ACT Nº. 101 of 4 April 2000 on Protection of the Personal Data and on Amendments to Some Related Acts
The Parliament has enacted the following Act of the Czech Republic:
PART ONE. PERSONAL DATA PROTECTION
CHAPTER I. INTRODUCTORY PROVISIONS
Article 1. Subject of the Act
The Act regulates the protection of personal data concerning natural persons, the rights and obligations in processing of these data, and specifies the conditions under which personal data may be transferred to other countries.
Article 2
(1) The Office for Personal Data Protection is hereby established with a seat in Prague (hereinafter the «Office»).
(2) The Office shall be entrusted with the competence of a central administrative authority in the area of personal data protection in the scope stipulated by this Act and in the area of electronic signature in the scope stipulated by a special regulation.(1)
Article 3. Scope of the Act
(1) This Act shall apply to personal data that are processed by state authorities, territorial self-administration bodies, other public administration bodies, as well as natural and legal persons, unless this Act or a special Act stipulates otherwise.
(2) This Act shall apply to all personal data processing, both by automatic and by other means.
(3) This Act shall not apply to personal data processing carried out by a natural person exclusively for personal needs.
(4) This Act shall not apply to accidental personal data collection, unless these data are subject to further processing. This Act shall also not apply to accidental personal data collection in a scope that is required for carrying out an independent profession that is neither a small business nor any other business activity pursuant to special Acts (1a) which lay down the obligation of confidentiality.
(5) Processing of personal data for statistical and archival purposes shall be regulated by special Acts (2),(3).
(6) The provisions of Articles 5, 9, 11, 16, and 27 of this Act shall not apply to processing of personal data carried out by:
intelligence services(4),
the Police of the Czech Republic, including the Interpol National Centre, in detecting criminal activities(5),
the Ministry of Finance in the framework of financial and analytical activities pursuant to a special Act(6),
the National Security Office (NBU) in carrying out security screening according to a special Act (7),
the Ministry of Interior in issuing certificates pursuant to a special Act(8), in issuing cover documents(9) and in activities of the Inspection Division of the Minister of Interior (10),
authorities responsible for disclosing files resulting from activities of the former State Security pursuant to a special Act (10a), unless this special Act stipulates otherwise.
Article 4. Definition of Terms
For the purposes of this Act:
«personal data» shall mean any data relating to an identified or identifiable data subject. A data subject shall be considered to be identified or identifiable if his identity can be directly or indirectly determined on the basis of one or more items of personal data. Data shall not be considered personal data where inadequate quantity of time, effort or material resources are required to determine the identity of the data subject;
«sensitive data» shall mean personal data revealing nationality, racial and/or ethnic origin, political attitudes, membership in trade union organisations, religious and philosophical beliefs, criminal activity, health, and sexual life of the data subject;
«anonymous data» shall mean data that cannot be related to an identified or identifiable data subject in their original form or following processing thereof;
«data subject» shall mean a natural person to whom the personal data pertain;
«personal data processing» shall mean any operation or a set of operations that is systematically executed by a controller or processor in relation to personal data in an automatic or other manner. Personal data processing shall mean, in particular, the collection of data, their storage on data carriers, retrieval, modification or alteration, searching, use, transfer, dissemination, publishing, preservation, exchange, sorting or combination, blocking and liquidation;
«personal data collection» shall mean a systematic procedure or a set of procedures, whose aim is to obtain personal data for the purpose of their further storage on a data carrier for their immediate or subsequent processing;
«personal data preserving» shall mean keeping data in a manner that permits their further processing;
«personal data blocking» shall mean establishing a state in which personal data are inaccessible for a certain period of time and cannot be otherwise processed;
«personal data liquidation» shall mean physical destruction of their carrier, their physical deletion or their permanent exclusion from further processing;
«controller» shall mean any entity that determines the purpose and means of personal data processing, carries out such processing and is responsible therefor. The controller may authorise or assign a processor to process personal data, unless a special Act stipulates otherwise;
«processor» shall mean any entity processing personal data pursuant to this Act, on the basis of a special Act or authorisation by the controller;
«published personal data» shall mean personal data that are made accessible, in particular, by mass media, other form of public communication, or as a part of a public list.
CHAPTER II. RIGHTS AND OBLIGATIONS IN PROCESSING OF PERSONAL DATA
Article 5
(1) The controller shall be obliged to:
specify the purpose for which personal data are to be processed;
specify the means and manner of personal data processing;
process only authentic and accurate personal data, which he obtained in conformity with this Act. The controller shall be obligated to verify whether the personal data are authentic and accurate. If the controller finds that the data that are being processed thereby are not authentic or accurate with respect to the specified purpose, in particular, in relation to an objection raised by the data subject, the controller must block the personal data and correct or supplement them without undue delay. If the data cannot be corrected or supplemented, the controller must liquidate them without undue delay. Inauthentic, inaccurate, or unverified personal data may be processed only in cases stipulated by a special Act(11). These data must be duly designated and kept separately from other personal data;
collect personal data corresponding exclusively to the specified purpose and in an extent that is necessary for fulfilment of the specified purpose;
keep personal data only for a period of time that is necessary for the purpose of their processing. After expiry of this period, personal data may be kept only for statistical, scientific and archival purposes. When using personal data for these purposes, it is necessary to respect the right to protection of private and personal life of the data subject against unauthorised infringement;
process personal data only in accord with the purpose for which the data were collected, unless a special Act stipulates otherwise. Personal data may be processed for some other purpose only with the consent of the data subject;
collect personal data only in an open manner; collecting data under the pretext of some other purpose or activity shall be prohibited, unless a special Act stipulates otherwise;
ensure that personal data that were obtained for various purposes are not combined, unless a special Act stipulates otherwise.
