I. Legal framework
On 1 May 2004, the Czech Republic joined nine other countries in entering the European Union (EU), formally linking itself to the EU and to the EU regulatory framework for data protection.1 In preparation for accession, the Czech Republic enacted a new act on "Personal Data Protection" (the Personal Data Protection Act or the Act), which went into effect on 1 June 2000.2 The Act replaced the 1992 Act on Protection of Personal Data in Information Systems.3 The Act implements the requirements of the EU Data Protection Directive 1995/46/EC, granting exceptions from several key provisions to the police and intelligence services in matters of public and national security in accordance with the directive.4 Data controllers were required to register their processing systems and fully comply with the Act by 1 June 2001. A May 2001 amendment exempted political parties, churches, sports clubs, and other civic organisations engaged in standard and legitimate activities from some of the Act's requirements, such as registering their data processing activity or obtaining consent of individuals before collecting personal information.
A June 2004 amendment to the Act on Personal Data Protection completed harmonisation with EU Data Protection Directive 1995/46/EC.5 The amendment refines certain terms, as well as introducing new terms in accordance with the EU Directive. The amendment includes terms regulating the granting of consent for personal data processing, the relationship between data controllers and data subjects, the notification duty of controllers, and indemnification of data subjects for breaches of duty committed by data controllers or data processors.6
In 2007, an emphasis was placed on data security, and an amendment to the Act on Personal Data Protection introduced more detailed rules on risk assessment and security measures that must be adopted before the commencement of personal data processing.7 In 2009, a widely discussed amendment8 specifically provided for the protection of recordings of intercepted telecommunications gathered in the course of criminal proceedings.9
Privacy is also largely protected by the Penal Code.10 It covers the infringement of the right to privacy in the definitions of criminal acts consisting of infringement of the home,11 slander,12 unauthorised use of personal data (collected either on the basis of sectorial acts by state authorities or by controllers or processors),13 infringement of the confidentiality of mail,14 and infringement of the confidentiality of information "kept in privacy" (this is a newly introduced crime compared to the previous Penal Code).15
In addition to the Penal Code, several other Czech laws also regulate certain specific aspects of data processing activities. These laws concern statistics, medical personal data, banking law, taxation, social security, and police data.
Data protection authority
The Act also established an Office for Personal Data Protection (OPDP) as an independent oversight body.16 The Office is responsible for supervising the implementation of the Act; maintaining a register of databases; investigating complaints; imposing fines for violations; conducting audits and providing consultations on data protection; and commenting on legislative proposals. Igor Němec, the President of the OPDP, was appointed to a five-year term that began 1 September 2005 and reappointed in 2010. The President of the Czech Republic also appointed seven independent inspectors, each position carrying a ten-year term.
During 2007, the OPDP received 574 complaints and petitions. The number of complaints in 2007 increased by 21 percent compared to 2006.17 Two-thirds of these complaints were dismissed as unjustified, a rate that's comparable to 2006.
The OPDP also commenced 35 investigations in 2007.18 Inspections were aimed at telecommunications carriers, media outlets, police, financial institutions such as banks and credit lenders, transportation authorities, law offices, city and municipality bodies, retail chains, Internet business, schools, and social and health care facilities. The OPDP imposed administrative fines in the total amount of CZK4,668,500 (approximately €191,270) pursuant to the Code of Administrative Procedure.19
Many 2006 complaints continued to refer to excessive utilisation of birth certificate numbers based on an incorrect opinion that a birth certificate number is an absolute identifier of a natural person and is thus a natural supplement to the name. An attempt to improve this practice was brought about in 2004 by the adoption of an amendment to Act No. 133/2000 Coll. on Register of Population and Birth Numbers, through Act No. 53/2004 Coll. The Amendment to the Act on Register of Population and Birth Numbers imposed supervisory duties on the OPDP in the area of management of birth certificate numbers.20 The Amendment's detailed new rules concerning the use of birth certificate numbers came into effect 1 January 2006. Article 13c(1)(c) prohibits the use of birth certificate numbers in the private sphere unless the number holder has given free and informed consent. Article 13(1)(a) of the Act continues to grant authorisation to State administrative bodies to use the birth certificate number as an identifier. Despite this measure, however, the OPDP noted that it was still common to treat the birth certificate number as a unique identifier.21
Complaints also followed similar patterns as in the past, including lack of awareness by controllers of their notification duties under the Personal Data Protection Act, unclear sources of data used to address clients in direct marketing, excessive use of birth certificate numbers, inappropriate copying and retention of personal documents, and publishing of lists of debtors as a method of extracting payment for debts.
