Designation of the Data Protection Officer
The Data Protection Act does not include any exception to the GDPR DPO designation requirements, but it includes an additional category of persons that have to designate a DPO.
Pursuant to Article 14 of the Data Protection Act, not only public authorities or bodies have an obligation to designate a DPO (pursuant to Article 37(1)(a) GDPR), but also bodies established by law that perform task carried out in the public interest.
Notification of the Data Protection Officer to the authorities
The Czech Data Protection Authority published the requirements for the notification of the Data Protection Officer (DPO) and its contact details to the supervisory authority (in Czech).
According to the Czech Data Protection Authority, the form of notification for DPO’s contact details is not specified in more detail by the GDPR. Therefore, the Czech Data Protection Authority recommends notification via a Czech system of special electronic storage used for communication with public authorities, written notification, or email (via email@example.com). The DPO’s contact details are to be reported by the controller or processor.
Tasks of Data Protection Officers
The Czech Data Protection Authority published a Q&A about the designation and tasks of the DPO (in Czech).
In general, it includes the description of the tasks pursuant to the GDPR, with one notable additional point:
The Czech Data Protection Authority enables the DPO to perform not only the tasks pursuant to Articles 37 to 39 GDPR, but also other tasks based on the agreement between the controller and the DPO. However, the Czech Data Protection Authority stresses that such tasks cannot result in a DPO’s conflict of interest with the performance of the DPO primary tasks pursuant to the GDPR.
Supervisory Authority Guidelines
The Czech Data Protection Authority dedicated a whole section of its website for data protection officers (in Czech) at: https://www.uoou.cz/poverenec-pro-ochranu-osobnich-udaju/ds-5550/p1=5550
In the section, the data controllers or processors may get additional information about the requirements for data protection officers, their designation, consultations for DPOs etc.