The Ministry of the Interior of the Czech Republic published a bill in September to replace the current Act No. 101/2000 Coll., on the Protection of Personal Data. This Act is particularly interesting because it is a “Czech reaction” to GDPR in matters where the regulation allows for national derogations or specifications.

However, the bill is not just a response to GDPR. On the contrary, the larger part on its content implements the EU Directive on the processing of personal data in connection with the investigation and prevention of criminal offences. A separate part of the bill then deals with the processing of personal data in the course of the defence and security of the state.

This is the list of provisions responding to the GDPR, and to the possibility of a national derogation in the relevant legislation, given by the GDPR:

  • setting maximum fines for public authorities and public entities at CZK 10 million
  • containing the definition of a “public entity” which (in addition to a public authority) must appoint a data protection officer (DPO)
  • the age limit when the consent of a child’s statutory guardian is needed when using online services is reduced to 13 years (GDPR sets out 16 years)
  • providing for exceptions for the processing of data for so-called compatible purposes, and the possibility of restricting the rights of the data subject in matters of public interest
  • providing the possibility of informing data subjects by publishing information on the Internet, if processing is carried out on the basis of law, or in the public interest
  • providing the right for data controllers to notify, under certain circumstances, any changes, limitations, and removal of personal data to recipients of the updates of the default registers
  • setting out the confidentiality requirements of the DPO for personal data and security measures

The bill will now go to an interdepartmental commentary procedure. At the same time, the submitted text may still be subject to a number of changes.