The Office for Personal Data Protection (hereinafter the “Office”) encounters situations in which the general public is not entirely familiar with the relationship between the concepts of privacy and of personal data protection, and with their legal regulation and mutual differences. In certain cases, also including the public debate, these terms are being used as synonyms or in some other way that does not fully correspond to the valid legislation. The Office has issued this Position with the aim to help clarify this issue.
The term “privacy” is not explicitly defined in the Czech legislation. Privacy can be briefly described as the personal, intimate sphere of an individual within his integrity that covers all manifestations of the personality of a specific and unique human being. The term “privacy” also includes the material and mental space of an individual. The right to establish and develop relationships with other human beings is part of one's private life too.
Privacy protection in the Czech legal system is regulated primarily by Act No. 2/1993 Coll., Resolution of the Presidium of the Czech National Council of 16 December 1992 on promulgation of the Charter of Fundamental Rights and Freedoms as part of the constitutional order of the Czech Republic, as amended by Act No. 162/1998, amending the Charter of Fundamental Rights and Freedoms (hereinafter the “Charter of Fundamental Rights and Freedoms”). This legal regulation of constitutional nature places the right to protection of privacy among fundamental human rights and freedoms, stating in Art. 10 (2) that everyone has the right to protection against unauthorised interference with the private and family life.
Protection of privacy as a fundamental human right is also treated by important international documents. For example, the UN Universal Declaration of Human Rights stipulates, in Article 12, that no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks. A similar provision is also contained in the Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms, which stipulates, in its Art. 8 (1), that everyone has the right to respect for his private and family life, his home and his correspondence.
The above-mentioned basic and general definition of privacy in the context of the cited provision of the Charter of Fundamental Rights and Freedoms indicates that privacy is necessarily interfered with practically in every interaction with other people, i.e. both in direct interaction and in a situation when someone else has available and potentially further handles information on the manifestations of our personality. However, as a rule, these interventions must be authorised, i.e. legal, based on law. Any other state is undesirable and unlawful.
Protection against one-off and unsystematic interferences with privacy of individuals is provided particularly by Article 11 et seq. of Act No. 40/1964 Coll., the Civil Code, as amended, within the provisions on protection of personal rights. These provisions also encompass general regulation of the right of the affected natural person to claim satisfaction, even in financial terms, for any harm that he incurs as a result of the unauthorised interference with privacy.
Where a systematic operation or set of operations is carried out with respect to personal manifestations or other information concerning a specific or identifiable natural person, this constitutes processing of personal data falling within the regime of Act No. 101/2000 Coll., on the protection of personal data and on amendment to some acts, as amended. This Act also implements another fundamental human right stipulated in Art. 10 (3) of the Charter of Fundamental Rights and Freedoms, namely the right of everyone to protection against unauthorised gathering, publication or other misuse of his or her personal data, which is an integral part of the right to protection of privacy.
As follows from the substance itself of the notion of personal data processing, this exercise inevitably and necessarily involves interferences with privacy, since, based on the wording of the Personal Data Protection Act, personal data processing would never occur in the absence of an operation (gathering, maintaining, utilisation, etc.) involving manifestations of personal character of an identified or identifiable person. For personal data processing to be lawful and interference with privacy of the given person justified, it is necessary that all the duties stipulated by the Personal Data Protection Act or special legal regulations be complied with in this processing.
The Personal Data Protection Act stipulates a number of duties of the data controller, i.e. the person who sets the purpose and means of processing, carries it out and is responsible for it: for example, the duty to set the purpose and means of processing of personal data, the duty to provide for a legal title for processing; the duty to process only accurate personal data in conformity with the given purpose; important circumstances aimed at protection of the processed personal data against unauthorised or accidental access; information duty towards the data subjects; duty to register with the Office, etc.
In the context of this Position, we will focus particularly on the duty stipulated in Article 5 (3) and Article 10 of the Personal Data Protection Act. This involves the duty of the controller or processor, as appropriate, to ensure that the data subject's private and personal life is protected against unauthorised interference.
