Data protection
1. Local data protection laws and scope
- Act No. 110/2019 Coll., on processing of personal data (“Data Processing Act”)
- Act No. 480/2004 Coll., on certain Information Society Services
- Act No. 127/2005 Coll., on Electronic Communications
- Act No. 40/1995 Coll., on Regulation of Advertisement
The Data Processing Act implements GDPR and the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
2. Data protection authority
Office for Personal Data Protection: https://www.uoou.cz/en
3. Anticipated changes to local laws
The new Act on Digital Economics is currently at an early stage of the legislative process in the Chamber of Deputies. Its primary aim is to regulate information society services, among other things the distribution of marketing communications via electronic means.
The current draft clarifies and slightly amends the existing rules for electronic marketing communications directed at customers. Specifically, customers must be given the opportunity to object to the use of their electronic address for marketing purposes both at the time they provide it and with each subsequent marketing message. Furthermore, an electronic address may only be used for marketing if no more than two years have passed since the last marketing communication was sent to that customer.
It is important to note that Parliamentary elections are scheduled for this autumn, and as such, there is a possibility that the Act on Digital Economics may not progress through the legislative process.
4. Sanctions & non-compliance
Administrative sanctions:
A fine of up to CZK 5m may be imposed for violating a prohibition on the disclosure of personal data laid down in other legal regulations.
A fine of up to CZK 10m may be imposed for violating obligations set out in the Data Processing Act regarding processing for the purposes of preventing or detecting criminal offences, conducting criminal proceedings, enforcing penalties, ensuring the security of the Czech Republic, or ensuring public policy and security.
Criminal sanctions:
A prison sentence of up to eight years, a monetary penalty or disqualification may be imposed on anyone who, without authorisation, processes or appropriates personal data that was collected on another person in connection with the exercise of public authority, and thereby causes serious harm to the rights or legitimate interests of the person whom the personal data concerns.
A similar punishment may be imposed on anyone who, by the same action, violates a State-imposed or State-recognised obligation of confidentiality in connection with the exercise of their employment, profession or function without authorisation, and thereby causes serious harm to the rights or legitimate interests of the person whom the personal data concerns.
Others:
Individual damages may be claimed pursuant to general obligations to compensate for damage caused by infringement of statutory or contractual obligations.
5. Registration / notification / authorisation
The Register of Data Controllers maintained by the Office for Personal Data Protection has been closed since the GDPR became effective, so authorisations, registrations or notifications to the Data Protection Office are no longer required.
6. Main obligations and processing requirements
Articles 12 to 22 of the GDPR and, to the corresponding extent, Article 5 of the GDPR apply only in a modified form, or the fulfilment of the obligations of data controllers or processors or the exercise of data subject rights may be delayed, where this is necessary and proportionate to protecting protected interests such as the defence or security interests of the Czech Republic, the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, the protection of the rights and freedoms of persons, and the enforcement of private legal claims.
If a controller or processor limits the rights or obligations pursuant to the previous paragraph, they must report such fact to the Data Protection Office.
Otherwise there are no derogations from the GDPR.
7. Data subject rights
Please see above in “Main obligations and processing requirements” and below in “Breach notification”.
Otherwise there are no derogations from the GDPR.
8. Processing by third parties
There are no derogations from the GDPR.
9. Transfers out of country
There are no derogations from the GDPR.
10. Data Protection Officer
Public authorities and bodies established by law which carry out statutory tasks in the public interest are obliged to appoint a Data Protection Officer.
Otherwise there are no derogations from the GDPR.
11. Security
There are no derogations from the GDPR.
12. Breach notification
If the data controller is obliged to report a breach to the data subject, it may report the breach in a limited scope or may delay the report, where this is necessary and proportionate to protecting protected interests such as the defence or security interests of the Czech Republic, the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, the protection of the rights and freedoms of persons, and the enforcement of private legal claims.
Otherwise there are no derogations from the GDPR.