(2) The controller may process personal data only with the consent of the data subject. Without such consent, the controller may process the data if he is carrying out processing specified by a special Act or required to comply with the duties specified by a special Act(12);
if it is essential that the data subject enter into negotiations on a contractual relationship or that he comply with the arrangements agreed upon with the controller;
if it is essential for the protection of important interests of the data subject. In this case, the consent of the data subject must be obtained without undue delay. If the consent is not granted, the controller must terminate the processing and liquidate the data;
in relation to personal data that were published with authorization pursuant to a special Act(13). However, this shall not prejudice the right to protection of private and personal life of the data subject;
if it is essential for the protection of rights of the controller; however, such personal data processing may not be in contradiction with the right of the data subject to protection of his private and personal life; or
if it is essential for carrying out a legitimate activity of political parties, political movements, civic associations, trade union organisations, churches and/or religious organisations.
(3) If the controller processes personal data on the basis of a special Act, he shall be obliged to respect the right to protection of private and personal life of the data subject.
(4) Personal data may be processed for statistical or scientific purposes without the consent of the data subject. When processed for the above specified purposes, personal data must be made anonymous as soon as possible. Nevertheless, when personal data are processed for these purposes, the level of their protection required under Article 13 must be ensured.
(5) However, the consent under paragraph (2) shall not affect the duties referred to in paragraph 1 (c) and (g). The consent must clearly specify the scope of the consent; to whom and for what purpose, and for what period of time and by whom the consent is granted. The consent may be revoked at any time, unless the data subject and the controller explicitly agree otherwise. The controller shall prove the consent for the period of processing of the personal data, for whose processing the consent was granted.
(6) If the controller or the processor carries out personal data processing for the purpose of offering business opportunities or services to the data subject, the data subject’s name, surname and address may be used for this purpose provided that the data were acquired from a public list or in relation to an activity of the controller or processor. The controller or processor, however, may not further process the above specified data if the data subject has expressed his disagreement therewith. The disagreement with processing must be expressed in writing. No additional personal data may be attached to the above specified data without the consent of the data subject.
(7) The controller who processes personal data pursuant to paragraph 6 may transfer these data to some other controller only if the following conditions are met:
the data on the data subject were acquired in relation to activities of the controller or the data in question consist in published personal data;
the data shall be used exclusively for the purpose of offering business opportunities and services;
the data subject has been notified in advance of this procedure of the controller and the data subject has not expressed disagreement with this procedure.
(8) Another controller to whom data pursuant to paragraph 7 have been transferred may not transfer these data to any third person.
(9) Disagreement with processing pursuant to paragraph 7 (c) must be expressed by the data subject in writing. The controller shall be obliged to notify each controller to whom he has transferred the name, surname and address of the data subject of the fact that the data subject has expressed disagreement with the processing.
(10) To eliminate the possibility that the name, surname and address of the data subject are repeatedly used for offering business opportunities and services, the controller shall be entitled to further process the data subject's name, surname and address for his own needs in spite of the fact that the data subject expressed his/her disagreement therewith in accordance with paragraph 6.
Article 6
Where authorisation does not follow from a legal regulation, the controller may conclude with the processor an agreement on personal data processing. The agreement must be made in writing, otherwise it shall be null and void. The agreement shall explicitly state the scope, purpose and period of time for which it is concluded. If the processor fails to provide adequate guarantee in the agreement in relation to technical and organisational provision for personal data protection, the agreement shall be null and void.
Article 7
The obligations specified in Article 5 shall apply to the processor mutatis mutandis.
Article 8
If the processor finds that the controller breaches the obligations stipulated by this Act, the processor shall be obliged to notify the controller of this fact without delay and terminate personal data processing. If he fails to do so, the processor and the data controller shall be liable jointly and severally for any damage incurred by the data subject. This shall in no way prejudice responsibility of the processor pursuant to this Act.
Article 9. Sensitive Data
Sensitive data may be processed only:
if the data subject has granted express consent therewith. The consent must be granted in writing, must be signed by the data subject and must clearly specify the data in respect of which the consent is granted, and the controller, purpose and period of time for which the consent is granted and by whom it is granted. The data subject may revoke his consent at any time. The controller shall be obliged to instruct the data subject in advance of his rights. The controller shall be obliged to keep the consent for the period of personal data processing for the processing of which the consent was granted;
if it is necessary in order to preserve the life or health of the data subject or some other person or to eliminate imminent danger to their property, if his consent cannot be obtained, in particular, due to his physical, mental or legal incapacity, or if the data subject is missing or for similar reasons. The controller shall be obliged to terminate data processing as soon as the above mentioned reasons cease to exist and must liquidate the data, unless the data subject grants his consent to further processing;
in relation to the provision of health care(14), as well as other examination of the health condition pursuant to a special regulation, especially for the purposes of social security(15); or
in cases stipulated by a special Act(16).
Article 10
In personal data processing, the controller and processor shall ensure that the rights of the data subject are not infringed upon, in particular, the right to preservation of human dignity, and shall also ensure that the private and personal life of the data subject is protected against unauthorized intervention.
Article 11
(1) Prior to commencing processing of personal data, the controller shall be obliged to notify the data subject duly, in time and in writing of the scope and purpose of processing of the personal data, of the person who will process the personal data and the manner of processing thereof and to whom the personal data may be disclosed, or for whom the data are designated, unless the data subject is also familiar with these facts.
(2) The controller must further instruct the data subject on whether the data subject is obliged under law to provide personal data for processing, what consequences follow from refusal of the data subject to do so, and when the data subject is entitled to refuse to provide personal data, or whether the provision of personal data is voluntary.
(3) The controller must notify the data subject of his right to access the personal data, as well as of other rights stipulated in Article 21 of this Act.
