Draft of the new Data Protection Act ("DPA") is in the legislative process, currently in the second reading in the Chamber of Deputies (lower chamber of the Czech Parliament). Several amending proposals to the draft DPA have been submitted to the Parliament.
Current DPA No. 101/2000 Coll. to be repealed by the new DPA. Multiple existing laws (e.g. Civil Procedure Code, Criminal Procedure Code) to be amended by an Amending Act. The new DPA shall also transpose the Law Enforcement Directive.
DPA to be effective as of its publication in the Collection of Laws (after passing the legislative procedure).There is no estimated date of enactment for the new DPA in the Parliament.
Areas where Member States must have local laws:
Section 16 of the DPA allows processing of personal data carried out by adequate means for journalistic purposes or for purposes of academic, artistic or literary expression. Sections 17 et seq. stipulate exceptions to information obligations (Section 17), protection of source and content of information (Section 18), exceptions to right to restriction of processing (Section 19), information about rectification and erasure (Section 20), and limitation of the right to object (Section 21).
Section 59 stipulates fines for the administrative offence of unlawful publication of personal data where the prohibition of disclosure is stipulated by law (e.g. Criminal Procedure Code). Fines may amount to CZK 1 million. Maximum fines of CZK 5 million are stipulated if the administrative offence is carried out through print, film, radio, television, publicly accessible computer network or other similarly effective means.
Sections 60 and 61 stipulate various administrative offences in relation to data processing by public authorities and bodies. A fine up to CZK 10 million (i.e. lower than GDPR) may be imposed.
No new criminal penalties will be introduced (unauthorised use of personal data is already recognised by the current Criminal Code).
Areas where Member States may have local laws:
Section 56 stipulates an obligation of the Data Protection Authority to exclude from the file inspection information that constitute trade secrets or bank secrets or any similar types of secrets, copyrighted works, and information protected by secrecy obligations under special laws, if the file is inspected by a person who did not provide such protected information. The Data Protection Authority is only authorised to get acquainted with information protected by professional secrecy of attorneys with consent and upon presence of a representative of the Czech Bar Association.
Employees of the Data Protection Authority are bound by an obligation of secrecy which extends beyond the termination of their employment relationship with the DPA (Section 57).
Section 7 sets the age of consent for children in relation to offering of information society services at 15 years of age.
Section 16(2) stipulates that special categories of personal data (including genetic, biometric, health data) may be processed for journalistic purposes or for purposes of academic, artistic or literary expression if it is necessary for a legitimate objective and the legitimate interest in the personal data processing overrides the legitimate interests of the data subject.
Section 14 stipulates that obligation to appoint a Data Protection Officer under Article 37(1)(a) GDPR also applies to bodies established by law that fulfil tasks imposed by law in public interest.