The Czech Data Protection Authority has published a data breach notification form, available in Czech at: https://www.uoou.cz/assets/File.ashx?id_org=200144&id_dokumenty=46004.
13. Direct marketing
- By e-mail, SMS or other electronic messages: consent must be obtained, unless the controller can rely on the soft opt-in exemption – existing customers, marketing of the controller's own similar products or services, and an opt-out offered both at the time of collection and afterwards in every marketing communication (regulated by Act No. 480/2004 Coll., on certain Information Society Services). The message must be clearly identified as a marketing communication, identify the sender, and provide an opt-out option.
- By regular (postal) mail: opt-out regime – under Act No. 40/1995 Coll., on Regulation of Advertisement, anyone can place a sign reading “no commercial communication” or similar on their post box, and the delivery of any such communication is then forbidden.
14. Cookies and adtech
Initially, the EU’s Cookie Directive was incorrectly implemented by the Electronic Communications Act, and an opt-out regime applied in the Czech Republic. However, from 1 January 2022, user consent is required before cookies are downloaded from the users’ computers (except for the essential cookies). Consent must be informed and easily revocable. Website operators are prohibited from using pre-checked boxes to obtain consent.
There is no specific regulation relating to adtech.
15. Risk scale
Moderate.
16. Useful links
Cybersecurity
1. Local cybersecurity laws and scope
The current legal framework governing cybersecurity in the Czech Republic is set out in Act No. 181/2014 Coll., on Cybersecurity, as amended, and its delegated legislation.
On 4 August 2025, a new Act No. 264/2025 Coll., on Cybersecurity was published in the Collection of Laws. This new act will enter into effect on 1 November 2025. In preparation for its implementation, the National Cyber and Information Security Agency has published drafts of the delegated legislation, which are currently undergoing intergovernmental consultation.
The new act implements the NIS2 Directive (Directive (EU) 2022/2555) and introduces several national-specific provisions that go beyond the NIS2 Directive’s requirements.
The overview provided in this data law navigator is based on the anticipated legislation, including:
- Act No. 264/2025 Coll., on Cybersecurity (“Cybersecurity Act”),
- Decree on regulated services,
- Decree on security measures for providers of regulated services under the regime of higher obligations,
- Decree on security measures for providers of regulated services under the regime of lower obligations,
- Decree on the Office Portal and requirements for selected tasks,
- Decree on security rules for public administrations using services of cloud computing providers,
- Decree on security levels for public administration information systems,
- Government Decree on essential functions of a specified scope,
- Government Decree on regulated services that meet the conditions of strategically important services and on parts of strategically important services that constitute the necessary scope for ensuring the availability of strategically important services.
2. Anticipated changes to local laws
As noted above, significant changes to the Czech cybersecurity framework are anticipated in connection with the finalisation and adoption of the delegated legislation to the new Cybersecurity Act. While the new Cybersecurity Act itself will come into effect on 1 November 2025, the accompanying six decrees and two government decrees are currently undergoing intergovernmental consultation and are not yet finalised.
Until then, the current legal regime remains governed by Act No. 181/2014 Coll., on Cybersecurity, as amended, and its existing implementing regulations.
3. Application
The Cybersecurity Act sets out security obligations for providers of regulated services in the following sectors:
- Public administration,
- Energy,
- Manufacturing industry,
- Food industry,
- Chemical industry,
- Water management,
- Waste management,
- Transport,
- Digital infrastructure and services,
- Financial market,
- Healthcare,
- Science, research and education,
- Postal and courier services,
- Defence industry,
- Space industry.
The key criteria for applicability of the Cybersecurity Act, which also determine the categorisation of regulated entities into entities under the higher obligations’ regime (essential) and entities under the lower obligations’ regime (important), are:
- Operation in a regulated sector,
- Provision of a regulated service,
- Size of the organisation or, alternatively, fulfilment of significance parameters.
The exact specification of the applicability criteria is set out in the Decree on regulated services.
