Jurisdiction snapshot

Trends and climate
Would you consider your national data protection laws to be ahead or behind of the international curve?

The Czech Republic’s data protection laws are mostly part of the EU harmonised privacy regulation system and as such are considered to be rather rigorous on the international scale. 

Are any changes to existing data protection legislation proposed or expected in the near future?

The so-called ‘European data protection revolution’ is nearly over. The outcome is the EU General Data Protection Regulation, which unifies data protection across all EU member states. The final version of the General Data Protection Regulation was approved by the European Parliament and the Council in April 2016 and is due to be published in theOfficial Journal of the European Union shortly. The General Data Protection Regulation will then enter into force on May 24 2018.

Although the regulation will have direct effect in member states, Czech law will need to be amended in order to implement newly regulated processes. Detailed information about the proposed obligations is not yet available.

Legal framework

Legislation
What legislation governs the collection, storage and use of personal data?

The Act on the Protection of Personal Data (101/2000 Coll, April 4 2000), as amended, governs the collection, storage and use of personal data in the Czech Republic. The act implements the Charter of Fundamental Rights and Freedoms of the Czech Republic and EU Directive 95/46/EC on the protection of individuals, with regard to the processing of personal data and the free movement of such data.

Scope and jurisdiction
Who falls within the scope of the legislation?

The Protection of Personal Data Act applies to personal data processed by state authorities, territorial self‑administration bodies, other public authority bodies and natural and legal persons. The entities covered by the act are defined as:

  • the ‘data controller’, which determines the purpose and means of data processing and carries out and is responsible for such processing; and
  • the ‘data processor’, which processes personal data by way of a special law or the data controller’s authorisation.

Although only data controllers or data processors that are permanently established within the Czech territory primarily fall within the scope of the Protection of Personal Data Act, the processing of personal data by any data controller that occurs within the Czech territory also falls within the scope of the act (unless the processing consists only of the transit of data through the European Union).

What kind of data falls within the scope of the legislation?

The Protection of Personal Data Act covers personal data relating to natural persons. It does not cover data relating to legal persons. ‘Personal data’ is any information relating to an identified or identifiable data subject, including an individual’s name, address, photograph, telephone number or bank account number.

In addition to ‘ordinary’ personal data, the act distinguishes so-called ‘sensitive’ personal data, which is defined as data relating to an individual’s:

  • nationality;
  • racial or ethnic origin;
  • political attitudes;
  • trade union membership;
  • religious and philosophical beliefs;
  • criminal convictions;
  • health status;
  • genetics; or
  • sexuality.

‘Sensitive’ personal data also includes any biometric data enabling the direct identification or authentication of the data subject.

Sensitive personal data is subject to stricter processing conditions than ordinary personal data.

Are data owners required to register with the relevant authority before processing data?

The data controller is responsible for notifying the Office for the Protection of Personal Data before commencing the intended processing. Certain exceptions to this general rule apply if the processing:

  • relates to personal data that is part of data files that are publicly accessible by way of a special law (eg, the Commercial Register);
  • is imposed on the data controller by a special law, or where the personal data is needed to exercise rights and obligations deriving from a special law (this exemption is quite common – for example, in an employment relationship or when processing telecommunications data); or
  • pursues political, philosophical, religious or trade union aims carried out within the scope of an association’s legitimate activity. The processing must relate only to members of the association or persons with whom the association is in regular contact in relation to its legitimate activity. The personal data must not be disclosed without the data subject’s consent.

Is information regarding registered data owners publicly available?

The Office for the Protection of Personal Data maintains the Public Register of the Processing of Personal Data, which contains all registered processings.

The register is accessible at www.uoou.cz/verejny-registr-zpracovani-osobnich-udaju.asp.

Is there a requirement to appoint a data protection officer?

A data protection officer is not recognised by the Protection of Personal Data Act. As such, there is no requirement to appoint a data protection officer.

However, this is subject to change by mid-2018, when the EU General Data Protection Regulation comes into force.

Enforcement
Which body is responsible for enforcing data protection legislation and what are its powers?

The Office for the Protection of Personal Data is responsible for enforcing data protection legislation. It may carry out targeted inspections on its own initiative or investigate complaints that it receives. The office may carry out on-site investigations and the data controller must provide all necessary information on request and cooperate with the office throughout the investigation.

