
Data Law Navigator | Czech Republic

Information on Data Protection and Cyber Security laws from CMS experts

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Data Protection

Last reviewed March 2020

Risk scale

Orange

Laws

  • Act No. 110/2019 Coll., on processing of personal data (hereinafter the “Data Processing Act”)
  • Act No. 480/2004 Coll., on certain Information Society Services
  • Act No. 127/2005 Coll., on Electronic Communications
  • Act No. 40/1995 Coll., on Regulation of Advertisement

Authority

The Office for Personal Data Protection (Data Protection Office)

Anticipated changes to law

No legislative changes are anticipated.

If applicable: stage of legislative implementation of GDPR

  • Children of at least 15 years of age are entitled to give their own consent to the processing of personal data in relation to information society services.
  • The controller is not obliged to assess the compatibility of purposes before processing personal data for a purpose other than that for which the data were collected (the so-called “compatibility test”), provided that such processing is necessary and proportionate for:
    • fulfilment of legal obligations of the controller; and
    • performance of tasks carried out in the public interest or in the exercise of public authority vested in the controller. The protected interests include for example:
      • defence or security interests of the Czech Republic;
      • public security and internal security, the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties or protective measures, including safeguarding against and preventing threats to public security;
      • the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions;
      • the protection of the rights and freedoms of persons; and
      • the enforcement of private legal claims.
  • Data controllers are not obliged to carry out a data protection impact assessment if the processing is necessary for compliance with the controller’s legal obligation.
  • If a data controller processes personal data for the purpose of complying with the controller’s legal obligations and is obliged to provide the data subject with information under Articles 13 and 14 of the GDPR, the controller may, to the extent appropriate to the processing it normally carries out, provide such information by means allowing remote access.
  • Specific rules and principles are set out for:
    • processing of personal data for scientific or historical research purposes or for statistical purposes.

Scope

The Data Processing Act implements GDPR and the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

Penalties/enforcement

A fine of up to CZK 5,000,000 may be imposed for violation of a prohibition on the disclosure of personal data laid down in other legal regulations.

A fine of up to CZK 10,000,000 may be imposed for violation of obligations set out in the Data Processing Act regarding processing for the purposes of preventing or detecting criminal offences, criminal proceedings, enforcement of penalties, ensuring the security of the Czech Republic or ensuring public policy and security.

Other relevant provisions of GDPR shall apply.

Registration/notification

The Register of Data Controllers maintained by the Data Protection Office has been closed after GDPR became effective and registrations or notifications to the Data Protection Office are no longer required.

Main obligations and processing requirements

Articles 12 to 22 of the GDPR and, to the same extent, Article 5 of the GDPR apply only to a limited degree, or the fulfilment of the obligations of data controllers or processors or the exercise of data subject rights may be delayed, where this is necessary and proportionate to protect protected interests such as the defence or security interests of the Czech Republic, the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, the protection of the rights and freedoms of persons, or the enforcement of private legal claims.

If a controller or processor limits the rights or obligations pursuant to the previous paragraph, it is obliged to report this fact to the Data Protection Office.

Otherwise relevant provisions of GDPR shall apply.

Data subject rights

Please see above in “Main obligations and processing requirements” and below in “Breach notification”, otherwise relevant provisions of GDPR shall apply.

Processing by third parties

No country specific regulation under the Data Processing Act. Relevant provisions of GDPR shall apply.

Transfers out of country

No country specific regulation under the Data Processing Act. Relevant provisions of GDPR shall apply.

Data Protection Officer

Public authorities and bodies established by law which carry out statutory tasks in the public interest are obliged to appoint a Data Protection Officer.

Security

No country specific regulation under the Data Processing Act. Relevant provisions of GDPR shall apply.

