Full text of Act No. 525 / 2004 Coll.

Full text of Act No. 101 / 2000 Coll., on the Protection of Personal Data and on the Amendment of Certain Laws, as resulting from subsequent amendments

Valid Declared full text
525
PRESIDENT OF THE GOVERNMENT
Announces
The full text of Act No. 101 / 2000 Coll., on the Protection of Personal Data and on the Amendment of Certain Acts, as follows from the amendments made by Act No. 227 / 2000 Coll., Act No. 177 / 2001 Coll., Act No. 450 / 2001 Coll., Act No. 107 / 2002 Coll., Act No. 309 / 2002 Coll., Act No. 310 / 2002 Coll., Act No. 517 / 2002 Coll., Act No. 439 / 2004 Coll. and Act No. 480 / 2004 Coll.
THE LAW
on the protection of personal data
Parliament has decided on this law of the Czech Republic:

PART ONE

PROTECTION OF PERSONAL DATA

CHAPTER I

INTRODUCTORY PROVISIONS
§ 1
Subject matter
This law, in accordance with the law of the European Communities, (1) by international treaties binding on the Czech Republic, (1a) and in order to fulfil everyone's right to protection against unauthorised interference in privacy, lays down the rights and obligations for the processing of personal data and lays down the conditions under which the transfer of personal data to other States takes place.
§ 2
(1) An Office for the Protection of Personal Data, based in Prague (hereinafter referred to as the Office), is hereby established.
(2) The Office is entrusted with the powers of the Central Administrative Office in the field of personal data protection to the extent provided for by this Act and other powers provided for by specific legislation. (1b)
§ 3
Scope of the law
(1) This law applies to personal data processed by public authorities, local authorities, other public authorities and natural and legal persons.
(2) This law applies to all processing of personal data, whether by automated means or by other means.
(3) This law shall not apply to the processing of personal data carried out by a natural person solely for personal use.
(4) This law shall not apply to the random collection of personal data unless such data are further processed.
(5) This law also applies to the processing of personal data,
(a) where the legal order of the Czech Republic applies primarily on the basis of public international law, even if the controller is not established in the Czech Republic,
(b) where the controller established outside the territory of the European Union carries out processing in the territory of the Czech Republic and it is not only the transfer of personal data through the territory of the European Union; in this case the controller is obliged to authorise the processor in the Czech Republic in accordance with the procedure laid down in § 6.
Where processing is carried out by the controller through its organisational units located in the territory of the European Union, it shall ensure that such organisational units process personal data in accordance with the national law of the relevant Member State of the European Union.
(6
(a) security of the Czech Republic, 4)
(b) Defence of the Czech Republic, 5)
(c) public policy and internal security, 6)
(d) prevention, search, detection and prosecution of criminal offences, 7)
(e) significant economic interest of the Czech Republic or of the European Union, 8)
(f) the significant financial interest of the Czech Republic or of the European Union, namely the stability of the financial market and currency, the functioning of money circulation and payment transactions, as well as budgetary and tax measures, 9)
(g) the exercise of control, supervision, supervision and regulation associated with the exercise of public authority in the cases referred to in (c), (d), (e) and (f), (10); or
(h) activities related to the making available of volumes of former State security. 10a)
§ 4
Definition of terms
For the purposes of this Act:
(a) personal data means any information relating to a designated or identifiable data subject. The data subject shall be considered to be identified or identifiable if the data subject can be identified directly or indirectly, in particular on the basis of a number, code or one or more elements specific to his or her physical, physiological, psychological, economic, cultural or social identity,
(b) sensitive data means personal data indicating national, racial or ethnic origin, political attitudes, trade union membership, religion and philosophical beliefs, convictions for criminal offences, health status and sexual life of the data subject and any biometric or genetic data of the data subject,
(c) anonymous data means data which, either in its original form or after processing, cannot be linked to a designated or identifiable data subject;
(d) the data subject is the natural person to whom the personal data relate;
(e) processing of personal data means any operation or system of operations which the controller or processor systematically carries out with personal data, by automated means or other means. The processing of personal data means, in particular, the collection, storage on information media, the making available, modification or alteration, the search, use, transmission, dissemination, publication, retention, exchange, sorting or combination, blocking and destruction,
(f) collection of personal data means a systematic procedure or a set of procedures aimed at obtaining personal data in order to further store them on a medium of information for their immediate or later processing;
(g) keeping personal data means keeping them in such a form as to enable them to be processed further;
(h) blocking of personal data means creating a state in which the personal data are not accessible for a certain period of time and cannot otherwise be processed;
(i) the disposal of personal data means the physical destruction of their medium, their physical deletion or their permanent exclusion from further processing;
(j) the controller means any body which determines the purpose and means of processing personal data, carries out the processing and is responsible for it. The controller may empower or entrust the processor with the processing of personal data, unless otherwise provided by a special law,
(k) the processor means any body which, under a special law or mandated by the controller, processes personal data under that law;
(l) published personal data means personal data made available, in particular, by mass media, other public communications or as part of a public list,
(m) the registration or data set of personal data (hereinafter referred to as "data file") means any personal data file organised or made available according to common or specific criteria;
(n) consent of the data subject means a free and conscious expression of the will of the data subject, the content of which is the consent of the data subject to the processing of personal data;
(o) the recipient means each body to which personal data are made available; a body which processes personal data pursuant to Article 3 (6) (g) shall not be considered a recipient.

