
New Czech act on the processing of personal data

In December 2018, the Chamber of Deputies approved a bill on the processing of personal data[1] (hereinafter referred to as the “Bill”), which is intended to replace the current Act no. 101/2000 Coll., on the protection of personal data, and, inter alia, to specify in more detail certain provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “GDPR”). The objective of this article is to briefly summarise selected aspects of the expected legal regulation and to point out possible changes. Please note that this article reflects the state of the Bill as discussed and amended by the Chamber of Deputies.

Definition of the term “public body”

Since the adoption of the GDPR, it has often been debated which entities qualify as “public bodies”, because the GDPR uses this term without defining it. The distinction matters: under the GDPR, public bodies are exempted from some obligations, but are also obliged to designate a data protection officer.[2] The Bill therefore provides a statutory definition of the term, stating that it covers not only public authorities but also bodies established by law which perform tasks in the public interest under the law.[3] According to the explanatory memorandum to the Bill, this includes e.g. municipalities and regions, ministries and other central administrative bodies, and public institutions.

Stipulating the age limit

The Bill reflects Article 8 para. 1 of the GDPR, which allows the member states to set an age limit different from the one stipulated in the GDPR, i.e. the age at which a child can give valid consent to the processing of their personal data in relation to an offer of information society services without that consent having to be given or authorised by the holder of parental responsibility over the child.[4] The GDPR sets this age limit at 16 years; however, the member states may provide by law for a lower age limit, provided that it is not lower than 13 years. Information society services are services normally provided for remuneration, by electronic means (i.e. in particular via the internet) and at the individual request of the recipient of the service.[5] The current wording of the Bill sets the age limit at 15 years. An amendment lowering the age limit to 13 years was rejected by the Chamber of Deputies.

Exceptions to the obligation to inform and to the obligation to notify recipients of operations carried out

From a practical point of view, these new exceptions will be relevant to most controllers.

Firstly, the Bill introduces an exception from the obligation to inform where the processing is carried out in accordance with a legal obligation to which the controller is subject, or where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. In such cases, the Bill only requires the controller to inform the data subjects by publishing information about the commonly performed processing of personal data in a manner allowing remote access.

Similarly, where the controller is obliged to notify the recipients of personal data of a rectification, restriction of processing or erasure of personal data, the Bill allows the controller to fulfil this obligation by changing the personal data in a register, provided that access to the current content of that register is regularly made available.[6]

Processing for journalistic and artistic purposes

The Bill also contains fairly detailed rules on the processing of personal data for journalistic purposes and for the purposes of academic, artistic or literary expression. The Bill addresses not only the assessment of the proportionality of processing personal data for these purposes, but also certain exceptions from the rights of data subjects. At the same time, processing of personal data for these purposes is not subject to authorisation or approval by the Office for Personal Data Protection, and the right to protect sources and the content of information also applies.

From the data subjects’ point of view, as well as with regard to the actual functioning of the media, it is significant that the Bill regulates the controller’s obligation to inform in cases where the personal data were not obtained directly from the data subject. Should the Bill be adopted, the obligations to provide information under Article 14 and Article 21 para. 4 of the GDPR could be fulfilled merely by publishing information about the commonly performed processing of personal data in a manner allowing remote access.[7]

Offences and sanctions

The Bill also regulates offences in the area of personal data protection, in particular because it implements Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. In addition, the expected reduction of the upper limit of administrative fines imposed on public authorities and public bodies is introduced: the Bill sets the maximum fine for them at CZK 10,000,000. The sanctions are even milder for municipalities which do not exercise delegated competence to the extent of the municipal office of a municipality with extended powers, voluntary unions of such municipalities, and funded institutions and legal entities operating a school or educational institution established by such municipalities.[8] The Bill thus makes use of the option afforded to member states by Article 83 para. 7 of the GDPR.

Other selected aspects

Regarding the obligation to carry out a data protection impact assessment,[9] the Bill stipulates an important exception from this obligation for processing imposed on the controller by law, including processing imposed by a law adopted before the GDPR took effect.[10] Should the Bill be adopted in this wording, many controllers would be relieved of a significant administrative burden.

The Bill also stipulates which persons/entities will be entitled to issue data protection certification pursuant to Article 42 of the GDPR, namely those accredited by the person/entity designated to exercise the powers of the accreditation body.[11] The purpose of certification is to enable controllers and processors to demonstrate that they fulfil their obligations under the GDPR and that their procedures comply with it.[12] Obtaining such certification is voluntary and may enhance the trustworthiness of the controller or processor in the eyes of data subjects.

Conclusion

In summary, the current wording of the Bill does not introduce any radical changes to the regulation of personal data protection; it mostly refines the existing rules in certain areas. The Bill will now be discussed in the Senate. We will keep you informed about the progress of the legislative process.

[1] Government bill submitted to the Chamber of Deputies as print no. 138/0, as amended, available in Czech from: http://www.psp.cz/sqw/text/tiskt.sqw?O=8&CT=138&CT1=0

[2] Article 37 para. 1 letter a) of the GDPR

[3] Section 14 of the Bill

[4] Section 7 of the Bill

[5] Section 2 letter a) of Act no. 480/2004 Coll., on certain information society services

[6] Section 9 of the Bill

[7] Section 19 para. 1 of the Bill (as amended).

[8] Section 59 of the Bill.

[9] Article 35 para. 1 of the GDPR: where a type of processing, in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out a data protection impact assessment.

[10] Section 10 of the Bill.

[11] Pursuant to Act no. 22/1997 Coll., on technical requirements for products and on amendments to certain acts, as amended.

[12] Article 24 para. 3 of the GDPR
