Czechia

Summary

Law: Act No. 110/2019 Coll. on Personal Data Processing (the Act) and the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR)

Regulator: Office for Personal Data Protection (UOOU)

Summary: Act No. 110/2019 Coll. on Personal Data Processing (the Act) is the main piece of privacy regulation in Czechia and transposes the GDPR. The Act establishes the Office for Personal Data Protection (UOOU) as the supervisory authority for data protection and assigns it supervisory responsibilities, including performing audits, publishing Standard Contractual Clauses (SCCs), investigating complaints in relation to breaches of obligations laid down by law, and imposing fines.

Furthermore, Article 89(3) of Act No. 127/2005 Coll. of 22 February 2005 on Electronic Communications and on Amendment to Certain Related Acts (the Electronic Communications Act) implements the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (the ePrivacy Directive). Since the 2009 amendment of the ePrivacy Directive, Czechia has retained the 'opt-out' system, meaning that the Electronic Communications Act does not reflect the 'opt-in' consent requirement under the amended ePrivacy Directive.

Moreover, in relation to Data Protection Impact Assessments (DPIA), the UOOU has issued a list of activities that require a DPIA (i.e., a blacklist) and a list of activities that do not require a DPIA (only available in Czech).

Insights

Article 37 of the General Data Protection Regulation (GDPR) obliges data controllers and processors to designate a data protection officer (DPO). As part of this obligation, data controllers and processors are also required to publish the contact details of the DPO and to communicate the DPO's contact details to relevant supervisory authorities. In part one of this Insight series, OneTrust DataGuidance focuses on the requirement to communicate DPO contact details to the relevant supervisory authorities, providing an overview of the rules and guidelines for DPO contact registration across Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, and Greece.

Cookies have become an integral part of web browsing. However, the use of cookies has raised several privacy and security concerns. Under Czech law, website operators are required to obtain visitors' consent before storing non-technical cookies on their devices. In this Insight article, Tomáš Matějovský, Daniel Szpyrc, and Jakub Kabát, from CMS Cameron McKenna Nabarro Olswang, advokáti, v.o.s., delve into practical strategies for implementing cookie consent mechanisms. They also provide an overview of frequently asked questions (FAQs) regarding cookie banners and consents, only available in Czech, and recently published by the Czech Office for Personal Data Protection (UOOU).

We recently published an article about the amendment to Act No. 127/2005 Coll. of 22 February 2005 on Electronic Communications ('the Electronic Communications Act'), which introduced a significant change to the use of cookies and telemarketing. The key change consists of replacing the opt-out regime with an opt-in one; our previous article summarised the change and its implications for businesses. However, since the amendment came into force, many questions have been asked and specific situations in daily practical life have challenged the authorities, lawyers, experts, and others connected to law and business. Daniel Szpyrc, Jakub Kabát, and Tomáš Matějovský, from CMS Cameron McKenna Nabarro Olswang, advokáti, v.o.s., discuss the most recent developments in this article.

Act No. 127/2005 Coll. of 22 February 2005 on Electronic Communications and on Amendment to Certain Related Acts ('the Electronic Communications Act') regulates the use of cookies and telemarketing in the Czech Republic. This regulation will soon be amended as the Czech Parliament has introduced a conceptual change from an opt-out to an opt-in regime regarding cookies and telemarketing. This change requires a new technical solution to be found and legal policies to be updated. Daniel Szpyrc, Jakub Kabát, and Tomáš Matějovský, from CMS Cameron McKenna Nabarro Olswang, advokáti, v.o.s., provide insight into the new legislation and how businesses can start preparing.