Data protection and cybersecurity laws in Czech Republic

Data protection

1. Local data protection laws and scope

  • Act No. 110/2019 Coll., on processing of personal data (hereinafter the “Data Processing Act”)
  • Act No. 480/2004 Coll., on certain Information Society Services
  • Act No. 127/2005 Coll., on Electronic Communications
  • Act No. 40/1995 Coll., on Regulation of Advertisement

The Data Processing Act implements GDPR and the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

2. Data protection authority

The Office for Personal Data Protection: https://www.uoou.cz/en

3. Anticipated changes to local laws

There are no anticipated changes to local laws.

4. Sanctions & non-compliance

Administrative sanctions:

A fine of up to CZK 5m may be imposed for violating a prohibition on the disclosure of personal data laid down in other legal regulations.

A fine of up to CZK 10m may be imposed for violating the obligations set out in the Data Processing Act regarding processing for the purposes of preventing or detecting criminal offences, criminal proceedings, enforcement of penalties, ensuring the security of the Czech Republic, or ensuring public policy and security.

Criminal sanctions:

A prison sentence of up to eight years, a monetary penalty or disqualification may be imposed on anyone who, without authorisation, processes or appropriates personal data collected on another person in connection with the exercise of public authority and thereby causes serious harm to the rights or legitimate interests of the person the personal data concerns.

A similar punishment may be imposed for breaching a State-imposed or State-recognised obligation of confidentiality by the same conduct, committed without authorisation in connection with the execution of one's employment, profession or function, and thereby causing serious harm to the rights or legitimate interests of the person the personal data concerns.

Others: 

Individual damages may be claimed pursuant to general obligations to compensate for damage caused by infringement of statutory or contractual obligations.

5. Registration / notification / authorisation

The Register of Data Controllers maintained by the Data Protection Office has been closed since the GDPR became effective, so authorisations, registrations or notifications to the Data Protection Office are no longer required.

6. Main obligations and processing requirements

Articles 12 to 22 of the GDPR, and Article 5 to the corresponding extent, apply accordingly, or the fulfilment of the obligations of controllers or processors, or the exercise of data subject rights, may be delayed, where this is necessary and proportionate to protecting interests such as the defence or security interests of the Czech Republic; the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; the protection of the rights and freedoms of persons; and the enforcement of private legal claims.

A controller or processor that limits the rights or obligations pursuant to the previous paragraph must report this to the Data Protection Office.

Otherwise there are no derogations from the GDPR.

7. Data subject rights

Please see above in “Main obligations and processing requirements” and below in “Breach notification”. 

Otherwise there are no derogations from the GDPR.

8. Processing by third parties

There are no derogations from the GDPR.

9. Transfers out of country

There are no derogations from the GDPR.

10. Data Protection Officer

Public authorities and bodies established by law which carry out statutory tasks in the public interest are obliged to appoint a Data Protection Officer. 

Otherwise there are no derogations from the GDPR.

11. Security

There are no derogations from the GDPR.

12. Breach notification

If the data controller is obliged to notify a breach to the data subject, it may notify the breach in limited scope or delay the notification, where this is necessary and proportionate to protecting interests such as the defence or security interests of the Czech Republic; the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions; the protection of the rights and freedoms of persons; and the enforcement of private legal claims.

Otherwise there are no derogations from the GDPR.

The Czech Data Protection Authority has published a form for data breach notifications, available in Czech at: https://www.uoou.cz/assets/File.ashx?id_org=200144&id_dokumenty=46004

13. Direct marketing

  • By e-mail, SMS or other electronic messages: need to obtain consent, unless the controller can rely on the soft opt-in exemption – existing customers, marketing own similar products or services, and opt-out at the time of collection and afterwards, in every marketing communication (regulated by Act No. 480/2004 Coll., on certain Information Society Services).
  • By regular (postal) mail: opt-out regime – under Act No. 40/1995 Coll., on Regulation of Advertisement, anyone can place a sign reading “no commercial communication” or similar on their post box, and the delivery of any such communication is then forbidden.

