The Czech Act on the Protection of Personal Data No. 101/2000 (the Act) includes the majority of definitions for Czech data protection law.
The basic term “personal data” means any information relating to an identified or identifiable data subject. The Act uses standard criteria to determine if personal data is identified or identifiable – if it is possible to identify the data subject directly or indirectly in particular on the basis of a number, code or one or more factors specific to his/her physical, physiological, psychical, economic, cultural or social identity.
To get more details about examples of various types of personal data pursuant to Czech legislation, please refer to an opinion by the Czech Office for Personal Data Protection.
The Act determines a special category of data, which are considered more sensitive, in the Article 4(b). It includes data revealing:
- racial or ethnic origin
- political attitudes, trade-union membership
- religious and philosophical beliefs,
- conviction of a criminal act,
- state of health and sexual life of the data subject and
- genetic data of the data subject;
- biometric data permitting direct identification or authentication of the data subject.
PERSONAL DATA COLLECTION
According to Article 4(f), the personal data collection is a systematic procedure or set of procedures, which aim is to obtain personal data for the purpose of their further storage on a data carrier for their immediate or subsequent processing.
PERSONAL DATA PROCESSING
The term “personal data processing” covers several different types of activities (Article 4(e)).
In general, it is any operation or set of operations that is systematically performed by a controller or a processor upon personal data by automatic or other means.
The Act gives a non-exhaustive list of activities:
- the collection of data
See the description of the data collection above.
- their storage on data carriers
It includes keeping data in a manner that permits their further processing (Article 4(g)).
It means any operation or set of operations restricting the manner or means of personal data processing for a specified period of time, except for the necessary interventions (Article 4(h)).
It means physical destruction of the data carrier, physical deletion of data or their permanent exclusion from further processing (Article 4(i)).
- and other activities, such as: disclosure, modification or alteration, retrieval, use, transfer, dissemination, publishing, preservation, exchange, sorting or combination.
For these activities, the Act does not include specific definitions.
In order to read more about the definition of personal data processing, you may access the opinion of the Czech Office for Personal Data Protection about this topic.
ANONYMOUS & PSEUDONYMOUS DATA
For a data to be considered anonymous, they cannot
- be linked to an identified or identifiable data subject
- in their original form
- or following processing thereof (Article 4(c) of the Act)
The definition does not specify the extent of measures necessary to identify the data subject. Moreover, the Act does not define the process of pseudonymisation.
The definition of a controller is based on several criteria (Article 4(j) of the Act):
- any entity that determines the purpose
- and means of personal data processing,
- carries out such processing and
- is liable for such processing.
The controller may empower or charge a processor to process personal data, unless they are forbidden to do so in a special Act. However, even if the controller uses the services of a processor for data processing, the controller is still liable for such processing.
To get more details about a determination of a data controller or a processor in specific situations, read the article.
THE DATA SUBJECT
The data subject is a natural person to whom the personal data pertain (Article 4(d))
DATA PROTECTION OF EMPLOYEES DATA
The legal regulation of the data protection of employee data is based on the Act, as well as the Labor Act No. 262/2006.
The employer does not need consent of a data subject to process their data for administrative purposes (HR, salaries). The Czech Office for the Protection of personal data (the Office) in one of its Opinions discouraged employers to ask for such consent. The data subject might be under an impression that they may decide to withdraw such consent. However, the employer must process data subject’s data to perform the labor contract. Therefore, the data subject loses a control about their personal data, which violates Article 11(2) of the Act. The employer might be fined for such behavior.
The Labor Act as well as other acts (in the area of pensions, health care insurance, etc.) enables the employer to collect personal data, such as:
- identification number
- date of birth
- place of birth
- information about children and spouse
- health insurance company
The employer is not obliged to notify the Office about the employee data processing, under Article 18(1)(b). However, this is true only if the employer processes employee’s personal data for administrative purposes. For other purposes, the employer would need to use a different legal ground for processing.
Moreover, a transmission of personal data within a group of undertakings is not possible without consent of an employee.