Data subjects’ rights according to Czech data protection law

In accordance with the concept included in Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, the Czech Act on Protection of Personal Data No. 101/2000 (the Act) specifies several rights of data subjects.

Article 10 of the Act sets out the basic principle of data subjects' rights. The controller and processor shall ensure that the rights of the data subject are not infringed, in particular the right to preservation of human dignity, and shall also ensure that the private and personal lives of the data subject are protected against unauthorized interference. This rule is an application of Czech constitutional rules and rights of natural persons.

More specifically, the Czech data protection legislation includes:

  • a right to information
  • a right to access information
  • a right to rectify data
  • a right to liquidate personal data

A right to information

The Act indirectly distinguishes between two situations: whether a data controller or processor collects personal data directly from the data subject or not.

The general provision in Article 11(1) of the Act specifies information obligations for any type of personal data processing.

Pursuant to this Article, the controller, or the processor on behalf of the controller (Article 11(7) of the Act), is obliged to inform the data subject about:

  • the scope of the data processing
  • the purpose for which the personal data shall be processed
  • the identity of the person who will process personal data (for legal persons: name, registered office, ID number; for natural persons: name, surname, address, date of birth)
  • the manner in which the person will process the personal data
  • the identity of the person to whom the personal data may be disclosed

An exception to this rule applies when the data subject is already aware of this information.

Moreover, the information notification must also include information about:

  • the right of access to personal data (Article 11(1) of the Act)
  • the right to have their personal data rectified (Article 11(1) of the Act)
  • the right to request an explanation (Article 21(1)(a) of the Act)
  • the right to request the elimination of the unlawfulness of such a situation (Article 21(1)(b) of the Act)

The information notice should be given before the beginning of data processing.

The person to whom the personal data may be disclosed must be clearly identified. It is not enough to refer to a general description of “businesses in the South East region.” However, if the data controller does not know all the persons that they would transfer the personal data to, they do not have to notify data subjects again. On the other hand, if the data subject requests information about data processing, the controller has to disclose such a person.

If a data controller or processor collects personal data directly from the data subject, the Act includes two different sets of obligations.

If the data subject has to give their consent, pursuant to Article 5(4) of the Act, a data controller or processor has to inform the data subject about:

  • the purpose of processing
  • the personal data that are processed
  • the controller that is processing
  • the period of time for which the consent is being given

The second obligation is included in Article 11(2) of the Act. Where the controller or processor processes personal data obtained from the data subject, they are obliged to instruct the data subject on whether the provision of the personal data is obligatory or voluntary. If the data subject is obliged pursuant to a special Act to provide personal data for the processing, the controller shall instruct them on this fact as well as on the consequences of refusal to provide the personal data.

Exceptions

As mentioned above, Article 11(1) includes an exception to some of the rules specified in the Article, when the data subject is already aware of this information.

Pursuant to Article 11(3) of the Act, the data controller or processor does not need to inform the data subject in specific situations when they did not collect personal data directly from the data subject and:

  • they are processing personal data exclusively for statistical, scientific or archival purposes and such information notification would involve a disproportionate effort or inadequately high costs; or if it is expressly required by a special Act. In these cases the controller shall be obliged to take all necessary measures against unauthorized interference with the data subject’s private and personal lives.
  • the personal data processing is imposed on them by a special Act or such data are necessary to exercise the rights and obligations ensuing from special Acts
  • they are processing exclusively lawfully published personal data, or
  • they are processing personal data obtained with the consent of the data subject

Right of access to information

Pursuant to Article 12(1) of the Act, if the data subject requests information on the processing of their personal data, the controller shall be obliged to provide them with this information without undue delay.

The answer of the data controller, or of the processor acting on behalf of the data controller, to such a request must, according to Article 12(2) of the Act, include at least:

  • the purpose of personal data processing
  • the personal data or categories of personal data that are subject of processing including all available information on their source
  • the character of the automated processing in relation to its use for decision-making, if acts or decisions are taken on the basis of this processing the content of which is an interference with the data subject’s rights and legitimate interests;
  • the recipients or categories of recipients.

The data controller or processor may ask for a reasonable reimbursement not exceeding the costs necessary for providing information.

The liquidation of the data

According to Article 20(1) of the Act, the controller or, on the basis of his instructions, the processor shall be obliged to carry out liquidation of personal data in two cases:

  • as soon as the purpose for which personal data were processed ceases to exist or
  • on a request by the data subject

Right to explanation, blocking, correction and supplementing of personal data

Every data subject may examine whether the controller or the processor is carrying out processing of their personal data that is:

  • in contradiction with the protection of private and personal life of the data subject or
  • in contradiction with the law,
  • in particular if the personal data are inaccurate regarding the purpose of their processing

Each data subject who finds or presumes that these conditions were met may, pursuant to Article 21(1)(b) of the Act:

  • ask the controller or processor for an explanation;
  • request the elimination of the unlawfulness of such a situation. This can mean in particular blocking, correction, supplementing or liquidation of personal data.

For more information about the right of data subjects not to have their data unlawfully published online, you may read an opinion by the Czech Office of Personal Data Protection.