
Data Protection Laws and Regulations in the Czech Republic

Data Protection Comparative Guide: 2024

Contributed by Rowan Legal.

What are the primary data protection-related laws and regulations in the Czech Republic?

Since the Czech Republic is an EU Member State, Regulation 2016/679 of the European Parliament and of the Council of April 27, 2016 (GDPR) is the major regulation applicable in this area.

In terms of national law, the relevant act is Act No. 110/2019 Coll., on the Processing of Personal Data, which, for example, provides for exceptions to the general legal framework where the GDPR allows it and implements Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016.

Some data protection-related topics are covered by specific regulations, such as Act No. 127/2005 Coll., on Electronic Communications, which applies to the use of cookies and other tracking technologies, telemarketing, and data retention. The rules for sending commercial communications in emails or by SMS are stipulated by the so-called Anti-Spam Act, Act No. 480/2004 Coll., on certain Information Society Services.

What are the other primary definitions outlined in the legislation within your jurisdiction (among others, data processing, data processor, data controller, data subject, personal data, sensitive personal data, consent, or equivalent)?

The definitions apply in principle to the extent defined in the GDPR.

Which entities fall under the data privacy regulations in the Czech Republic?

In general, all entities, including governmental bodies that process personal data, fall under the GDPR or under Act No. 110/2019 Coll., on the Processing of Personal Data.

Do specific sectors or types of data have distinct regulatory regimes within your jurisdiction? If so, which?

The general framework is set out in the GDPR and Act No. 110/2019 Coll., on the Processing of Personal Data. However, there are sectoral legal regulations that impose an obligation on the affected entities to process personal data (e.g., AML laws, legislation relating to the provision of health services and the maintenance of medical records, legal duties of confidentiality).

What rights do data subjects have under the data protection regulations in the Czech Republic?

Data subjects have the same rights as provided by the GDPR. Act No. 110/2019 Coll. introduces certain exceptions and nuances regarding processing for journalistic purposes or for the purposes of academic, artistic, or literary expression. The first one is the exemption from the rights to rectification, erasure, and restriction of processing, which are governed by separate legislation.

The second exception concerns the limitation of the right to object. This right may be invoked only against a specific disclosure or publication of personal data. The data subject must provide reasons demonstrating that, in the specific case, the legitimate interest in protecting their rights and freedoms outweighs the interest in disclosure or publication.

What is the territorial application of the data privacy regime in your jurisdiction?

There is no deviation from the GDPR in the Czech legislation. The GDPR applies to the EU and compliance with it in the Czech Republic is supervised by the Office for Personal Data Protection.

Within a one-stop-shop regime, the Czech data protection authority oversees compliance with data protection laws within the country, ensuring that controllers and processors seated in the Czech Republic handle personal data in accordance with the regulations.

What are the key factors and considerations to adhere to when engaging in personal data processing within your jurisdiction?

There are no distinct or specific key factors and considerations applicable to the processing of personal data in the Czech Republic.

The main obligation is to define the purposes of the processing, to draft privacy policies for the affected data subjects (e.g., customers, employees), and to prepare other documentation.

Are there regulations and best practices concerning the retention and deletion of personal data in the Czech Republic?

The Czech DPA requires controllers to inform data subjects of the retention period in a way that is comprehensible to the average consumer. While the period does not need to be precisely defined, it is essential to outline the criteria that guide its determination.

Moreover, some retention periods are also stipulated by pertinent laws.

Who serves as the regulatory authority(s) in your jurisdiction regarding data protection?

The Office for Personal Data Protection (Úřad pro ochranu osobních údajů) is the supervisory authority with general competence regarding data protection in the Czech Republic.

However, other supervisory authorities may also be active in certain areas. This is the case of the Czech Telecommunications Office, which is the competent authority for compliance with telemarketing rules. In the case of employee monitoring, the competent authority is the State Labor Inspection Office.

Is the appointment of a data protection officer mandatory for certain organizations or sectors in the Czech Republic, and under what conditions?

Article 37 of the GDPR sets out the conditions under which an organization must appoint a data protection officer. These conditions remain the same in the Czech Republic. This means that the appointment of a data protection officer is necessary for public authorities and public bodies or when data subjects are regularly and systematically monitored on a large scale or sensitive data such as health data or data relating to criminal convictions and offenses is processed.

How should data breaches be handled in your jurisdiction?

The procedure in the event of a data breach is identical to that set out in the GDPR. The controller is obligated to notify the breach of personal data to the supervisory authority within 72 hours after having become aware of it. If the breach is likely to result in a high risk for data subjects, the controller must also inform them.

In addition, in some cases, sectoral legislation sets out additional requirements for notifying supervisory authorities. Companies, particularly those operating critical infrastructure, may be required to report data breaches to the National Cyber and Information Security Agency, and financial institutions are in some cases required to notify data breaches to the Czech National Bank.

What are the potential penalties and fines for non-compliance with data protection regulations in the Czech Republic?

For failure to comply with data protection regulations, data controllers or processors may be subject to administrative fines of up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year.

The highest fine imposed by the Czech DPA as of April 2024 was EUR 14.1 million.

The Czech Republic utilized the possibility to set different fines for public authorities and public bodies. According to Act No. 110/2019 Coll., the supervisory authority will refrain from imposing a fine on them.

Are there any noticeable patterns or trends in how enforcement is carried out in the Czech Republic?

As noted above, the competent supervisory authority is the Office for Personal Data Protection. The primary mechanism for overseeing and enforcing GDPR compliance is through inspections and audits.

These inspections are initiated either pursuant to a predetermined inspection plan or in response to a complaint lodged by an individual regarding their personal data or following a data breach.

Current decision-making trends indicate that the supervisory authority consistently adheres to the guidance provided by the European Data Protection Board in determining penalties for GDPR violations. Consequently, the assessment of fines is rigorously guided by the turnover criterion in compliance with the EDPB’s guidelines.

The traditional area in which the Czech DPA is active is compliance with the rules on transmitting commercial communications, as this is also where it receives the most complaints. In the Czech Republic, commercial communications may be transmitted either with prior consent or, without prior consent, only to one's own customers and only if other conditions are met.

Over the past two years, the DPA has also been very active in monitoring and regulating the use of cookies on websites.

How do emerging technologies such as AI, IoT, and blockchain impact data protection considerations in the Czech Republic?

The Czech Republic is currently preparing to adopt European regulations governing artificial intelligence (AI Act) and the disclosure of personal and non-personal data (Data Act). Consequently, we expect increased activity in this area.

Are there any expected changes in data protection on the horizon in the next 12 months in the Czech Republic?

Changes directly relating to data protection are not anticipated within the next 12 months in the Czech Republic. However, the Digital Economy Bill is currently under discussion. This legislation is expected to enact significant modifications concerning the transmission of commercial communications and regulations governing the dissemination of commercial communications via electronic channels.

This new legislation is expected to establish a maximum duration during which commercial communications can be transmitted to customers without their prior consent. This marks a departure from the current scenario where no statutory time limit exists, leaving it to data controllers to establish the duration in accordance with other principles of data protection legislation.


Guide Contributors For the Czech Republic

Michal Nulicek, Partner
nulicek@rowan.legal
+420 603 180 360

Filip Benes, Senior Associate
benes@rowan.legal
+420 725 159 045