Because the Czech Republic is a member of the EU, it was obliged to adopt the General Data Protection Regulation (GDPR) on May 25, 2018. The country's government did so when it passed the Personal Data Processing Act (PDPA) in 2019.
This article will cover GDPR Compliance in the Czech Republic and further data protection rules specific to the country, such as issues with cookie processing and penalties for violations of the law. We also provide steps businesses can take to become compliant.
The GDPR's Article 4 sets out several important definitions that you need to be aware of, and that the PDPA adopts. These include the following:
Personal Data - Personal data is specified as:
"any information related to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, indirectly or directly, particularly in reference to an identifier such as location data, a name, an identification number, an online identifier or to other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
This is an expansive definition. In practice, it encompasses any data that could be used to pinpoint a specific individual. This includes readily apparent identifiers such as name and address, as well as IP addresses and cookies.
Sensitive Data - Homing in on personal data, the term "sensitive data" is even more specific. It's defined as:
"personal data consisting of political opinions, racial or ethnic origin, trade union membership, philosophical or religious beliefs, and the processing of biometric data, genetic data, with the aim of uniquely identifying a natural person, information concerning health or data concerning a natural person's sex life or sexual orientation."
Biometric Data - Biometric data is defined as:
"personal information resulting from specific technical processing related to the physiological, physical, or behavioral characteristics of a natural person, which permit or confirm the identification of that natural person, such as dactyloscopic data or facial images."
This would include data produced by fingerprint scanners, iris scanners, and other devices that identify a person based on their physical characteristics.
Pseudonymisation - Pseudonymisation is defined as:
"the processing of personal data in such a way that the personal information can no longer pertain to a specific data subject without the use of additional data, provided that such additional data is kept separately and is subject to organizational and technical arrangements to ensure that the personal data is not attributed to an identified or identifiable natural person."
In other words, it's the process of disguising personal information so that it can't be attributed to a specific individual without additional information, which is kept separately and subject to technical and organizational measures to ensure non-attribution.
The GDPR applies to businesses that process the personal data of individuals in the European Union. The law applies regardless of where the company is based. As previously stated, the Czech Republic is an EU member state.
According to Article 3, the GDPR applies to anyone who:
In other words, if your business processes the personal data of Czech citizens, you must comply with the GDPR. You must also abide by other Czech data protection rules no matter where your company is headquartered.
National Exemptions
There are some important organizational exemptions to the GDPR in the Czech Republic, including in the areas of:
Additionally, the PDPA adds exemptions in the areas of:
Companies must process personal data in accordance with six privacy principles. These principles relate to the collection and processing of personal data, and require the following:
Under the GDPR's Article 6, you need a lawful basis for processing personal data. There are six acceptable legal bases:
Note that the Czech Republic has a lower age of consent than other EU member states. Under the GDPR, when a child under 16 years of age wishes to use an online service, companies are legally bound to obtain permission from their parent or legal guardian.
However, in the Czech Republic, children as young as 15 can legally provide digital consent for their personal data to be processed.
Data Protection Officers are a must for any company that engages in any of the following:
In the Czech Republic, companies must also appoint a Data Protection Officer if the processing is performed by an authority authorized to carry out statutory tasks that are within the public interest.
A Data Protection Officer's duties are described in Article 39 of the GDPR and are as follows:
You must conduct privacy impact assessments if your company carries out "high risk" processing. These include situations when:
If the privacy impact assessment determines that the risk cannot be mitigated, the controller must consult the appropriate supervisory authority.
In addition, companies should be aware that the Czech government has the power to draw up a list of businesses that engage in "high risk" processing. The companies on this list may vary over time.
On October 23, 2019, the Czech government also created a document providing additional guidance on how controllers and other subjects should move forward with privacy impact assessments. These add to the GDPR's privacy impact assessment rules and thus make for a stricter process in the Czech Republic.
Understanding data subject rights is one of the first steps in ensuring compliance with the GDPR. With that in mind, a list of rights the regulation protects is immediately below. The list also contains unique interpretations in the Czech Republic, of which you should be aware.
Privacy notices are required. When individuals provide data to a controller, the company must inform them of how it will process their information.
This includes the identity of the controller, the purpose behind any processing methods used, and what level of access each party has to the personal data at all times during the individual's interaction with that organization.
Note that in the Czech Republic, no rule states the privacy notice must be in the Czech language. However, ensuring Czech citizens can read and understand it is a best practice.
Data subjects are entitled to ask for access to copies of their personal data by making a written request. Controllers must not charge a fee for the first request.
You may charge for additional requests. Further, controllers can deny the request if it is deemed excessive or unfounded. Either way, the controller must respond to the data subject within one month.
An additional two-month extension may be deemed acceptable if the access request is complex.
Please note that the EU has drafted a new document that aims to give data subjects more control over access to their data. Additionally, that document would further curtail the ability of controllers to limit access.
Individuals have the right to receive the personal data they have provided to a controller in a commonly used, structured, and machine-readable format.
They are also entitled to transmit that data to another controller without hindrance from the original controller.
Under the GDPR, individuals are entitled to request that a controller erase their personal data, where that information is no longer necessary in relation to the purposes for which it was initially collected or processed.
This right exists to protect individuals from having their data retained indefinitely by controllers.
However, there are some exceptions to this right, including where the data is necessary for exercising the right of freedom of information and expression, for compliance with a legal obligation, or for the establishment, defense, or exercise of legal claims.
The right to object to direct marketing is the right of individuals to object to their data being used for direct marketing purposes.
The GDPR defines direct marketing as "the communication by whatever means of advertising or other form of solicitation directed to particular individuals with a view to promoting, directly or indirectly, any goods, services or events."
This right is not absolute, and certain conditions must be met for an objection to be valid. For example, the data subject must have a "reasonable ground relating to their particular situation."
The general obligation to protect personal data from unauthorized access is a core part of the GDPR. This means that organizations will need appropriate technical and organizational measures in place and clear policies for employees who manage datasets or have access to them on behalf of an employer.
Specifically, controllers and processors must ensure the following:
If you engage a third party to process personal data on your behalf, the GDPR requires that you take steps to ensure they are doing so in a way that is compliant with the regulation.
This includes ensuring that the agent has appropriate security measures in place to protect the data and that they have contractually committed to only processing the data following your instructions.
Furthermore, you are required to perform due diligence on any potential third-party agent before engaging them to ensure they will be able to comply with the GDPR.
Finally, you must ensure that you have a written contract with the processor. That contract must contain the enhanced clause concerning processing activities, a specific term the GDPR requires in any agreement between a controller and a processor.
The clause establishes each party's responsibilities with regard to data processing. It ensures that both parties are compliant with the GDPR.
In order for cookies to be used on a website, the user must give their consent. The data subject must provide this consent through a clear and affirmative action, such as clicking a button or ticking a box.
The company must also inform the user about what they are consenting to. In other words, you must provide them with clear and concise information about the cookies that will be used and what these cookies will do.
This information must be easily accessible and understandable for the user.
Processing personal data through technical cookies is allowed without consent. However, this exception only covers storing cookies in, and reading them from, the user's browser. Any further processing of the data must comply with the GDPR's rules on consent.
Controllers can store cookies for a period up to 12 months, which is considered reasonable.
To acquire cookie consent, controllers must ensure the following:
There are a few methods that business owners can use to obtain cookie consent from their data subjects.
A common practice is to have a banner on the website that explains what cookies are being used and why. It typically also provides a link to the privacy policy.
The banner should also include a button that allows visitors to accept or reject the use of cookies.
Another standard method is to have a pop-up window that appears when the website is first accessed.
This pop-up should also explain what cookies are being used and why and provide a link to the privacy policy. It should also include a button that allows visitors to accept or reject the use of cookies.
Pre-ticked boxes are unacceptable for cookie consent because they do not give the data subject a choice. The data subject must be able to choose whether or not to accept cookies, and a pre-ticked box takes away that choice.
This is why GDPR compliance requires that visitors explicitly give their consent before the company can place cookies on their devices.
Different sized or colored buttons are unacceptable for cookie consent because they do not give the data subject a clear choice.
The data subject must be able to choose whether or not to accept cookies, and different sized or colored buttons make it difficult to understand the choices.
The button for accepting cookies must be the same color and size as the button for rejecting cookies.
The GDPR states that consent must be "freely given, specific, informed, and unambiguous."
Closing the cookie notice does not constitute consent because the data subject is not making an active, explicit choice to accept or reject the cookies.
If a data subject rejects the use of cookies, the controller must not ask for cookie consent again for a period of six months.
It is possible to reduce this time frame if the following occurs:
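The consent rules in this section (explicit accept or reject only, closing the notice is not consent, technical cookies need no consent, consent kept for at most 12 months, no re-asking for six months after a rejection) can be captured as a small state machine. This is an added example, not code from the article or from any particular consent tool; the state shape, the category names and the exact day counts are this example's own assumptions.

```javascript
// Added example (not from the article): consent-state logic for a cookie banner that
// follows the rules described above. State shape, category names and day counts are assumed.
const MS_PER_DAY = 24 * 60 * 60 * 1000;
const CONSENT_TTL_MS = 365 * MS_PER_DAY;   // consent kept for at most 12 months
const REJECT_QUIET_MS = 182 * MS_PER_DAY;  // do not re-ask for six months after a rejection
const OPTIONAL_CATEGORIES = ["analytics", "marketing"]; // need consent; "necessary" never does

// Fresh state: no decision and nothing granted, i.e. no pre-ticked categories.
function defaultState() {
  return { decision: "none", granted: [], at: null };
}

// Apply a user interaction. Only explicit "accept" / "reject" change the state;
// "close" (dismissing the notice) is ignored because closing is not consent.
function applyAction(state, action, now, chosen = []) {
  if (action === "accept") {
    const granted = chosen.filter((c) => OPTIONAL_CATEGORIES.includes(c));
    return { decision: "accepted", granted, at: now };
  }
  if (action === "reject") {
    return { decision: "rejected", granted: [], at: now };
  }
  return state; // "close" or anything unknown: unchanged
}

// The banner must be shown when there is no decision, when an acceptance is older
// than 12 months, or when a rejection is older than the six-month quiet period.
function mustShowBanner(state, now) {
  if (state.decision === "none") return true;
  const age = now - state.at;
  return age >= (state.decision === "accepted" ? CONSENT_TTL_MS : REJECT_QUIET_MS);
}

// Technical ("necessary") cookies may always be set; anything else needs a live,
// unexpired acceptance that explicitly covers that category.
function maySetCookie(state, category, now) {
  if (category === "necessary") return true;
  if (state.decision !== "accepted") return false;
  if (now - state.at >= CONSENT_TTL_MS) return false;
  return state.granted.includes(category);
}
// Check the accept/reject buttons are presented as an equal choice: same size,
// same colour, both present. Returns a list of problems (empty means compliant).
function bannerButtonProblems(accept, reject) {
  const problems = [];
  if (!accept || !reject) return ["both an accept and a reject button are required"];
  if (accept.width !== reject.width || accept.height !== reject.height) problems.push("buttons differ in size");
  if (accept.color !== reject.color) problems.push("buttons differ in colour");
  return problems;
}
```

The same functions can gate every `document.cookie` write in a real page: call `maySetCookie` before setting anything outside the "necessary" category, and call `mustShowBanner` on page load to decide whether to render the notice.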
The GDPR introduces fines of up to 4% of annual global sales or €20 million, whichever is greater, for violations of privacy and data protection regulations.
The GDPR also provides a lower tier for less serious infractions. These lower-tier violations are subject to penalties of up to 2% of annual global sales or €10 million, whichever is greater. Failing to secure a contract with a processor or a personal data breach falls into this category.
The Czech Republic has two criminal offenses concerning misuse of personal data that could result in a prison sentence for those involved.
These offenses are:
The GDPR is landmark legislation that applies to all European Union and European Economic Area (EEA) member states.
However, some nations, such as the Czech Republic, have additional privacy regulations that apply equally to all businesses operating within their borders.
It is therefore crucial for companies doing business in the Czech Republic to understand GDPR regulations as well as local data protection laws.
Failing to comply with the GDPR and local Czech legislation can result in hefty fines and, in some cases, imprisonment. With that in mind, companies should regularly monitor changes to the law, be flexible enough to respond, and adapt corporate policies accordingly.