Personal data protection in the Czech Republic

Standards of personal data protection in the Czech Republic have only very slowly been reaching the level common in EU countries. Many people are still willing to hand over sensitive personal data such as their birth registration code. (Footnote 1)

A law on the protection of personal data – Act No. 101/2000 Coll., as amended – was aimed at dealing with the problem. The Personal Data Protection Act (PDPA) came into force in the Czech Republic on June 1, 2000, introducing European standards in relation to the handling of personal data by both state authorities and private companies. Its enforcement was entrusted to an independent supervisory authority, the Office for Personal Data Protection (OPDP), whose seven inspectors started carrying out inspections in June 2000.

The PDPA, which underwent an amendment in May 2001, authorizes the OPDP to act as a central administrative authority in relation to personal data protection. The PDPA first defines elementary terms such as personal data protection, sensitive data, anonymous data, and personal data administrator, and then clarifies the rights and duties of personal data administrators with regard to personal data processing, storage and use. No data can be collected without the written consent of the person concerned, and data can only be used for purposes approved by the OPDP. The provisions of the PDPA do not allow collected data to be transferred abroad in any form without the due approval of the OPDP. Furthermore, this can only be done on the condition that the jurisdiction of the state to which the data is to be transferred guarantees the same level of data protection as the Czech Republic. As current practice shows, the OPDP has set a considerably strict policy with regard to issuing the license to transfer such data.

Although many Czech citizens are becoming more aware of their rights regarding personal data protection, mostly due to increased media coverage, most of them are still experiencing frequent abuse of their personal details. Some influential companies are making high profits by selling databases that include the home addresses, telephone numbers or shopping preferences of their customers. It is still not unusual to see a big financial institution collecting and processing personal data for banking purposes and then transferring it to its subsidiaries for leasing or travel purposes.

The OPDP can impose a fine of up to 10 million CZK, an equivalent of roughly €325,000, for violating the law, or twice as much in the case of a repeated offence. Unfortunately, in the meantime there is not much that ordinary clients can do to protect themselves against malpractice, except to report such cases to the OPDP. The only, and the best, advice of the OPDP inspectors for everyone is to read the small print carefully before signing any legal document.

For further information please contact Ian Parker at ian.parker@cms-cmck.com or Ondrej Rob at ondrej.rob@cms-cmck.com or on 00 420 2 96798111.

Footnotes

Footnote 1: The birth registration code is a 10-digit number sequence that has been widely used over the years as a main identifier for various purposes, revealing the date of birth and sex of the holder. In the past, refusal to state one's code could lead to the voidance of an important application or questionnaire, or simply to unnecessary trouble with local or state authorities.