(4) If the controller has not obtained personal data from the data subject, he shall be obliged, on the basis of a written request, to provide the data subject without delay with information on who provided the controller with personal data (the source of personal data).
(5) The controller shall not be obliged to provide information pursuant to paragraphs 1 to 4 if:
he is processing personal data exclusively for statistical, scientific or archival purposes;
the obligation to process personal data is imposed thereon by law or the data are necessary to exercise the rights and obligations following from special Acts;
a special Act(17) stipulates that he is not obliged to provide personal data;
he processes exclusively published personal data; or
he processes personal data with the consent of the data subject pursuant to Article 5 (5) and Article 9 (a).
(6) A decision of a public authority or any other act may not be issued or executed without verification exclusively on the basis of automated personal data processing. This shall not apply where the decision or act is executed in favour of the data subject.
(7) The above provisions shall in no way prejudice the right of the data subject to request information pursuant to special Acts(18).
(8) In processing personal data pursuant to Article 5 (2)(e), the controller shall be obliged to inform the data subject on this procedure without undue delay.
Article 12
(1) The controller shall not be obliged to fulfil the obligation to provide information pursuant to Article 11(1) if this information is a part of instruction pursuant to a legal regulation.
(2) Unless stipulated otherwise by law, on the basis of a written request of the data subject, once per calendar year, the controller shall be obliged to provide the data subject free of charge with information on personal data processed in relation to the data subject; otherwise, such information shall be provided at any time for reasonable consideration not exceeding the costs required for the provision of information.
Obligations of Persons in Securing Personal Data
Article 13
The controller and the processor shall be obliged to adopt measures preventing unauthorised or accidental access to personal data, their alteration, destruction or loss, unauthorised transmission, other unauthorised processing, as well as other misuse of personal data. This obligation shall remain valid after terminating personal data processing.
Article 14
Employees of the controller or processor and other persons who process personal data on the basis of an agreement with the controller or processor, may process personal data only under the conditions and in the scope specified by the controller or the processor.
Article 15
(1) Employees of the controller or processor, other natural persons who process personal data on the basis of an agreement concluded with the controller or processor and other persons who, in the scope of fulfilling rights and obligations stipulated by law, come into contact with personal data at the premises of the controller or processor, shall be obliged to maintain confidentiality of personal data and security arrangements whose public disclosure would endanger the security of personal data. The obligation to maintain confidentiality shall survive termination of employment or the relevant work.
(2) The provisions of the previous paragraph shall in no way prejudice the obligation to maintain confidentiality pursuant to special Acts(19).
(3) The obligation to maintain confidentiality shall not apply to notification obligation pursuant to special Acts(20).
Article 16. Notification Obligation
(1) Whoever intends to process personal data shall be obligated to notify the Office of this fact prior to commencing personal data processing. The controller shall also be obliged to provide notification if he intends to alter the personal data processing. The notification must be executed in writing.
(2) The notification must include the following information:
the name of the controller, address of his registered office and identification number if it has been assigned;
the purpose or purposes of processing;
the categories of the data subjects and personal data pertaining to these entities;
the sources of personal data;
description of the manner of personal data processing;
the location or locations of personal data processing if this/these location/locations differ from the address of the controller’s registered office;
the recipient or a category of recipients to whom personal data may be provided or disclosed;
the anticipated personal data transfers to other countries;
description of measures adopted for ensuring the required protection of personal data pursuant to Article 13;
the links to other controllers or processors.
(3) Within 30 days as of the delivery of the notification to the Office, the Office shall be obliged to communicate to the notifier that the Office has registered his notification, or to issue a decision pursuant to Article 17.
(4) If the Office has registered the notification, the notifier may commence personal data processing as of the date of registration.
(5) If the Office fails to inform the notifier within the deadline specified in paragraph 3 that it has registered the notification or to issue a decision, it shall hold that the Office has registered the notification.
Article 17
(1) If the Office finds that the notifier does not meet the conditions specified by this Act, it shall not permit personal data processing.
(2) If the notification does not contain all the required information, the Office shall invite the notifier to supplement it within a set deadline.
(3) If a justified concern arises in relation to the notification that this Act might be breached in processing of personal data, the Office shall invite the notifier to supplement the notification within a set deadline, or may carry out its own investigation on site, if appropriate.
(4) After expiry of the deadline specified pursuant to paragraphs 2 and 3, the Office shall either register the notification or issue a decision not permitting personal data processing.
Article 17a
(1) If the Office finds that the controller is processing personal data on the basis of a notification registered pursuant to Article 16 in contradiction with the conditions stipulated by this Act, it shall decide on revoking the registration.
(2) If the Office finds that the controller, whose notification has been registered using a procedure pursuant to Article 16 (3) or Article 17 (4), breaches the conditions stipulated by this Act, the Office shall revoke the registration.
(3) If the purpose for which processing was registered ceases to exist, the Office shall revoke the registration either at its own instigation or on request of the controller.
Article 18
The notification obligation pursuant to Article 16 shall not apply to processing of personal data:
that are a part of publicly accessible records;
the processing of which is imposed on the controller by law(21), or that are required for exercising rights following from special Acts; or
by political parties, political movements, trade union organisations, churches, religious organisations and associations, civic associations, or any other non-profit-making legal persons that pursue political, philosophical, religious or trade union objectives, if they process personal data related to their members and these data are used for their own internal needs.
Article 19
If the controller intends to terminate his activities, he shall be obliged to inform the Office without delay on how he handled personal data, if their processing is subject to the notification obligation.
Article 20. Liquidation of Personal Data
(1) The controller or, on the basis of his instructions, the processor shall be obligated to carry out liquidation of personal data as soon as the purpose for which personal data were processed ceases to exist or on the basis of a request by the data subject pursuant to Article 21.
