Rowan Legal

 

What law(s) specifically govern personal data / information?

Apart from the EU legislation (mainly the GDPR), there is both general and specific national legislation governing data processing.

The general legislation is mainly represented by Act No. 110/2019 Coll., on the Processing of Personal Data, which adapts national legislation to the GDPR and transposes the Law Enforcement Directive (EU 2016/680).

As regards specific legislation, Act No. 127/2005 Coll., on Electronic Communications, sets out the requirements for data retention in telecommunications as well as the rules for the use of cookies and similar technologies and for telemarketing. Act No. 480/2004 Coll., on certain Information Society Services, regulates the liability and the rights and obligations of entities that provide information society services and disseminate commercial communications.

Specific legislation may also lay down additional rules for the processing of personal data in certain sectors, for instance the processing of health data under Act No. 258/2000 Coll., on the Protection of Public Health, or the processing of personal data connected with financial activities under Act No. 253/2008 Coll., on certain measures against money laundering and terrorist financing. In the area of employment law, Act No. 262/2006 Coll., the Labour Code, prohibits employers from processing certain sensitive data about their employees (e.g. sexual orientation, origin) and lays down the rules for employee monitoring.

 

What are the key data protection principles in this jurisdiction?

The GDPR is directly applicable and sets out the following principles:

Lawful basis for processing

The GDPR provides an exhaustive list of legal bases on which personal data may be processed:

  • consent of the data subject for one or more specific purposes;
  • contractual necessity;
  • compliance with a legal obligation of the controller to perform the relevant processing;
  • protection of the vital interests of the data subject or of another natural person;
  • performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
  • legitimate interests (i.e. the processing is necessary for the purposes of legitimate interests pursued by the controller, except where the controller's interests are overridden by the interests, fundamental rights or freedoms of the affected data subjects).

The processing of sensitive personal data requires stronger grounds and is only permitted under certain conditions, of which the most relevant are:

  • explicit consent of the affected data subject;
  • the processing is necessary in the context of employment or social security law; or
  • the processing is necessary for the establishment, exercise or defence of legal claims.

Transparency

Personal data must be processed lawfully, fairly and in a transparent manner. Regarding the processing of personal data, controllers are obliged to provide certain information to data subjects. Such information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

Purpose limitation

Personal data may only be collected for specified, explicit and legitimate purposes and must not be further processed in a manner that is incompatible with those purposes.

Data minimisation

The processing of personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which those data are processed.

Accuracy

Personal data must be accurate and, where necessary, kept up to date.

Storage limitation

Personal data must be stored in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data were initially collected.

Integrity and confidentiality

Personal data must be processed in a manner that ensures appropriate security of that data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.

Accountability

The controller is responsible for processing personal data in accordance with the GDPR. In particular, the controller is obliged to implement appropriate technical and organisational measures to ensure, and to be able to demonstrate, that processing is performed in compliance with the GDPR.

 

What is the supervisory authority / regulator in charge of data protection?

The Czech Personal Data Protection Office - https://uoou.gov.cz/en/.

 

Is there a requirement to register with a supervisory authority / regulator?

No, because the GDPR is directly applicable.

 

Is there a requirement to notify the supervisory authority / regulator?

Yes, article 33 GDPR imposes an obligation on controllers to notify the competent supervisory authority of a personal data breach without undue delay (and in any event within 72 hours) of becoming aware of a breach where it is likely to result in a risk to the rights and freedoms of natural persons. This obligation is further explained below.

Article 36 GDPR also requires the controller to consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.

According to Article 37 GDPR, entities that are obliged to appoint a data protection officer are required to communicate the contact details of the DPO to the supervisory authority.

 

Is it possible to register with / notify the supervisory authority / regulator online?

Yes, there is an online form for notifications of a personal data breach according to Article 33 GDPR, available here (only in Czech).

Notifications can be sent to the Czech Office for Personal Data Protection at the e-mail address: [email protected].

 

What are the key data subject rights under the data protection laws of this jurisdiction?

The rights stipulated under the GDPR (set out below), with certain deviations and restrictions in the cases of processing necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority, and further in cases of processing of data for journalistic, scientific or research purposes.

