Data Law Navigator | Czech Republic

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Data Protection

Last reviewed 8 October 2018

Laws

  • Act No. 480/2004 Coll., on certain Information Society Services
  • Act No. 127/2005 Coll., on electronic communication
  • Act No. 40/1995 Coll., on the regulation of advertising
  • Draft Act Implementing GDPR (Draft Data Processing Act)

Authority

The Office for Personal Data Protection (Data Protection Office)

Anticipated changes to law

The Draft Data Processing Act was introduced to the parliament, but will not be adopted before GDPR comes into force. The final version may be subject to changes and amendments.

If applicable: stage of legislative implementation of GDPR

The Draft Data Processing Act is currently being introduced to the Chamber of Deputies and thus is at the beginning of the legislative procedure.

Scope

The Draft Data Processing Act implements the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.   

Penalties/enforcement

  • No country specific regulation expected under the Draft Data Processing Act. Relevant provisions of GDPR shall apply.

Registration / notification

  • The Register of Data Controllers maintained by the Data Protection Office has been closed after GDPR became effective and registration or notification to the Data Protection Office is no longer required.

Main obligations and processing requirements

  • No country specific regulation expected under the Draft Data Processing Act. Relevant provisions of GDPR shall apply.

Data subject rights

  • No country specific regulation expected under the Draft Data Processing Act. Relevant provisions of GDPR shall apply.

Processing by third parties

  • No country specific regulation expected under the Draft Data Processing Act. Relevant provisions of GDPR shall apply.

Transfers out of country

  • No country specific regulation expected under the Draft Data Processing Act. Relevant provisions of GDPR shall apply.

Data Protection Officer

  • No country specific regulation expected under the Draft Data Processing Act. Relevant provisions of GDPR shall apply.

Security

  • No country specific regulation expected under the Draft Data Processing Act. Relevant provisions of GDPR shall apply.

Breach notification

  • No country specific regulation expected under the Draft Data Processing Act. Relevant provisions of GDPR shall apply.

Direct marketing

  • By e-mail: consent must be obtained, unless the controller can rely on the soft opt-in exemption (existing customers, marketing of the controller's own similar products or services, and an opt-out offered at the time of collection and afterwards in every marketing communication).
  • By regular (postal) mail: opt-out regime – under Act No. 40/1995 Coll., on the regulation of advertising, anyone can use a sign “no commercial communication” on their post box and the delivery of any such communication is then forbidden.

Cookies

The EU cookies directive has been incorrectly implemented by the Act on electronic communication, and an opt-out regime applies in the Czech Republic. Consent of the user is not required before cookies are downloaded to users’ computers. The website provider must only inform the user about the scope and purpose of the processing of data obtained by the cookies and give the user the option to decline such processing. In practice, the opt-out means that the user chooses to no longer browse on the website and leave it.


Cyber Security

Last reviewed 8 October 2018

Laws and regulations

Act No. 181/2014 Coll., on cyber security and on changes of relating acts (Cyber Security Act)

Decree No. 316/2014 Coll., on security measures, cyber security incidents, reactive measures, and on requirements on reporting in cyber security area (Decree on Cyber Security)

Application

The Cyber Security Act sets out security obligations for:

  1. Electronic communication service providers and operators of electronic communication networks,
  2. Public authorities or subjects operating important networks – i.e. electronic communication networks which provide direct foreign connections to public communication networks or direct connection to critical infrastructure,
  3. Controllers and operators of information and communication systems of critical infrastructure – i.e. an element or set of elements of critical infrastructure in communication and information systems in cyber security,
  4. Controllers and operators of important information systems – i.e. information systems maintained by public authorities which are not categorised as critical infrastructure or information services for essential services, but where a security breach can restrict or significantly impede the exercise of power by public authorities,
  5. Controllers and operators of information services for essential services – i.e. services that depend on electronic communication networks or information systems and where a security breach could have a significant impact on securing social or economic activities in some of the following sectors: energy; transport; banking; financial markets infrastructure; healthcare; water resource management; digital infrastructure; chemicals,
  6. Providers of essential services,
  7. Providers of digital services.

Authority

National Cyber and Information Security Agency (NCISA)

Key obligations

General obligations to:

  • Implement and enforce (necessary, appropriate) security measures;
  • Detect and report cyber security incidents.

Some of the persons subject to the Cyber Security Act – usually persons under 3. and 4. listed above under “Application” – are further obliged to:

  • Adopt a written cyber security plan,
  • Appoint a cyber security manager, architect of cyber security, cyber security auditor, etc.,
  • Conduct an annual cyber security audit.

Penalties/enforcement

Administrative fine of up to CZK 5,000,000 (around EUR 200,000). 

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes:

  • The NCISA also operates as governmental CERT/CSIRT.
  • The association CZ.NIC operates as national CERT/CSIRT.

Is there a national incident management structure for responding to cybersecurity incidents?

Yes. In 2016 the Czech government adopted the Unified Methodology for Handling Cyber Security Incidents, which provides a response structure for handling cyber security crises and incidents.

Other cybersecurity initiatives

The NCISA closely cooperates with international corporations and provides additional services in cyber security, such as:

  • Sharing Data – subscription to BotnetFeed, IHAP & MDM and Shadowserver services,
  • Deployment of Honeypots,
  • Penetration testing, etc.



Authors

Tomáš Matějovský
Partner
Prague
Jan Ježek
Associate
Prague