Use the Lexology Navigator tool to compare the answers in this article with those from other jurisdictions.

Collection and storage of data

Collection and management
In what circumstances can personal data be collected, stored and processed?

In general, personal data may be processed (ie, collected, stored, disclosed, modified or transferred) either with the data subject’s consent or under one of the statutory exemptions allowing the data controller or data processor to do so without consent. The data subject must be informed and instructed of his or her rights in regards to the processing of his or her personal data. Moreover, the data controller must comply with the security obligation provided for by the Protection of Personal Data Act. Finally, the data controller must notify the Office for the Protection of Personal Data about each processing stage, unless that particular stage falls within one of the statutory exemptions.

Are there any limitations or restrictions on the period for which an organisation may (or must) retain records?

The leading principle in Czech law is that a data controller may retain personal data only for as long as is necessary to fulfil the purpose for which it is being processed. Once this purpose has expired, the data should be deleted. The purpose must be defined by the data controller in compliance with other general legal requirements, and the retention period must be adequate and reasonable in the context of the stated purpose. In many cases, the purpose is defined by specific laws and regulations that usually provide for the retention period.

The general exemption provided for by the Protection of Personal Data Act is that personal data may be retained for the purpose of state statistical services, scientific purposes and archiving. However, the data subject’s right to protection from unjustified interference in his or her personal life must still be observed and the data must still be anonymised as soon as possible.

Specific laws provide for special retention periods in various areas such as:

  • taxation and accounting;
  • telecommunications;
  • healthcare;
  • social security and pension systems; and
  • financial services.

Back to top
Do individuals have a right to access personal information about them that is held by an organisation?
Czech Republic
Havel, Holásek & Partners s.r.o.

Under the Protection of Personal Data Act, the data subject has the right to access information about his or her personal data that is processed by the data controller or data processor. This information must be provided by the data controller on the data subject’s request and includes:

  • the purpose of processing the personal data;
  • the personal data or types of personal data to be processed, including all available information on the source of the data;
  • the nature of the automated processing (if applicable); and
  • the recipients or types of recipient.

Do individuals have a right to request deletion of their data?

Data subjects who find or presume that the data controller or data processor is processing their personal data in a manner that contradicts the protection of their personal life or the law (in particular, if the purpose of processing the personal data is inaccurate) can:

  • ask the data controller or data processor for an explanation; or
  • require the data controller or data processor to block, correct, supplement or delete the personal data.

Consent obligations
Is consent required before processing personal data?

Consent constitutes the principal legal basis for the processing of personal data and any other legal ground is considered to be an exemption from that principle.

‘Consent’ for the processing of ordinary personal data is informed consent that is freely given in a genuine, specific and comprehensible manner. ‘Consent’ in regards to the processing of sensitive personal data is beyond this.

It is common malpractice for data controllers to have incomplete information on the data processing or to misjudge that there is no obvious alternative following the refusal of consent.

If consent is not provided, are there other circumstances in which data processing is permitted?

Without the data subject’s consent, the data controller may process the personal data only if the processing:

  • is essential to enable the data controller to comply with its legal obligations;
  • is essential for the fulfilment of a contract to which the data subject is a contracting party or for negotiations on the conclusion or alteration of a contract that were proposed by the data subject;
  • is essential for the protection of interests that are of vital importance to the data subject (in this case, consent must be obtained without undue delay. If consent is not granted, the data controller must terminate the processing and delete the data);
  • concerns personal data that was lawfully published pursuant to special legislation (in this case, the processing must not prejudice the data subject’s right to the protection of his or her personal life);
  • is essential for the protection of the rights and legitimate interests of the data controller, recipient or other concerned person (in this case, the processing must not prejudice the data subject’s right to the protection of his or her personal life);
  • involves personal data relating to a publicly active person, official or public administration employee that reveals information on his or her public or administrative activity, function or position; or
  • relates exclusively to archival purposes pursuant to a special law.