(2) A special Act shall stipulate exceptions relating to the storage of personal data for archival purposes and to the exercising of rights in civil judicial proceedings, criminal proceedings and administrative proceedings.
Protection of Rights of Data Subjects
Article 21
(1) If a data subject finds that the controller or processor breached his obligations, the data subject shall be entitled to address the Office and request that measures be taken for a remedy.
(2) If the controller or processor has breached his obligations, the data subject shall have the right to request:
that the controller or processor refrain from such activity, remedy the thus arisen state of affairs or provide at his own expense an apology or other satisfaction;
that the controller or processor carry out a correction or supplementation of personal data so that the personal data are authentic and accurate;
that the personal data be blocked or liquidated;
the payment of financial compensation, if the right of the data subject to human dignity, personal honour, good reputation or the right to protection of his name was thus infringed upon.
(3) Whoever proves that he could not prevent breach of obligations despite using best efforts that could be required therefrom, shall be relieved of the liability under paragraph 2. Nevertheless, the data subject may demand that the controller or the processor refrain from his wrongful acts, remedy an illegal state of affairs, carry out a correction, supplementation, blockage or liquidation of personal data.
(4) If the controller or processor has caused damage to the data subject, the controller and the processor shall be liable jointly and severally therefor pursuant to special regulations(22).
(5) If a breach of obligations stipulated by this Act has occurred both on the part of the controller and on the part of the processor, the controller and the processor shall be liable jointly and severally. The data subject may enforce his claims against either of them.
(6) The controller shall be obliged to promptly provide for notification of each entity, to whom personal data have been provided in the framework of processing, of measures taken pursuant to paragraph 2 (a) to (c), with the exception of information on provision of an apology or some other satisfaction.
Article 22
The data subject may not exercise the right to blocking or liquidation of personal data if the controller is obliged to process personal data pursuant to a special Act or if this could infringe upon the rights of third parties.
Article 23. Remedy of Immaterial Damage
(1) If a person, who carries out activities for the controller or processor on the basis of an agreement, breaches the imposed obligations, the data subject shall have the right to request that:
this person refrain from this activity, remedy the thus arisen state of affairs or provide an apology or other satisfaction at his own expense;
this person liquidate personal data that he is processing without authorisation;
this person provide financial compensation for damage that resulted from the breach of right of the data subject to human dignity, personal honour, good reputation or the right to protection of name.
(2) If this person fails to provide an apology or other satisfaction at his own expense or provide financial compensation, the controller or the processor shall be obliged to fulfil this obligation in lieu of this person.
(3) If a person who is employed by the controller or processor breaches the imposed obligations, his liability shall be governed by the Labour Code.
Article 24
Persons referred to in Article 23 shall be relieved of the liability if they prove that they did not cause the breach of the regulations. Nevertheless, the data subject may request that they refrain from the activities breaching the imposed obligations, remedy the thus arisen state of affairs and liquidate personal data that they are processing without authorisation.
Article 25. Indemnification
General regulation of liability for damage (23),(24) shall apply to matters not specified by this Act.
Article 26
The obligations pursuant to Articles 21 to 25 shall apply to persons who have collected personal data without authorisation mutatis mutandis.
CHAPTER III. TRANSFER OF PERSONAL DATA TO OTHER COUNTRIES
Article 27
(1) Personal data may be transferred to other countries under the condition that the legislation of the country where personal data are to be processed corresponds to the requirements stipulated by this Act.
(2) Where the condition pursuant to paragraph 1 is not met, transfer of personal data may be carried out provided that:
the transfer of personal data is carried out with the consent of, or on the basis of an instruction by, the data subject who is entitled to grant it;
it is essential for the protection of the rights of the data subject or enforcement of claims of the data subject;
the personal data concerned are part of publicly accessible registers or registers accessible to persons who prove legal interest; nevertheless, this shall apply only to individually determined data;
the transfer follows from an international treaty binding the Czech Republic;
the transfer is necessary for the conclusion or performance of a contract between the data subject and the controller or of a contract that is being concluded in the interest of the data subject;
it is essential for saving life or providing health care to the data subject;
it is stipulated by a special Act. (24a)
(3) The transfer of personal data may be carried out in other cases, if this is carried out in favour of the data subject and if it follows from a bilateral contract between the controller and the recipient that the recipient will ensure the required protection of personal data.
(4) The controller shall be obliged to apply to the Office for a single or multiple permit for the transfer of personal data to other countries. The Office shall make a decision on the application without delay, and at the latest within 7 calendar days. If the Office fails to make a decision within this deadline it shall hold that the Office agrees with the transfer of personal data for a period specified in the application. If there is danger connected with delay, the Office shall issue its decision without delay. An appeal against the decision shall not have dilatory effect.
(5) If the Office issues a decision on a transfer of personal data, it shall also specify the period of time during which the controller may perform the transfer. If the controller breaches obligations stipulated by this Act, the Office shall revoke this permit. An appeal against the decision shall not have dilatory effect.
(6) The controller does not have the obligations pursuant to paragraphs 4 and 5 if so laid down by a special Act(25) or if the transfer follows from an international treaty binding the Czech Republic.
CHAPTER IV. POSITION AND COMPETENCE OF THE OFFICE
Article 28
(1) The Office is an independent body. In its activities, it shall act independently and shall be subject only to Acts and other regulations.
(2) The activities of the Office may be intervened with only on the basis of law.
(3) The activities of the Office shall be paid for from a special chapter of the state budget of the Czech Republic.
Article 29
(1) The Office shall:
perform supervision over fulfilment of obligations stipulated by this Act in personal data processing;
keep records of notifications executed pursuant to Article 16 and the register of instances of permitted personal data processing (hereinafter referred to as «the register»);
accept incentives and complaints of citizens concerning breach of this Act;
draw up an annual report on its activities and disclose the report to the general public;
issue implementing regulations pursuant to a special Act(24a);
exercise other competence specified by law;
discuss misdemeanours and other administrative offences and impose fines pursuant to this Act;
ensure fulfilment of requirements following from international treaties binding the Czech Republic;
provide consultations in the area of personal data protection;
co-operate with similar authorities in other countries.
