DPOs and Notification Requirements
Is the concept of data protection officer (DPO) recognized in the jurisdiction?

Last review date: 15 January 2025

Yes.

Are there circumstances in which it is mandatory to appoint a DPO or similar position?

Last review date: 15 January 2025

Yes.

If yes, under what circumstances?

☒       the processing is carried out by a public authority or body, except for courts acting in their judicial capacity

☒       the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale

☒       the core activities of the controller or the processor consist of processing on a large scale of special categories of data

Where a DPO is appointed, does the DPO have to meet specific requirements?

Last review date: 15 January 2025

Yes.

If yes, what are these requirements?

☒       other professional qualifications / experience

The DPO shall be designated on the basis of professional qualities and expert knowledge in data protection law and practices. According to the available guidelines, the DPO's relevant skills and expertise shall include:

  • expertise in national and European data protection laws and practices, including an in-depth understanding of the GDPR;
  • understanding the processing operations carried out;
  • understanding the information technologies and data security;
  • knowledge of the business sector and the organization; and
  • ability to promote a data protection culture within the organization.

The required level of skills and expertise has to be evaluated on a case-by-case basis and results from the risk inherent in the respective processing activities.

Are there obligations to notify, submit filings to, register with or obtain approval from local data protection authorities to collect and/or process personal data generally?

Last review date: 15 January 2025

No, there are no such requirements in order to generally collect and/or process personal data.

However, in specific circumstances, a notification, registration or other submission with the data protection authority might be required, such as:

  • a consultation with the data protection authority prior to the processing, where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk (Art. 36 GDPR);
  • a notification to the data protection authority where the data subjects' rights shall be limited in compliance with the Act on Processing of Personal Data (Sec. 11 of the Act on Processing of Personal Data);
  • an approval or other action relating to a certain mechanism for international data transfer (Art. 44 et seq. GDPR); and
  • communication of the DPO's contact details (Art. 37 GDPR).