On 12 March 2019, the Chamber of Deputies of the Czech Republic has approved the Act on Personal Data Processing (hereinafter the “Adaptation Act”) in wording as returned by the Senate of the Czech Republic, which is a so-called adaptation act to the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”).
At the same time the Accompanying Act to the Adaptation Act (hereinafter “Accompanying Act”) was also approved, in the same version that had already been accepted by the Chamber of Deputies.
These acts will come into effect in following days by promulgation in the Collection of Laws. We have summarized for you the most important things that the new legislation brings.
Adaptation Act
Most of the Adaptation Act’s provisions specify or extend provisions already established by the GDPR. However, the legislator also used the possibility to vary from the adjustment of the GDPR and established certain exceptions. For example, the Adaptation Act sets the limit for the legal capacity of a child to grant a consent to his or her personal data processing in relation to information society services (e.g. processing the personal data by social network operators) to 15 years. That means, that the Czech legislator decreased the limit set by the GDPR by one year.
Another exception brought by the Adaptation Act is for example limitation of the obligation of the controller to carry out the data protection impact assessment (DPIA) in situations where such data processing is order directly by law.
The controller will also have a possibility to fulfil the information obligation towards the data subjects by publishing the information in a manner allowing distant access, in case it processes the personal data based on legal obligation or in public interest. This will typically include for example fulfilment of the employer’s information obligation towards employees, when it will no longer be necessary to inform each employee separately.
The Adaptation Act regulates in more detail the processing of personal data for the purpose of scientific or historical research or for the statistical purposes. The Adaptation Act also closely regulates the processing of the personal data for journalistic purposes or for the academic, artistic or literary expression purposes. In these cases, the law restricts data subject’s rights to access personal data according to the GDPR, with respect to the protection of information’s source and content.
The Adaptation Act also provides certain exceptions for example for the obligation to assess the compatibility of purposes, for the obligation to notify a personal data breach or exercise of other rights and obligations.
An important part of the Adaptation Act is devoted to protection of personal data during their processing for a purpose of prevention, investigation, detection or prosecution of criminal offences, execution of the sentence and protection measures, ensuring the security of the Czech Republic or ensuring public order and internal security and protection of personal data during ensuring the defence and security interests of the Czech Republic.
Due to the Senate amendments to the original Chamber of Deputies’s bill the powers of the Office for Personal Data Protection in the area of free access to information has been completely left out.
Finally, it should be noted that by the new law coming into force the Czech Act No. 101/2000 Coll., on Personal Data Protection, as amended is repealed and the new Adaptation Act along with the GDPR replaces it.
Offenses and sanctions
The GDPR allows the member states to independently modify the rules on imposing administrative fines to public authorities and public entities. The Czech legislator used this option during the preparation of the new Adaptation Act and determined that besided the situation in the following paragraph administrative fines shall not be imposed on public authorities and public entities settled in the Czech Republic even if they breach some of the obligations under the GDPR or the Adaptation Act.
The Adaptation Act also limits the amount of fine that may be imposed in connection with breaching certain obligations regarding the personal data protection, in particular those connected to prevention, investigation, detection or prosecution of criminal offences, execution of the sentence and protection measures, ensuring the security of the Czech Republic or ensuring public order and internal security and protection of personal data during ensuring the defence and security interests of the Czech Republic by a legal entity, to CZK 10,000,000.
A fine of up to CZK 1,000,000 or CZK 5,000,000 may be imposed for a breach of the prohibition to disclose personal data stipulated by another legal regulation, if the offense is committed by a press, film, radio, television, publicly accessible computer network or in another manner of similar effect.
The Adaptation Act also introduces some other new offenses beyond the offenses set out in GDPR related to the breach of obligations set forth by this Act with separate sanctions associated with these offenses. However, the abovementioned refraining from sanctions for public authorities and public bodies is also applicable here.
In this case, the supervisory authority, which is in the Czech Republic the Office for Personal Data Protection (ÚOOÚ), is responsible for dealing with offenses and fines pursuant to the Adaptation Act and the GDPR. However, the legislator allows the ÚOOÚ to impose measures on the controller or the processor, which has breached the obligations stipulated by law or the GDPR, to eliminate the identified deficiencies and to set a deadline for their removal. In such cases, the ÚOOÚ may waive the imposition of the administrative penalty in accordance with the law.
Accompanying Act
The Accompanying Act amends some other laws in connection with the adoption of the Adaptation Act, in particular it regulates the processing of personal data for the purposes of performing tasks in the public interest and also addresses selected specifics of personal data processing by individual components of public administration.
Conclusion
The newly adopted legislation completes the process of the first wave of adaptation of the Czech legal system to the GDPR. Further changes to the legislation can be expected in the future, especially in relation to some information society and e-commerce services (commercial communications, cookies,..) and labour law.
The laws now provide a sufficient legal framework for the ÚOOÚ to effectively carry out its supervisory and control activities in the area of personal data protection, which has been weakened since the effective date of GDPR in view of the lack of adaptation legislation.
We will inform you about the entry into force of the Adaptation Act and the Accompanying Act and on further developments in the area of personal data protection.
Mgr. Barbora Cetkovská, junior lawyer – cetkovska@plegal.cz
Mgr. Jakub Málek, partner – malek@plegal.cz
28. 03. 2019