Rights under the GDPR:

Right to information

Pursuant to Articles 13 and 14 GDPR, data subjects have the right to be provided with information on the identity of the controller, the reasons for processing their personal data and other relevant information necessary to ensure the fair and transparent processing of personal data.

Right of access

A data subject has the right to obtain from a controller certain information in respect of the data subject's personal data as listed in Article 15 GDPR.

Additionally, the data subject may request a copy of the personal data being processed.

Right to rectification of errors

Pursuant to Article 16 GDPR, data subjects have the right to rectification of inaccurate personal data.

Right to deletion/right to be forgotten

Data subjects have the right to erasure of their personal data (the 'right to be forgotten') if one of the grounds listed in Article 17 GDPR applies.

Right to restriction of processing

Data subjects have the right to request restriction of the processing of personal data, which means that the data may only be processed for limited purposes as defined in Article 18 GDPR.

Right to data portability

Data subjects have a right to receive a copy of their personal data in a commonly used machine-readable format, and transfer their personal data from one controller to another or have the data transmitted directly between controllers (Article 20 GDPR).

Right to object to processing

Data subjects have the right to object, on grounds relating to their particular situation, to the processing of personal data where the basis for that processing is either public interest (Article 6 para 1(e) GDPR) or the legitimate interest of the controller (Article 6 para 1(f) GDPR). The controller must cease such processing unless it demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the relevant data subject, or it requires the data in order to establish, exercise or defend legal rights.

Data subjects have the right to object to the processing of personal data for marketing purposes, including profiling.

Right to withdraw consent

A data subject has the right to withdraw their consent at any time (Article 7 para 3 GDPR). The withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.

Right to complain to the relevant data protection authority(ies)

Data subjects have the right to lodge complaints concerning the processing of their personal data with the competent data protection authority.

Right not to be subject to automated individual decision-making

Under certain circumstances, data subjects have the right not to be subject to a decision based solely on automated processing of data (including profiling), which produces legal effects or similarly significant effects for the data subject (Article 22 GDPR).

It is important to note that this is only a summary. Other qualifications and limitations to these rights may be relevant.

 

Is there a requirement to appoint a data protection officer (or equivalent)?

Under the GDPR (Articles 37 to 39), a Data Protection Officer (DPO) must be appointed by organisations that:

  • are a public authority or body (except for courts acting in their judicial capacity);
  • have core activities that require large-scale, regular and systematic monitoring of individuals (for example, online behaviour tracking); or
  • have core activities that consist of large-scale processing of special categories of data or of data relating to criminal convictions and offences.

This applies to both controllers and processors. Organisations that are not required to appoint a DPO may do so voluntarily. In making a voluntary appointment, organisations should be aware that the same requirements of the position and tasks apply as if the appointment had been mandatory.

The DPO must have expert knowledge of data protection law and practices, be independent and report to the highest management level.

 

Do data protection/ privacy impact assessments need to be carried out in certain circumstances?

Yes, pursuant to Article 35 GDPR the controller is obliged – prior to the processing – to carry out a Data Protection Impact Assessment ('DPIA'), where the type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons.

In line with Article 35 para (4) and (5) GDPR, the Czech supervisory authority has also published (i) a list of the kinds of processing operations which do not require a DPIA (for example a standard employee agenda, standard processing of customers' and website users' data, and processing conducted by healthcare providers, attorneys, notaries and social services providers) and (ii) the criteria for determining whether any other processing requires a DPIA (based on the existence of monitoring of data subjects, the processing of certain categories of data, large-scale processing, the use of advanced or complex infrastructure, and the use of new technologies). This guidance is available under this link (in Czech only).

 

Does this jurisdiction have any specific data breach notification requirements?

The controller is obliged to report a personal data breach to the relevant data protection authority, unless the breach is unlikely to result in a risk to the rights and freedoms of the data subjects. If the controller is obliged to notify a personal data breach to the competent authority, the notification shall be made without undue delay and within 72 hours of first becoming aware of the breach.

The notification must include a description of the nature of the personal data breach including the categories and number of data subjects concerned, the name and contact details of the data protection officer or relevant point of contact, the likely consequences of the breach and the measures taken to address the breach, including attempts to mitigate possible adverse effects.

