Czech Republic and GDPR

Because the Czech Republic is a member of the EU, it was obliged to adopt the General Data Protection Regulation (GDPR) on May 25, 2018. The country's government did so when it passed the Personal Data Processing Act (PDPA) in 2019.

This article covers GDPR compliance in the Czech Republic and further data protection rules specific to the country, such as issues with cookie processing and penalties for violations of the law. We also provide steps businesses can take to become compliant.

Important Definitions

The GDPR's Article 4 sets out several important definitions that you need to be aware of, and that the PDPA adopts. These include the following:

  • Data Controller - A data controller is defined as a legal or natural person, agency, public authority, or other body which, jointly with others or alone, determines the purposes and means of the processing of personal data. Put simply, a data controller is an individual or organization that determines why and how personal data will be processed.
  • Data Processor - A data processor is defined as a legal or natural person, agency or other body which processes personal data for the controller, or public authority.
  • Data Subject - A data subject is identified by the GDPR as an individual who is the object of personal data processing.
  • Personal Data - Personal data is specified as:

    "any information related to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, indirectly or directly, particularly in reference to an identifier such as location data, a name, an identification number, an online identifier or to other factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."

    This is an expansive definition. In practice, it will encompass any data that could be used to pinpoint a specific individual. This includes readily apparent things like name and address, IP addresses, and cookies.

  • Sensitive Data - Homing in on personal data, the term "sensitive data" is even more specific. It's defined as:

    "personal data consisting of political opinions, racial or ethnic origin, trade union membership, philosophical or religious beliefs, and the processing of biometric data, genetic data, with the aim of uniquely identifying a natural person, information concerning health or data concerning a natural person's sex life or sexual orientation."

  • Health Data - Health data is defined as any information relating to the mental or physical health of a natural person, including the provision of health care services, which reveals data about the individual's health status. This would include medical records and things like fitness trackers and other wearable devices that collect data about someone's health.
  • Biometric Data - Biometric data is defined as:

    "personal information resulting from specific technical processing related to the physiological, physical, or behavioral characteristics of a natural person, which permit or confirm the identification of that natural person, such as dactyloscopic data or facial images."

    This would include things like fingerprint scanners, iris scanners, and other devices that are used to identify a person based on their physical characteristics.

  • Pseudonymisation - Pseudonymisation is defined as:

    "the processing of personal data in such a way that the personal information can no longer pertain to a specific data subject without the use of additional data, provided that such additional data is kept separately and is subject to organizational and technical arrangements to ensure that the personal data is not attributed to an identified or identifiable natural person."

    In other words, it's the process of disguising personal information so that it can't be attributed to a specific individual without additional information, which is kept separately and subject to technical and organizational measures to ensure non-attribution.

Who Must Comply with the GDPR

The GDPR applies to businesses that process the personal data of individuals in the European Union. The law applies regardless of where the company is based. As previously stated, the Czech Republic is an EU member state.

According to Article 3 of the GDPR, the GDPR applies to anyone who:

  • Offers services or goods to anyone residing in the EU; or
  • Monitors individuals within the EU

In other words, if your business processes the personal data of Czech citizens, you must comply with the GDPR. You must also abide by other Czech data protection rules no matter where your company's headquarters resides.

National Exemptions

There are some important organizational exemptions to the GDPR in the Czech Republic, including in the areas of:

  • National security
  • Law enforcement
  • Non-commercial activity

Additionally, the PDPA adds exemptions in the areas of:

  • Academia
  • Art or literary speech
  • Journalism

Rules for Processing Personal Data

Companies must process personal data following six privacy principles. These principles relate to the collecting and processing of personal data, and require the following:

  • All processing must be lawful, transparent and fair
  • Personal data must only be collected for legitimate and specific purposes that you explicitly disclose
  • All processing must be relevant, adequate, and not excessive
  • Collected personal data must be kept accurate and up to date
  • Collected personal data must be maintained in an identifiable form for no longer than necessary, and
  • Collected personal data must be securely stored

Under the GDPR's Article 6, you need a lawful basis for processing personal data. There are six acceptable legal bases:

  • You have obtained valid consent for the processing
  • You need the personal data to carry out a contract with the data subject
  • You need the personal data to comply with legal obligations
  • You need the personal data to protect the data subject's vital interests
  • Processing the personal information is necessary for the exercise of official authority or for the public interest, or
  • You need the personal data for your company's legitimate interests, except when it is overridden by the data subject's interests

Note that the Czech Republic has a lower age of consent than other EU member states. Under the GDPR, when a child under the age of 16 years old wishes to engage in an online service, companies are legally bound to require permission from their parent or legal guardian.

However, in the Czech Republic, children as young as 15 can legally provide digital consent for their personal data to be processed.

