Act No. 110/2019 Coll.
Act on the processing of personal data
Valid
Law
Effective from 24.04.2019
Contents
PART ONE
TITLE I: § 1 to § 3
TITLE II
Division 1: § 4 to § 16
Division 2: § 17 to § 23
TITLE III: § 24 to § 39, § 39a, § 39b, § 39c, § 40 to § 42
TITLE IV: § 43 to § 49
TITLE V: § 50 to § 54, § 54a, § 55 to § 60
TITLE VI: § 61 to § 65
PART TWO: § 66 to § 68
110
ACT
of 12 March 2019
on the processing of personal data
Parliament has passed this Act of the Czech Republic:
PART ONE
PROCESSING OF PERSONAL DATA
TITLE I
BASIC PROVISIONS
§ 1
Subject matter
This Act incorporates the relevant European Union legislation1), builds on the directly applicable European Union regulation2), and regulates the rights and obligations in the processing of personal data in order to give effect to everyone's right to privacy.
§ 2
Scope of the Act
This Act governs:
(a) the processing of personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council2);
(b) the processing of personal data by the competent authorities for the purposes of preventing, searching for or detecting criminal activity, prosecuting criminal offences, executing criminal penalties and protective measures, ensuring the security of the Czech Republic or ensuring public order and internal security, including the search for persons and things;
(c) the processing of personal data in ensuring the defence and security interests of the Czech Republic;
(d) other processing of personal data which are or are to be included in a filing system, or which is carried out wholly or partly by automated means, except for the processing of personal data by a natural person in the course of a purely personal or household activity; and
(e) the status and powers of the Office for the Protection of Personal Data (hereinafter "the Office").
§ 3
Data subject
A data subject is the natural person to whom personal data relate.
TITLE II
PROCESSING OF PERSONAL DATA UNDER A DIRECTLY APPLICABLE REGULATION OF THE EUROPEAN UNION
Division 1
General provisions
§ 4
Scope
(1) The provisions of this Title apply to the processing of personal data pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
(2) The provisions of this Title and of Regulation (EU) 2016/679 of the European Parliament and of the Council also apply to the processing of personal data which are or are to be included in a filing system, or which is carried out wholly or partly by automated means, except for the processing of personal data by a natural person in the course of a purely personal or household activity,
(a) in the course of activities falling outside the scope of European Union law or of Title III or IV; or
(b) in the course of activities falling within the scope of Chapter 2 of Title V of the Treaty on European Union.
§ 5
Authorisation to process personal data in the performance of a legal obligation or in the exercise of public authority
The controller is entitled to process personal data where this is necessary for the performance of:
(a) an obligation imposed on the controller by law; or
(b) a task carried out in the public interest or in the exercise of public authority vested in the controller.
§ 6
Exemption from the obligation to assess the compatibility of purposes
(1) Unless other legislation provides otherwise, the controller is not obliged, before processing personal data for a purpose other than that for which they were collected, to assess the compatibility of those purposes, where such processing is necessary and proportionate for ensuring a protected interest and is carried out for the performance of:
(a) an obligation imposed on the controller; or
(b) a task in the public interest laid down by law or in the exercise of public authority vested in the controller.
(2) The protected interest referred to in paragraph 1 shall mean:
(a) the defence or security interests of the Czech Republic;
(b) public policy and internal security, preventing, seeking out or detecting crime, prosecuting criminal offences, carrying out criminal penalties and protective measures, ensuring the security of the Czech Republic or ensuring public order and internal security, including the search for persons and things;
(c) another important objective of general public interest of the European Union or of a Member State of the European Union, in particular an important economic or financial interest of the European Union or of a Member State of the European Union, including monetary, budgetary and taxation matters, the financial market, public health or social security;
(d) protection of the independence of courts and judges;
(e) the prevention, search, detection or prosecution of infringements of the ethical rules of regulated professions;
(f) supervisory, control or regulatory functions related to the exercise of public authority in the cases referred to in points (a) to (e);
(g) the protection of the rights and freedoms of persons; or
(h) the recovery of private-law claims.
§ 7
Capacity of a child to consent to the processing of personal data
A child is entitled to consent to the processing of personal data in connection with the offer of information society services directly to the child upon attaining 15 years of age.
