Search

Data protection impact assessment (DPIA) under Czech law

Exceptions

Pursuant to Article 10 of the Data Protection Act, the controller does not have an obligation to carry out a DPIA prior to specific personal data processing in the case that the controller has an obligation to process such personal data based on specific legislation.

DPIA list from the Czech supervisory authority

The Czech Data Protection Authority published a list of processing operations for which the data protection impact assessment is and is not necessary (in Czech).

For example, DPIA is necessary for these operations:

  • the monitoring of behaviour (e.g. using CCTV),
  • special categories of personal data,
  • personal data that may cause harm to the data subjects (e.g. data about sexual orientation, physical disability, religion, etc.),
  • large-scale personal data, which needs to be evaluated in specific cases. However, the Czech Data Protection Authority specified several levels, such as processing personal data of more than 10,000 data subjects, more than 20 employees or other people with access to personal data,

On the other hand, DPIA is not necessary for these operations:

  • Processing of personal data of employees with a permanent place of work in Czech Republic for the purpose of compliance with a legal obligation (e.g. accounting or HR agenda)
  • Processing of personal data of a single visit of the customer at the website, in case that no special categories of personal data are processed and no targeting of threatened groups occurs
  • Personal data processing by single attorneys, if additional criteria are met (for example purpose limitation, no transfer of data to third countries, no use of a processor, etc.)
  • Processing of personal data of customers (including competitions or newsletters), in the case that the processing includes no special categories of personal data and data is processed only in Czech language,

The Office also published the methodology on how to perform Data Protection Impact Assessments. It includes a step-by-step guide on how to conduct DPIA and also a methodology for risk identification and assessment.

 

Finally, the Czech Data Protection Authority issued guidelines on the use of data protection impact assessments in the legislative process.

activeMind.legal Rechtsanwaltsgesellschaft is a law firm specialising in data protection law. With our partner firms in the UK and Switzerland, we cover all aspects of GDPR compliance and national data protection law in Europe.

Munich

activeMind.legal
Rechtsanwaltsgesellschaft m. b. H
Potsdamer Straße 3
80802 Munich, Germany

+49 (0) 89 / 919 29 49 00

Berlin

activeMind.legal
Rechtsanwaltsgesellschaft m. b. H
Kurfürstendamm 56
10707 Berlin, Germany

+49 (0) 30 / 770 19 10 70

Services

Resources

About

Group

© 2016-2024 activeMind.legal

powered by rethink digital & KLEINWERKSTATT

Contact us!

+49 (0)89 / 91 92 94 – 900

Full details of how we handle your data can be found in our privacy policy.

Secure the knowledge of our experts!

Subscribe to our free newsletter:

By clicking on "Subscribe now" you consent to receive our newsletter. We will only use your data in accordance with our privacy policy.