Act. nº 101 of April 4, 2000, on the Protection of Personal Data and on Amendent to Some Acts. As amended by the Act nº 227/2000 Coll., Act nº 177/2001 Coll., Act nº 450/2001 Coll., Act nº 107/2002 Coll., Act nº 310/2002 Coll., Act nº 517/2002 Coll., Act nº 439/2004 Coll., Act nº 480/2004 Coll., Act nº 626/2004 Coll., Act nº 413/2005 Coll., Act nº 444/2005 Coll., Act nº 109/2006 Coll., Act nº 112/2006 Coll., Act. nº 267/2006 Coll., Act nº 342/2006 Coll., Act nº 170/2007 Coll., Act nº 41/2009 Coll., Act nº 52/2009 Coll., Act nº 227/2009 Coll., Act. nº 281/2009 Coll., Act nº 375/2011 Coll., Act nº 468/2011 Coll., Act nº 64/2014 Coll., Act nº 250/2014 Coll. and nº 301/2016 Coll.
The Parliament has enacted the following Act of the Czech Republic:
Part One.- Personal Data Protection
Chapter I.- Introductory Provisions
Article 1.- Subject of the Act
This Act, in accordance with the law of the European Union, international agreements binding the Czech Republic, and to exercise everyone’s right to the protection from unauthorised interference with privacy, regulates the rights and obligations in processing of personal data and specifies the conditions under which personal data may be transferred to other countries.
Article 2
(1) The Office for Personal Data Protection is hereby established with seat in Prague (hereinafter referred to as the «Office»).
(2) The Office is a central administrative authority in the area of personal data protection in the scope provided by this Act, special legal regulation, international treaties which form part of the legal order, and directly applicable law of the European Union.
(3) The Office exercises the competence of a supervisory authority for the area of personal data protection following from international treaties which form part of the legal order.
Article 3.- Scope of the Act
(1) This Act shall apply to personal data that are processed by state authorities, territorial self-administration bodies, other public authority bodies, as well as natural and legal persons.
(2) This Act shall apply to all personal data processing, both by automatic or other means.
(3) This Act shall not apply to personal data processing carried out by a natural person for personal needs exclusively.
(4) This Act shall not apply to accidental personal data collection, unless these data are subject to further processing.
(5) Furthermore, this Act shall apply to personal data processing:
(a) if the law of the Czech Republic is applicable preferentially on the basis of the international public law, even if the controller is not established on the territory of the Czech Republic,
(b) if the controller who is established outside the territory of the European Union carries out processing on the territory of the Czech Republic, unless it is only a personal data transfer over the territory of the European Union. In this case the controller shall be obliged to authorize the processor on the territory of the Czech Republic by way of the procedure laid down in Article 6.
If the controller carries out processing through its organization units established on the territory of the European Union, he must ensure that those organization units will process personal data in accordance with national law of the respective member state of the European Union.
(6) The provisions of Article 5(1) and Articles 11 and 12 of this Act shall not apply to processing of personal data necessary to fulfil obligations of the controller provided by special Acts to ensure:
(a) security of the Czech Republic,
(b) defence of the Czech Republic,
(c) public order and internal security,
(d) prevention, investigation, detection and prosecution of criminal offences,
(e) important economic interest of the Czech Republic or of the European Union,
(f) important financial interest of the Czech Republic or of the European Union, in particular the stability of financial market and currency, functioning of currency circulation and system of payments as well as budgetary and taxation measures,
(g) exercise of control, supervision, surveillance and regulation related to exercise of public authority in the cases under (c), (d), (e) and (f),
(h) activities related to disclosure of files of the former State Security, or
(i) activities related to keeping a central registry of accounts.
Article 4.- Definitions
For the purposes of this Act:
(a) «personal data» shall mean any information relating to an identified or identifiable data subject. A data subject shall be considered identified or identifiable if it is possible to identify the data subject directly or indirectly in particular on the basis of a number, code or one or more factors specific to his/her physical, physiological, psychical, economic, cultural or social identity;
(b) «sensitive data» shall mean personal data revealing nationality, racial or ethnic origin, political attitudes, trade-union membership, religious and philosophical beliefs, conviction of a criminal act, state of health and sexual life of the data subject and genetic data of the data subject; sensitive data shall also mean a biometric data permitting direct identification or authentication of the data subject;
(c) «anonymous data» shall mean such data that cannot be linked to an identified or identifiable data subject in their original form or following processing thereof;
(d) «data subject» shall mean a natural person to whom the personal data pertain;
(e) «personal data processing» shall mean any operation or set of operations that is systematically performed by a controller or a processor upon personal data by automatic or other means. Personal data processing shall mean, in particular, the collection of data, their storage on data carriers, disclosure, modification or alteration, retrieval, use, transfer, dissemination, publishing, preservation, exchange, sorting or combination, blocking and liquidation;
(f) «personal data collection» shall mean a systematic procedure or set of procedures, which aim is to obtain personal data for the purpose of their further storage on a data carrier for their immediate or subsequent processing;
(g) «personal data storage» shall mean keeping data in a manner that permits their further processing;
(h) «blocking» shall mean any operation or set of operations restricting the manner or means of personal data processing for a specified period of time, except for the necessary interventions;
(i) «personal data liquidation» shall mean physical destruction of the data carrier, physical deletion of data or their permanent exclusion from further processing;
(j) «controller» shall mean any entity that determines the purpose and means of personal data processing, carries out such processing and is responsible for such processing. The controller may empower or charge a processor to process personal data, unless a special Act provides otherwise;
(k) «processor» shall mean any entity processing personal data on the basis of a special Act or on behalf of the controller;
(l) «published personal data» shall mean personal data that are disclosed, in particular, by mass media, via other form of public communication, or as a part of a public list;
(m) «register or personal data file» (hereinafter referred to as «data file») shall mean any set of personal data that is structured or can be made available according to common or specific criteria;
(n) «consent of data subject» shall mean a free and informed manifestation by which will of the data subject signifies his assent to personal data processing;
(o) «recipient» shall mean each subject to whom the personal data are disclosed. The entity processing personal data pursuant to Article 3(6)(g) is not considered a recipient.