CHAPTER II

RIGHTS AND OBLIGATIONS FOR PROCESSING PERSONAL DATA
§ 5
(1) The controller shall:
(a) specify the purpose for which personal data are to be processed;
(b) determine the means and manner of processing of personal data;
(c) to process only the exact personal data obtained in accordance with this law. If necessary, it shall update personal data. Where the controller finds that the personal data processed by it are not accurate in view of the purpose set, it shall take appropriate measures without undue delay, in particular blocking the processing and correcting or supplementing the personal data, otherwise disposing of personal data. Inaccurate personal data can only be processed within the limits of § 3 (6). 11) Inaccurate personal data shall be marked. The controller shall transmit the information on the blocking, repair, replenishment or destruction of personal data to all recipients without undue delay,
(d) collect personal data corresponding only to the intended purpose and to the extent necessary to fulfil the intended purpose;
(e) keep personal data only for as long as is necessary for the purpose of processing them. Upon expiry of this period, personal data may be stored only for the purposes of the national statistical service, for scientific and archiving purposes. When used for this purpose, the right to protection against unauthorised interference in the personal and private life of the data subject should be respected and personal data anonymised as soon as possible,
(f) to process personal data only in accordance with the purpose for which they were collected. Personal data may be processed for another purpose only within the limits of the provisions of Paragraph 3 (6) or, if the data subject has given prior consent,
(g) collect personal data only openly; it is impossible to collect data under the pretext of any other purpose or activity;
(h) not to collect personal data obtained for different purposes.
(2) The controller may process personal data only with the consent of the data subject. Without that consent, he can process them,
(a) where it carries out the processing necessary for compliance with the legal obligation of the controller, 12)
(b) where processing is necessary for the performance of a contract to which the data subject is a party or for the negotiation of the conclusion or amendment of a contract made on a proposal from the data subject;
(c) where necessary to protect the vital interests of the data subject. In this case, its approval shall be obtained without undue delay. If the consent is not given, the controller must terminate the processing and dispose of the data;
(d) where the personal data lawfully disclosed are dealt with in accordance with specific legislation. 13) However, this shall be without prejudice to the right to protect the personal and private life of the data subject,
(e) where necessary for the protection of the rights and legally protected interests of the controller, the recipient or any other person concerned; however, such processing of personal data shall not be contrary to the right of the data subject to protect his or her private and personal life;
(f) where it provides personal data on a publicly active person, officials or servants of public administration which indicate his or her public or official activity, his or her functional or professional status; or
(g) in the case of processing exclusively for archiving purposes under a special law.
(3) If the controller conducts the processing of personal data under a special law, 12) he is obliged to observe the right to protect the personal and private life of the data subject.
(4) When giving consent, the data subject must be informed of the purpose of the processing and the personal data for which consent is given, the controller and for which period. The data subject's consent to the processing of personal data shall be demonstrated by the controller throughout the processing period.
(5) Where the controller or processor carries out the processing of personal data for the purpose of offering the trade or services of the data subject, the name, surname and address of the data subject may be used for this purpose, provided that such data have been obtained from a public register or in connection with its activities as controller or processor. However, the controller or processor may not further process the data if the data subject has opposed it. The non-consent of the processing shall be expressed in writing. Without the consent of the data subject, additional personal data may not be assigned to that data.
(6) A controller who processes personal data pursuant to paragraph 5 may only transmit such data to another controller subject to the following conditions:
(a) data of the data subject have been obtained in connection with the activities of the controller or are disclosed personal data;
(b) the data will only be used for the purpose of offering trade and services;
(c) the data subject has been informed in advance of this procedure by the controller and has not opposed it.
(7) Any other controller to whom the data referred to in paragraph 6 have been transmitted may not transmit such data to another person.
(8) The data subject shall express disagreement with the processing referred to in paragraph 6 (c) in writing. The controller shall inform any controller to whom it has transmitted the name, surname and address of the data subject that the data subject has opposed processing.
(9) In order to exclude the possibility of the name, surname and address of the data subject being repeatedly used for the offer of trade and services, the controller shall be entitled to further process, for his own account, the name, surname and address of the data subject, even if the data subject has expressed opposition pursuant to paragraph 5.
§ 6
Where the authorisation does not result from legislation, the controller must conclude a contract with the processor on the processing of personal data. The contract must be in writing. In particular, it shall specify to what extent, for what purpose and for what period, it is concluded and shall include the processor's guarantees on the technical and organisational security of personal data protection.
§ 7
The obligations laid down in Article 5 shall apply mutatis mutandis to processors.
§ 8
If the processor finds that the controller is in breach of the obligations laid down in this law, he shall be obliged to notify him immediately and to terminate the processing of personal data. If they do not do so, they shall be jointly and severally liable for damage to the data subject. This is without prejudice to his responsibility under this law.
§ 9
Sensitive data
Sensitive data can only be processed if:
(a) the data subject has given express consent for processing. The data subject shall be informed when giving consent of the purpose of the processing and the personal data to which consent is given, to which controller and for which period. The data subject's consent to the processing of personal data shall be demonstrated by the controller throughout the processing period. The controller shall be obliged to inform the data subject in advance of his rights under Sections 12 and 21,
