The Czech Republic's second data protection act - The Personal Data Processing Act 2019 (No. 110/2019 Coll.; hereinafter ZZOÚ) - is the implementation of the new EU legal framework: GDPR, Data Protection Directive 2016/680 (LED) & PNRD. Both GDPR and ZZOÚ modernise data protection to ensure they are effective in the years to come. ZZOÚ re-creates a supervisory authority (SA) for data protection - the Data Protection Authority (in Czech: Úřad pro ochranu osobních údajů; hereinafter the Czech DPA). It creates room for a new role of the Czech DPA - freedom of information.
What is the difference between the Data Protection Act 2000 and the ZZOÚ?
The Czech Data Protection Act 2000 was a standalone piece of legislation. Now, the GDPR has direct effect across all EU member states, including the Czech Republic. The GDPR provides for most legal obligations, but it gives member states some opportunities to make provisions for how it applies in their country. This is the role of ZZOÚ, especially its Sec. 5 to 15. It is therefore important that the GDPR and the ZZOÚ are read side by side.
What else does the ZZOÚ cover?
The ZZOÚ has a part dealing with processing that does not fall within EU law, for example, where it is related to immigration. It applies GDPR standards but it has been amended to adjust those that would not work in the national context. It also has a part that transposes the LED into domestic law: the LED complements the GDPR and Title III of the ZZOÚ sets out the requirements for the processing of personal data for criminal ‘law enforcement purposes’. National security is also outside the scope of EU law and is regulated by Title IV of the ZZOÚ. It is important that the intelligence services are required to comply with internationally recognised data protection standards, so these provisions are based on Council of Europe Data Protection Convention 108.
There is also a separate Title V covering the Czech DPA and its duties, functions and powers, plus Title VI - the enforcement provisions, but the public sector earned an exception. The ZZOÚ has repealed the Data Protection Act 2000. It has made the changes necessary to deal with the interaction between FOIA (No. 106/1999 Coll.) and the DPA since 1 January 2020.
The Czech DPA is vested with additional powers related to special issues and anchored in special laws. The basic procedural acts are the Supervisory Procedure Act (No. 255/2012 Coll.) and the Administrative Code (Act No. 500/2004 Coll.).
The Czech DPA has a role in electronic communications. The Electronic Communications Act (No. 127/2005 Coll.) provides in Sec. 87(3) for supervision by the Czech DPA. Supervision of bulk commercial communication is regulated by Sec. 10(1) of the Several Information Society Services Act (No. 480/2004 Coll.), and its Sec. 12(5) provides for fines. Transborder supervisory cooperation is provided by Regulation No. 2006/2004 of the European Parliament and of the Council of 27 October 2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws (the Regulation on consumer protection cooperation). The Czech DPA has a similar role in advertising under the Regulation of Advertising Act (No. 40/1995 Coll.). Its Section 7(1)(f) provides for supervision of compliance of any unsolicited advertising disseminated with the help of electronic means.
Sec. 11 of the Basic Registers Act (No. 111/2009 Coll.) provides that the Czech DPA generates source identifiers of physical persons and item-related identifiers of physical persons, maintains lists thereof, and ensures transfers of a physical person’s item-related identifier within one administrative dossier to the item-related identifier of this physical person under another dossier on the basis of a legal request.
Public sector supervision and penalties
In the public sector, penalties are provided by Sec. 34a(4) and 34c(4) of the Travel Documents Act (No. 329/1999 Coll.) for unauthorised processing of information stored on biometric data carriers, Sec. 17e(6) of the Register of Population Act (No. 133/2000 Coll.), and Sec. 25(2) of the Conflict of Interests Act (No. 159/2006 Coll.) for minor offences constituting further non-compatible processing of data, breach of confidentiality, and unauthorised disclosure.