New Czech Personal Data Processing Act 2019
Czech Transposition Act to European Regulation GDPR No. 110/2019 Coll. effective from 24.4.2019
As of April 24, 2019, a new Transposition Act No. 110/2019 Coll., on the Processing of Personal Data (“Czech Personal Data Processing Act”) - English translation of the Czech Data Processing Act is in force and effective in the Czech Republic, which specifies and further regulates the processing of personal data in accordance with the EU General Data Protection Regulation ("GDPR"). The discussion over this transposition act went on for over one year and the whole process, including the explanatory memorandum and individual amendments, can be found on the website of the Czech Chamber of Deputies under the “Chamber of Deputies Draft 138, government proposal on personal data processing – EU”. The new Czech Personal Data Processing Act completely abolishes the existing Personal Data Protection Act No. 101/2000 Coll., which remained in effect despite the fact that many of its provisions were in conflict with GDPR. In principle, the new Czech Personal Data Processing Act does not bring about any breakthroughs and, mostly just clarifies the rights and obligations of personal data administrators in areas where GDPR does not provide a comprehensive regulation or clarify legislation where the GDPR remains unspecified and, to some extent, simplified and regulated to some specific exceptions in the Czech Republic. Below we provide a summary of the main changes that the Czech Personal Data Processing Act brings to the Czech legislation.
The amount of fines imposed by the Czech Office for Personal Data Protection for the breach of GDPR rules until End of March 20169 was relatively low (report of the Czech Office for Personal Data Protection) shows, that only 6 penalties up to CZK 30,000, with legal force and one penalty of CZK 50,000 has been imposed. The concerns about the fundamental threats resulting from possible sanctions by the Czech Office for Personal Data Protection have therefore not been met.
Different age limits for granting consent to the processing of personal data
Under the GDPR, children are legally capable to grant their consent with the processing of their personal data in connection with the on-line services (typically within e-shop purchases or other on-line services either for remuneration or free of charge, e.g. even within social networks). This action can take place without any legal cooperation at the age of 16, while the Member States are allowed to reduce the legal capability of children up to 13 years of age.
The Czech legislator reduced the age limit of the child's legal capacity to grant such consent in Section 7 of the Czech Personal Data Processing Act to 15 years. This consent authorizes the administrator to process the personal data of children in connection with the on-line services to the extent necessary for providing such services, using all relevant provisions of the GDPR for the given type of processing. This reduction of the age limit corresponds with the 15 years of age stipulated in the Czech Republic for both civil and commercial purposes, as well as the criminal liability of children.
Definition of the term public entity
The GDPR generally stipulates in Article 37 (1) an obligation of public entities to appoint a data protection administrator, but does not include a definition of public entity itself. Section 14 of the Czech Personal Data Processing Act stipulates that a public entity, in addition to being a public authority, is also an entity established by law to perform statutory tasks in the public interest. Therefore, the Czech Personal Data Processing Act clarified this term, which has been discussed since the GDPR was passed through European legislation, and specified the application of relevant stipulations of GDPR in the Czech Republic.
Competence of the Office for Personal Data Protection
The entire Title V of the Czech Personal Data Processing Act is devoted to the legal establishment of the Personal Data Protection Office (in Czech: Úřad pro ochranu osobních údajů, "ÚOOÚ”), its organizational structure and competences, and the ÚOOÚ thus becomes the central administrative authority for personal data protection. Until now, the Office had not been able to decide on summary offences in the area of personal data protection according to the GDPR because such competence was not established anywhere and had to work only with a limited range of summary offences defined by the original Act No. 101/2000 Coll. (repealed on April 23, 2019).
Newly, the ÚOOÚ can use all of the instruments established by GDPR in the field of personal data protection, which is reflected in particular in the right to impose sanctions for summary offences under the GDPR. However, it is necessary to mention that in matters of summary offence proceedings, the ÚOOÚ will proceed entirely according to Czech legislation, i.e. in particular pursuant to Act No. 250/2016 Coll., on liability for summary offences and proceedings on them. The amount of the imposed fines have to correspond with the changes brought by the new Czech Personal Data Processing Act, which are lower in comparison to GDPR (see below).
New summary offences and reduction of fines
Furthermore, the new Czech Personal Data Processing Act limits the amount of the fines that may be imposed in connection with breaches of certain personal data protection obligations by a legal entity. In particular, in relation to the processing of personal data for the purpose of preventing, detecting or uncovering crime, prosecuting criminal offenses, executing penalties, establishing protective measures, ensuring the security of the Czech Republic, or securing public order and internal security to CZK 10,000,000, while the original adjustment in GDPR includes the possibility of imposing a fine up to EUR 20,000,000. Of course, proceeding on the summary offences under the GDPR, or under the Czech Personal Data Processing Act are and will be a subject to the Czech legislation on the principles of administrative punishment, which requires, in particular, the proportionality and individualization of the sentence, taking into account the nature of the subject against whom the penalty is imposed and the seriousness of the offense.