(2) Supervision in the form of inspection shall be performed according to a special Act(26).
(3) Supervision over personal data processing performed by intelligence services shall be regulated by a special Act (27).
(4) The Office shall grant and revoke accreditation for acting as an accredited provider of certification services and shall perform supervision over the compliance with obligations stipulated by the Act on Electronic Signature.
CHAPTER V. ORGANISATION OF THE OFFICE
Article 30
(1) Employees of the Office shall consist of the President, inspectors and other employees.
(2) Control activities of the Office shall be carried out by inspectors and authorised employees (hereinafter referred to as «the controlling persons»).
(3) The provisions of the Labour Code shall apply to the employees of the Office, unless this Act stipulates otherwise.
(4) The President of the Office shall have the right to a salary, additional salary, reimbursement of expenses and consideration in kind as the President of the Supreme Audit Office pursuant to a special Act.(26a)
(5) The inspectors of the Office shall have the right to a salary, additional salary, reimbursement of expenses and consideration in kind as the members of the Supreme Audit Office pursuant to a special Act.(26a)
(6) The salaries of the employees of the Office, except for the President and inspectors, shall be governed by legal regulations providing for salaries of employees of the bodies of state administration(28).
(7) The employees of the Office, except for the President and inspectors shall have the right to reimbursement of travel expenses pursuant to a special regulation (29).
Article 31
Control activities of the Office shall be performed on the basis of an internal control plan or on the basis of the incentives and complaints of citizens.
Article 32. President of the Office
(1) The Office is directed by the President who shall be appointed and recalled by the President of the Czech Republic on the basis of a proposal of the Senate of the Parliament of the Czech Republic.
(2) The President of the Office shall be appointed for a period of 5 years. The President may be appointed for the maximum of two successive periods.
(3) The President of the Office may be only a citizen of the Czech Republic who:
enjoys legal capacity;
has no criminal record, meets the conditions prescribed by a special regulation (30) and for whom it can be assumed in relation to his knowledge, experience and moral qualities that he will serve his position properly; and has completed university education.
(4) For the purpose of this Act, a natural person shall be considered to have no criminal record if he has not been validly sentenced for a wilful criminal offence or for a criminal offence committed by negligence in relation to personal data processing.
(5) The position of the President of the Office shall not be compatible with the positions of a Member of Parliament or Senator, judge, state attorney, any position in the state administration, a position of a member of a territorial self-administration body and membership in political parties and movements.
(6) The President of the Office may not hold any other paid position, be in some other labour relationship, or perform any gainful activity, with the exception of administration of his own property and scientific, pedagogical, literary, journalistic and artistic activities, if such activities do not impair the dignity of the Office or threaten confidence in the independence and impartiality of the Office.
(7) The President of the Office shall be recalled from his position if he ceases to meet any of the conditions for his appointment.
(8) The President of the Office may also be recalled from his position if he fails to perform his position for a period of 6 months.
Inspectors of the Office
Article 33
(1) An inspector shall be appointed and recalled by the President of the Czech Republic on the basis of a proposal of the Senate of the Parliament of the Czech Republic.
(2) An inspector shall be appointed for a period of 10 years. He may be appointed repeatedly.
(3) An inspector shall carry out inspections, direct inspections, prepare the inspection report and perform other acts related to tasks of the Office.
(4) The activities pursuant to paragraph 3 shall be carried out by 7 inspectors of the Office.
Article 34
(1) An inspector may be only a citizen of the Czech Republic who enjoys legal capacity, has no criminal record, meets the conditions prescribed by a special regulation(30) and has completed professional university education.
(2) The position of an inspector shall not be compatible with the positions of a Member of Parliament or Senator, judge, state attorney, any position in the state administration, a position of a member of a territorial self-administration body and membership in political parties and movements. An inspector may not hold any other paid position, be in some other labour relationship, or perform any gainful activity, with the exception of administration of his own property and scientific, pedagogical, literary, journalistic and artistic activities, if such activity does not impair the dignity of the Office or threaten confidence in the independence and impartiality of the Office.
(3) An inspector shall be recalled from his position if he ceases to meet any of the conditions for his appointment.
CHAPTER VI. ACTIVITIES OF THE OFFICE
Article 35. Registration
(1) Information following from notifications under Article 16 (2) shall be recorded in the Register of instances of permitted personal data processing.
(2) The Office shall publish registration or revoking thereof in the Journal of the Office within 2 months, unless a special Act stipulates that registration or revoking thereof shall not be published. The Office may also publish the notification of registration or revoking thereof in some other suitable manner.
(3) The Register shall be publicly accessible, with the exception of data specified in Article 16 (2)(e) and (i).
Article 36. Annual Report
(1) The annual report of the Office shall include, in particular, information on the performed control activities and evaluation thereof, information on and evaluation of the state of affairs in the area of personal data processing and protection in the Czech Republic and evaluation of other activities of the Office.
(2) The President of the Office shall submit the annual report for information purposes to the Chamber of the Deputies and the Senate of the Parliament of the Czech Republic and to the Government of the Czech Republic within 2 months of the end of the budgetary year, and shall publish it in the Journal of the Office.
