Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

Last review date: 15 January 2025

The Czech Republic has one central data protection authority, the Office for Personal Data Protection, and one central cybersecurity authority, the National Cyber and Information Security Agency.

In the context of non-personal data, the Section for European Affairs of the Office of the Government of the Czech Republic (reachable specifically at the e-mail address digiczech@vlada.cz) is designated as the national information and contact point in the Czech Republic.

How active is each of the regulator(s)?

Last review date: 15 January 2025

Moderately active

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

Last review date: 15 January 2025

Jointly with other European authorities, the Office for Personal Data Protection plans to investigate in 2025:

  • the practical application of the right of data subjects to have their personal data erased under Article 17 of the GDPR,
  • in view of the increasing number of complaints and submissions relating to the exercise of data subject rights, the correct handling of requests from data subjects to exercise their rights in general,
  • in this context, checks will focus in particular on whether, for example, the relevant communication channels are correctly defined, whether the process for handling individual data subject requests is correctly set up, and whether the whole process of assessing requests is properly documented.

We expect that the National Cyber and Information Security Agency will focus predominantly on legislative, educational and guidance tasks rather than on enforcement. This position could start to change after the implementation of the NIS2 Directive. Some of the non-enforcement priorities of the Agency for 2025 are described in the national cybersecurity strategy (available in Czech here).

What trends are you seeing in regulatory investigations relating to data & cyber?

Last review date: 15 January 2025

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

  • Rare
  • Staying the same

Class actions/group actions under data or cyber regulation are:

  • Not available in the jurisdiction

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

Last review date: 15 January 2025

There are:

☒       administrative remedies / civil penalties applied by regulators and law enforcement

Under the GDPR these can amount to up to EUR 20 million or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Under the Information Society Services Act, which regulates electronic marketing, these can amount to up to CZK 10 million (approx. EUR 400.000).

Further administrative fines can be imposed under other sector-specific and cybersecurity laws. Other non-monetary sanctions (including warnings, reprimands, orders to comply, temporary or definitive limitation or bans on processing, and orders to suspend data flows) are also possible.

☒       criminal penalties from regulators and law enforcement

Sec. 180 of the Czech Criminal Code defines and penalizes the illicit disposal of personal data as follows:

  • whoever, even negligently, wrongfully publishes, communicates, makes available, or otherwise processes or misappropriates personal data gathered on another person in connection with the exercise of public competence and thereby causes serious detriment to the rights or rightful interests of the person to whom the collected data relate; and
  • anyone who, even negligently, breaches a state-imposed or state-recognized duty of confidentiality by wrongfully publishing personal data obtained in connection with performing their occupation, profession or function and thereby causes serious detriment to the rights or rightful interests of the person to whom the personal data relate.

In both cases the perpetrator shall be sentenced to imprisonment for up to three years or to prohibition of activity. The imprisonment may be even longer depending on the severity of the damage and the means of illicit disposal of the personal data.

☒       private remedies

Individuals may, for example:

  • file complaints with the data protection authority
  • claim compensation for material or non-material damage

If data subjects have private remedies, what form can these remedies take?

Last review date: 15 January 2025

☒       individual personal actions

☒       representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)