Enactment of Data Privacy Legislation in the Czech Republic
Act No. 110/2019 Coll. on Personal Data Processing is a data privacy law that was passed in the Czech Republic in 2019. As the Czech Republic is an EU member state, Act No. 110/2019 Coll. on Personal Data Processing implements the General Data Protection Regulation, or GDPR for short, into law within the country, under provisions within the EU’s GDPR law that allow member states to enact their own legislation relating to data protection and personal privacy. To this point, Act No. 110/2019 Coll. on Personal Data Processing and the EU’s GDPR law are the foremost legal means by which the collection, processing, use, and disclosure of personal data are regulated within the Czech Republic.
What are the variations between the EU’s GDPR law and Act No. 110/2019 Coll. on Personal Data Processing?
While many of the provisions set forth in the EU’s GDPR law are also applicable under Act No. 110/2019 Coll. on Personal Data Processing, there are certain ways in which these two forms of legislation differ from one another. For example, as it pertains to the personal scope of Act No. 110/2019 Coll. on Personal Data Processing, “Title IV of the Act contains provisions the processing of personal data that is excluded from the scope of EU law and which concerns the security and defense of the Czech Republic, i.e. the processing of personal data that takes place within the intelligence services.” To this point, Act No. 110/2019 Coll. on Personal Data Processing does establish certain legal obligations that vary from those set out in the EU’s GDPR law.
For instance, “Section 43(3) of the Act provides for the following specific legal grounds for processing data for the purpose of ensuring the defense and security interests of the Czech Republic”:
- The personal data was already legally published;
- The processing is for the purpose of providing information about a publicly active person (with respect to her public position);
- The processing is carried out solely and exclusively for archiving purposes.
Furthermore, Act No. 110/2019 Coll. on Personal Data Processing does vary from the EU’s GDPR law as it pertains to the data protection principles that data controllers and processors are charged with adhering to. While Act No. 110/2019 Coll. on Personal Data Processing does not create any new principles concerning data protection that vary from those set forth in the EU’s GDPR law, the ways in which said principles are interpreted under Act No. 110/2019 Coll. on Personal Data Processing are somewhat different. To illustrate this point further, “the Act also provides for principles relating to the processing of data provided for the purpose of prevention, investigation, or detection of criminal offenses. Specifically, the Act provides that the controller shall”:
- Determine a specific purpose of personal data processing in connection with the performance of the task;
- Implement measures ensuring that personal data are accurate in relation to the nature and purpose of the processing; and
- Keep personal data in a form enabling identification of the data subject only for the period necessary for achieving the purpose of their processing.
How do punishments under Act No. 110/2019 Coll. on Personal Data Processing vary from the EU’s GDPR law?
As Act No. 110/2019 Coll. on Personal Data Processing was enacted for the purposes of regulating the processing and collection of personal data within the Czech Republic on a national level, the law also empowers the Office for Personal Data Protection, or UOOU for short, to impose fines and penalties against data controllers and processors operating within the country who fail to comply with the law. For instance, in addition to the fines set forth in the EU’s GDPR law, the UOOU also has the authority to impose monetary fines and penalties which may “amount to approx. €40,000 ($45,123) and a maximum fine of approx. €200,000 ($225,556) is provided if this administrative offense is carried out through print, film, radio, television, publicly accessible computer network or other similarly effective means.”
To provide an example of the ways in which the punishments imposed by the UOOU and the EU’s GDPR law act in accordance with one another, the maximum penalty that was issued against a data controller or processor operating within the Czech Republic in 2020 was €9,000 ($10,140). Conversely, during this same time period, the highest fine imposed against a data controller or processor was €230,000 ($259,169), which was issued in response to the sending of “unsolicited commercial communication”. As such, even in instances where a data controller or processor faces a minimal monetary penalty for offenses under the EU’s GDPR law, Act No. 110/2019 Coll. on Personal Data Processing ensures that said parties will still face additional penalties should they fail to achieve compliance.
Through the enactment of Act No. 110/2019 Coll. on Personal Data Processing in accordance with the General Data Protection Regulation, data subjects residing within the Czech Republic can have the assurance and peace of mind that their personal data is being protected at all times. As legislation can inherently create grey areas as it relates to what is legal and what is permissible as it pertains to certain actions or activities, having two forms of legislation working in conjunction with one another allows for more comprehensive protection for all individuals involved. In this way, the General Data Protection Regulation continues to serve as an international standard for the protection of personal data and privacy.