Chapter II.- Rights and obligations in processing of personal data
Article 5
(1) The controller shall be obliged to:
(a) specify the purpose for which personal data are to be processed;
(b) specify the means and manner of personal data processing;
(c) process only accurate personal data, which he obtained in accordance with this Act. If necessary, the controller is obliged to update the data. If the controller finds that the processed data are not accurate as to the specified purpose, shall he take adequate measures without undue delay, in particular shall he block the processing and rectify or supplement the personal data, or liquidate them otherwise. Inaccurate personal data may be processed only within the limits of the provisions of Article 3(6) of this Act. Inaccurate personal data must be branded. The controller is obliged to provide all the recipients with the information about blocking, correction, supplementing or liquidation of personal data without undue delay;
(d) collect personal data corresponding exclusively to the specified purpose and in extent necessary to accomplish the specified purpose;
(e) store personal data only for a period necessary for the purpose of their processing. After expiry of this period, personal data may be retained only for purposes of the state statistical service, and for scientific and archival needs. When using personal data for these purposes, it is necessary to respect the right to protection of private and personal lives of the data subject from unauthorised interference and to make personal data anonymous as soon as possible;
(f) process personal data only in accordance with the purpose for which the data were collected. Personal data may be processed for some other purpose only within the limits of the provisions of Article 3(6) or if the data subject granted his consent herewith in advance;
(g) collect personal data only in an open manner. Collecting data under the pretext of some other purpose or activity shall be prohibited;
(h) ensure that personal data that were obtained for different purposes are not grouped.
(2) The controller may process personal data only with the consent of data subject. Without such consent, the controller may process the data:
(a) if he is carrying out processing which is essential to comply with legal obligation of the controller;
(b) if the processing is essential for fulfilment of a contract to which the data subject is a contracting party or for negotiations on conclusion or alteration of a contract negotiated on the data subject´s proposal;
(c) if it is essential for the protection of vitally important interests of the data subject. In this case, the consent of data subject must be obtained without undue delay. If the consent is not granted, the controller must terminate the processing and liquidate the data;
(d) if they were lawfully published in accordance with special legislation. However, this shall not prejudice the right to the protection of private and personal lives of the data subject, or
(e) if it is essential for the protection of rights and legitimate interests of the controller, recipient or other person concerned. However, such personal data processing may not be in contradiction with the data subject´s right to protection of his private and personal lives.
(f) if he provides personal data on a public figure, official or employee of public administration that reveals information on their public or administrative activity, their functional or working position, or
(g) if the processing relates exclusively to archival purposes pursuant to a special Act.
(3) If the controller processes personal data on the basis of a special Act, he shall be obliged to respect the right to protection of private and personal lives of the data subject.
(4) When giving his consent the data subject must be provided with the information about what purpose of processing, what personal data, which controller and what period of time the consent is being given for. The controller must be able to prove the consent of data subject to personal data processing during the whole period of processing.
(5) If the controller or processor carries out personal data processing for the purpose of offering business or services to the data subject, the data subject’s name, surname and address may be used for this purpose provided that the data were acquired from a public list or in relation to his activity of controller or processor. The controller or processor, however, may not further process the data specified above if the data subject has expressed his disagreement therewith. The disagreement with processing must be expressed in writing. No additional personal data may be added to the data specified above without the consent of data subject.
(6) The controller who processes personal data pursuant to paragraph 5 may transfer these data to other controller only under the following conditions:
(a) the data on the data subject were obtained in relation to activities of the controller or the personal data in question were made public;
(b) the data shall be used exclusively for the purpose of offering business and services;
(c) the data subject has been notified in advance of this procedure of the controller and the data subject has not expressed disagreement with this procedure.
(7) Other controller to whom data pursuant to paragraph 6 have been transferred may not transfer these data to any other person.
(8) Disagreement with processing pursuant to paragraph 6(c) must be expressed by the data subject in writing. The controller shall be obliged to notify each controller to whom he has transferred the name, surname and address of the data subject of the fact that the data subject has expressed disagreement with the processing.
(9) To eliminate the possibility that the name, surname and address of the data subject are repeatedly used for offering business and services, the controller shall be entitled to further process the subject’s name, surname and address in spite of the fact that the data subject expressed his/her disagreement therewith in accordance with paragraph 5.
Article 6
Where authorization does not follow from a legal regulation, the controller must conclude with the processor an agreement on personal data processing. The agreement must be made in writing. In particular, the agreement shall explicitly stipulate the scope, purpose and period of time for which it is concluded and must contain guarantees by the processor related to technical and organisational securing of the protection of personal data.
