Czech Republic

CHART INSTRUCTIONS:

 Local law does not deviate from the GDPR.

 Local law deviates from the GDPR.

NAME

Návrh zákon o zpracování osobních údajů

Status: DRAFT

SME EXCEPTION

No Deviation

LAWFULNESS OF PROCESSING (ART 6)

SPECIFYING PROVISION: Processing for New Purposes: Controllers can process personal data for purposes other than those for which it was collected if necessary to meet a legal obligation, when this is in the public interest, or in the exercise of public powers, such as: (1) public policy and internal security; (2) defense or security of the Czech Republic; (3) prevention, detection, and prosecution of criminal offenses or for the execution of judgments; (4) public policy objectives of the EU; (5) protection of judiciary independence; (6) prevention, detection, and prosecution of breaches of ethical rules of regulated professions; (7) exercise of official authority; (8) protection of individuals’ rights and freedoms; and (9) the enforcement of civil claims (Art 5 Czech Act).

CHILD'S CONSENT (ART 8)

SPECIFYING PROVISION: For information society services offered directly to children, consent within the meaning of Art 6(1)(a) GDPR is valid if the child is 13 years of age or if this is expressed or approved by the child’s legal representative (Art 6 Czech Act).

SENSITIVE DATA (GENETIC, BIOMETRIC AND HEALTH DATA) (ART 9 (4))

No Deviation

CRIMINAL CONVICTIONS/SECURITY MEASURES (ART 10)

No Deviation

INFORMATION OBLIGATION (ART 13 & 14)

SPECIFYING PROVISION: Information may be made available to the data subject via publication by remote access if the controller performs processing on the basis of a legal obligation or in the public interest or if the controller conducts processing in the exercise of public authority (Art 7 Czech Act).

AUTOMATED INDIVIDUAL DECISION-MAKING (ART 22)

No Deviation

RESTRICTIONS TO DATA SUBJECT'S RIGHTS (ART 23)

ADDITIONAL REQUIREMENT:

1. Right of Access: The right of access may be limited or excluded if it is necessary and proportionate in light of the protection of another individual’s rights (Art 10 Czech Act).

2. Right to restriction of processing: The right to restriction of processing may be limited or excluded when the controller or processor is under a legal obligation to transfer the data or make it available (Art 12 Czech Act).

JOINT CONTROLLER RESPONSIBILITIES (ART 26 (1))

No Deviation

AD HOC NOTIFICATIONS - RECORDS OF PROCESSING ACTIVITIES (ART 30)

No Deviation

SECURITY OF PROCESSING (ART 32)

No Deviation

DATA BREACH (ART 33 & 34)

No Deviation

DATA PROTECTION IMPACT ASSESSMENT (ART 35)

SPECIFYING PROVISION: The controller does not need to perform DPIAs before beginning processing activities unless this is explicitly provided for by law (Art 9 Czech Act).

DATA PROTECTION OFFICER (ART 37(4))

SPECIFYING PROVISION: 

DPO appointment requirement: The requirement to appoint a DPO when processing is carried out by a public body is specified by the interpretation of “public body,” which shall be considered a statutory body carrying out statutory tasks in the public interest (Art 13 Czech Act).

CERTIFICATION (ART 42)

No Deviation

DATA TRANSFER DEROGATIONS (ART 49(5))

No Deviation

POWERS SUPERVISORY AUTHORITIES (ART 58)

SPECIFYING PROVISION:

1. Powers: The supervisory authority’s powers shall include: performing investigations and audits, notifying controller/processor of infringements (which in turn may request clarification), establishing criteria for data protection certificates, approving codes of conduct, adopting standard contractual clauses, and imposing corrective measures to remedy data protection law infringements. If, however, an infringement is remedied immediately after discovery of the infringement, the supervisory authority can waive the imposition of a fine (Art 50 and 57–58 Czech Act).

2. Cooperation: The supervisory authority shall cooperate with the EDPS, EU institutions, and other Member States’ supervisory authorities. It shall comply with requests for information, investigations, or audits from other supervisory authorities (Art 50 Czech Act).

3. Confidentiality: Members of the supervisory authority are bound to confidentiality of data the disclosure of which would jeopardize the personal data concerned. This duty of confidentiality persists after termination of the employment relationship and can only be lifted in legal proceedings, with the consent of the individual whose personal data is concerned and protected by the duty of confidentiality (Art 56 Czech Act).

CLASS ACTIONS (ART 80 (2))

No Deviation

ADMINISTRATIVE SANCTIONS (ART 83)

ADDITIONAL REQUIREMENT: Fines imposed on public authorities: Public authorities acting as controller or processor that are in violation of the Czech Act can be fined up to 10 million CZK (€39,310) (Art 61 Czech Act).

PENALTIES (ART 84)

No Deviation

FREEDOM OF EXPRESSION AND INFORMATION (ART 85)

ADDITIONAL REQUIREMENT: For processing carried out for journalistic or academic purposes, the Czech Act foresees the following specifications and exemptions:

1. Sensitive data processing: Only allowed for journalistic or academic purposes if necessary to achieve the legitimate objective pursued and where the individual’s rights do not prevail.

2. Criminal data processing: Identical to sensitive data processing.

3. Information obligation and other individual rights: The controller may postpone making available the identity of the source and content of the personal information and may limit or exclude the individual’s rights for as long as necessary to achieve the journalistic or academic processing purpose. The individual may only exercise his right to restriction of processing when this is necessary for the exercise and defense of legal claims and must be balanced with the right to information and freedom of expression. The individual may object to processing if he demonstrates his interests prevail (Art 15 Czech Act).

PROCESSING FOR ARCHIVING, SCIENTIFIC, HISTORICAL RESEARCH OR STATISTICAL PURPOSES (ART 89)

No Deviation

OBLIGATIONS OF SECRECY (ART 90)

SPECIFYING PROVISION: Information protected by legal privilege can only be accessed and consulted by the supervisory authority in the presence and with the consent of a representative of the Czech Bar (Art 54 Czech Act).

LOCAL DPA GUIDANCE & LEGAL SOURCES

REMARKS

The Czech Act also contains provisions on data processing by competent authorities for purposes of law enforcement and public security, which is outside the scope of the GDPR.