§ 8
Information obligation in processing of personal data regulated by law
Where the controller processes personal data pursuant to § 5 and is obliged to provide the data subject with the information referred to in Article 13 or Article 14 (1), (2) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council, it may provide that information, to the extent appropriate to the processing of personal data it normally carries out, by publishing it in a manner allowing remote access.
§ 9
Notification by changing a record in a filing system
Where the controller is obliged to notify a recipient of the rectification, restriction of processing or erasure of personal data, it may do so by changing the personal data in the filing system, provided that the recipient regularly makes its current content available.
§ 10
Exemption from the obligation to carry out a data protection impact assessment
The controller need not carry out a data protection impact assessment before starting the processing where legislation obliges it to carry out that processing of personal data.
§ 11
Restriction of certain rights and obligations
(1) Unless other legislation provides otherwise, Articles 12 to 22 and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council apply mutatis mutandis, or the performance of the obligations of the controller or processor or the exercise of the rights of the data subject laid down in those Articles is deferred, where this is necessary, and to the extent appropriate, for ensuring a protected interest referred to in § 6 (2).
(2) The controller or processor shall notify the Office without undue delay of a restriction of certain rights or obligations under paragraph 1, stating to a reasonable extent the facts referred to in Article 23 (2) of Regulation (EU) 2016/679 of the European Parliament and of the Council; this does not apply to courts processing personal data pursuant to Article 55 (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council.
§ 12
Exemption from the obligation to communicate a personal data breach to the data subject
Where the controller is obliged to communicate a personal data breach to the data subject, it shall do so to a limited extent or defer the communication where this is necessary, and to the extent appropriate, for ensuring a protected interest referred to in § 6 (2). § 11 (2) applies mutatis mutandis to the notification of such a step to the Office.
§ 13
Personal data subject to restriction of processing
Where the processing of personal data has been restricted in accordance with Article 18 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council, this does not affect the obligation of the controller or processor to transmit or make available such personal data where that obligation is laid down by law. Such data shall be marked, at the time of transmission or disclosure, as data referred to in Article 18 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council.
§ 14
Designation of a data protection officer
In addition to public authorities, the obligation to designate a data protection officer pursuant to Article 37 (1) (a) of Regulation (EU) 2016/679 of the European Parliament and of the Council also applies to bodies established by law which perform statutory tasks in the public interest.
§ 15
Accreditation of certification bodies
Persons authorised to issue personal data protection certificates shall be accredited by the person entrusted with exercising the powers of the accreditation body under the law governing the accreditation of conformity assessment bodies3).
§ 16
Processing of personal data for the purposes of scientific or historical research or for statistical purposes
(1) When processing personal data for the purposes of scientific or historical research or for statistical purposes, the controller or processor shall ensure that specific measures are in place to protect the interests of the data subject, corresponding to the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity to the rights and freedoms of natural persons. Such measures may include in particular:
(a) technical and organisational measures aimed at the consistent application of the obligation under Article 5 (1) (c) of Regulation (EU) 2016/679 of the European Parliament and of the Council;
(b) keeping records of at least all operations of collection, entry, alteration and erasure of personal data, enabling the identity of the person who performed the operation to be determined and verified, and retaining such records for at least 2 years after the operation is carried out;
(c) instructing persons who process personal data on their personal data protection obligations;
(d) the designation of a data protection officer;
(e) specific restrictions on access to personal data within the controller or processor;
(f) pseudonymisation of personal data;
(g) encryption of personal data;
(h) measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(i) measures enabling the availability of, and timely access to, personal data to be restored in the event of an incident;
(j) a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures in place to ensure the security of processing;
(k) specific restrictions on the transfer of personal data to third countries; or
(l) specific restrictions on the processing of personal data for other purposes.
(2) Where this still allows the purpose referred to in paragraph 1 to be achieved, the controller or processor shall further process the personal data referred to in Article 9 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council in a form which does not permit the identification of the data subject, unless the legitimate interests of the data subject preclude this.
(3) Unless other legislation provides otherwise, Articles 15, 16, 18 and 21 and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council apply mutatis mutandis, or the performance of the obligations of the controller or processor or the exercise of the rights of the data subject laid down in those Articles is deferred, where this is necessary, and to the extent appropriate, for the purpose of the processing referred to in paragraph 1. Article 15 and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council do not apply where the processing is necessary for the purposes of scientific research and the provision of the information would require disproportionate effort.