Article 7
The obligations specified in Article 5 shall similarly apply to the processor.
Article 8
If the processor finds out that the controller breaches the obligations provided by this Act, the processor shall be obliged to notify the controller of this fact without delay and to terminate personal data processing. If he fails to do so, the processor and the data controller shall be liable jointly and severally for any damage caused to the data subject. This shall in no way prejudice his responsibility pursuant to this Act.
Article 9.- Sensitive Data
Sensitive data may be processed only:
(a) if the data subject has given his express consent to the processing. When giving his consent, the data subject must be provided with the information about what purpose of processing, what personal data, which controller and what period of time the consent is being given for. The controller must be able to prove the existence of the consent of data subject to personal data processing during the whole period of processing. The controller is obliged to instruct in advance the data subject of his rights pursuant to Articles 12 and 21,
(b) if it is necessary in order to preserve life or health of the data subject or some other person or to eliminate imminent serious danger to their property, if his consent cannot be obtained, in particular, due to physical, mental or legal incapacity, or if the data subject is missing or for similar reasons. The controller shall be obliged to terminate data processing as soon as the above mentioned reasons cease to exist and must liquidate the data, unless the data subject gives his consent to further processing.
(c) if the processing in question is in relation with ensuring health services, public health protection, health insurance, and the exercise of public administration in the field of health sector pursuant to a special Act, or it is related to assessment of health in other cases provided by a special Act,
(d) if the processing is necessary to keep the obligations and rights of the controller responsible for processing in the field of labour law and employment provided by a special Act,
(e) if the processing pursue political, philosophical, religious or trade-union aims and is carried out within the scope of legitimate activity of a civil association, foundation or other legal person of non-profit nature (hereinafter referred to as the «association»), and which relates only to members of the association or persons with whom the association is in recurrent contact related to legitimate activity of the association, and the personal data are not disclosed without the consent of data subject,
(f) if the data processed pursuant to a special Act are necessary to employ sickness insurance, pension insurance (security), state social support and other state social security benefits, social services, social care, assistance in material need and social and legal protection of children, and if, at the same time, the protection of these data is ensured in accordance with the law,
(g) if the processing concerns personal data published by the data subject,
(h) if the processing is necessary to secure and exercise legal claims,
(ch) if they are processed exclusively for archival purposes pursuant to a special Act, or
(i) if it is the processing under special acts regulating prevention, investigation, detection of criminal activities, prosecution of criminal offences and search for persons.
Article 10
In personal data processing, the controller and processor shall ensure that the rights of the data subject are not infringed, in particular, the right to preservation of human dignity, and shall also ensure that the private and personal lives of the data subject are protected against unauthorized interference.
Article 11
(1) In collecting personal data the controller shall be obliged to inform the data subject of the scope in which and the purpose for which the personal data shall be processed, who and in what manner will process the personal data and to whom the personal data may be disclosed, unless the data subject is already aware of this information. The controller must inform the data subject about his right of access to personal data, the right to have his personal data rectified as well as other rights provided for in Article 21.
(2) In case when the controller processes personal data obtained from the data subject, he is obliged to instruct the data subject on whether the provision of the personal data is obligatory or voluntary. If the data subject is obliged pursuant to a special Act to provide personal data for the processing, the controller shall instruct him on this fact as well as on the consequences of refusal to provide the personal data.
(3) The controller shall not be obliged to provide the information and instruction pursuant to paragraph 1 in cases where the personal data were not obtained from the data subject, if
(a) he is processing personal data exclusively for the purposes of state statistical service, scientific or archival purposes and the provision of such information would involve a disproportionate effort or inadequately high costs; or if storage on data carriers or disclosure is expressly provided by a special Act. In these cases the controller shall be obliged to take all necessary measures against unauthorised interference with the data subject’s private and personal lives.
(b) the personal data processing is imposed on him by a special Act or such data are necessary to exercise the rights and obligations ensuing from special Acts.
(c) he is processing exclusively lawfully published personal data, or
(d) he is processing personal data obtained with the consent of data subject.
(4) The above provisions shall be without prejudice to the rights of the data subject to request information pursuant to special Acts.
(5) In processing the personal data pursuant to Article 5(2)(e) and Article 9(h), the controller shall be obliged to inform without undue delay the data subject about processing of his personal data.
(6) No decision of the controller or processor in consequence of which is an interference with the legal and legally protected interests of the data subject, may not be issued or made without verification solely on the basis of automated personal data processing. This shall not apply where such decision was made in favour of the data subject and upon his request.
(7) The information obligation regulated by Article 11 may be performed by the processor on behalf of the controller.
Article 12.- Data subject’s access to information
(1) If the data subject requests information on the processing of his personal data, the controller shall be obliged to provide him with this information without undue delay.
(2) The contents of the information shall always report on:
(a) the purpose of personal data processing;
(b) the personal data or categories of personal data that are subject of processing including all available information on their source;
(c) the character of the automated processing in relation to its use for decision-making, if acts or decisions are taken on the basis of this processing the content of which is an interference with the data subject’s rights and legitimate interests;
(d) the recipients or categories of recipients.
(3) For provision of this information the controller shall be entitled to require a reasonable reimbursement not exceeding the costs necessary for provision of information.
(4) The controller’s obligation to provide the data subject with information pursuant to Article 12 may be met by a processor on behalf of the controller.
