Who has a notification obligation?
The notification obligation exists in two general cases (Article 16 of the Czech Act on the Protection of Personal Data No. 101/2000 (the Act)):
- whoever intends to process personal data as a controller or
- alter the registered processing
The obligation is for data controllers. In case of foreign companies with a registered office outside the Czech Republic and that are registered in the country of their registered office, they still have to notify.
If there are multiple branches of a company within the Czech Republic, it will be necessary to determine, who is in the position of the data controller. That company would have to meet the notification obligation.
However, the Act includes exceptions to the general rule (Article 18 of the Act):
- if personal data are included in publicly accessible data files pursuant to a special Act (for example: The Commercial Register, the Register of Trades),
- if data controller must process personal data based on a special Act or when such personal data are needed for exercising rights and obligations pursuant to a special Act (for example: Employer data processing, renting, etc.)
In these cases, the data controller is obliged to ensure that the information otherwise accessible in the registry of the Office, in particular the purpose of the processing, categories of personal data, categories of data subjects, categories of recipients and the period of preservation, is disclosed also through remote access or in other appropriate form. The common example is the website.
- in case of processing by associations:
- within their legitimate activities
- to pursue their political, philosophical, religious or trade union goals and
- personal data relates only to members of the association or persons with whom the association is in recurrent contact related to legitimate activity of the association, and
- the personal data are not disclosed without the consent of data subject.
What should the notification include (the Article 16(2) of the Act)?
- the identification of the controller
In case of natural person who is not an entrepreneur his first name or names, surname, date of birth and address of permanent residence; in case of other subjects their trade, corporate or other name, seat and identification number if assigned, and name, eventually first names and surnames of persons that are their statutory representatives;
- the purpose or purposes of processing
- the categories of data subjects and of personal data pertaining to these subjects
- the sources of personal data
- a description of the manner of personal data processing
- the location or locations of personal data processing
- the recipient or category of recipients
- the anticipated personal data transfers to other countries
- the description of measures adopted to ensure the protection of personal data pursuant to Article 13 of the Act
It is also recommended to add additional and more detailed information about data processing. It makes the decision-making process of the Office easier, which would make it faster for a data controller to get registered.
The Office´s website includes an online form to submit a notification request with these requirements.
The online form should be used for only one data processing. If a single data controller wants to notify the Office about multiple data processing activities, they would have to submit multiple online forms.
The activity of the Office
If the notification includes all essentials and there is no concern about the personal data processing, the data processing may begin 30 days after the delivery of the notification (Article 16(3) of the Act). The Office will create a record in the registry.
In case that the notification does not include all essential information, the Czech Office for the Protection of Personal Data (the Office) sends without delay a reminder to the notifying subject in which they have to make a reference to the missing or insufficient information and set a deadline for supplementing the notification. After supplementing the notification, the new 30 days time limit begins. If there are no more problems, data processing may start after the time period.
In case that the Office holds that there is a justified concern that the data processing might breach the protection obligations, it will initiate the proceedings against the data controller. If it finds that there is no case of a personal data breach, the Office will suspend the proceedings and create a record in the registry. The data controller may start processing the next day after the Office created a record.
After the successful registration
Upon the request from the controller the Office shall issue a certificate (Article 16(5) of the Act).
The Office has a right to revoke the registration, if the controller breaches the data protection obligations or the purpose for which the processing was registered ceases to exist (Article 17a of the Act).
If the controller intends to terminate their activities and their processing was subject to the notification obligation, they have to announce to the Office without delay how they handled personal data.