Division 2
Processing of personal data for journalistic or academic, artistic or literary purposes
§ 17
Lawfulness of processing
(1) Personal data may also be processed where this is proportionate for journalistic or academic, artistic or literary purposes. In assessing proportionality under the first sentence, account shall also be taken of whether the processing involves personal data referred to in Article 9 (1) or Article 10 of Regulation (EU) 2016/679 of the European Parliament and of the Council.
(2) The processing of personal data for the purposes referred to in paragraph 1 is not subject to authorisation or approval by the Office and enjoys the right to protection of the source and content of the information, including in the case of processing of personal data in a manner allowing remote access.
§ 18
Exemptions from the controller's obligations to instruct and inform
(1) When processing personal data for the purposes referred to in § 17 (1), the controller may fulfil its obligations under Article 12 (1) and (2), Article 13 (1) to (3) and Article 21 (4) and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council also by any appropriate communication to the data subject of the identity of the controller. The identity of the controller may also be communicated by an appropriate indication of the controller's identity, which may be made by a graphic mark, orally or by other appropriate means. Information on the identity of the controller is sufficient where the controller's instructions on the rights of the data subject and on other facts necessary for the protection of those rights are publicly available, to the extent appropriate to the processing of personal data normally carried out by the controller.
(2) Information on the identity of the controller need not be provided in justified cases, in particular where:
(a) this is not possible or would require disproportionate effort;
(b) the data subject may reasonably expect the processing referred to in § 17 (1);
(c) the data subject already has that information; or
(d) providing that information would jeopardise or frustrate the purpose of the processing of personal data, where such a procedure is necessary to achieve a legitimate purpose of the processing of personal data, in particular in matters of public interest.
Instead of withholding information on the identity of the controller, the controller may defer the provision of that information.
§ 19
Protection of the source and content of information
(1) The obligation to inform pursuant to Article 14 (1) to (4) and Article 21 (4) and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council, as well as other rights of the data subject, may also be fulfilled by publishing the information in a manner allowing remote access; in such a case it is sufficient to provide information on the data normally processed by the controller.
(2) The right of access to personal data under Article 15 and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council does not apply to personal data which have not been published by the controller and are processed solely for the purposes referred to in § 17 (1). In other cases, the controller may refuse access to personal data in justified cases, in particular where a legitimate purpose of the processing of personal data would otherwise be jeopardised or frustrated, or where access would require disproportionate effort.
(3) Article 14 (2) (f) and Article 15 (1) (g) and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council do not apply to the processing of personal data for the purposes referred to in § 17 (1).
(4) Where the controller is obliged to notify a personal data breach pursuant to Article 33 (1) or Article 34 (1) of Regulation (EU) 2016/679 of the European Parliament and of the Council, it is not obliged to disclose information enabling the identification of the source or content of the personal data whose security has been breached.
§ 20
Exemptions from rectification, erasure and restriction of processing of personal data
(1) Where the rights to erasure or rectification are exercised in respect of personal data processed for the purposes referred to in § 17 (1), other legislation4) applies.
(2) Where personal data are processed for the purposes referred to in § 17 (1), the data subject has the right to restriction of processing under Article 18 and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council only where the controller no longer needs the personal data for the purposes of the processing but the data subject requires them for the establishment, exercise or defence of legal claims. This does not apply where it would require disproportionate effort.
§ 21
Information on rectification, erasure and restriction of processing
(1) Where the controller is obliged to notify recipients of the rectification, erasure or restriction of processing of personal data pursuant to Article 17 (2) or Article 19 and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council, in processing carried out for the purposes referred to in § 17 (1) in a manner allowing remote access, it may also fulfil that obligation by indicating the date of the last update of the content in which the personal data are or were provided, or by another appropriate measure.
(2) The rectification, erasure or restriction of processing referred to in Article 19 and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council shall be notified to those to whom the controller has transmitted personal data processed for the purposes referred to in § 17 (1), where this is necessary to protect the rights or legitimate interests of the data subject and does not require disproportionate effort.
