Czech Republic: New rules on personal data protection


Only a few days ago, the European Union adopted the General Data Protection Regulation (which will often be referred to by its abbreviation, GDPR, in the future). This Regulation will replace the existing EU Directive in less than two years, at which point the Czech Act on the Protection of Personal Data, which is based on the current Directive, will cease to apply.

The new legislation is quite extensive, and compared to the current Czech data protection regulation, which has been operating for 15 years without any major changes, GDPR will bring many revolutionary changes in the collecting, processing and storing of personal data. These include, among others:

  • a dramatic increase in penalties for breaches of personal data protection rules. Compared to the current situation, where maximum fines amount to several million CZK, the Regulation sets out that the DPA may impose a fine of up to half a billion CZK (20 million EUR), or 4% of the total worldwide turnover;
  • expanding existing individual rights and introducing new ones, including the right to request restrictions on the scope of the processing of personal data, the right to data portability, the right to be provided with a copy of the personal data at no charge, and the so-called right “to be forgotten”;
  • the obligation to formally notify the intent to process personal data is abolished and, conversely, an obligation to keep internal records of personal data processing is introduced;
  • many companies will have to establish a job position of a data protection officer;
  • supervisory authorities will be considerably strengthened, and will be allowed to conduct joint coordinated investigations in several EU member states;
  • the rules for technical and organisational measures aimed at protecting personal data are refined;
  • the data controller will have a new duty to assess the impact of the data processing on the personal data protection and, if necessary, consult the supervisory authority on a mandatory basis;
  • any breach of personal data security will have to be immediately notified to the DPA and the individuals concerned;
  • completely new concepts for technology development regulation in terms of data protection and privacy are introduced (privacy by design and privacy by default);
  • data controllers seated in non-EU countries may also be effectively sanctioned;
  • and many others.

Although two years appear to be a long enough period for adjusting companies' internal processes relating to personal data protection and generally for ensuring compliance with the new regulation, our first experience and consultations with the European supervisory authorities show that the changes are so fundamental that this period is not as long as it seems. We believe one should start preparing for the GDPR as soon as possible. Our teams of specialists in the data protection area are naturally available for consultations.