New Czech act on the processing of personal data
On April 24, 2019 Act No. 11/2019 Coll. on the processing of personal data came into effect[1] (hereinafter referred to as the “Act”), which replaced previous act on the protection of personal data No. 101/2000 Coll., and, inter alia, specified in more detail some of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”). The objective of this article is to briefly summarize some aspects of the new legal framework and to inform about changes in the area of personal data protection.
Definition of the term “public body”
Due to the adoption of the GDPR, it was often discussed which entities could be considered as the so called “public bodies”, since the GDPR uses this term without defining it any further. Nevertheless, under the GDPR public bodies are exempted from some obligations and also obliged to designate themselves a data protection officer.[2] The Act therefore stipulates on the national level the legal definition of this term (in relation to the obligation of the public bodies to name a data protection officer), stating that it includes not only public authorities but also bodies established by law which fulfil the tasks in public interest under the law.[3] According to the explanatory memorandum to the Act, this includes e.g. municipalities and regions, ministries and other central administrative bodies or public institutions.
Stipulating the age limit
The Act follows the Article 8 para. 1 of the GDPR which allows the member states to provide for a different age limit to the one stipulated in the GDPR, i. e. at what age a child can give their lawful consent with the processing of their personal data in relation to an offer of information society services (therefore the consent not being given or authorised by the holder of parental responsibility over the child). The GDPR sets this age limit to the age of 16 years, however, the member states may provide by law for a lower age limit provided that such age is not lower than 13 years. Information society services include services usually provided for remuneration, which are provided by electronic means (i.e. especially via the internet) upon the individual request of the recipient of services.[4] The final wording of the Act sets the age limit at the age of 15 years. An amendment setting the age limit to 13 years was declined by the Chamber of Deputies.
Exceptions from the obligation to inform and from the obligation to notify the recipient of the operations carried out
From the practical point of view, these new exceptions will be important for most controllers.
Firstly, the Bill introduces an exception from the obligation to inform during processing carried out in accordance with a legal obligation to which the controller is subject to or where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. In such cases, it is required by the Act only to inform the individuals by publishing the information about commonly carried out processing of personal data in a manner allowing remote access.[5]
Similarly, if the controller has the obligation to notify about carried out rectification, restriction of processing or erasure of personal data to the recipients of personal data, the Act gives the controller the possibility to fulfil such obligation by changing the personal data in the register, if an access to valid content of such register is regularly provided.[6]
Processing for journalistic and artistic purposes
The Act also entails a quite detailed regulation of the processing of personal data for journalistic purposes and the purposes of academic, artistic or literary expression. The Bill deals not only with the question of assessment of proportionality of the processing of personal data for the given purposes, but also with certain exceptions from the rights of data subjects. At the same time, processing of personal data for these purposes is not subject to authorization or approval of the Office for personal data protection and moreover, the right of protection of sources and the content of information applies here.
From the data subjects’ point of view as well as with regard to actual functioning of the media, it could be considered as significant that the Act regulates the controller’s obligation to inform in the cases where he/she didn’t get the information directly from the data subject. The obligation to provide information under Article 14 and Article 21 para. 4 of the GDPR is now possible by mere publishing of the information about commonly carried out processing of personal data in a manner allowing remote access.[7]
Offences and sanctions
The Act also brings a regulation of offences in the area of protection of personal data, especially in relation to the implementation of Directive (EU) 2016/680 of the European Parliament and of the Council of 27th April 2016, on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
With relation to the GDPR, the conditions for imposing administrative fines for breach of GDPR have been mitigated. While the original government bill only limited the upper limit of fines imposed on public authorities and public entities to CZK 10,000,000[8], the adopted version of the Act completely excludes the possibility of the Office for Personal Data Protection to impose administrative penalties on public bodies and public authorities. From the Act's effective date it is therefore not possible to penalize, for example, municipalities or regions[9]. The Chamber of Deputies has thus utilized its authorization under the Article 83 para. 7 of the GDPR. In addition, public bodies and public authorities also cannot be penalized for violation of prohibition of disclosure of certain personal data based on other legal acts. The Act sets out an exception from the possibility to impose an administrative penalty for committing an offense of unauthorized disclosure of personal data in cases it has been committed by a public body or a public authority.
Other chosen aspects
Regarding the obligation to carry out a data protection impact assessment,[10] the Act stipulates an important exception from such obligation for the processing imposed on the controller by law[11]. Many of the controllers got rid of a significant administrative burden by the adoption of the Act.
The Act also stipulates which persons/entities will be entitled to issue a data protection certification pursuant to Article 42 of the GDPR, i.e. the persons/entities that will be accredited by the person/entity designated to exercise the powers of the accrediting body.[12] The purpose of the certification is that the controllers and processors can demonstrate fulfilment of their obligations under the GDPR and compliance of their procedures with the GDPR.[13] Obtaining of such certification shall be voluntary and might evocate a higher degree of trustworthiness of the collector or processor in the eyes of data subjects.
Conclusion
With respect to the above-mentioned, we can summarize that the Act does not present any significant changes to the regulation of personal data protection. It mostly brings refinement of the existing regulation in certain areas.
However from the point of view of public bodies and public authorities, the Act provides a significant relief, especially in respect of limitation of possible administrative punishments.
[2] Article 37 para. 1 letter a) of the GDPR
[3] Section 14 of the Act
[4] Section 2 letter a) of the Act no. 480/2004 Coll., On Some Information Society Services
[5] Section 8 of the Act
[6] Section 9 of the Act
[7] Section 19 para. 1 of the Act
[8] While for municipalities that do not exercise delegated powers within the scope of the municipal authority of municipalities with extended powers, voluntary associations of such municipalities and their contributory organizations and legal entities performing the activities of schools or school facilities, the upper fine was designed even more at CZK 5,000.
[9] Without distinction whether or not they carry out delegated powers within the scope of the municipal authority of a municipality with extended powers.
[10] Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out a data protection impact assessment.
[11] Section 10 of the Act
[12] According to the Act no. 22/1997 Coll., on technical requirements on products and on amendment and addition to selected acts, as amended.
[13] Article 24 para. 3 of the GDPR