What They Know About You

Being late by almost a year, a national law implementing the European General Data Protection Regulation (GDPR) has finally made it to the ultimate stage of the legislative process; the new Act on Personal Data Processing (PDPA) landed on the president’s desk for signing.

The PDPA will finally adjust the GDPR which already replaced the previous Czech legislation on personal data protection. Although being innovative as a whole, the GDPR provided merely a very basic framework in many respects and left a more thorough regulation of many aspects to national laws.

Since the Czech Republic failed to adopt the requested measures when the GDPR came into operation, a number of details concerning data processing remained open. The PDPA finally clarifies these issues and also mitigates certain obligations under the GDPR to the extent the GDPR allows for such modifications.

First, the PDPA substantially reduced the amount of penalties for public bodies. Under the GDPR, the penalty for non-compliance may be up to EUR 20,000,000 or 4% of the world wide turnover. PDPA limits the applicable penalties to CZK 10,000,000 (roughly EUR 400,000) and in case of certain municipalities and their organizations (e.g. schools) of up to CZK 5,000. Penalties to private companies are also mostly subject to the PDPA rather than the GPDR. It may be assumed that the penalties for companies will be capped at CZK 10,000,000 in the majority of cases.

The PDPA also allows for a rather substantial limitation of the rights to information about data processing in case of public or security interest. This mainly relates to public authorities, defence and state security.

It comes handy for businesses that the information duty may be carried out in a number of cases by way of publication of the respective notification on a website.

Further, personal data may be processed without the subject’s consent for reasonable journalistic, academic, artistic or literary purposes. A right to object to processing may be exercised only in respect of a particular publication of data or making data accessible in a particular case.

Moreover, the controller does not have to carry out assessment of the impact of the envisaged processing operations on the protection of personal data if processing of data is required under the applicable law. This regulation will be beneficial for a number of controllers (e.g. in the health and medicine sector) which commonly process special categories of data (sensitive personal data) on a large scale.

Last but not least, the PDPA sets forth powers and competence of the Office for Personal Data Protection as local regulator.


Mgr. Radek Werich