Czech Republic - National GDPR Implementation Overview
1.1. National implementing legislation of the GDPR
Act No. 110/2019 Coll. on the Processing of Personal Data (only available to download in Czech here) ('the Act'), which implements the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), was adopted by the Parliament on 3 March 2019, signed by the President of the Republic on 10 April 2019, and published, and hence became applicable, on 24 April 2019, together with Act No. 111/2019 Coll. Amending Certain Acts in Connection with the Adoption of the Act on the Processing of Personal Data (only available to download in Czech here) ('the Amending Act'), which amends a further 39 legal acts.
The Office for Personal Data Protection ('UOOU') is the main authority responsible for publishing guidelines, recommendations and other documents on the protection of personal data in the form of opinions.
All such opinions are available on the UOOU's website (only available in Czech here); some (especially those from before the implementation of the GDPR) are also available in English here. Areas concerned include:
- processing of personal data via recordings from cameras on unmanned aircraft;
- publication of personal data in the media;
- use of electronic cards;
- processing of personal data by e-shops;
- personal data processing in the context of clinical testing of drugs and other medical substances; and
- publication of personal data on the internet.
Please note that some of the UOOU's opinions might not be applicable as a result of the GDPR. In addition, the guidelines and opinions of the Article 29 Working Party and the European Data Protection Board ('EDPB') are applicable in the Czech Republic.
1.3. Case Law
There has been no interesting development of case law since the implementation of the GDPR in the Czech Republic. The UOOU does, however, publish the most important judgments of both the highest Czech courts, as well as EU courts and the European Court of Human Rights on its website (only available in Czech here). At the end of 2018, Advocate General of the European Court of Justice, Michal Bobek, delivered his Opinion in Case C-40/17 Fashion ID GmbH & Co. KG v. Verbraucherzentrale NRW e.V., where he interconnects the provisions of the Directive 95/46/EC of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (23 November 1995) with the respective provisions of the GDPR (and thus argues for a continuous interpretation with regard to fundamental principles of data protection in the EU), but the Court of Justice of the European Union itself has not yet ruled on the matter.
2. DATA PROTECTION AUTHORITY | REGULATORY AUTHORITY
2.1. Main regulator for data protection
The main and only official authority regarding personal data protection in the Czech Republic is the UOOU. In addition to the GDPR, the UOOU also supervises personal data processing falling into the scope of the so-called Law Enforcement Directive (Directive (EU) 2016/680) ('the Law Enforcement Directive').
2.2. Main powers, duties and responsibilities
The UOOU is an independent body set up to:
- supervise the legal obligations laid down for the processing of personal data;
- deal with initiatives and complaints from citizens concerning a breach of law; and
- provide consultancy in personal data protection.
Pursuant to the GDPR and the Act, the main powers, duties and responsibilities of the UOOU follow the general provisions under Article 58 of the GDPR and are further specified by the Act. With regard to the data processing pursuant to the GDPR, the UOOU must:
- pursuant to Article 58(1)(d) of the GDPR, require the data processor to further clarify and correct unlawful processing;
- inform both data processors and data controllers about the fact that the intended data processing can lead to a violation of their duties;
- submit the criteria pursuant to Article 41(3), 42(5) or 43(1)(b) of the GDPR;
- order the certification body to withdraw a certification issued pursuant to Article 42 and 43 of the GDPR;
- approve draft codes of conduct, unless a particular code of conduct violates the GDPR; and
- provide remote access to standard data protection clauses adopted pursuant to Article 28(8) and Article 46(2)(d) of the GDPR.