If the office identifies any breach of the Protection of Personal Data Act, remedial measures may be imposed, including the deletion of data or cessation of the processing. The data controller may appeal to the president of the office (and subsequently to the administrative court).

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

In general, personal data may be processed (ie, collected, stored, disclosed, modified or transferred) either with the data subject’s consent or under one of the statutory exemptions allowing the data controller or data processor to do so without consent. The data subject must be informed and instructed of his or her rights in regards to the processing of his or her personal data. Moreover, the data controller must comply with the security obligation provided for by the Protection of Personal Data Act. Finally, the data controller must notify the Office for the Protection of Personal Data about each processing stage, unless that particular stage falls within one of the statutory exemptions.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The leading principle in Czech law is that a data controller may retain personal data only for as long as is necessary to fulfil the purpose for which it is being processed. Once this purpose has expired, the data should be deleted. The purpose must be defined by the data controller in compliance with other general legal requirements, and the retention period must be adequate and reasonable in the context of the stated purpose. In many cases, the purpose is defined by specific laws and regulations that usually provide for the retention period.

The general exemption provided for by the Protection of Personal Data Act is that personal data may be retained for the purpose of state statistical services, scientific purposes and archiving. However, the data subject’s right to protection from unjustified interference in his or her personal life must still be observed and the data must still be anonymised as soon as possible.

Specific laws provide for special retention periods in various areas such as:

  • taxation and accounting;
  • telecommunications;
  • healthcare;
  • social security and pension systems; and
  • financial services.

Do individuals have a right to access personal information about them that is held by an organisation?

Under the Protection of Personal Data Act, the data subject has the right to access information about his or her personal data that is processed by the data controller or data processor. This information must be provided by the data controller on the data subject’s request and includes:

  • the purpose of processing the personal data;
  • the personal data or types of personal data to be processed, including all available information on the source of the data;
  • the nature of the automated processing (if applicable); and
  • the recipients or types of recipient.

Do individuals have a right to request deletion of their data?

Data subjects who find or presume that the data controller or data processor is processing their personal data in a manner that contradicts the protection of their personal life or the law (in particular, if the purpose of processing the personal data is inaccurate) can:

  • ask the data controller or data processor for an explanation; or
  • require the data controller or data processor to block, correct, supplement or delete the personal data.

Consent obligations
Is consent required before processing personal data?

Consent constitutes the principal legal basis for the processing of personal data and any other legal ground is considered to be an exemption from that principle.

‘Consent’ for the processing of ordinary personal data is informed consent that is freely given in a genuine, specific and comprehensible manner. ‘Consent’ in regards to the processing of sensitive personal data is beyond this.

It is common malpractice for data controllers to have incomplete information on the data processing or to misjudge that there is no obvious alternative following the refusal of consent.

If consent is not provided, are there other circumstances in which data processing is permitted?

Without the data subject’s consent, the data controller may process the personal data only if the processing:

  • is essential to enable the data controller to comply with its legal obligations;
  • is essential for the fulfilment of a contract to which the data subject is a contracting party or for negotiations on the conclusion or alteration of a contract that were proposed by the data subject;
  • is essential for the protection of interests that are of vital importance to the data subject (in this case, consent must be obtained without undue delay. If consent is not granted, the data controller must terminate the processing and delete the data);
  • concerns personal data that was lawfully published pursuant to special legislation (in this case, the processing must not prejudice the data subject’s right to the protection of his or her personal life);
  • is essential for the protection of the rights and legitimate interests of the data controller, recipient or other concerned person (in this case, the processing must not prejudice the data subject’s right to the protection of his or her personal life);
  • involves personal data relating to a publicly active person, official or public administration employee that reveals information on his or her public or administrative activity, function or position; or
  • relates exclusively to archival purposes pursuant to a special law.

The processing of sensitive data may be carried out without the data subject’s consent only if one or more of the following conditions are met:

