31.05.2021 11:52
The General Data Protection Regulation is directly applicable, i.e. the rights and obligations follow directly from the Regulation. Despite this, its proper functioning calls, for a number of reasons, for national legislation to be adapted. Almost a year after the entry into force of the General Data Protection Regulation (GDPR), the Czech Parliament has successfully completed the process of its implementation in the Czech Republic’s legal system by adopting Act No. 110/2019 Coll., on personal data processing, and the related Act No. 111/2019 Coll. Both acts came into force on 24 April 2019.
The Personal Data Processing Act:
– incorporates the GDPR into the Czech Republic’s legal system (Titles I and II),
– provides for the Office for Personal Data Protection as an institution supervising compliance with the rules of the GDPR,
– defines administrative offences in the area of personal data protection (Title VI), i.e. introduces a comprehensive basis for sanctions in connection with breaches of the General Regulation, and
– reflects related European legislation (e.g. Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA).
In terms of individual rights and obligations under the GDPR, the Act on the Processing of Personal Data, in particular:
– specifies the legal right to process personal data;
– expands on and clarifies the obligation to assess the compatibility of purposes;
– sets the child’s age for consenting to the processing of personal data in connection with the offering of information society services (by way of derogation from the basic rule in the GDPR) to 15 years;
– lists possible ways of fulfilling the obligation to provide information under the GDPR in cases of personal data processing undertaken to fulfill a legal obligation or meet public interest;
– addresses notifications of corrections, changes and restrictions on the processing of data kept in shared records;
– establishes an exception from the data protection impact assessment for cases of personal data managed by personal data controllers by law;
– defines some cases when the rights of data subjects can be limited;
– provides for an exemption from the obligation to inform the data subject about a breach of security of their data;
– specifies the treatment of personal data which has been restricted in the context of the GDPR;
– defines the notion of a public body, thereby specifying the obligation to appoint a data protection officer.
Author of the article: JUDr. Jakub Morávek, Ph.D.