Commissioned processing under Czech data protection law

The data controller may decide to let another party process personal data on its behalf. However, the Czech Act No. 101/2001 of April 4, 2000 on the Protection of Personal Data (the Act) attaches several obligations to such relationships, and both parties have to observe them.

The data processor and the contract

The data processor is any entity processing personal data on the basis of a special Act or on behalf of the controller (Article 4(k) of the Act).

The definition is important because it sets objective criteria for determining who the data processor is, even if the parties use different terms for their positions.

To learn more about how to determine the positions of the parties in a specific instance of data processing, please refer to the article on determining the data controller and processor.

The legal relationship between a data controller and a data processor is governed by a specific contract on personal data processing (Article 6 of the Act). It must be in writing. It can be part of another contract, but it must contain all required obligations. However, the contract is not necessary where the personal data processing is based on a special Act.

The data controller may have contracts with more than one data processor.

Another issue is a chain of data processors, where the data processor hires another party to perform part of the data processing. The Czech Office for the Protection of Personal Data (the Office) held in its opinion 1/2009 that such practice is not supported by the Act. It is the responsibility of the data controller to determine the purpose and means of the data processing. If a data processor could conclude contracts with other data processors, the data controller's level of control would decrease.

However, the data processor may use the services of other parties. In that case the data processor cannot rely on the legal regime of the specific contract on personal data processing under Article 6 of the Act, only on the legal regime under Article 14 of the Act. The arrangement can be a labor agreement or another type of agreement pursuant to other laws. The sanctions for violating the contract would also be based on general contract rules.

Data processors' obligations

The Act imposes a high number of obligations on data processors.

Firstly, they have to comply with the obligations specified by the data controller in the contract on personal data processing. If the data processor violates these obligations, the data controller might sue the data processor for damages.

Moreover, if the data processor processes personal data for a purpose other than the one specified by the data controller, the data processor becomes a data controller for that data processing, with all legal consequences.

Secondly, they have to comply with the obligations of any relevant legislation. Most importantly, the Act imposes different types of obligations:

  • To comply with the basic principles of data processing
  • To comply with the legal grounds for data processing
  • To comply with the rules on personal data processing for the purpose of offering business or services to the data subject (these three obligations are based on Article 7 of the Act)
  • To enable the exercise of the data subject's rights (for example, Article 10 or 11 of the Act)
  • To implement technical and operational measures for data security (Article 13 of the Act)

Violations of these obligations might result in an administrative fine imposed by the Office.

Thirdly, if the data processor finds out that the data controller breaches the obligations provided by the Act, the data processor has to notify the controller of this fact without delay and terminate the personal data processing, under Article 8 of the Act. If the data processor fails to do so, the data processor and the data controller are jointly and severally liable for damages caused to the data subject. Therefore, the data subject has a right to sue for damages.

Finally, if the personal data processing by the data controller or a data processor leads to a breach of legal obligations, the data processor and the data controller are jointly and severally liable (Article 21(4) of the Act).

The content of the contract on personal data processing

Pursuant to Article 6 of the Act, the contract must contain:

  • the scope of data processing
  • the purpose of data processing
  • the period of time for which the contract is concluded
  • guarantees by the data processor related to technical and organizational securing of the protection of personal data

To satisfy the last point, a general reference is not enough: the contract has to include the basic parameters of how the data processor plans to protect personal data. These parameters might include:

  • a detailed description of the system used for automatic data processing
  • measures to secure the building or site
  • determination of working positions and roles responsible for various types or methods of data processing
  • regular training of employees
  • security measures to protect computers and the network
  • security of data transfer