  • It is necessary in order to preserve the life or health of the data subject or other person, or to eliminate imminent serious danger to his or her property, and consent cannot be obtained – in particular, due to physical, mental or legal incapacity or the absence of the data subject (the data controller must terminate the data processing as soon as these reasons cease to exist and delete the data, unless the data subject gives his or her consent to the continuation of the processing).
  • It relates to ensuring healthcare, public health protection, health insurance or the exercise of public administration in the health sector pursuant to a special law, or to a health assessment in other cases that is provided for by a special law (eg, the Act on Healthcare).
  • It is necessary in order to comply with the obligations and rights of the data controller responsible for processing in the areas of labour law or employment, as governed by a special law.
  • It pursues political, philosophical, religious or trade union aims and:
    • it is carried out within the scope of a legitimate activity of a civil association, foundation or other legal person of a non-profit nature;
    • it relates only to the above’s members or persons with whom it is in regular contact in relation to its legitimate activity; and
    • the personal data is not disclosed without the data subject’s consent;
  • The data processed pursuant to a special law is necessary to administer health insurance, social insurance (ie, security), state social support or other state social benefits, social care or the social and legal protection of children, and the protection of this data is in accordance with the law.
  • It concerns personal data published by the data subject.
  • It is necessary in order to secure and exercise legal claims.
  • It relates exclusively to archival purposes pursuant to a special archiving law.
  • It relates exclusively to special activities conducted for the prevention, search and detection of criminal activities and their prosecution or the search for persons.

What information must be provided to individuals when personal data is collected?

Unless the data subject already has this information, the data controller must advise the data subject on:

  • the scope of the personal data to be processed;
  • the purpose of processing;
  • who will process the data and in what manner; and
  • to whom the data may be disclosed.

The data controller must also inform the data subject of his or her rights to:

  • access the data;
  • ask the data controller or data processor for an explanation; and
  • have the data blocked, corrected, supplemented or deleted if its processing contradicts the law.

If the data is processed with consent, the data subject must be informed when giving consent of:

  • the purpose of processing;
  • the data that will be processed;
  • the data controller that will process the data; and
  • the period that the consent is for.

If the data controller processes personal data obtained from the data subject, it is obliged to instruct the data subject on whether the provision of the data is obligatory or voluntary. If the data subject is obliged to provide personal data for processing pursuant to a special law, the data controller must instruct the data subject on this fact and on the consequences of refusal to provide the data.

Data security and breach notification

Security obligations
Are there specific security obligations that must be complied with?

Both the data controller and the data processor are responsible for adopting appropriate measures to prevent any unauthorised or accidental access to or alteration or other abuse of the personal data (even after terminating the data processing). To that end, the data controller or data processor will conduct relevant risk assessments concerning:

  • the performance of instructions relating to data processing by persons with direct access to personal data;
  • the prevention of unauthorised access to personal data and the means of processing;
  • the unauthorised accessing, creation, copying, transfer, alteration or deletion of personal data; and
  • the measures enabling identification of the parties to whom personal data was provided.

In regards to automatic processing systems, the data controller and data processor must also ensure that:

  • the systems may be used only by authorised persons;
  • the authorised persons have only the necessary access rights;
  • electronic auditing enables the identification of who has accessed (or created) personal data and when and why they did so; and
  • unlawful access to data carriers is restricted.

Breach notification
Are data owners/processors required to notify individuals in the event of a breach?

There is no general obligation under Czech law to notify data subjects of personal data security breaches, unless it is a breach in the telecommunications sector that is capable of seriously affecting the data subject’s privacy. However, a general obligation to notify data subjects can be deduced from the obligation to prevent damages that is imposed by the Civil Code (ie, in any case that such notification would effectively reduce the impact of the data breach).

However, this is subject to change by mid-2018, when the General Data Protection Regulation comes into force. Under this regulation, the data controller must communicate a personal data breach to the data subject without undue delay if it is likely to result in a high risk to individuals’ rights and freedoms.

Are data owners/processors required to notify the regulator in the event of a breach?

There is no general obligation under Czech law to notify personal data security breaches to the Office for the Protection of Personal Data, unless it is a breach in the telecommunications sector.

However, this will change by mid-2018, when the General Data Protection Regulation comes into force, under which there will be a general obligation for data controllers to notify the breach to the supervisory authority no later than 72 hours after learning of it.

Electronic marketing and internet use

Electronic marketing
Are there rules specifically governing unsolicited electronic marketing (spam)?

In general, the opt-out principles concerning direct marketing apply in the Czech Republic. Under the Act on the Protection of Personal Data, if the data controller or data processor carries out personal data processing for the purpose of offering business opportunities or services to the data subject, the data subject's first name, surname and address may be used for this purpose without consent – provided that the data was acquired from a public list or in relation to the data controller or data processor’s activity and the data subject has not expressed his or her disagreement therewith.