4. Authority
National Cyber and Information Security Agency (NCISA)
5. Key obligations
General obligations include:
- Notifying the NCISA of meeting the statutory criteria for registration as a regulated service provider,
- Defining the “scope of cyber-security management” (i.e., identifying and keeping record of assets related to the provision of the regulated service),
- Implementing and maintaining security measures,
- Reporting cybersecurity incidents,
- Implementing countermeasures issued by the NCISA.
On top of the NIS2 Directive, the Cybersecurity Act increases the emphasis on supply chain security and introduces “strategically important services”, i.e. regulated services whose disruption could have a significant effect on national security or public order.
Providers of strategically important services will be subject to additional obligations, including:
- Ensuring the availability of strategically important services to the necessary extent directly from the Czech Republic,
- Identifying and registering suppliers of “security-relevant supplies” and notifying the NCISA of these suppliers and any changes.
6. Sanctions & non-compliance
Administrative sanctions:
Regulated entities under the higher obligations’ regime may be fined up to CZK 250 million (approx. EUR 10 million) or up to 2% of their global annual turnover, whichever is higher.
Regulated entities under the lower obligations’ regime may be fined up to CZK 175 million (approx. EUR 7 million) or 1.4% of their global annual turnover, whichever is higher.
The NCISA may also temporarily prohibit a member of the statutory body of a regulated entity under the higher obligations’ regime from performing their function, if that person has repeatedly or seriously breached their duties concerning the obligation imposed on the regulated entity to remedy identified deficiencies, as a result of which proper compliance with NCISA’s decision was thwarted.
Criminal sanctions:
There are no specific criminal offences for non-compliance with cybersecurity regulation.
Others:
A claim for damages (and/or other remedies) may generally be brought for the compensation of harm caused by a violation of the cybersecurity obligations.
7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?
Yes:
- The NCISA operates as CSIRT.
- The association CZ.NIC operates as national CERT.
8. National cybersecurity incident management structure
The Cybersecurity Act obliges all regulated entities to report cybersecurity incidents:
- Regulated entities under the higher obligations’ regime will be required to report to the NCISA, within 24 hours of detection, all incidents related to the regulated service that originate in cyberspace and where intentional misconduct cannot be ruled out.
- Regulated entities under the lower obligations’ regime, on the other hand, will only be required to report to the national CERT, within 24 hours of detection, incidents that emerge within the scope of cybersecurity management, originate in cyberspace, have a significant impact on the provision of the regulated service, and where intentional misconduct cannot be ruled out.
Regulated entities will be required to submit an initial notification within 24 hours of detecting the incident, and in the case of incidents with a significant impact on the provision of the regulated service or on the state’s cyberspace, they will also be required to submit an initial assessment within 72 hours of detecting the incident, followed by either a status report (if the incident is ongoing) or a final report (if the incident has been resolved) within 30 days of submitting the initial assessment.
All reports must be submitted electronically via the NCISA Portal.
Details on incident reporting will be laid down in the NCISA decrees.
In addition, the Cybersecurity Act enables the NCISA to respond to cybersecurity threats or incidents with three types of countermeasures: warning, advisory, and reactive countermeasure.
9. Other cybersecurity initiatives
The NCISA actively engages in cooperation with international corporations and domestic institutions across both the public and private sectors. In addition to its core responsibilities, it provides a range of supplementary cybersecurity services. These initiatives include:
- Coordination and Aid in Resolving Incidents,
- Detection System Project,
- Implementing Honeypots,
- Penetration Testing,
- Forensic Laboratory,
- Educational and Research Activities,
- Project BIVOJ – A strategic cybersecurity initiative with the primary objective to ensure centralized management and security oversight of shared information and communication systems and services used by public sector organizations across the country,
- Project INJECT – Creation of an open-source platform for the preparation, execution, and evaluation of non-technical table-top cyber security exercises,
- Locked Shields (NATO Cooperative Cyber Defence Centre of Excellence),
- NATO Cyber Coalition, etc.