Although the situation in 200822 could indicate slowly rising awareness among the public – 697 complaints and two-thirds of them being dismissed – 200923 brought 879 complaints but more than four-fifths of them were dismissed. The number of investigations has increased from 112 in 2008 to 143 in 2009. In addition, the OPDP dealt with 1,458 complaints regarding unsolicited commercial communications (and investigated 155 cases) in 2008 compared with 2,261 complaints (and 145 cases investigated) in 2009.
Beginning in 2004, the Control Department of the Office for Personal Data Protection, as a rule, no longer addressed the entity against which the petition was aimed. Where the circumstances indicate that a criminal offense was committed, the matter is promptly submitted to the bodies actively engaged in criminal proceedings, and then the Control Department further cooperates with these bodies. The department continues to fully engage in resolving these issues within its responsibility until the criminal proceedings are closed.24
In the course of supervision, the OPDP followed the principle that, as a rule, the identity of the complainant is not disclosed to third persons in the framework of the relevant enquiries; his or her identity is revealed only when necessary and after obtaining his or her consent. The Control Department also does not refuse to handle anonymous complaints.
A financial penalty for proven misconduct usually accompanies remedial and indemnification measures and it facilitates remediation of the defective state of affairs in the course of the OPDP's supervisory activities. The Personal Data Protection Act distinguishes between misconduct of controllers and processors, who are liable to a fine of up to CZK10 million (€410,000) – CZK20 million (€820,000) for repeated torts – and misdemeanours of natural persons, which are subject to a fine of up to CZK100,000 (€16,300). Natural persons acting as controllers or processors are subject to a fine of up to CZK5 million (€205,000). The Act does not stipulate the applicable amount of fines for individual torts where civil liability (sued in a court proceeding) would apply; however, consideration must always be taken of the general criteria stipulated by the act, including the nature, seriousness, and manner of conduct, degree of fault, duration, and consequences of the misconduct.25
As of 31 December 2007, the OPDP consisted of 92 employees.26 The increase in the number of employees was to enable the OPDP to become fully involved in Schengen cooperation.27 In January 2006, the Department of Complaints and Consultations was established to improve public services. The new Department was charged with responding to telephone inquiries, providing personal consultations, responding to electronic petitions, and assessing complaints. In most cases, the Department was able to respond to inquiries within half of the statutory 30-day deadline.28 At the end of 2009, the OPDP employed 95 employees.29
The OPDP actively engages in making the relevant information about its activities public. The OPDP holds regular press conferences. It also publishes two journals: the official one (five issues per year) includes positions of the OPDP and European documents relevant to personal data protection. A quarterly is designed for the public at large. It provides information on the OPDP's activities, as well as worldwide news concerning personal data protection.30
At the end of 2004, a campaign for citizens was launched. It involved publishing leaflets related to the Act on Personal Data Protection, rights and responsibilities of data subjects, and risks that they ought to prevent. About 300,000 issues were distributed (to the regional and local administrative bodies and high schools – with the cooperation of the Ministry of Education). TV, radio stations, and newspapers supported the campaign. The OPDP also cooperated with media (354 publications and broadcasting items through the year 2004).31
The OPDP reported some gain in public awareness in 2005, illustrated in the increased number of complaints and inquiries since 2004, as well as increased media coverage. Nonetheless, the OPDP still concluded that overall awareness among controllers and the general public was largely uncultivated.32