(b) it is necessary in order to preserve the life or health of the data subject or of another person or to avert the imminent serious danger to their property, unless its consent can be obtained, in particular for reasons of physical, mental or legal incompetence, in the event that it is missing or for other similar reasons. The controller shall terminate the processing of the data as soon as the reasons set out have elapsed and shall dispose of the data unless the data subject has given his consent for further processing,
(c) it is processing in the provision of health care, protection of public health, health insurance and the pursuit of public administration in the field of health under the Special Law 15), or it is the assessment of health status in other cases provided for by the Special Law, 15a)
(d) processing is necessary for compliance with the obligations and rights of the controller responsible for processing in the field of labour law and employment, as laid down by special law, 16)
(e) processing which pursues political, philosophical, religious or trade union objectives, carried out in the framework of the legitimate activities of a civil society association, foundation or other legal person of a non-profit-making nature (hereinafter referred to as "association") and which only concerns members of the association or persons with whom the association is in repeated contact with the legitimate activity of the association, and personal data are not disclosed without the consent of the data subject;
(f) these are data under the special law necessary for the implementation of sickness insurance, pension insurance (insurance), state social support and other state social benefits, social welfare and social protection of children, and while ensuring the protection of such data in accordance with the law,
(g) processing relates to personal data disclosed by the data subject;
(h) processing is necessary to ensure and enforce legal claims; or
(ch) are processed exclusively for archiving purposes under a special law.
§ 10
When processing personal data, the controller and the processor shall ensure that the data subject does not suffer harm to his or her rights, in particular the right to preserve human dignity, and shall also ensure that the data subject is protected from unauthorised interference in the personal and private life of the data subject.
§ 11
(1) When collecting personal data, the controller shall inform the data subject of the extent to which and for what purpose the personal data will be processed, who and how the personal data will be processed and to whom the personal data may be made available if the data subject is not already aware. The controller shall inform the data subject of its right of access to personal data, the right to rectify personal data, as well as other rights set out in Section 21.
(2) Where the controller processes personal data obtained from the data subject, the data subject shall instruct the data subject whether the provision of personal data is mandatory or voluntary. Where a data subject is required under a special law to provide personal data for processing, the controller shall inform him of this fact as well as of the consequences of the refusal to provide personal data.
(3) The information and information referred to in paragraph 1 shall not be required by the controller in cases where he has not obtained personal data from the data subject where:
(a) processing personal data solely for the purpose of carrying out a national statistical service, scientific or archival purposes and providing such information would require disproportionate efforts or excessive costs; or where the storage on media of information or disclosure is expressly provided for by a special law. In such cases, the controller shall take the necessary measures to prevent unauthorised interference in the personal and private life of the data subject,
(b) the processing of personal data is imposed on him by a special law or is necessary for the exercise of the rights and obligations arising from special laws;
(c) processing exclusively lawfully disclosed personal data; or
(d) process personal data obtained with the consent of the data subject.
(4) The prior provisions shall be without prejudice to the right of the data subject to request information under specific laws. 18)
(5) When processing personal data pursuant to Articles 5 (2) (e) and 9 (h), the controller shall inform the data subject of the processing of his personal data without undue delay.
(6) Any decision of the controller or processor resulting in interference with the legal and law-protected interests of the data subject shall not be issued or made without verification solely on the basis of automated processing of personal data. This shall not apply where such a decision has been taken in favour of the data subject and at his request.
(7) The information obligation laid down in Article 11 may be imposed on the controller by the processor.
§ 12
Access to information by the data subject
(1) Where a data subject requests information on the processing of his or her personal data, the controller shall transmit that information to him without undue delay.
(2) The content of information is always a communication on:
(a) the purpose of processing personal data;
(b) personal data or categories of personal data which are the subject of processing, including any available information on their source;
(c) the nature of the automated processing in connection with its use for decision-making where, on the basis of such processing, acts or decisions involving interference with the rights and legitimate interests of the data subject are taken;
(d) beneficiaries or categories of beneficiaries, as appropriate.
(3) The controller has the right to require an adequate remuneration for the provision of information not exceeding the costs necessary for the provision of information.
(4) The controller's obligation to provide information to the data subject as set out in Section 12 may be met by the processor.
§ 13
Obligations of persons in the security of personal data
(1) The controller and processor are required to take such measures as to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transmission, any other unauthorised processing or other misuse of personal data. This obligation shall also apply after the processing of personal data has ended.
(2) The controller or processor is required to process and document the technical and organisational measures taken to ensure the protection of personal data in accordance with law and other legislation.
§ 14
Staff members of the controller or processor and other persons who process personal data under contract with the controller or processor may only process personal data under conditions and to the extent specified by the controller or processor.
§ 15
(1) The staff of the controller or processor, other natural persons who process personal data under contract with the controller or processor, and other persons who come into contact with personal data with the controller or processor in the course of the performance of the statutory authorisations and obligations, are obliged to maintain confidentiality of personal data and of security measures which would jeopardise the security of personal data. The obligation of confidentiality shall continue after the employment or work concerned has ceased.
(2) The provision of the previous paragraph is without prejudice to the obligation to maintain confidentiality under specific laws. 19)
(3) The obligation to maintain confidentiality does not apply to information obligations under specific laws. 20)
§ 16
Notification obligation
