Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Both the data controller and the data processor are responsible for adopting appropriate measures to prevent any unauthorised or accidental access to or alteration or other abuse of the personal data (even after terminating the data processing). To that end, the data controller or data processor will conduct relevant risk assessments concerning:

  • the performance of instructions relating to data processing by persons with direct access to personal data;
  • the prevention of unauthorised access to personal data and the means of processing;
  • the unauthorised accessing, creation, copying, transfer, alteration or deletion of personal data; and
  • the measures enabling identification of the parties to whom personal data was provided.

In regards to automatic processing systems, the data controller and data processor must also ensure that:

  • the systems may be used only by authorised persons;
  • the authorised persons have only the necessary access rights;
  • electronic auditing enables the identification of who has accessed (or created) personal data and when and why they did so; and
  • unlawful access to data carriers is restricted.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

There is no general obligation under Czech law to notify data subjects of personal data security breaches, unless it is a breach in the telecommunications sector that is capable of seriously affecting the data subject’s privacy. However, a general obligation to notify data subjects can be deduced from the obligation to prevent damages that is imposed by the Civil Code (ie, in any case that such notification would effectively reduce the impact of the data breach).

However, this is subject to change by mid-2018, when the General Data Protection Regulation comes into force. Under this regulation, the data controller must communicate a personal data breach to the data subject without undue delay if it is likely to result in a high risk to individuals’ rights and freedoms.

Are data owners/processors required to notify the regulator in the event of a breach?

There is no general obligation under Czech law to notify personal data security breaches to the Office for the Protection of Personal Data, unless it is a breach in the telecommunications sector.

However, this will change by mid-2018, when the General Data Protection Regulation comes into force, under which there will be a general obligation for data controllers to notify the breach to the supervisory authority no later than 72 hours after learning of it.

Click here to view the full article.