On May 25, 2018, the personal data protection rules in the Czech Republic changed substantially. Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation or GDPR) became directly applicable law in all EU Member States after a two-year transition period. Thus, the principles of personal data protection in the Czech Republic, as well as the rights, duties and processing requirements, are regulated primarily by the GDPR.
In order to adapt the legal system of the Czech Republic to the GDPR, the new Act No. 110/2019 Sb. (Coll.) on Personal Data Processing (Personal Data Processing Act) was passed and finally came into effect on April 24, 2019. The Personal Data Processing Act fully replaced the older Personal Data Protection Act [Act No. 101/2000 Sb. (Coll.), as amended]. The Personal Data Processing Act contains provisions which functionally complement the GDPR. It also regulates the jurisdiction of the Office for Personal Data Protection and personal data processing for the purpose of ensuring the defense and national security of the Czech Republic.
Since the GDPR became effective, the Register of Data Controllers maintained by the Office for Personal Data Protection has been terminated. Thus, registrations or notifications to the Office for Personal Data Protection in order to process personal data in the Czech Republic are no longer required.
A significant derogation from the GDPR, relating to the limitation of certain rights and obligations, is stipulated in Section 11 of the Personal Data Processing Act. Articles 12 to 22 [rights of the data subject] and, as far as relevant, also Article 5 [principles relating to processing of personal data] of the GDPR shall apply mutatis mutandis, or compliance with the controller’s or processor’s obligations or the exercise of the data subject’s rights laid down in those articles shall be postponed, if this is necessary and reasonable in scope to ensure a protected interest, such as (a) defense or security interests of the Czech Republic, (b) public policy and national security, prevention, investigation or detection of criminal offences, (c) prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, (d) protection of the rights and freedoms of persons, (e) enforcement of civil law claims, etc. If the controller or processor limits the rights or obligations in this way, it must notify the Office for Personal Data Protection of any such limitation without undue delay.
Besides the GDPR and the Personal Data Processing Act, there are also some other statutes which are relevant in the data protection context, in particular Act No. 480/2004 Sb. (Coll.) on Certain Information Society Services, as amended (Act on Certain Information Society Services), Act No. 127/2005 Sb. (Coll.) on Electronic Communications, as amended, and Act No. 181/2014 Sb. (Coll.) on Cyber Security, as amended.
With regard to spam and other unsolicited commercial communications, certain rules apply under the Act on Certain Information Society Services. Commercial communications may only be sent if a clearly identified recipient has given valid consent in advance (prior to receipt of the communication). Recipients must have the option to withdraw their consent in each commercial communication addressed to them (usually reflected in the “unsubscribe” line found at the end of an e-mail). Alternatively, the sender may rely on the soft opt-in exemption, which presumes the customer’s consent. Under this exemption, the controller may send commercial communications to its current customers about its own similar products or services, provided that the customer can easily refuse such commercial communications, e.g. via the “unsubscribe” line at the end of an e-mail (the opt-out option).
The Office for Personal Data Protection is the central administrative authority in the field of personal data protection which, inter alia, provides consultations and informs the public of the risks, rules, safeguards and rights in relation to personal data processing. The Office for Personal Data Protection also adopts statements, summary materials and recommendations. Most recently, the Office for Personal Data Protection has published, among others, the Summary Material on the verification of identity and processing of personal data, the Statement on the Digital Green Certificate (CovidPass), and the Recommendations for mandatory employee testing.