With regard to Chapter III of the Act, which implements the Law Enforcement Directive, the UOOU:
- supervises compliance with obligations stipulated by the Act in the course of the processing of personal data;
- verifies the lawfulness of data processing based on notification according to Article 29 of the Act;
- accepts notifications and petitions concerning a suspected breach of the obligations stipulated by the Act in the course of the processing of personal data and provides information on their handling;
- imposes sanctions in the case of determining that the obligations referred to in the Act were breached;
- provides consultation in the area of personal data protection;
- methodically guides the controllers and the processors in the course of the processing of personal data;
- informs the public about the risks, rules, assurances and rights with regard to personal data processing;
- notifies the controller or the processor of their duties with regard to personal data processing;
- compiles and publishes an annual report on its activities;
- ensures fulfilment of requirements following from international treaties binding the Czech Republic, and from directly applicable law of the EU;
- issues, on its own initiative, opinions to the Parliament, on the proposed legislation in the field of personal data protection, if such legislation is not proposed by the Government; and
- co-operates with the EDPB, co-operates with similar authorities in other countries, with institutions of the EU and with bodies of international organisations operating in the area of personal data protection.
3.1. National requirements
The registration of personal data processing with the regulator is no longer required in the Czech Republic, because the entry into force of the GDPR cancelled this obligation. In addition, the Act does not set out any particular data processing activities that would require registration, such as the processing of sensitive data.
The Czech Republic does, however, use the option of restricting particular rights of data subjects in the case of processing based on Article 23 of the GDPR, i.e. for the purposes of national security, public order, criminal prosecution or, more generally, to safeguard the protection of the rights and freedoms of others or the enforcement of civil law claims (so-called 'protected interests'; for more detailed information see section 4 below). In such cases, the restriction or suspension of certain rights of data subjects must be notified to the UOOU by either the data processor or the data controller. A similar notification of the limitation of data subjects' rights also applies in the case of data breaches, i.e. if the controller intends not to notify the data subject pursuant to Article 34 of the GDPR (despite the inapplicability of any exemption therein) by invoking a protected interest. The notifications can be made either ad hoc or generally for future cases, and must always be accompanied by the information and reasoning listed in Article 23(2) of the GDPR.
Pursuant to Article 37(7) of the GDPR, the contact details of an organisation's data protection officer ('DPO') must be communicated to the UOOU. It is not, however, a formal registration.
4. DATA SUBJECT RIGHTS
Article 23 of the GDPR and Section 11 of the Act provide for limitations in respect of data controllers' obligations as set out in Articles 12-22 of the GDPR. The rights of data subjects, as well as the obligation to notify a personal data breach, can be restricted or their performance postponed in order to safeguard:
1. defence or security of the Czech Republic;
2. public order or internal security;
3. prevention, search for or detection of criminal activities, prosecution of criminal offences or enforcement of criminal penalties;
4. another important public interest objective of the EU or a Member State, in particular an important economic or financial interest of the EU or a Member State, including monetary, budgetary and fiscal matters, public health and social security;
5. protection of the independence of the judiciary and of judicial proceedings;
6. monitoring, inspection or regulatory functions related, even occasionally, to the exercise of official authority in the cases referred to in points (1) to (5);
7. protection of rights and freedoms of persons; or
8. enforcement of private law claims.
Such restrictions must be notified by either the data processor or the data controller to the UOOU without undue delay.
Unless the Act prescribes otherwise, the right of access based on Article 15 of the GDPR must be restricted or its performance postponed if it is necessary and proportionate to safeguard the rights and legitimate interests of the other person.
Notification of a personal data breach to the data subject must also be restricted or postponed if it is necessary and proportionate for safeguarding the interests explained above.
The Czech Republic has also decided to apply the exemption provided for in Article 85 of the GDPR for the processing for journalistic purposes and the purposes of academic, artistic or literary expression. Such limitations include the protection of the data processor's identity, source of information (the data subject must not be allowed to require the information on the source of information) or the restriction of the right to object to processing.
Various exemptions in the case of processing for journalistic, academic and artistic purposes with regard to the processor's identity and the source of information exist under the Act. With regard to the processing for journalistic, academic and artistic purposes carried out via remote access, the duty to inform on rectification and erasure can be fulfilled by referring to the last update of content.
The sectoral regulations also provide for specific conditions for and exceptions from the right to information on the processing of personal data by the Czech National Bank ('CNB'), processing of personal data in the field of anti-money laundering ('AML'), tax law and cybersecurity.
The sectoral regulations also provide for specific conditions for and exceptions from the right to erasure for the processing of personal data in the field of AML, cybersecurity and financial guarantee funds.