Furthermore, the controller is obliged to communicate the breach to the data subjects if the breach is likely to result in a high risk to the rights and freedoms of natural persons. In that case, the controller must communicate the personal data breach to the data subjects without undue delay. If the controller fails to comply with this obligation, the competent authority may require the controller to inform the data subjects.

A processor must notify any data breach to the controller without undue delay.

The EDPB (European Data Protection Board) has issued guidelines on the data breach notification, detailing requirements for data breach notifications (Guidelines 9/2022 on personal data breach notification under GDPR and Guidelines 01/2021 on Examples regarding Data Breach Notification). The Czech supervisory authority provides a summary of these guidelines along with its own input and an interactive Data Breach Notification Form, available here (in Czech only).

 

What restrictions apply to the international transfer of personal data / information?

International data transfers (i.e. transfers to jurisdictions outside the European Economic Area ('EEA')) can only take place if the transfer is subject to an 'Adequacy Decision' or the recipient has implemented certain safeguards required by the GDPR.

The EU Commission has issued decisions concerning an adequate level of protection on the basis of Article 45(3) GDPR for the following countries: Andorra; Argentina; Canada; Faroe Islands; Guernsey; Isle of Man; Israel; Japan; Jersey; New Zealand; Republic of Korea; Switzerland; United States (only in the case of companies certified under the EU-US Data Privacy Framework); Uruguay; and the United Kingdom (under the GDPR and the Law Enforcement Directive).

For data transfers to all other countries, the controller is obliged to ensure compliance in one of the following ways:

The transfer may be based on contracts agreed between the data exporter and data importer provided that they meet the protection standards outlined in the GDPR. Additionally, prior approval by the relevant data protection authority is key.

The transfer may be based on Binding Corporate Rules ('BCRs'), in particular within a group of entities. For BCRs prior approval by the relevant data protection authority is needed. Most importantly, the BCRs need to include a mechanism to ensure they are legally binding and enforced by every member in the group of entities.

The transfer is covered by one of the permitted derogations set out in Article 49 GDPR (in the absence of an adequacy decision or appropriate safeguards), such as the explicit consent of the data subject, the transfer being necessary for the performance of a contract between the data subject and the data controller at the data subject's request or in the interest of the data subject, or the transfer being necessary for the establishment, exercise or defence of legal claims.

 

Do the data protection laws in this jurisdiction have “extra-territorial effect” (i.e. do they apply to organisations outside this jurisdiction)?

With regard to its geographic scope, the GDPR combines the principles of establishment, market place and territoriality.

Pursuant to the principle of establishment, the GDPR is applicable for processing activities carried out in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing itself takes place in the EU.

Pursuant to the market place principle, the GDPR is applicable to the processing of personal data of data subjects situated in the EU by a controller or processor who is not situated in the EU, where the processing activities are related to (i) the offering of goods or services to such data subjects situated in the EU, irrespective of whether a payment by the data subject is required; or (ii) the monitoring of their behaviour, as far as their behaviour takes place within the EU (principle of territoriality).

 

What rules specifically deal with marketing?

From the perspective of sending commercial communications, different rules apply to mailed advertisements (no specific regulation), to advertisements conducted via telephone (consent is required for automated calling and for calling numbers on the 'do not call' list under Act No. 127/2005 Coll., on Electronic Communications), and to commercial communications (consent is required for non-customers, while current customers must be given a prior and subsequent opt-out possibility, under Act No. 480/2004 Coll., on certain Information Society Services, which implements the EU ePrivacy Directive).

Finally, there are also rules regarding marketing practice generally, which address the protection of consumers and specific areas of advertising (alcohol, tobacco, medicines, etc.). These are provided by Act No. 40/1995 Coll., on Advertising Regulation, and Act No. 634/1992 Coll., on Consumer Protection.

 

Do different rules apply to business-to-business and business-to-consumer marketing?

Yes, but the only differences are that in the case of B2B marketing no personal data are processed in some cases (and therefore the GDPR will not apply), and that some advertisements may only be communicated to professionals in the relevant field (tobacco, electronic cigarettes, infant formulas).

 

What rules specially deal with electronic marketing (for example, by email, text message, WhatsApp message, online ads etc)?