Article 13.- Obligations of Persons concerning Personal Data Security
(1) The controller and the processor shall be obliged to adopt measures preventing unauthorised or accidental access to personal data, their alteration, destruction or loss, unauthorised transmission, other unauthorised processing, as well as other misuse of personal data. This obligation shall remain valid even after terminating personal data processing.
(2) The controller or the processor shall be obliged to develop and to document the technical and organisational measures adopted and implemented to ensure the personal data protection in accordance with the law and other legal regulations.
(3) In the framework of measures pursuant to paragraph 1, the controller or the processor shall perform a risk assessment concerning
(a) fulfilment of instructions for personal data processing by persons who have immediate access to the personal data,
(b) prevention of unauthorized persons’ access to personal data and to the means of their processing,
(c) prevention of unauthorized reading, creating, copying, transferring, modifying or deleting of records containing personal data, and
(d) measures enabling to determine and verify to whom the personal data were transferred.
(4) In the area of automatic processing of personal data, the controller or processor shall, in the framework of measures under paragraph 1, be obliged to
(a) ensure that the systems for automatic processing of personal data are used only by authorized persons,
(b) ensure that the natural persons authorized to use systems for automatic processing of personal data have access only to the personal data corresponding to their authorization, and this on the basis of specific user authorizations established exclusively for these persons,
(c) make electronic records enabling to identify and verify when, by whom and for what reason the personal data were recorded or otherwise processed, and
(d) prevent any unauthorized access to data carriers.
Article 14
Employees of the controller or processor and other persons who process personal data on the basis of an agreement with the controller or processor, may process personal data only under the conditions and in the scope specified by the controller or the processor.
Article 15
(1) Employees of the controller or processor, other natural persons who process personal data on the basis of an agreement concluded with the controller or processor and other persons who, in the scope of fulfilling rights and obligations provided by law, come into contact with personal data at the premises of the controller or processor, shall be obliged to maintain confidentiality of personal data and security measures whose publishing would endanger the security of personal data. The obligation to maintain confidentiality shall survive termination of employment or the relevant work.
(2) The provisions of the previous paragraph shall in no way prejudice the obligation to maintain confidentiality pursuant to special Acts.
(3) The obligation to maintain confidentiality shall not apply to information obligation pursuant to special Acts.
Article 16.- Notification Obligation
(1) Whoever intends to process personal data as a controller or alter the registered processing pursuant to this Act, with the exception of the processing mentioned pursuant to Article 18, shall be obliged to notify in writing the Office of this fact before carring out the personal data processing.
(2) The notification must include the following information:
(a) the identification data of the controller, i.e. in case of natural person who is not an entrepreneur his first name or names, surname, date of birth and address of permanent residence; in case of other subjects their trade, corporate or other name, seat and identification number if assigned, and name, eventually first names and surnames of persons that are their statutory representatives;
(b) the purpose or purposes of processing;
(c) the categories of data subjects and of personal data pertaining to these subjects;
(d) the sources of personal data;
(e) a description of the manner of personal data processing;
(f) the location or locations of personal data processing;
(g) the recipient or category of recipients;
(h) the anticipated personal data transfers to other countries;
(i) the description of measures adopted to ensure the protection of personal data pursuant to Article 13;
(3) If the notification includes all essentials pursuant to paragraph 2 and no proceeding pursuant to Article 17(1) has been initiated, the personal data processing may start after the expiration of 30 days from the delivery of the notification. In such case the Office records the information stated in the notification into the register.
(4) If the notification does not include all essentials pursuant to paragraph 2, the Office shall send without delay a reminder to the notifying subject in which he shall make reference to the missing or insufficient information and set a deadline for supplementing the notification. In case the notification is being supplemented, running out the time limit pursuant to paragraph 3 shall begin as of the day of delivery of the notification supplement. If the Office does not receive the notification supplement within the set deadline, the notification shall be regarded as if it has not been submitted.
(5) Upon the request from the controller the Office shall issue a certificate which includes date of issuance, reference number, first name, surname and signature of the person by whom the certificate has been issued, official stamp, identification data of the controller and purpose of processing.
(6) If, pursuant paragraph 1, the notification concerns a processing subjected to investigation, the Office refuses to enter it into the register. The Office shall do the entry as soon as the investigation is closed.
Article 17
(1) If a justified concern arises from the notification that this Act might be breached in processing of personal data, the Office shall initiate proceedings at its own instigation.
(2) If the Office finds that the controller does not breach by his notified processing the conditions specified by this Act, he shall suspend the proceedings and make a record pursuant to Article 16(3). The processing of personal data may start not earlier than the day following the day when the record was made. In case the notified processing does not meet conditions specified by this Act, the Office shall not permit the processing of personal data.
Article 17a
(1) If the Office finds that the controller whose notification has been registered breaches the conditions provided by this Act, it shall decide on revocation of the registration.
(2) If the purpose for which the processing was registered ceases to exist, the Office shall decide on revocation of the registration either on its own instigation or on the controller´s request.
Article 18
(1) The notification obligation pursuant to Article 16 shall not apply to processing of personal data:
(a) that are part of data files publicly accessible on the basis of a special Act,
(b) imposed on the controller by a special Act or when such personal data are needed for exercising rights and obligations following from a special Act, or
(c) in case of processing that pursues political, philosophical, religious or trade- union aims carried out within the scope of legitimate activity of an association and which relates only to members of the association or persons with whom the association is in recurrent contact related to legitimate activity of the association, and the personal data are not disclosed without the consent of data subject.