With regard to the processing for journalistic, academic and artistic purposes, the right to restriction of processing must only apply if the data controller no longer requires particular personal data.
The sectoral regulations also provide specific conditions for and exceptions from the right to the restriction of processing by the CNB, processing in the field of social security, building loans, public health insurance, financial guarantee funds, AML, tax law, pension funds, cybersecurity and supervision of games of chance.
No variations currently included.
The sectoral regulations also provide for specific conditions for and exceptions from the rules on automated individual decision making, including profiling, carried out by the CNB and in the field of public health insurance, financial guarantee funds, tax law, pension funds and the supervision of games of chance.
5.1. National regulation of the processing of children's data and age of consent
Pursuant to Section 7 of the Act, the age of the child required for consent to the processing of his or her personal data in relation to information society services without the necessity to obtain additional consent of the legal representative is lowered to a minimum age of 15 years. There are no specific additional national rules or regulations with regard to the processing of children's data.
6.1. National regulation concerning the processing of special categories of data and criminal conviction data
Rules on the processing of special categories of data are set out by various pieces of legislation, such as:
- Act No. 148/1998 Coll., on the Protection of Classified Information (only available to download in Czech here);
- Act No. 18/1997 Coll., on Peaceful Utilisation of Nuclear Energy and Ionising Radiation (only available to download in Czech here);
- Act No. 38/1994 Coll., on Foreign Trade in Military Equipment (only available in Czech here);
- Act No. 455/1991 Coll., the Trade Licensing Act (only available in Czech here);
- Act No. 273/2008 Coll., on the Police of the Czech Republic (only available to download in Czech here);
- Act No. 140/1961 Coll., on Criminal Procedure (only available to download in Czech here);
- Act No. 283/1993 Coll., on State Prosecution (only available in Czech here);
- Act No. 269/1994 Coll., on the Registry of Criminal Records (only available in Czech here);
- Act No. 155/1995 Coll., on Pension Insurance (only available in Czech here);
- Act No. 187/2006 Coll., on Sickness Insurance (only available in Czech here);
- Act No. 48/1997 Coll., on Healthcare Insurance (only available in Czech here); and
- Act No. 372/2011 Coll., on Healthcare Services (only available in Czech here).
The Act does not introduce any additional conditions, including limitations, with regard to the processing of genetic data, biometric data or data concerning health, generally allowed by Article 9(4) of the GDPR. It does, however, regulate a special regime for the processing of special categories of personal data in the area of journalism, academics, art and literary expression.
Pursuant to Section 16(2) of the Act, the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation for journalistic purposes and the purposes of academic, artistic or literary expression is primarily only allowed in anonymised form, unless the anonymisation would hamper achieving such purposes, or it is precluded by the legitimate interest of data subjects (such as participants in a clinical trial, depending on the accuracy of the processed results for a long time).
Personal data relating to criminal convictions and offences or related security measures may also be processed (in addition to the official authority purposes as presumed by Article 10 of the GDPR) for the purpose of exercising freedom of speech (i.e. appropriate journalistic, academic and literary expression).
7.1. Additional/varied requirements on DPO appointment, role and tasks
The only difference from the GDPR is that pursuant to Section 14 of the Act, the DPO must also be designated by an authority set up by law, which fulfils statutory tasks in the public interest, such as the CNB or the General Health Insurance Company of the Czech Republic and which would normally, according to the Act, fall outside the scope of 'public authority.'
8.1. Variation/exemptions on breach notification obligation
Section 12 of the Act provides a mitigation of the notification obligation in connection with data breaches (the information provided to the data subject can be either restricted or postponed), as far as it is proportionate and necessary for the purposes mentioned in Section 11 of the Act, i.e. the protected interests.
8.2. Sectoral obligations
Act No. 181 of 23 July 2014 On Cyber Security and Change of Related Acts ('the Act on Cybersecurity') provides additional data protection requirements and data breach notification duties for certain regulated entities, namely (Section 2 of the Act on Cybersecurity):
- electronic communications service providers and entities operating electronic communications networks;
- public authorities or natural and legal persons administrating important networks, unless they are an administrator of a communications system;
- administrators of critical information infrastructure information systems;
- administrators of critical information infrastructure communication systems;
- administrators of important information systems;
- providers of basic services; and
- providers of digital services.