(3) The controller may inform the data subject only of the categories of recipients where, in relation to the processing of personal data for the purposes referred to in § 17 (1), informing the data subject of the recipients referred to in Article 19 and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council would require disproportionate effort, or where a legitimate purpose of the processing would be jeopardised or frustrated.
§ 22
Limitation of the right to object
(1) An objection under Article 21 and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council may be raised, in relation to the processing of personal data for the purposes referred to in § 17 (1), only against a specific disclosure or publication of personal data; in doing so, the data subject shall state specific reasons indicating that, in the case at hand, the legitimate interest in the protection of his or her rights and freedoms outweighs the interest in such disclosure or publication.
(2) Where an objection has been raised under paragraph 1, the controller shall cease such disclosure or publication if it considers that the data subject has demonstrated that the interest in the protection of his or her rights and freedoms outweighs the interest in such publication. The controller shall inform the data subject without undue delay whether it has complied with the objection.
§ 23
Further exemptions for specific cases
(1) §§ 18 to 22 and Articles 12 to 19, 21, 33 and 34 and, to the corresponding extent, Article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council do not apply, apply mutatis mutandis, or the performance of the obligations of the controller or processor or the exercise of the rights of the data subject laid down therein is deferred,
(a) where such a procedure is necessary to fulfil the purpose of the processing referred to in § 17 (1); and
(b) where such a procedure is unlikely to result in a high risk to the legitimate interests of the data subject.
(2) Chapter VII of Regulation (EU) 2016/679 of the European Parliament and of the Council does not apply to the processing referred to in § 17 (1). Articles 20, 22 and 56, Article 58 (1) (a), (b), (e) and (f), Article 58 (2) (d), (f) and (g), and Chapters II, IV, V and IX of Regulation (EU) 2016/679 of the European Parliament and of the Council do not apply, apply mutatis mutandis, or the performance of the obligations of the controller or processor or the exercise of the rights of the data subject laid down in those provisions is deferred, where this is necessary for the purpose of the processing referred to in § 17 (1).
(3) Where the exclusion or limitation of certain rights or obligations under paragraph 2 would be likely to result in a high risk to the legitimate interests of the data subject, the controller or processor shall without undue delay adopt and document appropriate measures to mitigate that or a similar risk.
TITLE III
PROTECTION OF PERSONAL DATA IN PROCESSING FOR THE PURPOSES OF PREVENTING, SEARCHING FOR OR DETECTING CRIMINAL ACTIVITY, PROSECUTING CRIMINAL OFFENCES, EXECUTING CRIMINAL PENALTIES AND PROTECTIVE MEASURES, ENSURING THE SECURITY OF THE CZECH REPUBLIC OR ENSURING PUBLIC ORDER AND INTERNAL SECURITY
§ 24
General provisions
(1) Unless the law provides otherwise, the provisions of this Title apply to the processing of personal data which is necessary for the performance of a task and the exercise of public authority laid down by other legislation5) for the purposes of preventing, searching for or detecting criminal activity, prosecuting criminal offences, executing criminal penalties and protective measures, ensuring the security of the Czech Republic or ensuring public order and internal security, including the search for persons and things.
(2) For the purposes of this Title, Article 4 (1) to (6), (8), (9), (12) to (15) and (26) of Regulation (EU) 2016/679 of the European Parliament and of the Council applies mutatis mutandis.
(3) The managing authority is the public authority which performs a task referred to in paragraph 1 and which is not an intelligence service or the municipal police.
(4) The provisions of this Title apply to the processing of personal data which are or are to be included in a filing system, or where such processing is carried out wholly or partly by automated means.
§ 25
Principles of processing personal data
(1) When processing personal data, the managing authority shall:
(a) specify the particular purpose of the processing of personal data in connection with the performance of a task referred to in § 24 (1);
(b) take measures to ensure that the personal data are accurate having regard to the nature and purpose of the processing; and
(c) keep personal data in a form permitting identification of the data subject only for as long as is necessary to achieve the purpose of the processing.
(2) Personal data may be processed for a purpose not connected with the performance of a task referred to in § 24 (1) only where the managing authority is authorised to do so and that purpose is not incompatible with the particular purpose of the processing.
