Data security under Czech data protection law

One of the most important obligations of data controllers and processors is related to personal data security.

The basic obligation is to adopt measures preventing unauthorised or accidental access to personal data, their alteration, destruction or loss, unauthorised transmission, other unauthorised processing, as well as other misuse of personal data (Article 13(1) of the Czech Act on the Protection of Personal Data No. 101/2000 (the Act)). This obligation shall remain valid even after terminating personal data processing.

In order to determine the measures, the controller or the processor should evaluate the risks associated with:

  • compliance with instructions for personal data processing by people who have immediate access to the personal data (Article 13(3)(a) of the Act)
  • prevention of unauthorized persons’ access to personal data and to the means of their processing (Article 13(3)(b) of the Act)
  • prevention of unauthorized reading, creating, copying, transferring, modifying or deleting of records containing personal data, and (Article 13(3)(c) of the Act)
  • measures that enable to determine and verify to whom the personal data were transferred (Article 13(3)(d) of the Act)

The list is non-exhaustive and the data controller or processor has to analyze all relevant risks, no matter if they were explicitly mentioned in this article.

The controller or processor have an obligation to process and document the technical and organisational measures adopted and implemented to ensure the personal data protection (Article 13(2) of the Act).

In general, controller and processor must secure a personal data protection of both intended and negligent violations of data security, as well as force majeure risks. Another important thing is that for a violation of an obligation it is enough that there exists a certain risk, even though there is no actual loss, damage or misuse of personal data.

The Act includes a very broad and abstract rule for a description of technical and organizational measures. In order to determine the specific technical and organizational measures for a data controller or processor, it is necessary to take into consideration the specific situation and nature of data processing. It is possible that the measures and level of data security might differ from one data controller to another.

There are several ways how to determine the necessary measures. One way is to refer to industry security standards. In one of its decisions, the Czech Supreme Administrative Court referred to security standards, either ISO or Czech technical norms (the decision 3 As 21/2005 – 105).

Another way how to determine the necessary measures in Czech republic is to follow the registration survey that data controllers have to submit in order to register for personal data processing at the Czech Office for Personal Data Protection. The question 11 includes a list of measures and the applicant should check a tick box for any measure that they use.

They are divided into two categories:

  1. Manual and automated processing
  • locks and metal grids
  • central protection point
  • electronic security
  • security directives
  • documentation of implemented technical and organizational measures

The usual purpose of these measures is to secure the documents containing personal data and the offices/places, in which such documents are stored.

  1. Automated processing
  • access rights
  • antivirus protection
  • encryption
  • security backups
  • security directives

The common issue for both types of measures is that the data controller or processor should not only focus on the implementation of these measures, but also on the control of their practice. They have an obligation to prove that they implemented these measures. Therefore, any types of measures must also include processes for a control of personal data policies practice.

To learn more about the developments in the Czech legal rules for technical and organization measures, read the article.

Cybersecurity Act

Czech The Act on the Cybersecurity No. 181/2014 (the Cybersecurity Act) includes additional obligations and sanctions for several specific types of companies.

The key term of the legislation is the critical infrastructure.

There are certain companies in the Czech Republic, that have a significant impact on the information infrastructure. They are divided into five categories and the Cybersecurity Act defines specific obligations for each category.

The determination of an element of a critical infrastructure is based on several different criteria. Firstly, it depends on:

  • the number of victims with a treshold higher than 250 dead or more than 2500 people with a subsequent hospitalisation for a time period longer than 24 hours
  • economic impact with a treshold of an economic loss of a state higher than 0.5 percent of GDP
  • an impact on the general public with a treshold of a vast restriction of supplying necessary services or other significant interference into an everyday life of more than 125,000 people

Secondly, it might depend on the sectoral criteria:

  • energy sector (electricity, gas, oil, heat supply)
  • water sector
  • food and agriculture
  • healthcare
  • transportation
  • financial markets and currency
  • emergency/distress services (integrated life-saving system, radiation monitoring, etc.)
  • public services (public finances, social security and employment, etc.)

Not only do these companies have specific obligations, but they also cooperate with designated state bodies.

Specific obligations:

The companies have to implement security measures, such as:

  • organisational, for example: planning, processes, control
  • technical, for example: cryptography, access rights, physical security, etc.

These obligations apply only for 3 most important categories of companies.

The companies have to record and sometimes report and notify the designated state body about a security incidents.

These obligations apply for all categories, except the category with the lowest risk.

The Cybersecurity Act introduced the cybersecurity emergency situation. It is a situation of an existence of a thread to the security or integrity of information, services or networks of a great range and a risk of a thread for Czech republic interests. The main impact is that a more categories of companies must follow the specified obligations.

The State Security Office may control the implementation of these obligations and impose sanctions for non-compliance, including fines up to 100,000 CZK.