###

NEWS

GDPR Implementation Act enters into force


15/5/2019

On 24 April 2019, the Act on the processing of personal data was published in the Collection of laws under No. 110/2019. In addition to adapting the Czech legal system and ensuring its compliance with the General Data Protection Regulation (GDPR), it also regulates cases where the GDPR allows Member States to adapt certain areas in this domain at their discretion, transposes the criminal justice directive (EU) 2016/680 of the European Parliament and of the Council into the Czech legal system and regulates the status of the Office for Personal Data Protection as the supervisory body in the field of personal data processing.

Areas regulated by the Czech legislators differently from the GDPR include, for example, the minimum age for a child to be able to give consent to the processing of personal data. The age is lowered from the proposed 16 years to 15 years. The law also facilitates compliance with the information obligation for controllers processing personal data for the purpose of complying with a legal obligation or in the public interest and abolishes the obligation to carry out a data protection impact assessment where a law requires the controller to carry out such an assessment. Furthermore, the law also regulates the work of journalists, reducing for them some of the general obligations of the controller.

However, the most striking and probably the most controversial exception to GDPR is the exclusion of public authorities from the group of subjects eligible to impose an administrative fine for offences under the Personal Data Processing Act and the GDPR. The Ministry of the Interior also supported the adoption of the act with this change, arguing that the public administration will still be motivated to meet its obligations by being subject to the Office's supervisory activities and to potential recoveries, through the courts, of damages incurred by data subjects.