Conversely, the Act on Certain Information Society Services provides for an opt-in mechanism regarding the use of electronic contact details (eg, email addresses, telephone numbers, instant messaging numbers and Skype numbers). Thus, electronic contact details cannot be used for commercial communication without the data subject’s prior consent, subject to one exception: the email address of an existing customer (ie, a person with whom the sender has previously conducted business) can be used for that purpose until the customer rejects the sending of future commercial communications, if this was not rejected from the outset.

Cookies
Are there rules governing the use of cookies?

The use of cookies is regulated by the Act on Electronic Communications, which is intended to implement the so-called ‘cookie clause’ of the EU e-Privacy Directive. Unlike the e-Privacy Directive, the act provides for an opt-out (and not an opt-in) requirement. In particular, the use of cookies is permitted if:

  • the user or subscriber has been informed of the purposes of the data processing and his or her rights; and
  • the data controller has offered the user or subscriber the possibility of opting out before installing the cookies.

However, this obligation does not apply to activities relating to the use of cookies for the purposes of performing or facilitating message transmission via the electronic communications network. It also does not apply to cases where the use of cookies is needed for the provision of a service explicitly requested by the user (eg, the shopping cart in an online store).

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Under the Data Protection Act, personal data may be transferred outside the Czech jurisdiction only if there are no applicable restrictions or the following additional conditions are fulfilled:

  • The data exporter uses standard contractual clauses as approved by the European Commission.
  • The data exporter obtained the Office for the Protection of Personal Data’s prior authorisation.

The Office for the Protection of Personal Data will grant authorisation only if binding corporate rules are to be used or at least one of the conditions below applies:

  • The data subject has consented to the transfer.
  • The transfer involves personal data available in a public registry pursuant to a specific law.
  • The transfer is necessary for the purposes of an important public interest in accordance with either a specific law or an international treaty binding on the Czech Republic.
  • The transfer is necessary for negotiations concerning the execution or variation of an agreement initiated at the data subject’s request or for the performance of an agreement to which the data subject is a party.
  • The transfer is necessary for the performance of an agreement concluded in the data subject’s interest between the data controller and a third party or for the purposes of exercising a legal claim.
  • The transfer is necessary to protect the rights or vitally important interests of the data subject (eg, preservation of the data subject’s life or health).

Are there restrictions on the geographic transfer of data?

No restrictions apply to data transfers to:

  • EU member states;
  • signatory states of the European Council’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108); or
  • ‘countries with adequate level of protection’ as officially recognised by the European Commission.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Under the Act on the Protection of Personal Data, the data controller must inform the data subject of who will process the personal data and the parties to whom it may be disclosed.

Further, where authorisation stems from a legal regulation, the data controller must conclude with the data processor a written agreement on personal data processing. In particular, the agreement must explicitly stipulate the scope, purpose and period of time for which it is concluded and contain guarantees by the data processor relating to technical and organisational protection of the personal data.

Penalties and compensation

Penalties
What are the potential penalties for non-compliance with data protection provisions?

The following breaches of the Act on the Protection of Personal Data constitute administrative offences and may incur fines:

  • A natural person breaching confidentiality may incur a fine of up to Kr100,000 (approximately €3,700).
  • A natural person acting as a data controller may incur a fine of up to Kr1 million (approximately €37,000).
  • A legal person acting as a data controller may incur a fine of up to Kr5 million (approximately €185,000).
  • A natural person endangering a larger number of persons by unlawful intrusion of privacy or breach of obligations concerning the processing of sensitive personal data may incur a fine of up to Kr5 million (approximately €185,000).
  • A legal person endangering a larger number of persons by unlawful intrusion of privacy or breach of obligations concerning the processing of sensitive personal data may incur a fine of up to Kr10 million (approximately €370,000).

In addition, criminal penalties might apply in case of unlawful use or disclosure of personal data, including up to eight years’ imprisonment in extreme cases.

Compensation
Are individuals entitled to compensation for loss suffered as a result of a data breach or non-compliance with data protection provisions by the data owner?

Individuals are entitled to compensation for any loss (material or immaterial) caused as a result of an action that violates the Act on the Protection of Personal Data. Such individuals may claim damages from the data controller (and the data processor, which is jointly and severally liable) on the basis of civil liability.

Cybersecurity

Cybersecurity legislation, regulation and enforcement
Has legislation been introduced in your jurisdiction that specifically covers cybercrime and/or cybersecurity?

