Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Czech Republic - Data Protection

History of Data Protection in CZECH REPUBLIC

Data protection found itself on the Czech Republic's agenda following the political changes of 1989. Act number 25/1992 on personal data in information systems was introduced shortly after. However, the act proved to incompatible with Directive 95/46/EC. As the Czech Republic was aiming to join the EU, formulating a new act that was compatible with the Directive became a priority.

Act number 101/2000 on personal data protection was introduced in order to render Czech law compatible with the Directive. The Act applies to manual processing as well as automatic processing, and it inaugurated the Czech Office for Personal Data Protection. These measures remedied crucial defects in Act number 25/1992.

Act number 101/2000 has since been amended several times. In May 2004, the Czech Republic became one of the ten newly associated states of the EU.

Summary of Data Protection in CZECH REPUBLIC

Title of Data Protection Legislation Act on the Protection of Personal Data and on Amendment to Some Related Acts (101 of 4 April 2000)
Name of supervisory authority Office for Personal Data Protection
General Powers of supervisory authority The key functions of the Office of Personal Data Protection are:

To supervise the observance of the law in the processing of personal data,

To maintain a register of instances of permitted personal data processing,

To deal with notifications and grievances from citizens concerning infringements of the law,

To provide consultations in the area of personal data protection.

(See Office website and Article 29 of the Act)
Who has standing to notify the supervisory authority of breaches? The data subject
What are the penalties for data controllers if they breach the law? Articles 44-6 and 49 of the 2000 Act set out the penalties for breaches of the law.

They are fines, prohibition of activities or imprisonment.
Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? No. 'National Identification Number' is used in a variety of ways in the Czech Republic. All should be treated simply as personal data.
Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably sufficient to use alternatives to consent even when it is not impracticable or inappropriate to obtain it.
Does the Data Protection Legislation cover the deceased? Yes
Who is able to indirectly identify the data subject? Anybody

Laws and Regulations

Institutions