(1) Any person intending to process personal data as a controller or to change registered processing under this Act, with the exception of the processing referred to in Paragraph 18, shall notify the Office in writing before processing personal data.
(2) The notification shall contain the following information:
(a) the identity details of the controller, for a natural person who is not an entrepreneur, the name and, where applicable, the name, surname, date of birth and the address of the place of permanent residence, for another entity, the business name, registered office and identification number, if any, and the name of the persons who are their statutory representatives;
(b) the purpose or purposes of the processing;
(c) the categories of data subjects and personal data relating to those entities;
(d) personal data sources;
(e) a description of how personal data are processed;
(f) the place or places of processing of personal data;
(g) the beneficiary or categories of beneficiaries;
(h) intended transfers of personal data to other States;
(i) a description of the measures to ensure the protection of personal data pursuant to Article 13.
(3) Where the notification contains all the particulars referred to in paragraph 2 and the procedure provided for in Article 17 (1) is not initiated, the processing of personal data may be initiated after a period of 30 days from the date of receipt of the notification. In that case, the Office shall enter the information specified in the notification in the register.
(4) If the notification does not contain all the particulars referred to in paragraph 2, the Authority shall without delay send a notice to the notifier indicating the missing or insufficient information and setting a time limit for supplementing the notification. If the notification is supplemented, the period referred to in paragraph 3 shall begin to run on the date on which the notification is completed. In the event that the Authority does not receive the addition of the notification within the time limit set, it shall consider the notification made as if it had not been submitted.
(5) The Office shall, at the request of the controller, issue a certificate containing the date of the copy, the reference number, the name, the surname and signature of the person who issued the certificate, the stamp of the official stamp, the identity of the controller and the purpose of the processing.
(6) The procedure of the Office referred to in paragraphs 1 to 5 shall not apply to the administrative rules.
§ 17
(1) Where there is a reasonable concern from the notification that a breach of this law could occur when processing personal data, the Office shall initiate proceedings on its own initiative.
(2) If the Office finds that by the notified processing, the controller does not infringe the conditions laid down by this law, the proceedings shall be terminated and the registration provided for in Article 16 (3) shall be carried out. The processing of personal data may be initiated at the earliest the day following the entry. In the event that the notified processing does not fulfil the conditions laid down in this Act, the processing of personal data shall not be authorised by the Office.
§ 17a
(1) If the Office finds that the controller whose notification has been entered in the register is in breach of the conditions laid down by this Law, it shall decide to revoke the registration.
(2) If the purpose for which the processing has been registered has ceased to exist, the Office shall, on its own initiative or at the request of the controller, decide on the revocation of the registration.
§ 18
(1) The obligation to notify pursuant to Article 16 shall not apply to the processing of personal data,
(a) which are part of data sets publicly accessible under a special law;
(b) imposed by a special law on the controller or is necessary for the exercise of the rights and obligations under the special law; or
(c) where processing is carried out which pursues political, philosophical, religious or trade union objectives, carried out in the context of the legitimate activities of the association, and which only concerns members of the association or persons with whom the association is in repeated contact with the legitimate activities of the association, and personal data are not disclosed without the consent of the data subject.
(2) The controller who carries out the processing referred to in Article 18 (1) (b) must ensure that information, in particular concerning the purpose of the processing, categories of personal data, categories of data subjects, categories of recipients and retention periods which would otherwise be accessible through a register maintained by the Office under Article 35, is made available, including by remote access or other appropriate means.
§ 19
If the controller intends to cease his or her activities, he or she shall notify the Office without delay of how he or she has dealt with personal data where their processing is subject to a notification obligation.
§ 20
Disposal of personal data
(1) The controller or, on the basis of his instructions, the processor is obliged to carry out the destruction of personal data as soon as the purpose for which the personal data have been processed has elapsed or at the request of the data subject in accordance with Article 21.
(2) The special law provides for exceptions to the retention of personal data for archiving purposes and the exercise of rights in civil proceedings, criminal proceedings and administrative proceedings.
§ 21
(1) Any data subject who finds or believes that the controller or processor is processing his or her personal data which is contrary to the protection of the personal and personal life of the data subject or to the law, in particular if the personal data are inaccurate with regard to the purpose of processing it, may:
(a) request an explanation from the controller or processor;
(b) require the controller or processor to remove the situation thus created. In particular, this may include blocking, repair, supplementing or destruction of personal data.
(2) If the request of the data subject referred to in paragraph 1 is found to be justified, the controller or processor shall immediately remedy the defective state.
(3) If the controller or processor does not comply with the request of the data subject referred to in paragraph 1, the data subject shall have the right to contact the Office directly.
(4) The procedure referred to in paragraph 1 shall not preclude the data subject from contacting the Office directly with his or her initiative.
(5) Where the processing of personal data has caused the data subject damage other than property damage, the exercise of his or her right shall be carried out under a special law. 22)
(6) Where personal data have been processed in breach of obligations imposed by law on the controller or processor, they shall be jointly and severally liable for them.
(7) The controller shall inform the recipient without undue delay of the request of the data subject referred to in paragraph 1 and of the blocking, rectification, addition or destruction of personal data. This does not apply if informing the recipient is impossible or would require disproportionate efforts.
§ 22 to 24
cancelled
§ 25
Compensation
The general arrangements for liability for damage shall apply to matters not covered by this Act. 23), 24)
§ 26
The obligations laid down in paragraphs 21 to 25 shall apply mutatis mutandis to persons who have collected personal data unduly.