(2) The controller, who carries out processing pursuant to Article 18(1)(b), shall be obliged to ensure that the information concerning in particular the purpose of the processing, categories of personal data, categories of data subjects, categories of recipients and the period of preservation, which would otherwise be accessible by means of the register maintained by the Office pursuant to Article 35, is disclosed also through remote access or in other appropriate form.
Article 19
If the controller intends to terminate his activities, he shall be obliged to announce to the Office without delay how he handled personal data, if their processing was subject to the notification obligation.
Article 20.- Liquidation of Personal Data
(1) The controller or, on the basis of his instructions, the processor shall be obliged to carry out liquidation of personal data as soon as the purpose for which personal data were processed ceases to exist or on the basis of a request by the data subject pursuant to Article 21.
(2) A special Act shall provide exceptions relating to the preservation of personal data for archival purposes and to the exercising of rights in civil judicial proceedings, criminal proceedings and administrative proceedings.
Article 21.- Protection of Data Subjects’ Rights
(1) Each data subject who finds or presumes that the controller or the processor is carrying out processing of his personal data which is in contradiction with the protection of private and personal life of the data subject or in contradiction with the law, in particular if the personal data are inaccurate regarding the purpose of their processing, he may:
(a) ask the controller or processor for explanation;
(b) require from the controller or processor to remedy the arisen state of affairs. It can mean in particular blocking, correction, supplementing or liquidation of personal data.
(2) If the requirement of the data subject pursuant to paragraph 1 is found justified, the controller or processor is obliged to remove without delay the improper state of affairs.
(3) If the data subject incurred other than property damage as a result of personal data processing, the procedure pursuant to a special Act shall be followed when lodging a claim.
(4) If a breach of obligations provided by law occurs in the course of processing of personal data by the controller or by the processor, they shall be liable jointly and severally.
(5) The controller shall be obliged to inform without undue delay the recipient on the requirement of the data subject pursuant to paragraph 1 and on the blocking, correction, supplementing or liquidation of personal data. This shall not apply where informing the recipient is impossible or would involve disproportionate effort.
Article 22.- Repealed.
Article 23.- Repealed.
Article 24.- Repealed.
Article 25.- Indemnification
General regulation of liability for damage shall apply to matters not specified by this Act.
Article 26
The obligations pursuant to Articles 21 to 25 shall similarly apply to persons who have collected personal data without authorisation.
Chapter III.- TRANSFER OF PERSONAL DATA TO OTHER COUNTRIES
Article 27
(1) Free flow of personal data shall not be restricted if data are transferred to a member state of the European Union.
(2) Personal data may be transferred to third countries if the prohibition to restrict the free movement of personal data is ensuing from an international treaty to the ratification of which the Parliament has given his assent and which is binding the Czech Republic, or if the personal data are transferred on the basis of decision of an institution of the European Union. The Office in the Official Journal publishes information about such decisions in the Official Journal.
(3) Where the condition pursuant to paragraphs 1 and 2 is not met, the transfer of personal data may be carried out if the controller proves that:
(a) the data transfer takes place with the consent of, or on the basis of an instruction by the data subject;
(b) in a third country, where personal data are to be processed, has been created sufficient specific guarantees for personal data protection, e.g. by other legal or professional regulations and security measures. Such guarantees may be specified in particular by a contract concluded between the controller and the recipient, if this contract ensures application of these requirements, or if the contract contains contractual clauses for personal data transfer to third countries published in the Official Journal of the Office;
(c) the personal data concerned are part of publicly accessible data files on the basis of a special Act or are, on the basis of a special Act accessible to someone who proves legal interest; in such case the personal data may be disclosed only in the scope and under conditions provided by a special Act;
(d) the transfer is necessary to exercise an important public interest following from a special Act or from an international treaty binding the Czech Republic;
(e) the transfer is necessary for negotiating the conclusion or change of a contract, carried out on the data subject´s incentive, or for the performance of a contract to which the data subject is a contracting party;
(f) the transfer is necessary to perform a contract between the controller and a third party, concluded in the interest of the data subject, or to exercise other legal claims, or
(g) the transfer is necessary for the protection of rights or important vital interests of the data subject, in particular for rescuing life or providing health services.
(4) Prior to the transfer of personal data to third countries pursuant to paragraph 3, the controller shall be obliged to apply to the Office for authorization to the transfer, unless provided otherwise by a special Act. When considering the application, the Office shall examine all circumstances related to the transfer of personal data, in particular the source, final destination and categories of personal data which are to be transferred, the purpose and period of the processing, with regard to available information about legal or other regulations governing the personal data processing in a third country. In the authorization to the transfer, the Office shall specify the period of time over which the controller may perform the data transfers. If a change of the conditions under which the authorization was issued occurs, in particular on the basis of a decision of an institution of the European Union, the Office shall alter or revoke this authorization.
Chapter IV.- POSITION AND COMPETENCE OF THE OFFICE
Article 28
(1) The Office is an independent body. In its activities, it shall act independently and shall observe only the laws and other legal regulations.
(2) The activities of the Office may be intervened on the basis of law only.
(3) The activities of the Office shall be covered from a special chapter of the state budget of the Czech Republic.