The sending of electronic mail or SMS, including any kind of instant messaging such as WhatsApp, Messenger or other similar services, for purposes of direct marketing requires the recipient's prior opt-in consent unless the so-called "customer exception" or "customer opt-out" can be relied upon.

Such prior consent is not required if:

  • contact details for the communication were obtained in the context of a sale or a service to the recipient;
  • the communication is transmitted for the purpose of direct marketing of similar products or services of the sender; and
  • at the time the electronic contact information was collected, and on the occasion of each subsequent contact, the recipient has been given the opportunity to object, free of charge and in an easy manner, to such use of their electronic contact details.

A new bill is currently in the legislative process which should also provide some more detailed rules e.g. on the time period during which the “customer exception” can be relied upon or specific new rules for commercial communication by members of a professional self-governing chamber (e.g. attorneys, architects, pharmacists, physicians etc.).

 

What rules specifically deal with cookies?

The national legislation, represented by Act No. 127/2005 Coll., on Electronic Communications, transposes the legal framework stipulated by the ePrivacy Directive. The storage of non-essential cookies (or similar technologies) on an end user's device requires prior consent. Section 89 of Act No. 127/2005 Coll., on Electronic Communications, distinguishes between:

  • cookies serving the sole purpose of carrying out the transmission of a communication via an electronic communications network or necessary to provide a service requested by the subscriber or user, which do not require the consent of the user; and
  • any other cookies, which require the consent of the user.

Under EU law established by the CJEU (Planet49, C-673/17), consent to the use of cookies containing personal data as described has to be explicit opt-in consent.

The Czech supervisory authority is quite active in this field, since the requirement of prior consent was introduced at the beginning of 2022. This has resulted in a rather extensive decision-making practice, through which the Czech supervisory authority has established specific requirements, for example regarding pre-ticked boxes or the different colour of "Allow all" and "Refuse all" buttons. These requirements are also summarised in its FAQs on cookies (available here, in Czech only).

 

What are the consequences of non-compliance with data protection laws (including marketing laws)?

Fines that may be imposed for violation of the data processing legislation are stipulated in the GDPR. The maximum penalty is the higher of EUR 20 million or 4 % of worldwide turnover (Article 83 GDPR).

If the rules regulating marketing are breached, a fine of up to CZK 5 million may be imposed.

If the rules regulating the sending of commercial communications are breached, a fine of up to CZK 10 million may be imposed.

It is important to note that the Czech supervisory authority follows the European Data Protection Board's Guidelines 04/2022 on the calculation of administrative fines under the GDPR (available here). This has resulted in higher fines being imposed in recent years. Most notably, in 2024 the authority imposed a fine of CZK 351 million (approximately EUR 14.4 million) on the antivirus provider Avast Software s.r.o. for unlawful processing of personal data (available here). This remains the largest GDPR fine imposed in Czechia to date.

 

In broad terms, multinational organisations should be aware of what key factors if they process personal data / information from individuals within this jurisdiction, without being located there?

Controllers and processors who are not established in the EEA are generally required under Article 27 of the GDPR to designate a representative in the EEA where their activities fall within the territorial scope of the EEA data protection regime under Article 3, specifically if they involve processing personal data of data subjects within the EEA in connection with the provision of goods or services, or the monitoring of the behaviour of data subjects located in the EEA.

Apart from what is mentioned above, Czech law is largely harmonised with European legislation, so there are no specific national requirements that need to be mentioned.

 

What upcoming data protection developments should multinational organisations be aware of?

The Act on the Digital Economy is currently in the legislative process and should adapt the Czech legal order to new EU legislation such as the Data Governance Act, the Digital Services Act, the Regulation on promoting fairness and transparency for business users of online intermediation services and other EU legal acts. The new Act will also incorporate, in particular, the above-mentioned rules on digital commercial communication.

The new Act should be passed through the Parliament and enacted in the course of 2025.

Further developments may also be expected in connection with upcoming EU regulations, in particular the Data Act and the planned revision of the GDPR. Although these regulations are directly applicable, it is highly likely that the Czech legislator will adopt implementing acts or amend the existing legislative framework, thereby introducing additional requirements for the protection of personal data.

 

Need more information?
Contact a member firm:
Filip Beneš
Rowan Legal
Czech Republic
Michal Nulíček
Rowan Legal
Czech Republic