Furthermore, the Czech Personal Data Processing Act introduces new legal definitions of summary offences, consisting of a breach of obligations set out by the Czech Personal Data Processing Act and also sets sanctions for them. It also reflects cases where there would be a breach of the prohibition on the disclosure of personal data set by another legal regulation, which is part of the Czech legal order. For such violation, a fine of up to CZK 1,000,000 may be imposed under the Personal Data Processing Act; or CZK 5,000,000 if it is an offense committed by a press, film, radio, television, computer network, or other similar entities in a very effective way .
Newly, the ÚOOÚ can make full use of the instruments established by GDPR in the field of personal data protection, which will be reflected in particular in the right to impose sanctions according to the GDPR up to CZK 10,000,000. Of course, all cases of sanctioning offenses under the GDPR, or under the Czech Personal Data Processing Act, are subject to the Czech legislation on the principles of administrative punishment, which requires in particular the proportionality and individualization of the sentence, taking into account the nature of the subject against whom the penalty is imposed and the seriousness of the offense.
Exemption from sanctions for public institutions and public entities
Furthermore, the Czech Personal Data Processing Act makes full use of the possibility stipulated in Article 83 (7) of the GDPR on the national regulation of the imposition of administrative sanctions on public authorities and public entities for failure to comply with the data protection rules of the GDPR or, where applicable, implementing national regulation. These entities can now be fined up to CZK 10,000,000 for summary offences, however, if such an entity is a municipality that does not exercise delegated powers within the scope of the municipal authority with extended powers, a voluntary union of such municipalities, (a contributory organization of such municipalities or legal entities performing school activities or a school facility established by a municipality or a voluntary association of municipalities), will result in a fine that cannot exceed the amount of CZK 5,000.
However, in addition to lowering of fines imposed on certain entities, the Czech Personal Data Processing Act also allows for the imposition of instruments for the removal of deficiencies against entities that have breached of legal regulations in the field of personal data protection. In accordance with Czech legal terminology, the so-called admonition and the imposition of appropriate measures, in addition to which the imposition of a fine may be waived from the administrative penalty.
Processing of personal data for scientific and historical research purposes or for statistical purposes and for processing personal data for journalistic purposes or for the purposes of academic, artistic or literary expression
In these cases, the Czech Personal Data Processing Act newly reflects the specificity of such processing of personal data. It limits the duties of the administrator, or eventually processor, while limiting the rights of personal data subjects, in particular the data subject's right to access personal data under the GDPR, with the intention of protecting the source and content of the information. Thus, the Czech Personal Data Processing Act explains, to a certain extent, the situation where journalists, artists, etc. are obliged to disclose information to data subjects about the processing of their personal data.
The Czech Personal Data Processing Act sets out the basic standard with which these categories of administrators should access personal data processing and requires, among other things, their storage in an anonymized form, i.e. so that information cannot be assigned to a particular data subject whenever it is possible with regard to their activity. In particular, this provision aims at the processing of information for statistical or research purposes.
The new act as the culmination of the first wave of adaptation of the Czech legal order to GDPR
The new Czech Personal Data Processing Act represents the completion of the first wave of the adaptation of the Czech legal order to the GDPR. Further changes to the legislation can be expected in the future, especially in relation to some IT services, online advertising (commercial messages, cookies, big data…), and labor law.
The Czech Personal Data Processing Act has created a legal framework for the ÚOOÚ to perform its supervisory and control activities in the area of personal data protection, which has been limited so far, mainly due to the absence of legislation implementing the GDPR.
In particular, the first 23 sections of the Personal Data Protection act that regulate the processing of personal data by an ordinary administrator, i.e. a legal or natural person, an employer, a trader and the likes, are useful for the standard entrepreneur, with the rest of the law focusing mainly on public and state entities. An important part of the Czech Personal Data Processing Act is also focused on the processing of personal data for the purpose of preventing, detecting or uncovering crime, prosecuting criminal offenses, enforcing criminal penalties and protective measures, ensuring the security of the Czech Republic, ensuring public order, internal security, and personal data protection, and/or ensuring the defense and security interests of the Czech Republic.
Please contact us for more information
JUDr. Mojmír Ježek, Ph.D.
ECOVIS ježek, advokátní kancelář s.r.o.
Betlémské nám. 6
110 00 Prague 1
About ECOVIS ježek, law firm s.r.o .:
Czech law firm ECOVIS ježek focuses mainly on company law, real estate law, dispute management, finance and banking law , and provides professional advice in all areas, making it an alternative for clients of international offices. The international dimension of the services provided is ensured through past experience and through cooperation with leading law firms in most European countries, in the United States and other jurisdictions within the ECOVIS network operating in 75 countries around the world. Members of ECOVIS ježek team have long-time experience from leading international lawyers and tax companies in providing legal advice to multinational corporations, large Czech companies, but also to medium-sized companies and individual clients. More information at www.ecovislegal.cz.