Article 29
(1) The Office shall:
(a) perform supervision over the observance of the obligations provided by law in personal data processing;
(b) keep the register of personal data processing operations;
(c) accept incentives and complaints concerning breach of obligations provided by law in personal data processing and inform of their settlement;
(d) compile and publish an annual report on its activities;
(e) exercise other competence specified by law;
(f) discuss misdemeanours and other administrative offences and impose fines pursuant to this Act;
(g) ensure fulfilment of requirements following from international treaties binding the Czech Republic, and from directly applicable law of the European Union,
(h) provide consultations in the area of personal data protection,
(i) co-operate with similar authorities in other countries, with institutions of the European Union and with bodies of international organizations operating in the area of personal data protection. In accordance with the law of the European Union the Office meets the obligation of notification towards the institutions of the European Union.
(2) Supervision in the form of inspection shall be performed pursuant to a special Act.
(3) Supervision over personal data processing performed by intelligence services shall be regulated by a special Act.
Article 29a
(1) The Ministry of Interior or the Police of the Czech Republic shall provide the Office for executing its competence pursuant to this Act and other legal regulations
- a) reference data from the basic register of population,
- b) data from the service-related population information system
- c) data from the service-related foreigners information system
(2) Data provided pursuant to paragraph (1)(a) are:
- a) surname,
- b) name or names,
- c) address of residence,
- d) date of birth.
(3)Data provided pursuant to paragraph (1)(b) are
- a) name or names, surname and name at birth if applicable,
- b) date of birth,
- c) address of permanent residence including previous addresses of permanent residence,d) commencement of permanent residence or date of annulment of permanent residence, or date of termination of permanent residence on the territory of the Czech Republic.
(4) Data provided pursuant to paragraph (1)(c) are
- a) name or names, surname and name at birth if applicable,
- b) date of birth,
- c) type of residence and address of residence,
- d) number and validity of the residence permit,
- e) commencement of residence or date of its termination if applicable.
(5) Data kept as reference data in the basic register of population may be collected from the service-related population information system or service-related foreigners information system only if they are in a format preceding the current state.
(6) Of the data provided only those data deemed necessary for satisfaction of a given task may be used in a particular case.
Chapter V.- ORGANISATION OF THE OFFICE
Article 30
(1) Employees of the Office shall consist of the President, inspectors and other employees.
(2) Supervisory activities of the Office shall be carried out by inspectors and authorised employees (hereinafter referred to as «the supervisory staff»).
(3) The President of the Office shall have the right to a salary, reimbursement of expenses and consideration in kind and golden handshake likewise the President of the Supreme Audit Office pursuant to a special Act.
(4) The inspectors of the Office shall have the right to a salary, reimbursement of expenses and consideration in kind as the members of the Supreme Audit Office pursuant to a special Act.
Article 31
Supervisory activities of the Office shall be performed on the basis of a supervision plan or on the basis of the incentives and complaints.
Article 32.- President of the Office
(1) The Office is managed by the President who shall be appointed and recalled by the President of the Czech Republic on the basis of a proposal of the Senate of the Parliament of the Czech Republic.
(2) The President of the Office shall be appointed for a period of 5 years. The President may be appointed for the maximum of two successive terms. The President shall be regarded as official body and entitled to issue orders to a civil servant as to the discharge of state service pursuant to the State Service Act.
(3) The President of the Office may be only a citizen of the Czech Republic who:
(a) enjoys legal capacity,
(b) is impeccable, meets the conditions prescribed by a special regulation and for whom it can be assumed in relation to his knowledge, experience and moral qualities that he will serve his position properly,
(c) has completed university education.
(4) For the purpose of this Act, a natural person shall be considered impeccable if he has not been lawfully sentenced for a wilful criminal offence or for an offence committed by negligence in relation to personal data processing.
(5) The position of the President of the Office cannot be exercised together with either of the positions of a Member of the Parliament or Senator, judge, state attorney, any position in the state administration, a position of a member of a territorial self-administration body and with the membership in political parties and movements.
(6) The President of the Office may not hold any other paid position, be in some other labour relationship, or perform any gainful activity, with the exception of administration of his own property and scientific, pedagogical, literal, journalistic and artistic activities, if such activities do not impair the dignity of the Office or threaten confidence in the independence and impartiality of the Office.
(7) The President of the Office shall be recalled from his position if he ceases to meet any of the conditions for his appointment.
(8) The President of the Office may also be recalled from his position if he fails to perform his position for a period of 6 months.
Article 33.- Inspectors of the Office
(1) An inspector shall be appointed and recalled by the President of the Czech Republic on the basis of a proposal of the Senate of the Parliament of the Czech Republic.
(2) An inspector shall be appointed for a period of 10 years. He may be appointed repeatedly.
(3) An inspector shall carry out inspections, direct inspections and perform other activities within the Office´s competence.
(4) The activities pursuant to paragraph 3 shall be carried out by 7 inspectors of the Office.
Article 34
(1) An inspector may be only a citizen of the Czech Republic who enjoys legal capacity, has no criminal record, meets the conditions prescribed by a special legal regulation and has completed professional university education.
