Data protection supervision according to Czech law

There are two basic sources how to enforce the implementation of data protection obligations: a control by state authorities and self-control by data controllers or processors.

The control by state authorities

Based on the Czech Act on the Protection of Personal Data No. 101/2000 (the Act), there is an Office for the Protection of Personal Data (the Office). In Czech republic, there is only a single public authority for the whole country. Its seat is in Prague. The Act guarantees that it is an independent body (the Article 28).

Since 2014, a significant amount of the rules are included in The Act No. 255/2012 about inspection procedures (the Inspection Act).

The rights of the Office during an inspection of data protection compliance, under the Article 8 of the Inspection Act and under Article 37 of the Act:

  • When performing inspection, the supervisory staff is entitled to get acquainted with every piece of information, including sensitive data, necessary to achieve the inspection purpose
  • The supervisory staff may enter data controller or processor´s building, vehicles, land or other areas, except for a residence of an inspected person
  • Create visual or audio recordings
  • Require a cooperative attitude of the inspected person
  • Run tests, measurements, reviews, etc.

The obligations of the supervisory staff (Article 9 of the Inspection Act)

  • Protect the rights and legitimate interests of an inspected person and third parties
  • Issue a confirmation about any type of original documents that are a part of the inspection

Finally, the inspected person has several rights and obligations, such as

  • Can issue an official complaint against the findings of the inspection
  • Plead bias of the supervisory staff
  • Cooperate with the supervisory staff

The inspected person has a right to issue an official complaint against the findings of the inspection (Article 13 of the Inspection Act). The supervisory staff should deal with them within 7 days or within 30 days, if the supervisor of an inspector is needed.

For more information about the competences of the Office, visit the English website of the Office.

Self-control of data controllers and processors

The Act includes some obligations for data controllers and processors, in which they have to check the impact of their activities on the privacy of data subjects.

The most important rule is in Article 13 of the Act. Under this Article, the controller and the processor have an obligation to adopt measures preventing unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transmission, other unauthorized processing, as well as other misuse of personal data.

It is a general rule for a data security and data protection, but the important part is an emphasis on a prevention of data breaches and legislation violations. An important part is an evaluation of risks.

The demonstrative list of areas in which the data controller or processor have to evaluate the risk to data privacy is included in Article 13(3) of the Act. It includes:

  • compliance with instructions for personal data processing by people who have immediate access to the personal data (Article 13(3)(a) of the Act)
  • prevention of unauthorized persons’ access to personal data and to the means of their processing (Article 13(3)(b) of the Act)
  • prevention of unauthorized reading, creating, copying, transferring, modifying or deleting of records containing personal data, and (Article 13(3)(c) of the Act)
  • measures that enable to determine and verify to whom the personal data were transferred (Article 13(3)(d) of the Act)

The list is not final and every controller or processor has to analyze any risks associated with their specific details of data processing.

One of the key obligations is a prevention of unauthorized access to personal data. Data controllers and processors have to protect personal data not only against outside attacks, but also from their employees or contractors that are not supposed to have an access to such data.

Therefore, the data controllers and processors have to develop their internal data protection directives and norms, which cover the access of various types of employees to personal data. A best practice is also to prepare a list of procedures related to personal data protection and people responsible for these procedures. The employees and contractors, if necessary, should be trained. Finally, the data controller and processor must be able to demonstrate that these directives are followed and that they are controlling the data protection practices.

The Czech Labour Act No. 262/2006, in its Article 302, also governs the creation of internal directives. It describes particular obligations for employees at managing positions.

In the specific area of website development, the obligation of prevention might also include restrictions on an access to websites or databases with personal data. For this purpose, the website owner might:

  • alter robots.txt file
  • use tags, such as nofollow
  • develop a structure of the website, that places websites with personal or sensitive data in its deeper level

Contrary to the GDPR, Czech legislation at present does not include an explicit obligation to perform data protection impact assessments, implement privacy by design or privacy by default or designate a data protection officer. On the other hand, it is possible to argue, that such an obligation might result from the general obligation for prevention, pursuant to the Article 13 of the Act.