-19 testing of employees also include a template of a risk assessment indicating whether a DPIA needs to be performed in the context of processing employees' COVID-19 test data (only available in Czech here). The template indicates that a DPIA is generally not required (for SMEs). However, it is up to the controller to perform the risk assessment taking into account the specifics of its own processing of personal data.

Prior consultation

Furthermore, the Consultation Guidance provides that the UOOU must provide prior consultation pursuant to Article 36 of the GDPR in case of high-risk processing, following a DPIA by the controller pursuant to Article 35 of the GDPR. In addition, the UOOU can provide simple advice on selected issues on data processing within its personnel capabilities (the Consultation Guidance).

In order for the UOOU to effectively address data processing issues in the consultation, DPOs and other persons must (the Consultation Guidance):

  • identify and analyze the problem, describe the situation in more detail, and state the basic parameters of the relevant processing;
  • make suggestions for solutions to significant identified problems and formulate solutions not only by using provisions of the GDPR but also in accordance with the relevant specific legislation governing specific data processing;
  • give the name and address of the controller and processor involved in the processing, describe their role and tasks, and document their contractual relationship;
  • provide proof that they are authorized to act on behalf of the data controller or a trustee; and
  • submit the relevant documents and information necessary to assess the processing in the context of the activities of the controller.

Penalty

A legal person commits an infraction during the processing of personal data by failing to perform a DPIA in accordance with Section 37 of the Act (Section 63(1)(k) of the Act).

7.5. Data protection officer appointment

The only difference from the GDPR is that pursuant to Section 14 of the Act, a DPO must also be designated by an authority set up by law which fulfills statutory tasks in the public interest, such as the Czech National Bank ('CNB') or the General Health Insurance Company of the Czech Republic and which would normally, according to the Act, fall outside the scope of 'public authority' under the GDPR.

Professional qualifications

Czech formal education is only required for DPOs in the civil service and in the self-governing territorial units (municipal or regional governments).

The DPO does not have to be certified and a data controller may recruit a 'non-certified' individual who has sufficient legal knowledge of personal data protection and the GDPR (the DPO FAQs).

Notification

In the Czech Republic, organizations that designate a DPO are obliged to communicate their contact details to the UOOU. Notification can be made by sending an email to [email protected] and by including 'Notification of the DPO' in the email's subject box (the DPO FAQs).

The notification email must include the following information (the DPO FAQs):

  • the name and address of the controller and processor;
  • the DPO name and surname; and
  • the DPO contact details.

The contact details of the DPO must always be communicated by the data controller or processor, not by the DPO, even if they are acting as a DPO for several other organizations (the DPO FAQs).

7.6. Data breach notification

Section 12 of the Act provides for mitigation of the notification obligation in connection with data breaches. Specifically, the information provided to the data subject can be either restricted or postponed insofar as it is proportionate and necessary for the purposes mentioned in Section 11 of the Act, i.e. for 'protected interests' (see the section on legal bases in other instances above).

The UOOU issued an official Data Breach Notification Form which should be used for notifying any data breach (only available in Czech here).

Cybersecurity

Act No. 181 of 23 July 2014 On Cyber Security and Change of Related Acts ('the Act on Cybersecurity') provides additional data protection requirements and data breach notification duties for certain regulated entities, namely (Section 2 of the Act on Cybersecurity):

  • electronic communications service providers and entities operating electronic communications networks;
  • public authorities or natural and legal persons administering important networks, unless they are the administrator of a communications system;
  • administrators of critical information infrastructure information systems;
  • administrators of critical information infrastructure communication systems;
  • administrators of important information systems;
  • providers of basic services; and
  • providers of digital services.

Providers of basic services cover non-IT entities from various sectors, such as energy, transportation, banking and financial services, health services, and the chemical industry. Regulated entities are then, pursuant to Section 8 of the Act on Cybersecurity, obliged to report cybersecurity incidents (information security breaches in information systems, security of services breaches, or breaches of the integrity of electronic communication networks resulting from a cybersecurity event) to the National Cyber and Information Security Agency and, in some cases, to the administrator of the national Cyber Security Response Team.

These rules are expected to be adapted to the new rules provided for in Directive (EU) 2022/2555 (the NIS2 Directive) by 2024.

Electronic communications

The requirement of Article 4(3) of the ePrivacy Directive (2002/58/EC) (as amended) is, pursuant to Section 88(4) of the Act of 22 February 2005 on Electronic Communications and on Amendment to Certain Related Acts (as amended), implemented by referring to the data breach procedures under the GDPR, i.e. the rules on notification to the UOOU and to data subjects pursuant to Articles 33 and 34 of the GDPR apply.

7.7. Data retention

The Act stipulates a specific retention period for electronic records (logs) in certain circumstances, including the following:

  • When processing for the purposes of scientific or historical research or statistical purposes, the controller has to log at least all operations of collection, entering, alteration, and erasure of the personal data, in a way that makes it possible to determine and verify the identity of the person performing the operation, and retain such records for a period of at least two years from the operation (Section 16 of the Act).
  • Authorities processing data for the purpose of prevention, investigation, or detection of criminal offenses shall keep records regarding the handling of data subjects' requests for a period of at least three years (Section 28 of the Act).
  • If the authority processing data for the purpose of prevention, investigation, or detection of criminal offenses performs automated personal data processing, it shall keep the records regarding the operations of collection, entering, alteration, combining, consultation, transfer, disclosure, and erasure for a period of at least three years (Section 36 of the Act).
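The logging duties above (Sections 16 and 36 of the Act) amount to an engineering requirement: every listed operation on personal data is recorded together with the verified identity of the operator, the record can later be used to establish who did what, and the records survive for at least the statutory minimum. The following is an added example, written for this overview and not taken from the Act, the UOOU or any Czech project, of how a controller might implement such an audit log. It assumes a hypothetical application that already authenticates operators; the hash chaining and the retention-guarded purge are design choices of the example, not requirements stated in the Act.

```python
"""Audit log for personal-data operations (added example, hypothetical application).

Assumptions: the application supplies the verified identity of the operator;
timestamps are timezone-aware; entries are hash-chained so later alteration of
a stored entry is detectable; purging is refused while entries are still within
the statutory minimum retention period.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Operation sets named in the Act (Section 16 and Section 36 respectively).
SECTION_16_OPS = frozenset({"collection", "entering", "alteration", "erasure"})
SECTION_36_OPS = SECTION_16_OPS | frozenset(
    {"combining", "consultation", "transfer", "disclosure"})
TWO_YEARS = timedelta(days=730)      # Section 16 minimum retention
THREE_YEARS = timedelta(days=1095)   # Sections 28 and 36 minimum retention


def _digest(body: dict) -> str:
    """Canonical SHA-256 over the entry fields (excluding its own hash)."""
    return hashlib.sha256(
        json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    def __init__(self, allowed_ops, min_retention):
        self.allowed_ops = allowed_ops
        self.min_retention = min_retention
        self.entries = []
        self.anchor = "0" * 64   # prev-hash of the oldest retained entry

    def record(self, ts: datetime, operator: str, operation: str, record_id: str) -> str:
        """Append one operation; the record_id identifies the data touched, not the data."""
        if operation not in self.allowed_ops:
            raise ValueError(f"operation {operation!r} is not in the logged set")
        if not operator:
            raise ValueError("operator identity is required")
        prev = self.entries[-1]["hash"] if self.entries else self.anchor
        body = {"ts": ts.isoformat(), "operator": operator,
                "operation": operation, "record_id": record_id, "prev": prev}
        body["hash"] = _digest({k: v for k, v in body.items()})
        self.entries.append(body)
        return body["hash"]

    def verify_chain(self) -> bool:
        """True if every entry hashes correctly and links to its predecessor."""
        prev = self.anchor
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def who_touched(self, record_id: str):
        """Operator and operation for every logged action on one record."""
        return [(e["operator"], e["operation"])
                for e in self.entries if e["record_id"] == record_id]

    def purge_allowed(self, cutoff: datetime, now: datetime) -> bool:
        """A cutoff may not reach into the statutory retention window."""
        return cutoff <= now - self.min_retention

    def purge_before(self, cutoff: datetime, now: datetime) -> int:
        """Drop entries older than cutoff; returns how many were removed."""
        if not self.purge_allowed(cutoff, now):
            raise ValueError("cutoff would delete entries still under statutory retention")
        kept = [e for e in self.entries
                if datetime.fromisoformat(e["ts"]) >= cutoff]
        removed = len(self.entries) - len(kept)
        if kept:
            self.anchor = kept[0]["prev"]   # chain now starts at the oldest kept entry
        elif self.entries:
            self.anchor = self.entries[-1]["hash"]
        self.entries = kept
        return removed


def demo() -> dict:
    """Constructed sample: two operations on one subject, then a retention-guarded purge."""
    now = datetime(2023, 12, 1, tzinfo=timezone.utc)
    log = AuditLog(SECTION_16_OPS, TWO_YEARS)
    log.record(now - timedelta(days=800), "alice", "collection", "subj-1")
    log.record(now - timedelta(days=100), "bob", "alteration", "subj-1")
    results = {
        "chain_ok": log.verify_chain(),
        "touched": log.who_touched("subj-1"),
        "early_purge_allowed": log.purge_allowed(now - timedelta(days=50), now),
        "removed": log.purge_before(now - TWO_YEARS, now),
        "chain_ok_after_purge": log.verify_chain(),
    }
    log.entries[0]["operator"] = "mallory"       # simulate after-the-fact tampering
    results["tamper_detected"] = not log.verify_chain()
    return results


if __name__ == "__main__":
    print(demo())
```

The purge guard is the part practitioners most often get wrong: a log-rotation job that counts only in days of disk space will silently delete records the controller is still obliged to hold. Storing the record identifier rather than the personal data itself keeps the audit trail from becoming a second copy of the data it is supposed to account for.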

In addition, Czech law contains additional provisions regarding data retention for example in the following legislation:

  • Act No 563/1991 Coll., on Accounting (only available to download in Czech here);
  • Act No 582/1991 Coll., on the Organisation and Implementation of Social Security (only available to download in Czech here);
  • Act No 589/1992 Coll., on Social Insurance Premiums (only available to download in Czech here);
  • Act No 40/1995 Coll., Concerning Regulation of Advertising (only available to download in Czech here);
  • Annex 1 to Act No. 499/2004 Coll., on Archiving and Filing Service (only available to download in Czech here);
  • Act No 262/2006 Coll., the Labour Code (only available to download in Czech here);
  • Act No 280/2009 Coll., Tax Code (only available to download in Czech here); and
  • Act No 171/2003 Coll., on the Protection of Whistleblowers (only available to download in Czech here).

7.8. Children's data

Pursuant to Section 7 of the Act, the age of the child required for consent to the processing of their personal data in relation to information society services without the necessity to obtain additional consent of the legal representative is lowered to a minimum age of 15 years. There are no specific additional national rules or regulations with regard to the processing of children's data.

7.9. Special categories of personal data

Rules on the processing of special categories of data are set out by various pieces of legislation, such as:

  • Act No. 148/1998 Coll., on the Protection of Classified Information (only available to download in Czech here);
  • Act No. 18/1997 Coll., on Peaceful Utilisation of Nuclear Energy and Ionising Radiation (only available to download in Czech here);
  • Act No. 38/1994 Coll., on Foreign Trade in Military Equipment (only available in Czech here);
  • Act No. 455/1991 Coll., the Trade Licensing Act (only available in Czech here);
  • Act No. 273/2008 Coll., on the Police of the Czech Republic (only available to download in Czech here);
  • Act No. 140/1961 Coll., on Criminal Procedure (only available to download in Czech here);
  • Act No. 283/1993 Coll., on State Prosecution (only available in Czech here);
  • Act No. 269/1994 Coll., on the Registry of Criminal Records (only available in Czech here);
  • Act No. 155/1995 Coll., on Pension Insurance (only available in Czech here);
  • Act No. 187/2006 Coll., on Sickness Insurance (only available in Czech here);
  • Act No. 48/1997 Coll., on Healthcare Insurance (only available in Czech here); and
  • Act No. 372/2011 Coll., on Healthcare Services (only available in Czech here).

The Act does not introduce any additional conditions or limitations with regard to the processing of genetic data, biometric data, or data concerning health, generally allowed by Article 9(4) of the GDPR. It does, however, regulate a special regime for the processing of special categories of personal data in the areas of journalism, academics, art, and literary expression.

Pursuant to Section 16(2) of the Act, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation for journalistic purposes and the purposes of academic, artistic, or literary expression is primarily only allowed in anonymized form, unless the anonymization would hamper achieving such purposes, or it is precluded by the legitimate interest of data subjects (such as participants in a clinical trial, depending on the accuracy of the processed results for a long time).

Personal data relating to criminal convictions and offenses or related security measures may also be processed (in addition to the official authority purposes as presumed by Article 10 of the GDPR) for the purpose of exercising freedom of speech (i.e. appropriate journalistic, academic, and literary expression).

7.10. Controller and processor contracts

The requirements stipulated by Article 28 of the GDPR apply. The parties may use Decision 2021/914 on standard contractual clauses for the transfers of personal data to third countries in accordance with Article 28(6) of the GDPR.

8. Data Subject Rights

Article 23 of the GDPR and Section 11 of the Act provide for limitations in respect of data controllers' obligations as set out in Articles 12-22 of the GDPR. The rights of data subjects, as well as the obligation to notify a personal data breach, can be restricted or their performance postponed in order to safeguard:

  • defense or security of the Czech Republic;
  • public order or internal security;
  • prevention, search for, or detection of criminal activities, prosecution of criminal offenses or enforcement of criminal penalties;
  • another important public interest objective of the EU or a Member State, in particular, an important economic or financial interest of the EU or a Member State, including monetary, budgetary, and fiscal matters, public health, and social security;
  • protection of the independence of the judiciary and of judicial proceedings;
  • monitoring, inspection, or regulatory functions related, even occasionally, to the exercise of official authority in the cases referred to in bullet points 1 to 5;
  • protection of rights and freedoms of persons; or
  • enforcement of private law claims.

Such restrictions must be notified by either the data processor or the data controller to the UOOU without undue delay.

Unless the Act prescribes otherwise, the right of access based on Article 15 of the GDPR may be restricted or its performance postponed if it is necessary and proportionate to safeguard the rights and legitimate interests of another person.

Notification of a personal data breach to the data subject may also be restricted or postponed if it is necessary and proportionate for safeguarding the interests explained above.

The Czech Republic has also decided to apply the exemption provided for in Article 85 of the GDPR for the processing of journalistic purposes and the purposes of academic, artistic, or literary expression. Such limitations include the protection of the data processor's identity, source of information (the data subject must not be allowed to require the information on the source of information), or the restriction of the right to object to processing.

8.1. Right to be informed

Various exemptions in the case of processing for journalistic, academic, and artistic purposes with regard to the processor's identity and the source of information exist under the Act. With regard to processing for journalistic, academic, and artistic purposes carried out via remote access, the duty to inform on rectification and erasure can be fulfilled by referring to the last update of content.

Sectoral regulations also provide for specific conditions for and exceptions from the right to information on the processing of personal data by the CNB, processing of personal data in the field of anti-money laundering ('AML'), tax law, and cybersecurity.

8.2. Right to access

According to Section 19(2) of the Act, a controller who processes personal data for journalistic purposes or the purposes of academic, artistic, or literary expression may exclude access to personal data in justified cases, especially if a legitimate purpose of personal data processing would otherwise be endangered or frustrated or if the provision of access would involve disproportionate effort. Articles 14(2)(f) and 15(1)(g) of the GDPR shall not apply to personal data processing for journalistic purposes or the purposes of academic, artistic, or literary expression (Section 19(3) of the Act).

8.3. Right to rectification

If the rights to erasure or rectification are exercised with respect to personal data processed for journalistic purposes or the purposes of academic, artistic, or literary expression, other legal regulations shall apply.

In particular, according to Section 89 of Act No. 89/2012 Coll., the Civil Code, an image, or an audio or video recording, may, without the consent of the individual, also be reasonably made or used for scientific or artistic purposes and for print, radio, television, or similar coverage.

In addition, Section 35 et seq. of the Act No. 231/2001 Coll., on Radio and Television Broadcasting and on Amendment to Other Acts provides that if any announcement containing any factual information affecting the honor, dignity, or privacy of a natural person or the good name or reputation of any legal person was made public in radio or television broadcasting, then such a natural person or legal person shall have the right to request that a reply be broadcast by the radio or television broadcaster. The radio or television broadcaster shall broadcast such a reply upon such a natural person's or legal person's request.

Lastly, Section 10 of the Act No. 46/2000 Coll., on the Rights and Duties in Issuing Periodical Press and Amending Some Other Laws (only available to download in Czech here) similarly provides for the rights mentioned above.

8.4. Right to erasure

Sectoral regulations also provide for specific conditions for and exceptions from the right to erasure for the processing of personal data in the field of AML, cybersecurity and financial guarantee funds.

Please see section on the right to rectification above.

8.5. Right to object/opt-out

With regard to processing for journalistic, academic, and artistic purposes, the right to restriction of processing may only apply if the data controller no longer requires particular personal data.

Sectoral regulations also provide specific conditions for and exceptions from the right to the restriction of processing by the CNB, processing in the field of social security, building loans, public health insurance, financial guarantee funds, AML, tax law, pension funds, cybersecurity, and supervision of games of chance.

8.6. Right to data portability

There are no national variations from the GDPR.

8.7. Right not to be subject to automated decision-making

Sectoral regulations also provide for specific conditions for and exceptions from the rules on automated decision-making, including profiling carried out by the CNB, profiling in the field of public health insurance, financial guarantee funds, tax law, pension funds, and the supervision of games of chance.

8.8. Other rights

The Act does not envisage any new rights of the data subject.

9. Penalties

Section 61 of the Act classifies as an administrative offense the unlawful publication of personal data where the prohibition of disclosure is stipulated by law (currently only Act No. 141/1961 Coll., Criminal Procedure Code (only available in Czech here) which bans unlawful publishing of wiretapping records/transcripts). Fines may amount to approx. €40,000 and a maximum fine of approx. €200,000 is provided if this administrative offense is carried out through print, film, radio, television, publicly accessible computer network, or other similarly effective means.

Section 61(3) of the Act provides, in accordance with Article 83(7) of the GDPR, that no sanction shall be imposed on public authorities and bodies established in the Czech Republic.

The general rules on sanctions provided by the GDPR apply in the remaining cases.

9.1 Enforcement decisions

In 2021, there were more than 50 cases that ended with a fine being issued, which is still below the average of the rate usual before the GDPR entered into force. Since then, the highest fine imposed solely for breach of the GDPR rules amounted to approximately €19,000 with the total amount of fines issued by the UOOU being €111,000 (2018 to 2020). However, the UOOU stated publicly that it was willing to give the controllers a grace period after the GDPR came into effect. This period seems to be over now. Already in the first quarter of 2021, the UOOU issued fines amounting in total to €135,000 with the highest individual fine amounting to €25,000. That might not seem to be a lot in an EU-wide comparison but it clearly shows a trend in the enforcement policy of the UOOU.

The highest fine ever imposed by the UOOU topped €230,000 for sending unsolicited commercial communication. The UOOU applied a novel approach as it not only focused on the complaints filed, but also examined the entire marketing campaign consisting of e-mails sent to almost 500,000 recipients. According to the UOOU, the company only referred to its established procedures for obtaining consents, but actually did not have any proof of the specifically granted consents of the addressees in question to the sending of commercial communications. Thus, the unusually high sanction reflected a systematic malpractice and not just the particular number of possibly affected addressees. The case is currently pending before the courts.

For the year 2022, the authors would point out the following decisions and enforcement actions as the most noticeable in the Czech Republic:

In the aftermath of the COVID-19 pandemic, the UOOU fined the Ministry of the Interior CZK 975,000 (approx. $43,600) for the processing of personal data of persons in ordered quarantine by the Police of the Czech Republic. The UOOU saw as problematic mainly the lack of a proper legal basis for such processing and the indiscriminate manner of the processing. The relevant legal provision only allows the processing of certain sensitive categories of personal data (including health data) when it is necessary for the purpose of investigating a particular crime or offence. The Czech Police, however, processed personal data about every quarantined person in the country regardless of whether any investigation of a crime or administrative offence had been initiated. The decision was appealed in the courts and the case is still pending. One of the interesting aspects is the amount of the fine, which is rather high in the Czech context. But from the perspective of effective enforcement, in our opinion, it should be welcomed. Secondly, it is worth noting that the fine was not imposed under the GDPR but under the Act, which also implements Directive 2016/680 (the so-called Law Enforcement Directive). When adapting the Czech legal order to the GDPR, the Czech legislator made full use of Article 83(7) of the GDPR and excluded public bodies from the fining competence of the UOOU. So in the case of a public body other than a law enforcement authority, the fine could not have been imposed. However, under the part of the Act implementing the Law Enforcement Directive, the fining competence of the UOOU vis-à-vis public bodies is not excluded, but the amount of the fine is limited to a maximum of CZK 10 million (approx. $447,230).

The notion of 'public body' within the meaning of Article 83(7) of the GDPR and Section 62(5) of the Act was also under scrutiny in a case decided at last instance by the Czech Supreme Administrative Court ('SAC') earlier this year. In the case at hand, the SAC was deciding upon a fine imposed by the UOOU on a public hospital for not complying with the requirement to introduce sufficient technical and organisational measures to secure personal data. Importantly, the SAC decided that even though the hospital is funded from the public insurance scheme and performs tasks in the public interest, it cannot be regarded as a public authority or body. The SAC saw as decisive that the hospital is formally a joint-stock company (although entirely owned by the South Bohemian Region) managing its own assets and is not directly financed from public resources. Before the judgement this was far from obvious, and this decision is therefore the first step towards a clearer delineation of the term 'public authority or body'.

In the area of the processing of personal data in employment relationships, the UOOU assessed a case where an employer installed fake CCTV cameras 'monitoring' the employees. Since no video image was in fact recorded, the UOOU decided that no breach of the GDPR could have occurred. However, it referred the case to the competent Labour Inspectorate, which decided that even though the employees were not actually monitored, the 'cameras' in that particular case created undue pressure on the employees. Creating such excessive pressure by the employer was found to be in breach of the respective provisions of the Labour Code.

The UOOU also focused in the first half of 2022 on the topic of cookies and cookie-banners on the Czech internet. The UOOU found the following main deficiencies:

  • use of non-technical cookies without consent;
  • disproportionately long duration of cookies in relation to their purpose;
  • absence of an opt-out option for non-technical cookies in the first layer of the cookie banner;
  • poor categorisation of cookies;
  • absence of information on the specific cookies used;
  • difference in the visibility of the buttons for agreeing and disagreeing to the use of non-technical cookies;
  • incorrect classification of cookies;
  • information about cookies in a foreign language; and
  • cookie banner makes it difficult or impossible to read the website.

Following an initial soft approach, in which the respective data controllers were required to remedy the situation, the UOOU started issuing fines for non-compliance. In the first seven months of 2023, fines totaling CZK 4.4 million (approx. $196,780) were imposed, with the highest single penalty of CZK 898,000 (approx. $40,160) for the illegal use of marketing cookies.