Appointing Data Protection Officers

Data Protection Officers are a must for any company that engages in any of the following:

  • Large scale systematic and regular monitoring of individuals in the EU
  • Controlling/processing special categories of data on a large scale from individuals in the EU
  • The controlling/processing of data related to criminal convictions and criminal offenses from individuals in the EU

In the Czech Republic, companies must also appoint a Data Protection Officer if the processing is performed by an authority authorized to carry out statutory tasks that are within the public interest.

The Duties of the Data Protection Officer

A Data Protection Officer's duties are described in Article 39 of the GDPR and are as follows:

  • Educate data controllers, data processors, and their employees about what the GDPR requires and how to comply
  • Monitor company-wide GDPR compliance by training employees on relevant topics, managing company data protection practices, and having auditing procedures in place
  • Advise the upper management of any changes or developments regarding the law and compliance
  • Be a liaison between executives and the upper management team to make sure all decision-making is done in an informed manner
  • Be available to advise individuals in the company about data protection practices

Privacy Impact Assessments

You must conduct privacy impact assessments if your company carries out "high risk" processing. These include situations when:

  • You carry out extensive and systematic profiling that significantly impacts individuals or that generates legal effects;
  • You process personal data, sensitive data, or special categories related to criminal offenses and convictions on a large scale; and
  • You conduct systematic monitoring of an area that is publicly accessible, such as with CCTV systems.

If the privacy impact assessment determines that risk cannot be mitigated, the controller must confer with the appropriate supervisory authority.

In addition, companies should be aware that the Czech government has the power to draw up a list of businesses that engage in "high risk" processing. The companies on this list may vary over time.

On October 23, 2019, the Czech government also created a document providing additional guidance on how controllers and other subjects should move forward with privacy impact assessments. These add to the GDPR's privacy impact assessment rules and thus make for a stricter process in the Czech Republic.

Data Subject Rights

Understanding data subject rights is one of the first steps in ensuring compliance with the GDPR. With that in mind, a list of rights the regulation protects is immediately below. The list also contains unique interpretations in the Czech Republic, of which you should be aware.

Privacy Notices

Privacy notices are required. When individuals provide data to a controller, the company must inform them of how it will process their information.

This includes knowing the identity and purpose behind any processing methods used as well as what level of access each party has to personal details at all times during interaction with that organization.

Note that in the Czech Republic, no rule states the privacy notice must be in the Czech language. However, ensuring Czech citizens can read and understand it is a best practice.

The Right to Access

Data subjects are entitled to ask for access to copies of their personal data by making a written request. Controllers must not charge a fee for the first request.

You may charge for additional requests. Further, controllers can deny the request if it is deemed excessive or unfounded. Either way, the controller must respond to the data subject within one month.

An additional two-month extension may be deemed acceptable if the access request is complex.

Please note that the EU has drafted a new document that aims to give data subjects more control over access to their data. Additionally, that document would further curtail the ability of controllers to limit access.

Right to Data Portability

Individuals have the right to receive the personal data they have provided to a controller in a commonly used, structured, and machine-readable format.

They are also entitled to transmit that data to another controller without hindrance from the original controller.

Right to Be Forgotten

Under the GDPR, individuals are entitled to request that a controller erase their personal data, where that information is no longer necessary in relation to the purposes for which it was initially collected or processed.

This right exists to protect individuals from having their data retained indefinitely by controllers.

However, there are some exceptions to this right, including where the data is necessary for exercising the right of freedom of information and expression, for compliance with a legal obligation, or for the establishment, defense, or exercise of legal claims.

Right to Object to Direct Marketing

The right to object to direct marketing is the right of individuals to object to their data being used for direct marketing purposes.

The GDPR defines direct marketing as "the communication by whatever means of advertising or other form of solicitation directed to particular individuals with a view to promoting, directly or indirectly, any goods, services or events."

This right is not absolute, and certain conditions must be met for an objection to be valid. For example, the data subject must have a "reasonable ground relating to their particular situation."


The general obligation to protect personal data from unauthorized access is a core part of the GDPR. This means that organizations will need appropriate technical and organizational measures in place and clear policies for employees who manage datasets or have access to them on behalf of an employer.

Specifically, controllers and processors must ensure the following:

  • The encryption and pseudonymisation of personal data
  • The ability to ensure the ongoing integrity, availability, resilience, and confidentiality of its information technology systems
  • The ability to reinstate the availability and access to personal information in a timely manner in case of a physical or technical event; and
  • A process for routinely testing, assessing, and evaluating the effectiveness of organizational and technical measures for ensuring the security of the processing

Processing by Third Party Agents

If you engage a third party to process personal data on your behalf, the GDPR requires that you take steps to ensure they are doing so in a way that is compliant with the regulation.