Article 37. Rights of the Controlling Persons
(1) When performing inspection, the controlling persons shall be entitled to:
enter the premises, facilities and operations, properties and other premises of the controllers and processors, who are subjected to inspection, or every person who processes personal data (hereinafter «the controlled person»), if this is related to the subject of the inspection; the controlling persons may enter dwellings only if the relevant dwelling serves also for operation of business activities;
require that the controlled person and other persons submit within the specified deadlines original documents and other written materials, data records on computer-readable media, excerpts and software source codes, if these materials are owned thereby, excerpts and copies of data (hereinafter the «documents»), provided that these documents are related to the subject of inspection, and draw up their own documentation;
get acquainted with classified information under the conditions stipulated by a special regulation(31), as well as with other facts that are protected by the obligation to maintain confidentiality;
request that natural and/or legal persons provide authentic and complete information of the determined and related facts;
seize documents in justified cases; the act of taking over the documents must be confirmed in writing to the controlled person, and on his request, he must be provided with copies of the seized documents;
make copies of the content of computer-readable media found at the premises of the controlled person that contain personal data;
request that the controlled persons submit within the set deadline a written report on a remedy of any shortcomings found;
use telecommunication facilities of the controlled persons in cases where use thereof is essential for ensuring the inspection.
Article 38. Obligations of the Controlling Persons
(1) Controlling persons, in connection to whom reasonable doubts exist as to their prejudice with respect to their relationship with controlled persons or the subject of control, may not carry out inspections.
(2) Immediately after learning facts indicating his prejudice, a controlling person shall be obliged to notify the President of the Office of this fact.
(3) The President of the Office shall make a decision on an objection concerning prejudice of the controlled person without undue delay. Prior to making a decision on the objection concerning prejudice, the controlling person shall carry out only acts that cannot be delayed.
(4) A decision on an objection concerning prejudice shall not be subject to appeal.
(5) The controlling persons shall be obliged to:
identify themselves to the controlled person by a document of the controlling person;
notify the controlled person of commencement of inspection;
respect the rights and legally protected interests of controlled persons;
return the seized documents and copies of computer-readable media to the controlled person as soon as the reasons for their seizure cease to exist;
duly protect the seized documents against loss, destruction, damage or misuse;
draw up an inspection report on the results of inspection;
maintain confidentiality of facts found during the inspection and not to misuse knowledge of these facts. The obligation to maintain confidentiality shall not prejudice the notification obligation under special Acts. The obligation to maintain confidentiality shall survive the termination of the labour relationship with the Office. The President of the Office may release the controlling person from the obligation to maintain confidentiality. The obligation to maintain confidentiality shall not apply to anonymous and generalised information.
(6) The inspection report shall include, in particular, description of the established facts, together with specification of shortcomings and identification of provisions of legal regulations that have been breached and measures that were imposed for a remedy and setting of deadlines for providing for a remedy. The inspection report shall include designation of the Office and the names of the controlling persons participating in the inspection, designation of the controlled person, the place and time of performing the inspection, the subject of the inspection, the actual state of affairs, identification of documents and other documents and the findings on which the report is based. The inspection report shall be signed by the controlling persons who participated in the inspection.
(7) The controlling persons shall be obliged to acquaint the controlled persons with the contents of the inspection report and provide them with a copy thereof. The controlled persons shall confirm their acquaintance with the inspection report and acceptance thereof by signing the inspection report. If the controlled person refuses to be acquainted with the contents of the inspection report or to confirm the acquaintance, these facts shall be stated in the inspection report.
Article 39
In relation to performance of an inspection, each person shall be obliged to provide the required co-operation to the controlling persons in performance of their activities.
Measures for a Remedy
Article 40
(1) If a controlling person finds that obligations imposed by this Act have been breached, the inspector shall determine which measures shall be adopted in order to eliminate the established shortcomings and set a deadline for their elimination.
(2) If liquidation of personal data has been ordered, the relevant personal data shall be blocked until their liquidation. The controller may file an objection to the President of the Office against ordering of the liquidation. The personal data shall be blocked until a decision is made on the objection. An action may be filed against the decision of the President in accordance with the regulations on administrative justice. The data shall be blocked until a decision is made by the court.
(3) The controlled person shall be obliged to submit a report on the adopted measures within the set deadline.
Article 41
Unless stipulated otherwise by this Act, proceedings in matters regulated by this Act shall be governed by the Code of Administrative Procedure(32).
Article 42
Operation of information systems managing personal data pursuant to the current regulations shall mean personal data processing.
Article 43. Rights and Obligations in Supervision
The rights and obligations of controlling and controlled persons shall be governed by a special Act(26), unless stipulated otherwise by this Act.
CHAPTER VII. PENALTIES
Article 44. Offences
(1) A person who is in a labour or similar relationship to the controller or processor or who carries out activities therefor on the basis of an agreement, or a person who, as a part of fulfilling rights and obligations imposed by law, comes into contact with the personal data of the controller or processor shall be considered to have committed an offence and shall be punished by a fine of up to CZK 50 000 if he breaches the obligation to maintain confidentiality imposed by this Act.
(2) A person referred to in paragraph 1 shall be considered to have committed an offence and shall be punished by a fine of up to CZK 25 000 if he breaches some other obligation stipulated by this Act.
(3) Offences and hearing thereof shall be governed by a special Act(33).
(4) The Office shall be the authority competent to hear offences.
Article 45. Disciplinary Fine
A disciplinary fine of up to CZK 25,000 may be imposed, even repeatedly, on a person who fails to provide the Office with the required co-operation in performance of an inspection.
Article 46. Fines Imposed on Controllers and Processors
(1) A controller or processor who breaches an obligation stipulated by this Act in processing of personal data shall be punished by a fine of up to CZK 10 000 000.
(2) If a controller or processor repeatedly breaches obligations stipulated by this Act in processing of personal data within one year of the date of legal force of a decision of imposing a penalty, he shall be liable to a fine of up to CZK 20 000 000.
(3) A controller or processor who obstructs a control performed by the Office may be punished by a disciplinary fine of up to CZK 1 000 000, even repeatedly.
