Important data protection legislation in the Czech Republic

As in the majority of the EU Member States, there are several legal documents that govern the protection of personal data in the Czech Republic.

EU legislation

As in other EU Member States, Czech legislation is directly influenced by EU legislation, most notably:

  • Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
  • Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market, and
  • Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector.

Council of Europe legislation

The Czech Republic ratified the Council of Europe's Convention No. 108 for the Protection of Individuals with regard to Automatic Processing of Personal Data.

Moreover, the European Convention for the Protection of Human Rights and Fundamental Freedoms in its Article 8 grants a right to respect for private and family life, with several specified exceptions associated with public interest.

Domestic constitutional legislation

Data protection is governed by the Czech Charter of Fundamental Rights and Freedoms. It provides for the inviolability of the person and of their privacy in Article 7(1), protection against unauthorized invasions of privacy in Article 10(2) and protection against unauthorized collection, publication or other misuse of personal data in Article 10(3).

Domestic legislation: the Act on the Protection of Personal Data (the Act)

The primary legislation covering data protection in the Czech Republic at present is Act No. 101/2001 of April 4, 2000 on the Protection of Personal Data (unofficial English version). There is only this one Act and one public authority for the whole Czech Republic.

The Czech Republic does not plan any major modifications of the Act at present. With the implementation of the General Data Protection Regulation (GDPR), the Czech Republic plans to prepare an adaptation act.

The Act applies to personal data that are processed by state authorities, territorial self-administration bodies, other public authority bodies, as well as natural and legal persons, whether by automatic or other means.

The Act applies to data processing by persons or authorities on the territory of the Czech Republic. The Act also applies if a person or authority established outside the territory of the European Union carries out processing on the territory of the Czech Republic. The exception is where the personal data are only transferred over the territory of the European Union.

The Act also obliges a person or authority that carries out processing through its organizational units established on the territory of the European Union to ensure that those organizational units process personal data in accordance with the national law of the respective Member State of the European Union.

The Act protects only the personal data of natural persons, not legal persons. The Act does not apply to personal data processing carried out by a natural person exclusively for personal needs or to accidental personal data collection. There is no division between private and public sector processing.

The Act has 8 Chapters. The first three chapters are the most important for the rights and obligations associated with data processing.

Basic principles according to the Act

The Act does not include an explicit list of principles as in the EU Directive 95/46/EC. However, all of them can be found in various provisions of the Act.

Fairness and lawfulness

The Act allows personal data processing only under certain criteria; otherwise it is illegal. The Act specifies the legal grounds for personal data processing, such as obtaining the person's consent, as well as other grounds, in Article 5(2).

The Act also includes obligations for transparency of data processing. The controller or processor may collect personal data only in an open manner (Article 5(1)(d)). The person must be informed of the purpose of processing, the personal data concerned, the controller and the period of time for which the consent is being given (Article 5(4)). The person also has a right of access to information under Article 12.

Purpose limitation

The controller or processor must specify the purpose of data processing (Article 5(1)(a)) and collect and process personal data corresponding exclusively to the specified purpose (Article 5(1)(d) and Article 5(1)(f)). Additionally, the controller or processor must ensure that personal data that were obtained for different purposes are not grouped (Article 5(1)(h)).

Adequacy and non-excessiveness

The controller or processor may collect personal data only to the extent necessary to accomplish the specified purpose (Article 5(1)(d)).

Accuracy

The controller or processor must process only accurate personal data, which they obtained in accordance with the Act. If necessary, the controller or processor is obliged to update the data (Article 5(1)(c)).

Data necessity

The controller or processor must store personal data only for a period necessary for the purpose of the processing. After that period, data may be retained only for statistical, scientific or archival purposes. The controller or processor must protect such data from unauthorised interference and make them anonymous (Article 5(1)(e)).

Special domestic laws

The Act on the Protection of Personal Data is not the only act governing data protection. Here is a list of the most important acts:

  • The Electronic Communications Act No. 127/2005
  • The Act on Some Services of Information Society No. 480/2004
  • The Act on the Cybersecurity No. 181/2014
  • The Act on Healthcare Services No. 372/2011
  • The Telecommunications Act No. 151/2000
  • The Act on the Protection of Classified Information and on security qualification No. 412/2005
  • The Act on Principal Registries No. 111/2009
  • The Act on Citizen IDs No. 328/1999
  • The Consumer Protection Act No. 634/1992
  • The Act on the Citizen Evidence No. 133/2000
  • The Act on Banks No. 21/1992
  • The Labour Act No. 262/2006

The general principle is that the Act on the Protection of Personal Data is the lex generalis for data protection regulation. The above-mentioned acts usually modify the rights and obligations for particular industries or areas.

These acts usually contain additional rights and obligations. For example, the Labour Act includes several rights of employees and obligations for employers regarding the processing of employees' data.

Moreover, these acts often specify the activities of public authorities. For example, the Act on Citizen IDs describes how public authorities have to deal with citizen ID data.

Finally, there are also cases in which these acts implement obligations pursuant to the EU Directives, such as the Electronic Communications Act or the Act on Some Services of Information Society No. 480/2004.