On March 12, the Czech Chamber of Deputies approved two bills adapting Czech law to the EU General Data Protection Regulation — the Data Protection Act and the Accompanying Act. This comes more than nine months after the GDPR came into effect. The bills will now be presented to President Miloš Zeman for his signature.
The Data Protection Act fully replaces the current Czech Data Protection Act and includes several local derogations and exceptions (primarily for public authorities). The act also includes provisions on the constitution and powers of the Czech Data Protection Office. In addition, it transposes Directive 2016/680, which regulates the processing of personal data related to preventing and investigating crimes and regulates the processing of data while ensuring the defense and security mechanisms of the Czech Republic. The Accompanying Act affects and amends more than 30 laws in connection with the GDPR and Directive 2016/680.
There were extensive discussions about the acts in the Chamber of Deputies, and the deputies discussed more than 30 amending proposals. The bills were also returned by the Senate with proposed amendments that were (in the case of the Data Protection Act but not in the case of the Accompanying Act) approved by the Chamber of Deputies.
The approved bills bring about a few important changes (besides legislative-technical changes), mainly:
- Broad exceptions for the processing of personal data for compatible purposes in cases of public interest and where the controller is subject to a legal obligation.
- Broad possibilities for restricting data subjects’ rights in matters of public interest and regarding the enforcement of private claims.
- The possibility of processing national identification numbers (birth certificate number) for the enforcement of private claims.
- The possibility of informing data subjects online (via the publication of information on the internet), if the processing of data is based on law and in the public interest.
- The exceptions for processing personal data for scientific or historical research or statistical purposes.
- The possibility for controllers to inform data subjects of corrections, limitations and liquidation of data just by an update of initial records in some instances.
- A definition of public subjects who are obliged to name a data protection officer.
Most importantly, the deputies have completely abolished fines for all public authorities and bodies. The scope of this wide exception remains to be interpreted, but it will most likely cover all governmental bodies, ministries, municipalities, schools, public hospitals, and other controllers and processors established by a legal act for the fulfillment of duties in the public interest. In addition, the Czech Data Protection Office is, as a general rule, allowed to drop minor offenses without initiating formal proceedings and without notifying the person concerned.
Among other things, the deputies did not approve the widely discussed lowering to 13 years of the age below which the consent of a legal representative is required for using online services. In the end, the age limit for children’s consent is raised to 15 years.
A barely visible but important change is the extension of the authority of the Czech Data Protection Office. According to the Accompanying Act, the office has gained new powers in the area of free access to information. Among other things, the office obtains a new power to issue a (directly enforceable) instruction to subordinate authorities to provide information (the change primarily affects Act 106/1999 Coll., on free access to information). The office would lead the review procedure concerning the provision of information and has been authorized to issue these kinds of orders. These provisions should come into effect from Jan. 1, 2020.
The act is now waiting for the signature of the president. With regard to this procedure, it is expected that the act will be approved and effective sometime in April 2019.