Legal basis according to Czech data protection law

The basic rule for personal data processing under the Czech Act on the Protection of Personal Data No. 101/2000 (the Act) is that the controller may process personal data only with the consent of the data subject (Article 5(2) of the Act). However, the Act enables controllers to process personal data without consent in specific situations.

Data processing based on the consent of the data subject

The controller must be able to prove the data subject's consent to the personal data processing during the whole period of processing (Article 5(4) of the Act). Therefore, the data subject must agree to the processing of their personal data before it begins.

The definition of the consent of the data subject has these characteristics:

  • a free and
  • informed manifestation of will
  • by which the data subject signifies his or her assent to personal data processing

The Act specifies the conditions for a lawful informed manifestation of will. When giving consent, the data subject must be provided with information about (Article 5(4) of the Act):

  • the purpose of the data processing
  • which personal data are processed
  • which controller will process the data
  • the period of time for which the consent is given

When collecting personal data, the controller is obliged to inform the data subject about (Articles 11(1) and (2) of the Act):

  • the scope of the processing
  • who will process the personal data and in what manner, in case the data will be processed by someone else
  • to whom the personal data may be disclosed, unless the data subject is already aware of this information
  • the data subject's right of access to the personal data, the right to have the personal data rectified, and other rights
  • whether the provision of the personal data is obligatory or voluntary

The consent remains valid if it satisfies all the requirements of Article 5(4) but the information requirements of Article 11(1) and (2) were not met. However, the controller may be sanctioned for not meeting the information requirements.

Other important rules about the use of consent

Data subjects give consent themselves, but it is also possible to obtain consent from a legal representative (in the case of children's personal data, etc.) or from an authorised person.

Czech legislation does not include an explicit rule on the withdrawal of consent. There are numerous provisions which enable the data subject to express disagreement with data processing, and the withdrawal of consent is possible too; the right is based on the general rules of private law. On the other hand, this also means that a withdrawal of consent might result in damages for the controller, or that the withdrawal is invalid.

For further guidance on the consent of the data subject in the Czech Republic, read the overview published in English by the Czech Office for Personal Data Protection.

Personal data processing without consent of the data subject

The Act enables controllers to process personal data without consent in specific situations.

These situations include:

  • if the controller is carrying out processing which is essential to comply with a legal obligation of the controller (Article 5(2)(a) of the Act)
  • if the processing is essential for the fulfilment of a contract to which the data subject is a contracting party, or for negotiations on the conclusion or alteration of a contract negotiated on the data subject's proposal (Article 5(2)(b) of the Act)
  • if the processing is essential for the protection of vitally important interests of the data subject (Article 5(2)(c) of the Act)

In the last case, however, the consent of the data subject must be obtained without undue delay. If the consent is not granted, the controller must terminate the processing and liquidate the data.

  • if the personal data were lawfully published in accordance with special legislation (Article 5(2)(d) of the Act)

Personal data are considered published (Article 4(l) of the Act) if they are disclosed, in particular, by mass media, via another form of public communication, or as part of a public list.

However, the Act requires the controller to protect the private and personal life of the data subject.

  • if the processing is essential for the protection of the rights and legitimate interests of the controller, the recipient or another person concerned (Article 5(2)(e) of the Act)

However, the Act requires the controller to process the personal data in a way that does not contradict the data subject's right to the protection of his or her private and personal life.

  • if the controller provides (discloses) personal data on a public figure, official or employee of public administration that reveal information on their public or administrative activity, or on their functional or working position (Article 5(2)(f) of the Act)
  • if the processing relates exclusively to archival purposes pursuant to a special Act (Article 5(2)(g) of the Act)

Data breaches and notification obligations

At present, the legal regime for handling data breaches is based on the general provisions on data security. Pursuant to Article 13, the controller and the processor are obliged to adopt measures preventing:

  • unauthorised or accidental access to personal data
  • unauthorised transmission
  • other unauthorised processing
  • other misuse of personal data

This obligation remains valid even after the personal data processing has been terminated.

However, the Act does not include a general obligation to notify data breaches to a public authority. Only specific categories of controllers are obliged to notify data breaches, pursuant to specific laws.

Under the Electronic Communications Act No. 127/2005, providers of publicly available electronic communications services have an obligation to notify a breach to the Office as well as to the data subjects. That Act specifies the details of the notification and also includes an obligation to keep a record of data breaches, including an impact assessment and the measures implemented. The notification period is 24 hours and the sanction is up to 20 million CZK.

Under the Act on Cybersecurity No. 181/2014, it is obligatory to notify a data breach to a public authority in the case of critical infrastructure data breaches. However, these rules do not apply to the vast majority of private sector companies.

To report a breach of personal data protection, use the online form on the website of the Office for Personal Data Protection.