14. Cookies and adtech

The EU cookies directive has been incorrectly implemented by the Act on electronic communication, and an opt-out regime applies in the Czech Republic. User consent is not required before cookies are downloaded to users’ computers. The website provider must only inform the user about the scope and purpose of the processing of data obtained by the cookies and give the user the option to decline such processing. In practice, the opt-out means that the user chooses to stop browsing on the website and leave it.

There is no specific regulation relating to adtech.

15. Risk scale

Moderate.

Cybersecurity

1. Local cybersecurity laws and scope

  • Act No. 181/2014 Coll., on cybersecurity and on changes of relating acts (“Cybersecurity Act”)
  • Decree No. 316/2014 Coll., on security measures, cybersecurity incidents, reactive measures, and on requirements on reporting in cybersecurity area (“Decree on Cybersecurity”)

The Cybersecurity Act implements Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union.

2. Anticipated changes to local laws

There are no anticipated changes at the national level.

However, the European Commission has adopted a proposal for a revised Directive on Security of Network and Information Systems (NIS 2 Directive); once the final directive is adopted, it will be implemented in the Czech Republic.

3. Application 

The Cybersecurity Act sets out security obligations for:

  • Electronic communication service providers and operators of electronic communication networks;
  • Public authorities or subjects operating important networks – i.e. electronic communication networks which provide direct foreign connections to public communication networks or direct connection to critical infrastructure;
  • Controllers and operators of information and communication systems of critical infrastructure – i.e. an element or set of elements of critical infrastructure in communication and information systems in cybersecurity;
  • Controllers and operators of important information systems – i.e. information systems maintained by public authorities not categorised as critical infrastructure or information services for essential services, but where a security breach can restrict or significantly impede the exercise of power by public authorities;
  • Controllers and operators of information services for essential services – i.e. services that depend on electronic communication networks or information systems and where a security breach could have a significant impact on securing social or economic activities in sectors such as energy, transport, banking, financial markets infrastructure, healthcare, water resource management, digital infrastructure and chemicals;
  • Providers of essential services;
  • Providers of digital services.

4. Authority

National Cyber and Information Security Agency (NCISA): https://www.nukib.cz/en/ 

5. Key obligations 

General obligations to:

  • Implement and enforce necessary and appropriate security measures;
  • Detect and report cybersecurity incidents. 

Some of the persons subject to the Cybersecurity Act – especially in critical infrastructure and information systems – are further obliged to:

  • Adopt a written cybersecurity plan;
  • Appoint a cybersecurity manager, cybersecurity architect, cybersecurity auditor, etc.;
  • Conduct an annual cybersecurity audit.

6. Sanctions & non-compliance 

Administrative sanctions:

A fine of up to CZK 5m may be imposed for violation of obligations under the cybersecurity regulation.

Criminal sanctions:

There are no specific criminal offences for non-compliance with cybersecurity regulation.

Others: 

A claim for damages (and/or other remedies) may generally be brought for compensation of harm caused by a violation of the cybersecurity obligations.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

Yes:

  • The NCISA also operates as governmental CERT.
  • The association CZ.NIC operates as national CERT/CSIRT.

8. National cybersecurity incident management structure

In 2016 the Czech government adopted the Unified Methodology for Handling Cybersecurity Incidents, which provides a response structure for handling cybersecurity crises and incidents.

9. Other cybersecurity initiatives 

The NCISA closely cooperates with international corporations and provides additional services in cybersecurity, such as:

  • Sharing data – subscription to BotnetFeed, IHAP & MDM and Shadowserver services;
  • Deployment of honeypots;
  • Penetration testing, etc.

Authors: Tomáš Matějovský (Partner, Prague), Jakub Kabát (Associate, Prague), Jan Ježek (Associate, Prague), Daniel Szpyrc