(4) Any breach of obligations shall be heard by the Office.
(5) When imposing a fine pursuant to this Act, the Office shall take into account, in particular, the character, seriousness, manner of conduct, degree of fault, duration and consequences of the unlawful conduct.
(6) A fine may be imposed within one year of the day when the competent authority established the breach of the obligation; however, not later than within 3 years of the day when the breach occurred.
(7) Fines shall be collected by the Office. Fines shall be enforced by the territorial financial authority pursuant to a special regulation(34).
(8) The revenue from fines shall be an income for the state budget of the Czech Republic.
CHAPTER VIII. JOINT, TRANSITORY AND CONCLUDING PROVISIONS
Article 47. Measures for the Transitional Period
(1) Every person who processes personal data by the date of legal force of this Act and who is subject to the notification obligation under Article 16 shall be obliged to fulfil this obligation at the latest within 6 months as of the date of legal force of this Act.
(2) Personal data processing carried out prior to the legal force of this Act shall be brought into accord with this Act by December 31, 2001.
(3) In case the controlling persons establish a breach of obligations pursuant to paragraph 2, the provisions of Article 46 (1) and (2) shall not be employed in this case prior to December 31, 2002.
Article 48. Repealing Provision
Act Nº. 256/1992 Coll., on the Protection of the Personal Data in Information Systems is hereby repealed.
PART TWO
Article 49. Amendment to the Criminal Code
Act Nº. 140/1961 Coll., the Criminal Code, as amended by Act Nº. 120/1962 Coll., Act Nº. 53/1963 Coll., Act Nº. 56/1966 Coll., Act Nº. 148/1969 Coll., Act Nº. 45/1973 Coll., Act Nº. 43/1980 Coll., Act Nº. 10/1989 Coll., Act Nº. 159/1989 Coll., Act Nº. 47/1990 Coll., Act Nº. 84/1990 Coll., Act Nº. 175/1990 Coll., Act Nº. 457/1990 Coll., Act Nº. 545/1990 Coll., Act Nº. 490/1991 Coll., Act Nº. 557/1991 Coll., Award of the Constitutional Court of the Czech and Slovak Federative Republic of September 4, 1992, Act Nº. 290/1993 Coll., Act Nº. 38/1994 Coll., Act Nº. 91/1994 Coll., Act Nº. 152/1995 Coll., Act Nº. 19/1997 Coll., Act Nº. 103/1997 Coll., Act Nº. 253/1997 Coll., Act Nº. 92/1998 Coll., Act Nº. 112/1998 Coll., Act Nº. 148/1998 Coll., Act Nº. 167/1998 Coll., Act Nº. 96/1999 Coll., Act Nº. 191/1999 Coll., Act Nº. 210/1999 Coll., Act Nº. 223/1999 Coll., Act Nº. 238/1999 Coll., Act Nº. 305/1999 Coll., Act Nº. 327/1999 Coll., Act Nº. 360/1999 Coll. and Act Nº. 29/2000 Coll., shall be amended as follows:
1. Article 178 paragraph (1) shall read as follows:
«(1) A person who, without authorization, even by negligence, discloses, makes accessible, otherwise processes or appropriates personal data on another person that have been collected in connection with execution of public administration, shall be punished by imprisonment of up to three years or by prohibition of activities or by a fine.».
2. In article 178 paragraph (2), the word «personal» shall be inserted after the word «who».
PART THREE
Article 50. Amendment to the Act on Free Access to Information
Act Nº. 106/1999 Coll., on Free Access to Information, shall be amended as follows:
1. Article 2 paragraph (3), including footnote Nº. 1, shall read as follows:
«(3) The Act shall not apply to providing personal data and information pursuant to a special regulation.1
__________________________
1 E.g., Act Nº. 101/2000 Coll., on the Protection of Personal Data and Amendment to Some Related Acts and Act Nº. 123/1998 Coll., on the Right to Information on the Environment.».
2. In article 5 paragraph (3), the second sentence shall be replaced by a sentence which, including the footnote nº 3a, shall read as follows: «For this purpose, the obligation to avoid combining information pursuant to a special regulation shall not apply to these entities.3a
______________________
3a Article 5 (1) (h) of Act Nº. 101/2000 Coll., on the Protection of Personal Data and Amendment to Some Related Acts».
3. In article 8, paragraphs (1) and (2), including the heading and footnote Nº. 5, shall be repealed.
PART FOUR
Legal Force
Article 51
This Act comes into effect on June 1, 2000, with the exception of the provisions of Articles 16, 17 and 35, which come into effect on December 1, 2000.
Klaus Havel Zeman
——————————————————————————————————–
(1) Act Nº. 227/2000 Coll., on Electronic Signature and on Amendment to Some Related Acts (the Electronic Signature Act).
(1a) E.g., Act Nº. 85/1996 Coll., on Advocacy, as Amended, Act Nº. 358/1992 Coll., on Notaries and Their Activities, as Amended, Act Nº. 237/1991 Coll., on Patent Representatives, as Amended by Act Nº. 14/1993 Coll., Act Nº. 523/1992 Coll., on Tax Consulting and Chamber of Tax Consultants of the Czech Republic, Act Nº. 254/2000 Coll., on Auditors, Act Nº. 36/1967 Coll., on Experts and Interpreters.
(2) Act Nº. 89/1995 Coll., on the State Statistical Service. Act Nº. 158/1999 Coll., on the Census of Citizens, Houses and Flats in 2001.
(3) Act Nº. 97/1974 Coll., on Archives, as Amended by Act Nº. 343/1992 Coll.
(4) Act Nº. 153/1994 Coll., on the Intelligence Service of the Czech Republic, as Amended by Act Nº. 118/1995 Coll.
