Several countries have adopted legislation regulating how government agencies and businesses collect, use, and store user data. Such legislation sets the privacy and data security standards that data handlers must meet before they may hold private data. The General Data Protection Regulation (GDPR) is landmark legislation that applies to all EU and EEA member states.
However, because national laws vary, some countries have adopted additional privacy regulations alongside GDPR. Therefore, just as there are many key additions and derogations between GDPR and ISO 27001, there are multiple differences between the Czech DPL and GDPR.
For context, the Czech Data Protection Laws are a set of data protection legislation passed in April 2019 aimed at improving data privacy. GDPR, on the other hand, is legislation aimed at giving citizens of EU states more control over their personal data.
How are Czech DPLs and GDPR Different?
Like other country-specific data protection laws, the Czech data protection act isn’t complex, but it features several clarifications of and exceptions to GDPR. These exceptions include reduced administrative fines for controllers, fewer informing requirements, and exceptions to specific data subject rights. The clarifications provided by the Czech DPLs cover the processing of private data, the age limit for child consent, and more.
Outlined below are some derogations and additions to GDPR on important personal data protection topics.
Definitions in Czech Data Protection Law
Below are some additional definitions to note:
- Data Subject – a natural person whose private information is being processed.
- The Controlling Body – this term is defined in Article 24(3) of the Data Protection Act. As the name suggests, it is a public authority or agency legally mandated to process private data for the prevention, detection, and investigation of criminal activities.
- The Protected Interest – according to Article 6(2), these interests include the security interests of the Czech Republic, the protection of the rights of individuals, the enforcement of private claims, and more.
Specific Data Protection Laws
The Czech data protection authority has a guideline detailing how data protection controllers should conduct data privacy impact assessments. This includes content requirements, guides on processing specific data cases, and more.
There are three additions for data processing in the Czech data protection law. They include:
- Processing of data necessary for compliance with legal obligations – article 5 of the Data Protection Act allows the controller to process personal data required for compliance with a legal obligation or the performance of tasks carried out due to public interests.
- Legal basis for journalistic, artistic, literary, and academic purposes – according to Article 17 of the Data Protection Act, private data can be processed without the subject’s consent if it meets the threshold for journalistic, academic, artistic, or literary purposes.
- Children’s consent – Article 7 of the Data Protection Act states that any child aged 15 years and above can lawfully consent to the processing of personal data.
Sensitive Personal Data
The Data Protection Act, under Article 66, defines the term “sensitive personal data” as it is used across Czech legislation. According to this article, wherever legislation uses the term “sensitive personal data”, it means personal data that reveals ethnic or racial origin, religious beliefs, or political opinions, as well as genetic or biometric data used to identify a person, health data, data concerning sex life or sexual orientation, and data relating to criminal convictions.
Czech data protection law also has exceptions to the requirements for informing data subjects. Article 8 of the Czech Data Protection Act states that if the controller has to process personal data to comply with legal obligations or in the public interest, and is obligated to inform data subjects as per Articles 13 and 14 of the GDPR, the controller may inform data subjects through remote access.
Under Czech law, data breaches must be reported to the Czech supervisory authority. Cases that should be reported to the Czech Data Protection Authority include:
- Attacks on computers that process personal data resulting in unlawful dissemination, misuse, or alteration of personal data
- Loss of documents with vital personal data; these include printed documents or manual filing systems whose content poses serious risks to data subjects.
The laws also outline cases that need not be reported, such as a momentary inability to locate paper documents that are highly unlikely to have been accessed by unauthorized personnel. The law also sets out reporting guidelines, which match those listed by the GDPR.
A breach report should include the nature of the data breach, the name and contact details of the data protection officer, the potential consequences of the breach, and the measures taken to address it. Czech data protection laws also outline exceptions to the mandatory communication of data breaches to affected data subjects.
While the differences discussed above aren’t exhaustive, they represent the most significant provisions of Czech data protection laws. These newly adopted laws have reduced uncertainty in Czech data protection levels caused by poor implementation of legislation.