Interference with privacy is inevitable in personal data processing. However, pursuant to the cited provisions of the Personal Data Protection Act, these interferences must be justified. This means that the controller is obliged, inter alia, to determine the purpose of processing and the means whereby the processing will be carried out. Justified interference with privacy may be deemed to be a case where processing is carried out in a manner and by means appropriate to the chosen lawful and legitimate purpose of processing, i.e. a purpose that is admitted by law and not prohibited. In the opposite case, although the processing would otherwise comply with all the requirements of the Act, the processing would be illegal and unlawful, and the Office would be able to exercise its supervisory powers. It would not primarily examine the purpose of processing itself or compliance with other duties of a controller, but would rather focus particularly on whether the chosen method of personal data processing is appropriate and proportionate to the set purpose and whether or not it excessively and thus unlawfully interferes with the private lives of data subjects.
In practical terms, it is appropriate to distinguish between two categories of controllers – entities of private law and entities of public law.
In principle, private-law entities determine the purpose and method of personal data processing themselves in the sense of the constitutional rule that everyone may do what is not prohibited, unless such processing is required by law. Therefore, after having selected the purpose of processing personal data, they may choose the relevant means and methods. Before they proceed with the actual processing of data, in the stage of considerations regarding its necessity and parameters, the controller must assess whether the given method of processing is appropriate to the set purpose, also with regard to all the circumstances of the contemplated processing, or whether it would inappropriately interfere with privacy with respect to its purpose. If the controller fails to do so and processes personal data in a manner redundantly interfering with privacy of data subjects, the Office can exercise its supervisory competence. After having performed an inspection, it could prohibit such personal data processing within the resulting remedial measures, albeit it might otherwise be without any defects.
An entity of public law can, in cases where it plays this role, essentially do only what is allowed by law, and only in a manner stipulated by law. Consequently, where a controller, being a public-law entity, processes personal data in the sole manner allowed by the legislation, this is in principle always lawful and cannot involve illegal and unauthorised interference with privacy in the sense of Article 5 (3) or Article 10 of the Personal Data Protection Act. In those cases where the method of processing stipulated by law is not entirely appropriate to its purpose, the given controller must process personal data in the set manner. In these cases, given this unsuitable legislation, the Office, which does not have a legislative initiative, must push for a remedy in some way other than by exercising its supervisory power.
A public-law entity in the position of a controller may therefore affect the methods and means of personal data processing, and is thus obliged to assess their impact on privacy, only in those cases where the legislation provides it with a choice of several methods of processing whereby it can reach the set objective. In this case, the controller must evaluate the specific case, purpose of processing of personal data and other circumstances that are related to the processing, and choose a method of personal data processing that will interfere less with the privacy of data subjects. In this case, an argument that the controller carries out the processing in one of the manners permitted by the law cannot stand. Every controller, and thus also a public-law entity, is also obliged to comply, in personal data processing, with the legal regulations providing for personal data processing, and thus also the Personal Data Protection Act. Consequently, if there is a choice of several options for personal data processing and the controller chooses the more invasive one, the method that less respects the privacy of affected persons breaches the above-mentioned provisions of the Personal Data Protection Act and is thus in conflict with the latter (e.g. the relatively frequent requirement for identification of a person by means of the “date of birth or birth number”, where the controller must always require only the date of birth, because this data does not include any other information and interferes less with the privacy of the given person). In this case, a potential remedial measure could not be employed to prohibit processing that is carried out on the basis of the law on authorization; however, it could in a specific case prohibit one of its potential methods.
Every processing of personal data constitutes interference with the individual's privacy. For this interference and processing as such to be lawful, it is necessary that, in all cases where this is possible, the controller assess the potential methods of processing and choose the one that least interferes with privacy of data subjects. Otherwise processing will not be in conformity with the Personal Data Protection Act and the controller will face the risk of an inspection and application of a remedial measure by the Office; in an extreme case, this measure could also prohibit the processing as such.