(5) Act Nº. 283/1991 Coll., on the Police of the Czech Republic, as Amended.
(6) Act Nº. 61/1996 Coll., on Certain Measures against Legalisation of Proceeds from Criminal Activities and on Amendment to Some Related Acts, as Amended by Act Nº. 15/1998 Coll.
(7) Act Nº. 148/1998 Coll., on the Protection of classified Information and on Amendment to Some Related Acts, as Amended.
(8) Act Nº. 451/1991 Coll. Specifying Some Additional Prerequisites for the Performance of Certain Positions in State Authorities and Organisations of the Czech and Slovak Federal Republic, the Czech Republic and the Slovak Republic, as Amended. Act Nº. 279/1992 Coll. on Some Additional Prerequisites for the Performance of Certain Positions Staffed on the Basis of Assignment or Appointment of Officers of the Police of the Czech Republic and of the Correctional Service Corps of the Czech Republic, as Subsequently Amended.
(9) Article 34a of Act Nº. 283/1991 Coll.
(10) Article 2(4) of Act Nº. 283/1991 Coll.
(10a) Act Nº. 140/1996 Coll., on Disclosure of the Files Resulted from Activities of the Former State Security, as Amended by Act Nº. 107/2002 Coll.
(11) E.g., Act Nº. 89/1995 Coll., Act Nº. 153/1994 Coll., as Amended by Act Nº. 118/1995 Coll., and Act Nº. 283/1991 Coll., as Amended.
(12) E.g. Act Nº. 111/1998 Coll., on Universities and on Amendment to other Acts (the Universities Act); Act Nº. 564/1990 Coll., on the State Administration and Self-Administration in Education, as Amended; Act Nº. 153/1994 Coll., as Amended by Act Nº. 118/1995 Coll. and Act Nº. 61/1996 Coll., as Amended by Act Nº. 15/1998 Coll.
(13) Act Nº. 81/1966 Coll., on the Periodical Press and Other Media of Mass Information, as Amended.
(14) Act Nº. 20/1966 Coll., on the Care for Health of the Population, as Amended.
(15) E.g. Act Nº. 582/1991 Coll., on Organisation and Implementation of Social Security, as Amended.
(16) E.g. Act Nº. 48/1997 Coll., on Public Health Insurance and on Amendment to Some Related Acts, as Amended; Act Nº. 280/1992 Coll., on Ministry, Branch, Undertaking and Other Health Insurance Companies, as Amended; Act Nº. 551/1992 Coll., on the General Health Insurance Company of the Czech Republic, as Amended; and Act Nº. 158/1999 Coll.
(17) E.g. Act Nº. 153/1994 Coll., as Amended by Act Nº. 118/1995 Coll.; Act Nº. 61/1966 Coll., as Amended by Act Nº. 15/1998 Coll., and Act Nº. 283/1991 Coll., as Amended.
(18) E.g. Act Nº. 123/1998 Coll., on the Right to Information on the Environment; Act Nº. 367/1990 Coll., on Municipalities (the Municipality System), as Amended; Act Nº. 106/1999 Coll., on Free Access to Information.
(19) E.g. Act Nº. 148/1998 Coll., as Amended; Act Nº. 89/1995 Coll.; Act Nº. 20/1966, as Amended; Act Nº. 15/1998 Coll., on the Securities Commission and on Amendment to Some Related Acts.
(20) E.g. Articles 167 and 168 of Act Nº. 140/1961 Coll., the Criminal Code, as Amended; Act Nº. 21/1992 Coll., on Banks, as Amended; Act Nº. 20/1966 Coll., as Amended.
(21) E.g., Act Nº. 153/1994 Coll.; Act Nº. 61/1996 Coll., as Amended by Act Nº. 15/1998 Coll.; Act Nº. 283/1991 Coll., as Amended; and Act Nº. 158/1999 Coll.
(22) E.g. Act Nº. 40/1964 Coll., the Civil Code, as Amended; Act Nº. 82/1998 Coll., on Liability for Damage Caused by Resolution or Incorrect Official Procedure while Executing Public Authority; Act Nº. 358/1992 Coll., on Notaries and Their Activity (the Notaries Procedure Act), as Amended.
(23) Act Nº. 40/1964 Coll., as Amended.
(24) Act Nº. 513/1991 Coll., the Commercial Code, as Amended.
(24a) Act Nº. 227/2000 Coll.
(25) E.g. Act Nº. 153/1994 Coll., as Amended by Act Nº. 118/1995 Coll.; Act 61/1996 Coll., as Amended by Act Nº. 15/1998 Coll.; and Act 283/1991 Coll., as Amended.
(26) Act Nº. 552/1991 Coll., on the State Inspection, as Amended. Article 12 of Act Nº. 153/1994 Coll.
(26a) Act Nº. 236/1995 Coll., on Salaries and Another Requisites Related to Execution of the Office by Representatives of State Administration and Some State Authorities and Judges, as Amended.
(27) Act Nº. 143/1992 Coll., on Salaries and Remuneration for Emergency Readiness in Budgetary and Some Other Organisations and Authorities, as Amended.
(28) Government Decree Nº. 253/1992 Coll., on Salaries of Employees of Authorities of State Administration, Some Other Authorities and Municipalities, as Amended.
(29) Act Nº. 119/1992 Coll., on Travel Expenses Compensation, as Amended.
(30) Act Nº. 451/1991 Coll.
(31) Act Nº. 148/1998 Coll., as Amended.
(32) Act Nº. 71/1967 Coll., on Administrative Proceedings (the Code of Administrative Procedure), as Amended by Act Nº. 29/2000 Coll.
(33) Act Nº. 200/1990 Coll., on Misdemeanours, as Amended.
(34) Act Nº. 337/1992 Coll., on Administration of Taxes and Charges, as Amended.