This includes ensuring that the agent has appropriate security measures in place to protect the data and that they have contractually committed to only processing the data following your instructions.

Furthermore, you are required to perform due diligence on any potential third-party agent before engaging them to ensure they will be able to comply with the GDPR.

Finally, you must ensure that you have a written contract with the processor. That contract must contain the enhanced clause concerning processing activities, which is a specific contract term that you must include in any agreement between a controller and processor under the GDPR.

The clause establishes each party's responsibilities with regard to data processing. It ensures that both parties are compliant with the GDPR.

Use of Cookies

In order for cookies to be used on a website, the user must give their consent. The data subject must provide this consent through a clear and affirmative action, such as clicking a button or ticking a box.

The company must also inform the user about what they are consenting to. In other words, you must provide them with clear and concise information about the cookies that will be used and what these cookies will do.

This information must be easily accessible and understandable for the user.

Storing Cookies

Processing personal data through technical cookies is allowed without consent. Still, this exception only applies to the storage and reading of cookies in a user's browser. Any further processing of data must comply with GDPR rules on consent.

Controllers can store cookies for a period up to 12 months, which is considered reasonable.

Rules for Acquiring Cookie Consent

To acquire cookie consent, controllers must ensure the following:

  • Data subjects are given clear and concise information about the cookies that will be used on their websites, and what these cookies will do.
  • Information about the cookies must be easily accessible and understandable for the data subject.
  • The data subject must be able to make a choice about whether or not to give consent, and this choice must be easy to understand and easy to make; and
  • The data subject must be able to withdraw their consent at any time, and this must also be easy to understand and easy to do.

Methods for Obtaining Cookie Consent

There are a few methods that business owners can use to obtain cookie consent from their data subjects.

A common practice is to have a banner on the website that explains what cookies are being used and why. It typically also provides a link to the privacy policy.

The banner should also include a button that allows visitors to accept or reject the use of cookies.

Another standard method is to have a pop-up window that appears when the website is first accessed.

This pop-up should also explain what cookies are being used and why and provide a link to the privacy policy. It should also include a button that allows visitors to accept or reject the use of cookies.

Pre-Ticked Boxes Are Not Acceptable

Pre-ticked boxes are unacceptable for cookie consent because they do not give the data subject a choice. The data subject must be able to choose whether or not to accept cookies, and a pre-ticked box takes away that choice.

This is why GDPR compliance requires that visitors must explicitly give their consent before the company can place cookies on their devices.

Different Sized or Colored "Accept All" and "Reject All" Buttons Are Not Acceptable

Different sized or colored buttons are unacceptable for cookie consent because they do not give the data subject a clear choice.

The data subject must be able to choose whether or not to accept cookies, and different sized or colored buttons make it difficult to understand the choices.

The button for accepting cookies must be the same color and size as the button for rejecting cookies.

Closing the Cookie Notice Is Not Considered Consent

The GDPR states that consent must be "freely given, specific, informed, and unambiguous."

Closing the cookie notice does not constitute consent because the data subject is not making an active, explicit choice to accept or reject the cookies.

Controllers Can't Ask for Consent More than Once in Six Months

If a data subject rejects the use of cookies, the controller must not ask for cookie consent again for a period of six months.

It is possible to reduce this time frame if the following occurs:

  • The circumstances of processing have changed; or
  • The data subject has deleted cookies already stored on their device (i.e., the controller has no way of knowing if cookies were previously rejected)

Enforcement of the GDPR in the Czech Republic

The GDPR introduces fines of up to 4% of annual global sales or €20 million, whichever is greater, for violations of privacy and data protection regulations.

The GDPR also provides for more minor infractions. These lower-tier violations are subject to penalties of up to 2% of annual global sales or €10 million, whichever is greater. Failing to secure a contract with a processor or a personal data breach falls into this category.

Imprisonment Is Possible in the Czech Republic

The Czech Republic has two criminal offenses concerning misuse of personal data that could result in a prison sentence for those involved.

These offenses are:

  • Causing serious harm to the legitimate interests or rights of a data subject by misuse of personal data. Even if that harm occurs out of negligence, you could face up to three years in prison; and
  • The abuse of personal data for the purpose of stalking. If convicted, you could face up to a year in prison.


The GDPR is landmark legislation that applies to all European Union and European Economic Area (EEA) member states.

However, some nations, such as the Czech Republic, have additional privacy regulations that apply equally to all businesses operating within their borders.

It is therefore crucial for companies doing business in the Czech Republic to understand GDPR regulations as well as local data protection laws.

Failing to comply with GDPR and local Czech legislation can result in hefty fines and in some cases, imprisonment. With that in mind, companies should regularly monitor changes to the law, be flexible enough to respond, and adapt corporate policies accordingly.