Cybercrime and cybersecurity in the Czech Republic are covered by the Act on Cybernetic Security (181/2014 Coll, July 23 2014). This act has been applicable since January 1 2015 and mainly regulates measures and processes to prevent and minimise the impact of cyber-attacks on critically important information systems.

There are also two Act on Cybernetic Security implementing regulations.

What are the other significant regulatory considerations regarding cybersecurity in your jurisdiction (including any international standards that have been adopted)?

There has been significant discussion about intended changes to the Act on Cybernetic Security due to regulations to be introduced by the EU Network and Information Security Directive. This directive will likely be approved in mid-2016 and member states must adjust their national legislation to comply with it by 2018. The major change proposed is to the scope of affected entities, which has been expanded to include service providers in the energy, transport, banking, financial markets, health and digital infrastructure sectors, as well as entities operating online marketplaces, online search engines and cloud computing services.

In regards to international standards, it is possible to partially comply with the Act on Cybernetic Security by obtaining ISO/IEC 20000 or ISO/IEC 27001 certification.

Which cyber activities are criminalised in your jurisdiction?

The Penal Code specifies three crimes expressly connected to cyberspace:

  • unauthorised access to computer systems and information media (commonly known as ‘hacking’);
  • procurement and possession of access devices and computer system passwords and other such data (this crime is committed once the perpetrator acts with the intention of violating confidentiality of messages or hacking); and
  • damage to computer systems and information media records and intervention with computer equipment due to negligence. In extreme cases, the offender may receive a prison sentence of up to two years, disqualification or forfeiture of items.

However, a large number of cybercrimes (eg, phishing attacks) are still prosecuted as common crimes (ie, not specific to cyberspace) such as fraud. In addition, cyber-attacks on public infrastructure may be punished under special laws regulating the protection of such infrastructure, irrespective of the nature of the attack.

Which authorities are responsible for enforcing cybersecurity rules?

In general, the authority responsible for enforcing the Act on Cybernetic Security is the National Security Authority. 

Cybersecurity best practice and reporting
Can companies obtain insurance for cybersecurity breaches and is it common to do so?

It is generally uncommon for companies to obtain insurance for cybersecurity breaches. However, the first cybersecurity products have appeared on the insurance market.

Are companies required to keep records of cybercrime threats, attacks and breaches?

The Act on Cybernetic Security lists the categories of entity that are subject to the cybersecurity rules – in particular:

  • providers of electronic communications services and subjects securing electronic communications networks (eg, mobile operators and internet service providers);
  • entities securing fundamental networks (ie, direct cross-border connections with the public communication network or critical information infrastructure); and
  • critical infrastructure information and communication systems administrators.

Under current law, only the entities listed in the first and second points must detect threats to the security or integrity of the information in the information or communication systems and actual cybernetic security incidents.

Are companies required to report cybercrime threats, attacks and breaches to the relevant authorities?

The following entities must report actual (not potential) cybernetic security incidents:

  • entities securing fundamental networks (ie, direct cross-border connections with the public communication network or critical information infrastructure); and
  • critical infrastructure information and communication systems administrators.

These entities must submit their reports to the appropriate computer emergency response team (the National Security Authority for critical infrastructure information and communication systems administrators).

Are companies required to report cybercrime threats, attacks and breaches publicly?

If the affected company (or other affected entity) must report cybercrime threats, attacks or breaches, it must submit the report directly to the National Security Authority. The National Security Authority must publish all reported cybernetic security incidents, which it does on its website at www.nbu.cz. 

Criminal sanctions and penalties
What are the potential criminal sanctions for cybercrime?

In extreme cases, the penalty for unauthorised access to computer systems and information media may include disqualification, forfeiture of items or up to eight years’ imprisonment.

Similarly, the procurement and possession of access devices, computer system passwords and other such data may – in extreme cases – result in disqualification, forfeiture of items or up to five years’ imprisonment.

For negligence resulting in damage to computer systems and information media records and intervention with computer equipment, the offender may – in extreme cases – face disqualification, forfeiture of items or up to two years’ imprisonment.

What penalties may be imposed for failure to comply with cybersecurity regulations?

Legal persons or entrepreneurs falling within the scope of the Act on Cybernetic Security that do not comply with their obligations to implement security measures, report cybernetic incidents and implement measures to minimise the impact of cybernetic incidents – among other things – may incur fines of up to Kr100,000 (approximately €3,700).