On Wednesday, April 24, 2019, the new data protection legislation was published in the Czech Collection of Laws and became effective. In doing so, the Czech Republic remedied its legislative deficiency, as it was one of the last EU states lacking the data protection adaptation legislation. (The overview of the current state of GDPR implementation in the Member States can be found here).
The Czech national implementation consists of two acts reflecting both the General Data Protection Regulation (GDPR) and the data protection Directive (EU) 2016/680 for Police and Criminal justice authorities. The first one is the Act on Personal Data Processing (PDPA)[1], replacing the previous data protection legislation from the year 2000. The second is the accompanying act[2] adjusting other 39 related legal acts such as the Criminal Procedure Code, the Anti Money Laundering Act, the Freedom of Information Act and others.
Besides the enactment of some specification or extensions of provisions already established by the GDPR, the Czech legislation makes only limited use of number of derogation options given by the GDPR for the national discretionary power. Below we bring an overview of the most significant provisions:
- Exemption from the obligation to assess compatibility of further processing with the initial purpose of data collection [Art. 6 (4) GDPR] – The exemption from the compatibility assessment applies in case of the further data processing necessary for securing a ‘protected interest’ such as national defense and security interests, prevention and detection of criminal offenses or regulated ethical rules, protection of the rights and freedoms of persons or enforcement of private claims. In addition, in case of securing a ‘protected interest’ some rights of data subjects as well as data breach notification obligation may be limited.
- Age limit for the child’s consent in relation to information society services [Art. 8 GDPR] – The minors from the age of 15 may grant a consent to the processing of his or her personal data for the purpose of providing information society services (e.g. social networks, online games or e-mail services) without the consent of the legal guardian.
- Possibility to fulfil the information obligation in a manner allowing distant access [Art. 13 and 14 GDPR] – In case of data processing based on legal obligation or in public interest, the controller may inform the data subjects by merely publishing the information in a manner allowing distant access (without informing each data subject separately).
- Notification of the personal data changes by register adjustment [Art. 19] – Another simplification is the possibility of the controller to communicate any rectification or erasure of personal data or restriction of processing to recipients by changing personal data in the register provided the updated register is regularly made available to the recipient.
- Limitation of the obligation to carry out the data protection impact assessment (DPIA) [Art. 35 GDPR] – In situations where the data processing is ordered directly by law, the controller is not required to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. In addition, the Czech data protection supervisory authority (Úřad pro ochranu osobních údajů (ÚOOÚ); The Office for Personal Data Protection) has published the list of the processing operations subject to the requirement of the DPIA.[3]
- Processing for scientific or historical research or statistical purposes [Art. 89] and processing for journalistic purposes or the purpose of academic artistic or literary expression [Art. 86] – The PDPA provides for some exemptions and derogations in case of processing for the mentioned purposes, such as limitation from the information obligation or to the right to object.
- Exemption from imposing administrative fines and penalties for public authorities and bodies [Art. 82 – 84 GDPR] – On of the most controversial provisions of the new act is the provision stipulating that the data protection authority shall refrain from imposing an administrative fine on public authorities and bodies. Unlike other data controllers, public authorities and bodies will not be fined in cases of an infringement of the GDPR or the Czech data protection legislation – despite the fact that some of them process massive amounts of personal data, including sensitive data and were in the past, repeatedly in breach of the data protection rules.
Further, the PDPA again declares The Office for Personal Data Protection (ÚOOÚ) to be the supervisory authority for the data protection matters, newly determines its structure and entrust it with various powers including the right to conduct inspections, on-site audits, impose fines, etc.
The newly adopted acts bring an end to the uncertainty in the area of the data protection in the Czech Republic caused by the lack of implementation legislation. With the first cases of data breaches coming, we will see how the data protection authority handles its re-establish role and if it will continue in the current approach guided by the principle of reparation rather than immediate repression. Instead of initiating sanction proceedings (in case of minor controllers and/or isolated and minor offenses), it informed the controller and called on him to remedy the defective processing.
[1] Act No. 110/2019 Coll., on Personal Data Processing; available in Czech at https://aplikace.mvcr.cz/sbirka-zakonu/ViewFile.aspx?type=c&id=38632
[2] Act No. 111/2019 Coll., amending certain acts in connection with the adoption of the Act on Personal Data Processing; available in Czech at https://aplikace.mvcr.cz/sbirka-zakonu/ViewFile.aspx?type=c&id=38632
[3] The list of the processing operations subject to the requirement of the DPIA available in Czech at https://www.uoou.cz/assets/File.ashx?id_org=200144&id_dokumenty=33193. The opinion of the European Data Protection Board on the draft list of the competent supervisory authority of Czech Republic regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR), Opinion 4/2018, Adopted on 25th September 2018 available at https://edpb.europa.eu/sites/edpb/files/files/file1/2018-09-25-opinion_2018_art._64_cz_sas_dpia_list_en.pdf