§ 26
Categories of data subjects and quality of personal data
Where possible, the managing authority shall:
(a) add to the personal data processed information on the status of the data subject in criminal proceedings and, where appropriate, information on final decisions of law enforcement authorities concerning those data, where this is justified by the purpose of the processing; and
(b) mark inaccurate personal data and, where appropriate, personal data based on personal assessments.
§ 27
Information to the data subject
The managing authority shall publish information on:
(a) its name and contact details;
(b) the contact details of the data protection officer (hereinafter "the officer");
(c) the purposes of the processing of personal data;
(d) the right to lodge a complaint with the Office and the contact details of the Office; and
(e) the right to access, rectification, restriction of processing or erasure of personal data.
§ 28
Right of access to personal data
(1) At the request of the data subject, the managing authority shall communicate whether it processes personal data relating to the data subject. Where it processes such data, it shall provide them to the data subject and inform the data subject of:
(a) the purpose of the processing of personal data;
(b) the legislation on the basis of which it primarily processes those data;
(c) the recipients and, where appropriate, the categories of recipients;
(d) the envisaged retention period or the method used to determine it;
(e) the right to request rectification, restriction of processing or erasure of personal data; and
(f) the source of those data.
(2) The managing authority shall not comply with a request under paragraph 1, or, where necessary, shall comply with it only in part, where compliance would jeopardise:
(a) the performance of a task of preventing, searching for or detecting criminal activity, prosecuting criminal offences, executing criminal penalties and protective measures, ensuring the security of the Czech Republic or ensuring public order and internal security, including the search for persons and things;
(b) proceedings concerning an infringement, disciplinary proceedings or proceedings concerning conduct having the characteristics of an infringement;
(c) the protection of classified information; or
(d) the legitimate interests of a third party.
(3) Where a notification of non-compliance with the request, including the reasons for it, would jeopardise an interest referred to in paragraph 2, the managing authority shall inform the data subject in the same manner as an applicant whose personal data it does not process.
(4) The managing authority shall keep a record of the reasons for the procedure under paragraphs 2 and 3, which it shall retain for at least 3 years.
§ 29
Right to rectification, restriction of processing or erasure of personal data
(1) At the request of the data subject, the managing authority shall rectify or complete the personal data relating to the data subject. Where the purpose of the processing so requires, the managing authority may, instead of rectifying the personal data, supplement them with or attach to them a supplementary statement.
(2) At the request of the data subject, the managing authority shall erase the personal data relating to the data subject where the managing authority has breached the principles of processing personal data under § 25 or other legislation5), or the restrictions on the processing of certain categories of personal data, or where the managing authority is under an obligation to erase such data.
(3) Instead of rectifying or erasing personal data, the managing authority may restrict their processing by specially marking them,
(a) where the data subject disputes their accuracy and it is not possible to determine whether the data are accurate; or
(b) where the data must be kept for evidentiary purposes.
(4) Where the processing of personal data is restricted under paragraph 3 (a), the managing authority shall inform the data subject before lifting the restriction; the managing authority shall also inform the data subject where the restriction is to be lifted by a decision of the Office or of the competent court.
(5) The managing authority shall not comply with a request under paragraphs 1 to 3, or, where necessary, shall comply with it only in part, where compliance would jeopardise an interest referred to in § 28 (2). Where a notification of non-compliance, including the reasons for it, would jeopardise an interest referred to in § 28 (2), the managing authority shall inform the applicant in a manner that averts such a risk.
(6) The managing authority shall keep a record of the reasons for the procedure under paragraph 5, which it shall retain for at least 3 years.
§ 30
Common provisions on requests by the data subject
(1) The managing authority shall deal with a request under § 28 or § 29 without undue delay and no later than 60 days from the date of its submission.
(2) Where the managing authority demonstrates that a request under § 28 or § 29 is manifestly unfounded or excessive, in particular because it is repeated within a short period in the same matter, it may refuse to comply with the request.
(3) The managing authority shall inform the data subject of the possibility of:
Regulation Information
| Citation | Act No. 110/2019 Coll., on the Processing of Personal Data |
|---|---|
| Regulation Type | Law |
| Author | - |
| Collection | Code of Laws |
| Date of Promulgation | 24.04.2019 |
| Effective from | 24.04.2019 |
| Effective until | - |
| Status | Valid |