The legal regime of data transfers depends on the destination country.
Data transfers within the Czech Republic or within EU Member States
The Czech Republic allows the free flow of personal data when they are transferred to a Member State of the European Union (Article 27(1) of the Act No. 101/2001 of April 4, 2000 on the Protection of Personal Data (the Act)).
Data transfers to other countries
There are several legal ways to transfer personal data to third countries.
The first group enables a transfer without the approval of the Office (Article 27(2) of the Act):
- Based on a ratified international treaty
The most important treaty is the Council of Europe's Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data.
- Based on a decision of an institution of the European Union
The Office publishes information about such decisions in the Official Journal.
These decisions include:
  - an adequacy decision by the European Commission pursuant to Article 25(6) of the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Directive). Examples include the decision on Argentina, among others.
  - implementation of standard contractual clauses issued by the European Commission pursuant to Article 26(4) of the Directive
  - specific decisions of the European Commission on the creation of mechanisms and tools that provide adequate protection of personal data. The most famous example of these decisions is the Privacy Shield mechanism to enable personal data transfer to and from the United States.
If it is not possible to use these mechanisms, it is necessary to obtain the approval of the Czech Office for the Protection of Personal Data (the Office).
The Office published an example of such a request for approval.
It may be based on one of these conditions:
- the data transfer takes place with the consent of, or on the basis of an instruction by the data subject;
- sufficient specific guarantees for personal data protection are implemented in the third country to which the personal data are to be transferred.
For example, there are other legal or professional regulations and security measures. Such guarantees may be specified in particular by a contract concluded between the controller and the recipient, if this contract ensures application of these requirements, or if the contract contains contractual clauses for personal data transfer to third countries published in the Official Journal of the Office.
This might also include a situation where the Standard Contractual Clauses of the European Commission were implemented into a contract, but with modifications.
Another example is the implementation of Binding Corporate Rules, which are used across the whole company.
- the personal data are part of publicly accessible data files on the basis of a special Act, or are, on the basis of a special Act, accessible to someone who proves a legal interest.
In such a case the personal data may be disclosed only in the scope and under the conditions provided by a special Act. An example of a legal interest might be a request by a person from abroad to get a copy from the Office's registry.
- an important public interest following from a special Act or from an international treaty binding the Czech Republic
- the transfer is necessary for negotiating the conclusion or change of a contract, carried out on the data subject's incentive, or for the performance of a contract to which the data subject is a contracting party (for example, personal data at a hotel)
- the transfer is necessary to perform a contract between the controller and a third party, concluded in the interest of the data subject, or to exercise other legal claims (for example, the relationships between insurance companies and hospitals)
- the transfer is necessary for the protection of rights or important vital interests of the data subject, in particular for rescuing life or providing health services.
The data controller has to apply for approval of such a data transfer. If the Office gives its approval, the approval also includes the time period for which the data processing may take place. If the Office refuses a request, the data controller may challenge the decision in administrative proceedings.