(2) The position of an inspector cannot be exercised together with either the positions of a Member of Parliament or Senator, judge, state attorney, any position in the state administration, a position of a member of a territorial self-administration body and membership in political parties and movements. An inspector may not hold any other paid position, be in some other labour relationship, or perform any gainful activity, with the exception of administration of his own property and scientific, pedagogical, literal, journalistic and artistic activities, if such activity does not impair the dignity of the Office or threaten confidence in the independence and impartiality of the Office.
(3) An inspector shall be recalled from his position if he ceases to meet any of the conditions for his appointment.
Chapter VI.- ACTIVITIES OF THE OFFICE
Article 35.- Register
(1) Information following from notifications pursuant to Article 16(2) and the date of execution or cancellation of the registration shall be recorded beside the entities of controllers in the Register of permitted personal data processing.
(2) Information written into the register, except the information referred to in Article 16(2)(e) and (i), are publicly accessible especially in the manner enabling remote access.
(3) Cancellation of registration pursuant to Article 17(a) shall be notified by the Office in the Official Journal of the Office.
Article 36.- Annual Report
(1) The annual report of the Office shall contain, in particular, information on performed supervisory activities and evaluation thereof, information on and evaluation of the state of affairs in the area of processing and protection of personal data in the Czech Republic and assessment of other activities of the Office.
(2) The President of the Office shall lay the annual report for information purposes before the Chamber of the Deputies and the Senate of the Parliament of the Czech Republic and before the Government of the Czech Republic within 2 months of the end of the budgetary year, and it shall be published.
Article 37.- Rights of the Supervisory Staff to Access Information
When performing inspection, the supervisory staff shall be entitled to get acquainted with every piece of information, including sensitive data, necessary to achieve the investigation purpose.
Article 38.- Licence of the Supervisory Staff
The supervisory staff is obliged to prove his identity before the investigated subject with an identity card, the sample of which is specified in a Government regulation and which represents authorization to perform supervision.
Article 39.- Repealed
Article 40.- Measures for Remedy
(1) If during the personal data processing an obligation provided by this Act or imposed on the basis thereof have been breached, the inspector shall specify measures that shall be adopted in order to eliminate the established shortcomings and set a deadline for their elimination.
Article 40a
Once the unlawful state remedied in accordance with the measures imposed or immediately after the breach of duty was detected, the Office may refrain from a fine.
Article 41.- Repealed
Article 42.- Repealed
Article 43.- Rights and Obligations in Supervision.- Repealed
Chapter VII.- ADMINISTRATIVE DELICTS
Article 44
(1) Natural person who
(a) is in a labour or similar relationship to the controller or processor;
(b) carries out activities for the controller or processor on the basis of an agreement, or who
(c) in the framework of fulfilling powers and obligations imposed by a special Act comes into contact with personal data at the controller or processor,
commits an offence by breaching the obligation to maintain confidentiality (Article 15).
(2) Natural person in the position of the controller or processor commits an offence in the course of personal data processing if he:
(a) fails to specify the purpose, means or manner of processing (Article 5(1)(a) and (b)) or breaches an obligation by the specified purpose of processing or exceeds his authority ensuing from a special Act,
(b) processes inaccurate personal data (Article 5(1)(c))
(c) collects or processes personal data in an extent or manner which does not correspond to the specified purpose (Article 5(1)(d),(f) thru (h))
(d) retains personal data for a period longer than necessary for the purpose of processing (Article 5(1)(e))
(e) processes personal data without the consent of data subject except for the cases provided by law (Article 5(2) and Article 9)
(f) fails to provide the data subject with information in the scope or in the manner provided by law (Article 11)
(g) refuses to provide the data subject with the requested information (Articles 12 and 21)
(h) fails to adopt or implement measures for ensuring security of personal data processing (Article 13)
(i) fails to fulfil the notification obligation pursuant to this Act (Articles 16 and 27)
(j) fails to implement imposed remedial measures in the fixed period.
(3) Natural person in the position of the controller or processor commits an offence if he in the course of personal data processing:
(a) jeopardises a substantial number of persons by unauthorized interference in the private and personal lives, or
(b) fails to fulfil obligations related to the processing of sensitive data (Article 9)
by some of the courses of action pursuant to paragraph 2.
(4) A fine up to CZK 100,000 may be imposed for an offence pursuant to paragraph 1.
(5) A fine up to CZK 1,000,000 may be imposed for an offence pursuant to paragraph 2.
(6) A fine up to CZK 5,000,000 may be imposed for an offence pursuant to paragraph 3.
Article 44a
(1) Natural person commits an offence by breaching prohibition to publish personal data provided by other legal regulation.
(2) A fine up to CZK 1,000,000 may be imposed for an offence pursuant to paragraph 1.
(3) A fine up to CZK 5,000,000 may be imposed for an offence pursuant to paragraph 1 committed by press, film, radio, television, publicly accessible computer network or by other equally effective way.
Article 45
(1) Legal or natural person doing business according to special regulations when processing personal data in the position of the controller or processor commits an administrative delict if he:
(a) fails to specify the purpose, means or manner of processing (Article 5(1)(a) and (b)) or breaches an obligation by the specified purpose of processing or exceeds his authority ensuing from a special Act;
(b) processes inaccurate personal data (Article 5(1)(c));
(c) collects or processes personal data in a scope or manner which does not correspond to the specified purpose (Article 5(1)(d), (f) thru (h));
(d) retains personal data for a period longer than necessary for the purpose of processing (Article 5(1)(e));
(e) processes personal data without the consent of data subject except for the cases provided by law (Article 5(2) and Article 9);
(f) fails to provide the data subject with information in the scope or in the manner provided by law (Article 11);
(g) refuses to provide the data subject with the requested information (Article 12 and Article 21);
(h) fails to adopt or implement measures for ensuring security of personal data processing (Article 13);
(i) fails to fulfil the notification obligation pursuant to this Act (Articles 16 and 27);
(j) don’t maintain an inventory of personal data breaches pursuant to Article 88 (7) of the Electronic Communications Act.