The processing of sensitive data may be carried out without the data subject’s consent only if one or more of the following conditions are met:

  • It is necessary in order to preserve the life or health of the data subject or other person, or to eliminate imminent serious danger to his or her property, and consent cannot be obtained – in particular, due to physical, mental or legal incapacity or the absence of the data subject (the data controller must terminate the data processing as soon as these reasons cease to exist and delete the data, unless the data subject gives his or her consent to the continuation of the processing).
  • It relates to ensuring healthcare, public health protection, health insurance or the exercise of public administration in the health sector pursuant to a special law, or to a health assessment in other cases that is provided for by a special law (eg, the Act on Healthcare).
  • It is necessary in order to comply with the obligations and rights of the data controller responsible for processing in the areas of labour law or employment, as governed by a special law.
  • It pursues political, philosophical, religious or trade union aims and:
    • it is carried out within the scope of a legitimate activity of a civil association, foundation or other legal person of a non-profit nature;
    • it relates only to the above’s members or persons with whom it is in regular contact in relation to its legitimate activity; and
    • the personal data is not disclosed without the data subject’s consent;
  • The data processed pursuant to a special law is necessary to administer health insurance, social insurance (ie, security), state social support or other state social benefits, social care or the social and legal protection of children, and the protection of this data is in accordance with the law.
  • It concerns personal data published by the data subject.
  • It is necessary in order to secure and exercise legal claims.
  • It relates exclusively to archival purposes pursuant to a special archiving law.
  • It relates exclusively to special activities conducted for the prevention, search and detection of criminal activities and their prosecution or the search for persons.

What information must be provided to individuals when personal data is collected?

Unless the data subject already has this information, the data controller must advise the data subject on:

  • the scope of the personal data to be processed;
  • the purpose of processing;
  • who will process the data and in what manner; and
  • to whom the data may be disclosed.

The data controller must also inform the data subject of his or her rights to:

  • access the data;
  • ask the data controller or data processor for an explanation; and
  • have the data blocked, corrected, supplemented or deleted if its processing contradicts the law.

If the data is processed with consent, the data subject must be informed when giving consent of:

  • the purpose of processing;
  • the data that will be processed;
  • the data controller that will process the data; and
  • the period that the consent is for.

If the data controller processes personal data obtained from the data subject, it is obliged to instruct the data subject on whether the provision of the data is obligatory or voluntary. If the data subject is obliged to provide personal data for processing pursuant to a special law, the data controller must instruct the data subject on this fact and on the consequences of refusal to provide the data.

Data transfer and third parties

Cross-border data transfer
What rules govern the transfer of data outside your jurisdiction?

Under the Data Protection Act, personal data may be transferred outside the Czech jurisdiction only if there are no applicable restrictions or the following additional conditions are fulfilled:

  • The data exporter uses standard contractual clauses as approved by the European Commission.
  • The data exporter obtained the Office for the Protection of Personal Data’s prior authorisation.

The Office for the Protection of Personal Data will grant authorisation only if binding corporate rules are to be used or at least one of the conditions below applies:

  • The data subject has consented to the transfer.
  • The transfer involves personal data available in a public registry pursuant to a specific law.
  • The transfer is necessary for the purposes of an important public interest in accordance with either a specific law or an international treaty binding on the Czech Republic.
  • The transfer is necessary for negotiations concerning the execution or variation of an agreement initiated at the data subject’s request or for the performance of an agreement to which the data subject is a party.
  • The transfer is necessary for the performance of an agreement concluded in the data subject’s interest between the data controller and a third party or for the purposes of exercising a legal claim.
  • The transfer is necessary to protect the rights or vitally important interests of the data subject (eg, preservation of the data subject’s life or health).

Are there restrictions on the geographic transfer of data?

No restrictions apply to data transfers to:

  • EU member states;
  • signatory states of the European Council’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108); or
  • ‘countries with adequate level of protection’ as officially recognised by the European Commission.

Third parties
Do any specific requirements apply to data owners where personal data is transferred to a third party for processing?

Under the Act on the Protection of Personal Data, the data controller must inform the data subject of who will process the personal data and the parties to whom it may be disclosed.

Further, where authorisation stems from a legal regulation, the data controller must conclude with the data processor a written agreement on personal data processing. In particular, the agreement must explicitly stipulate the scope, purpose and period of time for which it is concluded and contain guarantees by the data processor relating to technical and organisational protection of the personal data.

Click here to view the full article.