Standards of personal data protection in the Czech
Republic have only very slowly been approaching the level common
in EU countries. Many people are still willing to hand over
sensitive personal data such as their birth registration code
(Footnote 1).
A law on the protection of personal data –
Act No. 101/2000 Coll. as amended – was aimed at dealing with
the problem. The Personal Data Protection Act (PDPA) came into
force in the Czech Republic on June 1 2000, introducing European
standards in relation to the handling of personal data by both
state authorities and private companies. Its enforcement was
entrusted to an independent supervisory authority, the Office for
Personal Data Protection (OPDP), whose seven inspectors started
carrying out inspections in June 2000.
The PDPA, which was amended in May 2001,
authorizes the OPDP to act as a central administrative authority in
relation to personal data protection. The PDPA first defines
elementary terms such as personal data protection, sensitive data,
anonymous data, and personal data administrator and then clarifies
the rights and duties of personal data administrators with regard
to personal data processing, storage and use. No data can be
collected without the written consent of a particular person and
data can only be used for purposes approved by the OPDP. The
provisions of the PDPA do not allow for a transfer abroad of
collected data in any form, without the due approval of the OPDP.
Furthermore, this can only be done on the condition that the
jurisdiction of the state to which the data is to be transferred
guarantees the same level of data protection as the Czech Republic.
As current practice shows, the OPDP has adopted a considerably strict
policy with regard to issuing the license to transfer such
data.
Although many Czech citizens are becoming more
aware of their rights regarding personal data protection, mostly due to
increased media coverage, most of them still experience
frequent abuse of their personal details. Some influential
companies are making high profits by selling databases that include
home addresses, telephone numbers or shopping preferences of their
customers. It is still not unusual to see a big financial
institution collecting and processing personal data for banking
purposes and then transferring it to its subsidiaries for leasing
or travel purposes.
The OPDP can impose a fine of up to 10 million CZK,
an equivalent of roughly €325,000, for violating the law, or
twice as much in the case of a repeated offence. Unfortunately, in
the meantime there is not much that ordinary clients can do to
protect themselves against malpractice, except to report such cases
to the OPDP. The only, and the best, advice of the OPDP inspectors
for everyone is to read the small print carefully before signing
any legal document.
For further information please contact Ian Parker
at ian.parker@cms-cmck.com or Ondrej Rob at ondrej.rob@cms-cmck.com
or on 00 420 2 96798111.
Footnotes
Footnote 1 The birth
registration code is a 10-digit number sequence that has been
widely used over the years as a main identifier for various
purposes, revealing the date of birth and sex of the holder. In the
past, refusal to state one's code could lead to the voiding of an
important application or questionnaire, or simply to unnecessary
trouble with local or state authorities.