Pursuant to Article 10 of the Data Protection Act, the controller is not obliged to carry out a DPIA prior to a specific processing of personal data where the controller is required to process such personal data by specific legislation.
DPIA list from the Czech supervisory authority
The Czech Data Protection Authority published a list of processing operations for which the data protection impact assessment is and is not necessary (in Czech).
For example, a DPIA is necessary for the following operations:
- the monitoring of behaviour (e.g. using CCTV),
- the processing of special categories of personal data,
- the processing of personal data that may cause harm to the data subjects (e.g. data about sexual orientation, physical disability, religion, etc.),
- the large-scale processing of personal data, which needs to be evaluated case by case; the Czech Data Protection Authority has nevertheless specified several thresholds, such as processing the personal data of more than 10,000 data subjects, or more than 20 employees or other persons having access to the personal data.
On the other hand, a DPIA is not necessary for the following operations:
- processing of personal data of employees with a permanent place of work in the Czech Republic for the purpose of compliance with a legal obligation (e.g. accounting or HR agenda),
- processing of personal data from a single visit by a customer to a website, provided that no special categories of personal data are processed and no targeting of vulnerable groups occurs,
- personal data processing by individual attorneys, if additional criteria are met (for example purpose limitation, no transfer of data to third countries, no use of a processor, etc.),
- processing of personal data of customers (including competitions or newsletters), provided that the processing includes no special categories of personal data and the data is processed only in the Czech language.
The Office also published a methodology on how to perform data protection impact assessments. It includes a step-by-step guide to conducting a DPIA as well as a methodology for risk identification and assessment.
Finally, the Czech Data Protection Authority issued guidelines on the use of data protection impact assessments in the legislative process.