The new Act on Data Processing (“Act”) has recently been signed by the Czech President and will be submitted for publication in the Collection of Laws, which may take approximately one or two weeks. This is the final stage of the legislative proceedings. Upon its publication, the Act will come into effect.
The Act implements the General Data Protection Regulation (Regulation (EU) No. 2016/679, GDPR) and stipulates certain derogations therefrom.
Important features of the Act include the following:
It stipulates specific rules of data processing for journalistic, academic, artistic or literary purposes. In such cases, the data processing is explicitly allowed provided it is adequate. It may include the processing of sensitive data (within the meaning of Art. 9 of the GDPR) and data relating to criminal convictions and offences (within the meaning of Art. 10 of the GDPR), if it is necessary to achieve a legitimate objective and only if there is a legitimate interest prevailing over the interests of the respective data subject. Data processing for the above-mentioned purposes is further exempted from certain data privacy obligations; corresponding rights of data subjects are limited. This includes an exemption from information duties according to Art. 13 and 14 of the GDPR, protection of the source of data as well as limitation of the right to restriction and the right to object.
The obligations of controllers and processors set out by Art. 12 to 22 and Art. 5 of the GDPR may be limited, if necessary for any of the following purposes:
- defense or security interests of the state
- prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties
- ensuring state security or public order and internal safety
- other important public interest objectives of the EU or a Member State, including important economic or financial interests, interests regarding currency, monetary interests, budget-related interests, interests regarding tax or capital markets, public health or social security interests
- protection of independence of courts and judges
- supervisory, controlling or regulatory functions of public authorities
A child acquires the capacity to grant consent for data processing in relation to information society services once the child reaches 15 years of age.
The controller is not obligated to carry out the data protection impact assessment prior to the commencement of data processing, if the obligation to process personal data is set out by law.
The Act further stipulates data protection obligations of public authorities (and related subjects such as contracted data processors) in case of activities regarding prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, or ensuring state security or public order and internal safety.
Also, the Act sets grounds for the establishment and operations of the Czech Office for Personal Data Protection.
The Czech Accreditation Institute (Český institut pro akreditaci) has been granted the competence to issue data processing certifications.
Without prejudice to the GDPR, the Act sets out sanctions for breach of those provisions of the Act that relate to obligations of public authorities, or that relate to obligations going outside or above the scope of the GDPR. Some of the specific (not GDPR-covered) breaches of obligations set out by the Act may be subject to a fine up to CZK 10,000,000 (approx. EUR 400,000).
In general, most of the personal data protection requirements and obligations continue to arise directly from the GDPR.
The Act relates merely to specific types of data processing and exemptions, as well as to the functioning of public authorities in this area.
The Act will have significant impact in particular on public authorities, persons carrying out journalistic, academic, artistic or literary activities, and data processors contracting with public authorities.
It is prudent for companies to familiarise themselves with the Act (soon to be available in Czech in the Collection of Documents) and determine whether any of their current or contemplated data processing activities fall within the scope thereof.