Breach notification

If the data controller is obliged to report a breach to the data subject, it may report the breach in a limited scope or may delay the report, where this is necessary and proportionate to protect protected interests such as the defence or security interests of the Czech Republic, the prevention, investigation, detection and prosecution of breaches of ethics for regulated professions, the protection of the rights and freedoms of persons, or the enforcement of private legal claims.

Otherwise relevant provisions of GDPR shall apply.

Direct marketing

  • By e-mail, SMS or other electronic messages: consent must be obtained, unless the controller can rely on the soft opt-in exemption – existing customers, marketing of the controller’s own similar products or services, and an opt-out offered at the time of collection and afterwards in every marketing communication (regulated by Act No. 480/2004 Coll., on certain Information Society Services).
  • By regular (postal) mail: opt-out regime – under Act No. 40/1995 Coll., on Regulation of Advertisement, anyone can place a “no commercial communication” sign on their post box, after which delivery of any such communication is forbidden.

Cookies

The EU cookies directive has been incorrectly implemented by the Act on Electronic Communications, and an opt-out regime applies in the Czech Republic. Consent of the user is not required before cookies are downloaded to the user’s computer. The website provider must only inform the user about the scope and purpose of the processing of data obtained through the cookies and give the user the option to decline such processing. In practice, the opt-out means that the user chooses to stop browsing the website and leaves it.

Cyber Security

Last reviewed March 2020

Risk scale

Orange

Laws and regulations

  • Act No. 181/2014 Coll., on cyber security and on changes of relating acts (Cyber Security Act)
  • Decree No. 316/2014 Coll., on security measures, cyber security incidents, reactive measures, and on requirements on reporting in cyber security area (Decree on Cyber Security)

Application

The Cyber Security Act sets out security obligations for:

  1. Electronic communication service providers and operators of electronic communication networks;
  2. Public authorities or entities operating important networks – i.e. electronic communication networks which provide direct foreign connections to public communication networks or a direct connection to critical infrastructure;
  3. Controllers and operators of information and communication systems of critical infrastructure – i.e. an element or set of elements of critical infrastructure in the area of communication and information systems in cyber security;
  4. Controllers and operators of important information systems – i.e. information systems maintained by public authorities which are not categorised as critical infrastructure or as information systems for essential services, but where a security breach can restrict or significantly impede the exercise of powers by public authorities;
  5. Controllers and operators of information systems for essential services – i.e. services that depend on electronic communication networks or information systems and where a security breach could have a significant impact on securing social or economic activities in one of the following sectors: energy; transport; banking; financial market infrastructure; healthcare; water resource management; digital infrastructure; chemicals;
  6. Providers of essential services;
  7. Providers of digital services.

Authority

National Cyber and Information Security Agency (NCISA)

Key obligations

General obligations to:

  • Implement and enforce (necessary, appropriate) security measures;
  • Detect and report cyber security incidents.

Some of the persons subject to the Cyber Security Act – usually those listed under 3. and 4. above under “Application” – are further obliged to:

  • Adopt a written cyber security plan,
  • Appoint a cyber security manager, architect of cyber security, cyber security auditor, etc.,
  • Conduct an annual cyber security audit.

Penalties/enforcement

Administrative fine of up to CZK 5,000,000 (around EUR 200,000).

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes:

  • The NCISA also operates as the governmental CERT/CSIRT.
  • The CZ.NIC association operates as the national CERT/CSIRT.

Is there a national incident management structure for responding to cybersecurity incidents?

Yes. In 2016 the Czech government adopted the Unified Methodology for Handling Cyber Security Incidents, which provides a response structure for handling cyber security crises and incidents.

Other cybersecurity initiatives

The NCISA closely cooperates with international corporations and provides additional cyber security services, such as:

  • Data sharing – subscription to the BotnetFeed, IHAP & MDM and Shadowserver services;
  • Deployment of honeypots;
  • Penetration testing, etc.


Authors

Tomáš Matĕjovský
Partner
Prague

Jakub Kabát
Associate
Prague

Daniel Szpyrc