CHAPTER III

TRANSMISSION OF PERSONAL DATA
§ 27
(1) The free movement of personal data cannot be restricted if the data are transmitted to a Member State of the European Union.
(2) Personal data may be transferred to third countries if the prohibition on the free movement of personal data results from an international agreement for which Parliament has given its consent and which the Czech Republic is bound, 1a) or is transmitted by decision of the European Union institution. The Office shall publish information on these decisions in the Bulletin.
(3) Where the condition in paragraphs 1 and 2 is not met, the transfer of personal data may take place if the controller proves that:
(a) the transmission of the data takes place with the consent or following an order from the data subject;
(b) in the third country where personal data are to be processed, sufficient specific safeguards are established for the protection of personal data, for example through other legal or professional provisions and security measures. Such guarantees may be specified in particular by a contract concluded between the controller and the beneficiary, provided that such a contract ensures the application of those requirements or that the contract contains contractual clauses for the transfer of personal data to third countries published in the Office's Bulletin,
(c) personal data which, by virtue of a special law, are part of the data files made publicly available or accessible to the person showing the legal interest; in that case, personal data may only be made available to the extent and under the conditions laid down by the Special Act;

Regulation Information

Citation: Full text of Act No. 525 / 2004 Coll., Act No. 101 / 2000 Coll., on the Protection of Personal Data and on the Amendment of Certain Laws, as resulting from subsequent amendments
Regulation Type: Declared full text
Author: -
Collection: Code of Laws
Date of Promulgation: 13.10.2004
Effective from: -
Effective until: -
Status: Valid
The regulation text is for informational purposes only.