31.05.2021 11:19
Almost a year after the entry into force of the General Data Protection Regulation (GDPR), the Parliament of the Czech Republic succeeded in adopting related adaptation legislation, namely the Personal Data Processing Act and the accompanying Amending Law to make partial changes to other legal regulations. The new Act in some aspects complements and slightly modifies the European rules and “settles” the General Regulation in the domestic legal order.
At this time, both pieces of legislation are awaiting the signature of the President of the Republic. If the President signs, they will come into effect on the day of publication in the Collection of Laws.
In addition to covering questions related to the role of the Office for Personal Data Protection and its powers in the context of the General Regulation, and questions related to processing of personal data exclusive of cases not covered by the Regulation (e.g. detection and investigation of crime, etc.), the Personal Data Processing Act complements the General Regulation in several aspects. For example: (a) it sets the age of a child in relation to the information society services to 15 years of age; (b) it specifies exemptions from the obligation to carry out the purpose compatibility test; (c) it defines exemptions from the obligation to assess the impact on the protection of personal data or the obligation to inform the data subject of the processing of personal data; and (d) it sets forth specific conditions for appointing a data protection officer, etc.
Furthermore, the accompanying law brings about a number of partial changes to many laws and regulations. Out of the many changes, it seems appropriate to mention a positive and needed change in the legislation covering personal identification numbers.
The hitherto rules limit access to and handling of personal identification numbers to (a) processing by ministries, other administrative authorities and, in general, to public administration (land records, health insurance policy holders registries, etc.); (b) to cases prescribed by law (employers are obliged to register employees in the sickness insurance system using their personal identification numbers, etc.); and (c) to cases when the personal identification number holder or their legal guardian have given their consent. Subject to the principle of necessity (it is not possible to give such consent where the personal identification number is not necessary for the purpose pursued), the consent must comply with the requirements set out in the data protection regulations.
In other words and in short, according to the existing legislation it is not possible, for example, to collect and further process personal identification numbers of debtors for the purpose of debt collection.
The accompanying law will change that paradigm in as much as it will make it possible to process personal identification numbers if it is necessary for the enforcement of private claims or to prevent the emergence of non-performing debt, that is to say in the case described above, under the condition that specific measures be adopted to protect the rights and freedoms of personal identification number holders. Such measures include, for example: (a) technical and organizational measures for the protection of personal data within the meaning of the General Regulation; (b) verification of the identity of the person accessing personal identification numbers and record-keeping of any access, insertion, alteration, etc.; (c) informing the persons concerned on the processing of their personal identification numbers, or (d) ensuring confidentiality of information.
When the Personal Data Processing Act and the accompanying Amending Law come into effect, the basic legal framework for the new legislation on personal data protection will be complete. It is therefore time to complete also the implementation of the General Regulation, i.e. inter alia and in the light of the content of the Personal Data Processing Act and the recently issued methodological guideline of the Office for Personal Data Protection, to carry out data protection impact assessment or to compile records of processing activities. Those who have been holding off, unconcerned about the protection of personal data despite the intensive media coverage should get to work, because the Office for Personal Data Protection will acquire (this late and at last) the possibility to impose sanctions for violations of the General Data Protection Regulation.
Autor: JUDr. Jakub Morávek, Ph.D.