Providers of basic services include non-IT entities from various sectors, such as energy, transportation, banking and financial services, health services and the chemical industry. Regulated entities are then, pursuant to Section 8 of the Act on Cybersecurity, obliged to report cybersecurity incidents (breaches of information security in information systems, breaches of the security of services, or breaches of the integrity of electronic communication networks resulting from a cybersecurity event) to the National Security Authority or, in some cases, to the administrator of the national Computer Emergency Incident Response Team.
The Act does not change the current implementation of Article 4(2) of the ePrivacy Directive (2002/58/EC) (as amended). Pursuant to Section 88(2) of the Act of 22 February 2005 on Electronic Communications and on Amendment to Certain Related Acts, in the event a breach of security occurs concerning the personal data of a natural person, the undertaking providing a publicly available electronic communications service is obliged to notify the UOOU of this fact without undue delay. This notification must contain a description of the outcome of the breach of security and the technical protection measures the undertaking has adopted or proposes adopting. In the event the breach of security concerning a user's personal data pursuant to Subsection 4 above may affect the privacy of a natural person in a particularly serious manner, or if the undertaking providing a publicly available electronic communications service has failed to adopt measures that would remedy this situation and which would be sufficient to protect the personal data at risk in accordance with the assessment made by the UOOU, it shall also notify the natural person concerned and the UOOU. In this notification, the undertaking must describe the nature of the breach of security concerning personal data, a recommendation to carry out interventions to mitigate the impact of the breach of security concerning personal data and a contact information site.
An undertaking providing a publicly available electronic communications service must make a summary of breaches of security concerning personal data, including information on the circumstances of the breach, its impact and measures adopted to remedy the situation.
The undertaking providing a public communications network must notify the Czech Telecommunication Office ('CTU'), emergency call centres and the users, without undue delay, about any danger to the integrity and security of its network, its scope and reasons, including the remedial measures carried out or intended. The CTU can also decide to publish such information.
9.1. National activities subject to prior consultation/authorisation
The UOOU, pursuant to Article 35(5) of the GDPR, published, on 8 January 2020, an updated list of the categories of processing operations for which a Data Protection Impact Assessment ('DPIA') is required (only available in Czech here). This document does not provide a list of the types of processing that would require a DPIA to be carried out, but rather sets out criteria for deciding the level of risk to the rights and freedoms of data subjects connected with particular processing. These criteria include:
- monitoring of the data subjects;
- processing of critical data, data enabling direct identification and/or data of highly personal nature;
- processing of personal data which can expose the data subjects to a threat from the environment;
- large extent of the processing;
- monitoring of publicly accessible areas;
- processing which can be influenced by the data subject only to a limited extent;
- processing of publicly accessible personal data;
- processing within technologically complex or advanced infrastructures or platforms;
- processing with a link to another controller or processor; and
- use of innovative technological or organisational solutions.
Please note that the list contains additional requirements with regard to every criterion in order to determine whether the DPIA must be carried out or not.
Part of the document issued by the UOOU is also a list of operations which would not require a DPIA to be carried out (the White List). However, the UOOU states that the White List is not definitive and will be subject to further amendments with respect to newly obtained practical knowledge from the market and technological development. For more details see section 9.2 below.
The Czech Republic has not made use of the possibility under Article 36(5) of the GDPR to expand the situations that would require prior consultation.
9.2. National activities not subject to prior consultation/authorisation
Pursuant to Section 10 of the Act, a controller is not required to carry out a DPIA if it is required by law to perform such data processing. Otherwise, there are no national specifications with regard to either the DPIA or the prior consultation with the UOOU.
