Protection of personal data in the Czech Republic

Czech Republic

From 26 July, 2004, Czech data protection laws have been changed to bring them into line with EU law. The most important changes are:

  • free movement of personal data within the EU

Because other member states are subject to the same EU directive providing the same protection for the processing of information about individuals, it is no longer necessary to seek approval from the Czech supervisory authority when providing data to another member state.

  • greater regulation of data processing

Before a person holding personal data (the data controller) can allow it to be processed (this includes using it, altering it, organising it, disclosing it or destroying it) by anyone else, other than its employees (the data processor), he must obtain a written guarantee from the data processor that satisfactory organizational and technical arrangements are in place for the data processing activities.

Data controllers will need to attach more importance to data protection legislation – something they have often neglected to do in the past – as their compliance comes under increasing scrutiny. This will come not only from heightened public awareness of individual rights but also from an increase in the number of inspections carried out by the Czech supervisory authority.

On 1 January, 2006, data controllers will also need the express consent of data subjects before processing their birth numbers. Birth numbers are widely used by businesses as key identifiers (of customers etc.) in databases because they provide unambiguous identification of all Czech citizens. Data controllers should start obtaining consents from all data subjects well in advance of 2006 or they will need to use a different means of identification both in new and existing information systems.

For further information please contact Jan Rataj at jan.rataj@cms-cmck.com or on +420 221 098 871.