On May 25, 2018, the personal data protection rules in the Czech Republic were substantially changed. Regulation (EU) 2016/679 of the European Parliament and of the Council – the General Data Protection Regulation, or GDPR – became directly applicable law in all EU Member States, after a two-year transition period. Thus, the principles of personal data protection in the Czech Republic, the rights, duties, and processing requirements are regulated primarily by the GDPR.
In order to adapt the legal system of the Czech Republic to the GDPR, the new Act No. 110/2019 on Personal Data Processing (PDPA) was passed and finally came into effect on April 24, 2019. The PDPA fully replaced the older Personal Data Protection Act (No. 101/2000, as amended). The PDPA contains provisions that functionally complement the GDPR. It also regulates the jurisdiction of the Office for Personal Data Protection and personal data processing for safeguarding the defense and national security of the Czech Republic.
Since the GDPR became effective, the Register of Data Controllers maintained by the Office for Personal Data Protection had been terminated. Thus, any registrations or notifications to the Office for Personal Data Protection towards processing personal data in the Czech Republic are no longer required.
A significant derogation from the GDPR, related to the limitation of certain rights and obligations, is stipulated in Section 11 of the PDPA. Articles 12 through 22, on rights of the data subject, and, as far as relevant, also Article 5, on principles relating to the processing of personal data, of the GDPR shall apply, mutatis mutandis. However, compliance with the controller’s or processor’s obligations and exercise of the data subject’s rights, laid down in those articles, could be postponed – if this is necessary and reasonable in terms of scope, to safeguard a protected interest. These include (a) the defense or security interests of the Czech Republic, (b) public policy and national security, prevention, investigation, or detection of criminal offenses, (c) prevention, investigation, detection, and prosecution of breaches of ethics for regulated professions, (d) protection of rights and freedoms of persons, (e) enforcement of civil law claims, among others. If the controller or processor limits the rights or obligations in that way, it must notify the Office for Personal Data Protection of any such limitations without undue delay.
Besides the GDPR and the PDPA, there are also some other statutes which are relevant in the data protection context, in particular Act No. 480/2004 on Certain Information Society Services, as amended, Act No. 127/2005 on Electronic Communications, as amended, and Act No. 181/2014 on Cyber Security, as amended.
The Act on Certain Information Society Services includes rules regarding spam and other unsolicited commercial communications. Any commercial communications may only be sent if a clearly identified recipient has given valid consent in advance, prior to the receipt of said communication. Recipients shall have the option to withdraw their consent in each commercial communication addressed to them, usually reflected in the unsubscribe line found at the end of an e-mail. Alternatively, the sender may rely on the soft opt-in exemption, which presumes the customer’s consent. Thus, the controller may send commercial communications to its current customers, about its own similar products or services, provided that the customer may easily prevent the sending of such commercial communications, using either the unsubscribe line at the end of an e-mail or other opt-out versions.
The Office for Personal Data Protection is the central administrative authority in the field of personal data protection which, inter alia, provides consultations and informs the public of the risks, rules, safeguards, and rights in relation to personal data processing. The Office for Personal Data Protection also adopts statements, summary materials, and recommendations. Most recently, the Office for Personal Data Protection published, inter alia, the Summary Material related to the verification of identity and processing of personal data, the Statement on a Digital Green Certificate (CovidPass), and the Recommendations on mandatory employee testing.
By Michal Matejka, Partner, and Bohdan Zubac, Attorney, PRK Partners