The White List published by the UOOU, as mentioned in section 9.1 above, provides that the following seven processing operations do not require a DPIA to be performed:
- processing of personal data of employees with their permanent place of employment within the territory of the Czech Republic carried out exclusively within the territory of the Czech Republic in order to comply with a legal obligation in the areas of accounting, payroll and personnel accounting, social and health insurance (the permanent place of employment means the place of employment at which the employee stays for more than four hours per shift);
- processing of employees' data with their permanent place of employment in the territory of the Czech Republic, if such processing does not also include the processing of biometric data, evaluation and scoring of the data subjects or systematic monitoring of the data subjects. HR agenda in this context does not include whistleblowing;
- processing of customers' data carried out entirely within the territory of the Czech Republic concerning a business activity (including loyalty cards, organising events, sending newsletters etc.), carried out exclusively in the Czech language and not containing processing of special categories of personal data, evaluation, scoring or systematic monitoring of the data subjects (with the exception provided under point 4 of the White List) (the business activity is therefore considered to be aimed predominantly or exclusively at the Member State whose language is used; see the ECJ judgment in case C-213/14);
- processing carried out in connection with a customer's single visit to a web page, including profiling of the customer based on their choice of particular goods or services from the offer on that web page of the controller. Such processing must not include processing of special categories of data or data of a highly personal nature, and must not aim at processing the personal data of vulnerable data subjects as a target group;
- processing carried out by persons providing health care services who are not in an employment relationship (i.e. health care provider as a sole entrepreneur) using the personal data exclusively in order to provide the health care services to the data subject (Recital 91 of the GDPR). Such processing must not include systematic transfers of the personal data to third countries, the processing must not include the engagement of any processor for certain processing activities nor shall the patients' personal data be shared/interconnected between two or more physicians;
- processing carried out by individual attorneys and/or notaries who are not in an employment relationship using the personal data necessary exclusively for the purpose of providing of the legal services to the data subject (Recital 91 of the GDPR). Such processing must not include systematic transfers of the personal data to third countries, the processing shall not include the engagement of any processor for certain processing activities nor shall the clients' personal data be shared/interconnected between two or more lawyers; and
- processing carried out by sole proprietors providing social services who are not in an employment relationship using the personal data exclusively in order to provide the social services. Such processing must not include systematic transfers of the personal data to third countries, the processing must not include the engagement of any processor for certain processing activities nor shall the clients' personal data be shared/interconnected between two or more providers of social services.
Please note that this is an overview and a detailed case-by-case assessment is necessary. The White List is also subject to further amendments by the UOOU.
10.1. National implementation of Article 89 of the GDPR
The Act does not implement any new provisions, but for exemptions on data subjects' rights in relation to these purposes see sections 3, 4 and 6 above. The Amending Act does, however, amend Act No. 499/2004 Coll. on Archiving and Records Management and on the Amendment of Selected Acts, and provides for a new statutory basis for the processing of particular categories of personal data; it also limits data subjects' right of access (Article 15 of the GDPR) and restricts other rights of data subjects (namely, Articles 16 and 18-21 of the GDPR do not apply in this case).
Section 61 of the Act classifies as an administrative offence the unlawful publication of personal data where the prohibition of disclosure is stipulated by law (currently only Act No. 141/1961 Coll., Criminal Procedure Code (only available in Czech here), which bans the unlawful publishing of wiretapping records/transcripts). Fines may amount to approx. €40,000, and a maximum fine of approx. €200,000 is provided if this administrative offence is carried out through print, film, radio, television, a publicly accessible computer network or other similarly effective means.
Section 61(3) of the Act provides in accordance with Article 83(7) of the GDPR that no sanction shall be imposed on public authorities and bodies established in the Czech Republic. The general rules on sanctions provided by the GDPR apply in the remaining cases.
No new criminal penalties are planned to be introduced.
12. OTHER SPECIFIC JURISDICTIONAL ISSUES
Part III of the Act imposes many of the obligations related to the protection of personal data also on state authorities when pursuing prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties in accordance with the Law Enforcement Directive.
Finally, the Act stipulates that for any other processing of personal data that is out of the scope of the GDPR, out of the scope of the law of the EU, and not regulated by the Law Enforcement Directive, the GDPR and the Act (as described above excluding its Part III) applies, too.