Last review date: 15 January 2025
Yes.
☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒ obligation to take specific security measures e.g., encryption
Not a strict legal requirement, but encryption is considered by the GDPR as an appropriate technical and organizational measure. In practice, the authorities expect encryption unless specific circumstances justify no encryption.
☒ requirement to undertake third party due diligence (security assessment of third party providers)
Not a strict legal requirement, but under Art. 28 GDPR, data controllers must only use processors providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the GDPR requirements. Thus, due diligence of a third party (especially of a processor) is strongly recommended as the data controller may be held liable in case of breach of the data protection requirements.
Last review date: 15 January 2025
☒ network information security requirements (broader than telecommunications)
☒ health regulatory requirements
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
☒ digital or connected (IoT) products
Last review date: 15 January 2025
☒ Data privacy
☒ network information security
☒ other
Last review date: 15 January 2025
Yes.
"Personal data breach" under the GDPR means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Last review date: 15 January 2025
☒ data protection authorities
Under the GDPR controllers are obligated to notify the Office for Personal Data Protection
- in case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
- without undue delay and, where feasible, not later than 72 hours after having become aware of it
☒ affected individuals
Under the GDPR controllers are obligated to notify the affected individuals
- without undue delay
- if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless any of the following conditions are met:
- the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption; or
- the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize.
☒ other
According to the GDPR, there shall be public communication or similar measure whereby the data subjects are informed in an equally effective manner (instead of informing the data subjects) if the communication to the data subject would involve disproportionate effort. Public communication shall also be made without undue delay.
Last review date: 15 January 2025
☒ controller/ owner
- in case of a personal data breach irrespective of a risk to the rights and freedoms of the data subjects
- without undue delay after becoming aware of it, and within the period specified in the data processing agreement, if applicable
Last review date: 15 January 2025
Yes.
☒ cybersecurity authorities
☒ health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure
Details regarding the identified data security breach notification requirements
Electronic Communications
According to the Czech Electronic Communications Act, in case of a personal data breach the GDPR should be followed.
Additionally, a person providing a public communications network or a publicly available electronic communications service shall be obliged to immediately notify a serious breach of security and the loss of network integrity to:
- the Czech Telecommunications Office;
- entities operating as centers for receiving emergency calls; and
- users of the particular publicly available electronic communications service.
Cybersecurity incidents
Certain entities (in particular providers of critical infrastructure, operators of essential services and digital service providers) are required to report a cyber-security incident to the National Cyber and Information Security Agency and/or national CERT without a delay after the incident has been detected. Additionally, it is recommended (though not obligatory) to report a cyber security occurrence.
Medical Devices
Certain entities (in particular manufacturers, authorized representatives, importers, distributors, health care providers, service providers, dispensers and sellers) are obliged to notify the State Institute for Drug Control of an adverse event that arises in connection with the use of a medical device or in vitro medical device within the specified deadlines dependent on the type of the event.
Importers, distributors, health care providers, service providers, dispensers and sellers are furthermore obligated to report such adverse event to the manufacturer or the authorized representative.
Medicinal Products
A marketing authorization holder is in particular obligated to make available all suspected adverse reactions of medicinal products in the EudraVigilance database. A medical doctor, pharmacist or other healthcare professional who has suspected a serious or unexpected adverse reaction or other facts related to the use of a medicinal product which are serious to the health of patients must, inter alia, notify the State Institute for Drug Control.
Payment Services
The persons authorized to provide payment services shall notify the Czech National Bank of a serious security or operational incident in the field of payments without undue delay after its discovery.