(k) fails to implement imposed remedial measures in the fiwed period.
(2) Legal person in the position of the controller or processor commits an administrative delict if he in the course of personal data processing:
(a) jeopardises a substantial number of persons by unauthorized interference in the private and personal lives, or
(b) fails to fulfil obligations related to the processing of sensitive data (Article 9)
by some of the courses of action pursuant to paragraph 1.
(3) A fine up to CZK 5,000,000 shall be imposed for an administrative offence pursuant to paragraph 1.
(4) A fine up to CZK 10,000,000 shall be imposed for an administrative offence pursuant to paragraph 2.
Article 45a
(1) Legal person or natural person doing business commits an administrative delict by breaching prohibition to publish of personal data provided by other legal regulation.
(2) A fine up to CZK 1,000,000 shall be imposed for an administrative delict pursuant to paragraph 1.
(3) A fine up to CZK 5,000,000 shall be imposed for an offence pursuant to paragraph 1 committed by press, film, radio, television, publicly accessible computer network or by other equally effective way.
Article 46
(1) Legal person shall not be liable for an administrative delict if he proves that he has made all reasonable effort to prevent the breach of a legal obligation.
(2) When deciding on the amount of the fine, especially the seriousness, manner, duration and consequences of the unlawful behaviour and the circumstances under which the unlawful behaviour was committed shall be taken into account.
(3) Liability of the legal person for an administrative delict becomes extinct, if the administrative body has not initiated proceedings within 1 year as of the day when it learned of it, but not later than within 3 years as of the day when the delict was committed.
(4) Administrative delicts pursuant to this act shall be dealt with in the first instance by the Office.
(5) The provisions on the liability of legal person and related sanctions applies on the liability for the behaviour of natural person that occurred when the natural person carried on business activities or in a direct relation to such business activities.
(6) The fine is payable within 30 days as of the day when the decision on imposing the fine came into force.
(7) The fine shall be collected by the Office. The revenue from fines shall be an income of the state budget.
Chapter VIII.- COMMON, TRANSITIONAL AND FINAL PROVISIONS
Article 47.- Measures for the Transitional Period
(1) Everyone who processes personal data by the date of entry into effect of this Act and who is subject to the notification obligation pursuant to Article 16 shall be obliged to fulfil this obligation at the latest within 6 months as of the date of entry into effect of this Act.
(2) Personal data processing carried out prior to the date of entry into effect of this Act shall be brought into accordance with this Act by December 31, 2001.
(3) In case the supervisory staff establishes a breach of obligations pursuant to paragraph 2, the provisions of Article 46(1) and (2) shall not be applied in such case prior to December 31, 2002
Article 48.- Repealing Provision
Act nº 256/1992 Coll., on the Protection of the Personal Data in Information Systems is hereby repealed.
Part TWO.- Repealed
Article 49.- Repealed
Part THREE
Article 50.- Amendment to the Act on Free Access to Information
Act nº 106/1999 Coll., on Free Access to Information, shall be amended as follows:
- Article 2 paragraph (3), including footnote nº 1 shall read:
«(3) The Act shall not apply to the provision of personal data and information pursuant to a special regulation.
- In Article 8, paragraphs (1) and (2), including the heading and footnote nº 5, shall be repealed.
Part FOUR.- Legal Force
Article 51
This Act comes into effect on June 1, 2000, with the exception of the provisions of Articles 16, 17 and 35, which come into effect on December 1, 2000.
Selected provisions of amandments
Article II of the Act nº 439/2004 Coll.
- Notifications and decisions on the registration of personal data processing pursuant to Articles 16, 17 and 17a of the Act nº 101/2000 Coll., on the Protection of Personal Data and on Amendment to Some Acts in wording of the Act nº 450/2001 Coll., submitted and issued prior to the day of entry into effect of this Act continue to be valid.
- Permissions for transfer or transfers of personal data to other state issued prior the day of entry into effect of this Act shall cease to have force on the day of entry into effect of this Act, if the state for which this permission was meant is a member state of the European Union or a state for which the prohibition to restrict the free movement of personal data ensues from a published international agreement, to the ratification of which the Parliament has given his assent and which is binding the Czech Republic. Permissions to transfer or transfers of personal data to a state not mentioned in the proceeding sentence issued before the Act has come into effect continue to be valid.
- Proceedings initiated and not terminated before the effective date of Act shall be completed pursuant to applicable legal regulations except of proceedings on the permission for transfer or transfers of personal data to a member state of the European Union or a state for which the prohibition to restrict the free movement of personal data ensues from a published international agreement, to the ratification of which the Parliament has given his assent and which is binding the Czech Republic, that will be discontinued.
- A controller performing the personal data processing for which no registration was needed pursuant to previous legal regulations and which underlies registration as of the day of entry into effect of this Act must notify such personal data processing to the Office for Personal Data Protection within 6 months as of the day of entry into effect of this Act.