Online data protection under Czech law

The area is regulated by several acts, in particular:

  • The Electronic Communications Act No. 127/2005 (the Electronic Communications Act)
  • The Act on Some Services of Information Society No. 480/2004 (the Information Society Act)
  • The Act No. 101/2001 of April 4, 2000 on the Protection of Personal Data

In these laws, the Czech Republic implemented the requirements pursuant to several EU directives, in particular:

  • Directive 2000/31/EC on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market
  • Directive 2002/58/EC on the processing of personal data and the protection of privacy in the electronic communications sector

As the regulation is spread across several acts, it might be difficult to determine a list of obligations for website providers.

Information requirements for website operators

The Information Society Act describes some of the obligations of website owners as information society service providers. However, unlike similar laws implementing EU Directive 2000/31/EC in other countries, it does not include a list of specific details that a website operator has to disclose on the website pursuant to Article 5 of the Directive.

On the other hand, in other laws there are several obligations for specific categories of website providers.

Undertakings

Under the Czech Act No. 90/2012 on Commercial Companies and Cooperatives (Business Corporations Act), certain types of undertakings have to meet specific information requirements (Article 7(2-3)):

  • Public limited liability company – always has to disclose some information via a website
  • Private limited liability company – if it has a website, it has to disclose the information there

The websites of these undertakings must include information such as the name of the undertaking, a registered office, a record of a public limited liability company, including a section and an insert, identifying information, and additional information required by law (registered capital, group of undertakings, etc.).

However, it is argued that the rule applies only to the website of a firm and it does not mean that such data must be included in websites operated by the firm, such as product websites, etc.

Website providers targeting consumers

Based on the Czech Civil Code No. 89/2012 (the Civil Code), a website provider that targets consumers might have to satisfy several information requirements. Pursuant to Article 1811(2) of the Civil Code this is the case:

  • if the relationship between an undertaking and a consumer is heading towards a contract completion and
  • the information is not already available based on the context of the situation
  • the undertaking must inform the consumer in an appropriate time before contract completion or before the consumer comes up with a binding offer

The information requirements include:

  • undertaking’s identity, or a phone number or an address for electronic mail or another contact detail
  • other information about the products themselves

Therefore, for this particular group of website providers, it will be obligatory to provide the consumers with certain contact information.

To get more details about the information obligations for website providers, read the article.

Web analytics & Cookies

The requirements of EU Directive 2002/58/EC were implemented in the Electronic Communications Act.

For anyone interested in using web analytics services based on a cookie in the user’s browser, there are basically two different legal regimes.

For some types of cookies and situations, the legislation does not impose any specific action and the website provider might collect data based on cookies. These situations include (Article 89/3):

  • activities relating to technical storage or access and serving exclusively for the purposes of performing or facilitating message transmission via the electronic communications network
  • where such technical storage or access activities are needed for the provision of an information society service explicitly requested by the subscriber or user

For other situations, including the majority of web analytics cookies, the Electronic Communications Act requires (Article 89/3):

  • anybody wishing to use, or using, the electronic communications network for the storage of data or for gaining access to the data stored in the subscribers’ or users’ terminal equipment
  • shall inform those subscribers or users beforehand in a provable manner about the extent and purpose of processing such data and
  • shall offer them the option to refuse such processing

It means that the Czech cookie legislation requires an opt-out regime for cookie collection. Such a conclusion was confirmed by several authors or mentioned in an opinion of the Czech Office for Personal Data Protection. However, at the same time, the Office acknowledged that the current regime is not in accordance with the requirements of the EU Directive.

On the one hand, it is argued that website providers should operate an opt-in regime and should require the consent of the user. On the other hand, it is argued that the Act must be interpreted in accordance with the EU Directive. Then again, it is argued that the consent requirement results from cookies being personal data pursuant to the Personal Data Protection Act.

Therefore, it is possible to recommend using at least an opt-in regime, in which a cookie is used only after the user consents by using the website.

Regarding the information requirements associated with a cookie, the user should get:

  • clear, comprehensible and complete information
  • about data processing, its means and purpose and
  • about how to withdraw the consent

To read more about the obligations of the website providers when dealing with personal data, in particular about the processes of their publication, please refer to an opinion by the Czech Office for Personal Data Protection.