In 2006 the OPDP again focused on raising public awareness of personal data protection. The OPDP acted as co-authors in a 13-part television series on the subject titled Ignorance does not excuse. Everyone has secrets. An audience of 160,000 to 310,000 viewed the series. The OPDP's conclusion was somewhat more optimistic in 2006. Citing higher numbers of complaints, consultations, and requests for assistance, the OPDP believed that public awareness of data privacy was constantly increasing33 and statistical data for 2008 and 2009 partially endorsed the tendency, although the unexpectedly higher rate of dismissed complaints in 2009 could mean that the general public might have been overestimating its rights.34
In addition to its supervisory activities, the OPDP focuses on communication and education programmes. The OPDP launched an educational programme called "Protection of Personal Data in Education", supported by the Ministry of Education, Youth, and Sports in 2007; 2009 was the third consecutive year in the framework of further training of pedagogical workers.35
Positive feedback from the campaign aimed at young children accompanied with the competition "My privacy! Don't look, don't poke about!" should emerge as a completely new project in 2011. Similarly, the OPDP also tries to disseminate information on privacy rights among seniors in cooperation with Charles University.36
Major privacy and data protection case law
The relevant case law concerning privacy and data protection is discussed infra in the text and categorised under the corresponding section.37
- 1. Official Journal of the European Union, Vol. 4 L 168, 1 May 2004, available at http://eur-lex.europa.eu/JOHtml.do?uri=OJ:L:2004:168:SOM:EN:HTML.
- 2. Act No. 101/2000 Coll. on Personal Data Protection, available at http://www.uoou.cz/uoou.aspx?menu=4&submenu=5&lang=en.
- 3. Act No. 256/1992 Coll. on Protection of Personal Data in Information Systems.
- 4. Directive 1995/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 24 October 1995, OJ L 281, 23 November 1995, at 31–50, available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:E....
- 5. Act No. 439/2004 Coll.
- 6. Office for Personal Data Protection Annual Report 2004, at 31, available at http://www.uoou.cz/files/rep_2004.pdf.
- 7. Act No. 170/2007 Coll.
- 8. Act No. 177/2008 Coll.
- 9. See "Wiretapping, access to, and interception of communications," infra.
- 10. Act No. 40/2009 Coll., the Penal Code (effective since 1 January 2010).
- 11. Id., at Section 178.
- 12. Id., at Section 184.
- 13. Id., at Section 180.
- 14. Id., at Section 182.
- 15. Id., at Section 183.
- 16. Office for Personal Data Protection, at http://www.uoou.cz/.
- 17. Office for Personal Data Protection Annual Report 2007, at 36, available at http://www.uoou.cz/files/rep_2007.pdf.
- 18. Id.
- 19. Id., at 26.
- 20. Email from Karel Neuwirt, the President of the Office for Personal Data Protection, to Ula Galster, International Policy Fellow, Electronic Privacy Information Center, 18 May 2005 (on file with EPIC). See also Office for Personal Data Protection Annual Report 2004, supra at 4.
- 21. Office for Personal Data Protection Annual Report 2006, at 39, available at http://www.uoou.cz/files/rep_2006.pdf.
- 22. Office for Personal Data Protection Annual Report 2008, available at http://www.uoou.cz/files/rep_2008.pdf.
- 23. Office for Personal Data Protection Annual Report 2009, available at http://www.uoou.cz/files/rep_2009.pdf.
- 24. Office for Personal Data Protection Annual Report 2006, supra at 39.
- 25. Act No. 101/2000 Coll., supra at Section 46.
- 26. Office for Personal Data Protection Annual Report 2007, supra at 62.
- 27. Resolution of the Government of the Czech Republic No. 633 of 11 June 2007.
- 28. Office for Personal Data Protection Annual Report 2006, supra at 29.
- 29. Office for Personal Data Protection Annual Report 2009, supra at 71.
- 30. Office for Personal Data Protection Annual Report 2007, supra at 59.
- 31. Office for Personal Data Protection Annual Report 2006, supra at 9.
- 32. Office for Personal Data Protection Annual Report 2005, at 2, available at http://www.uoou.cz/files/rep_2005.pdf.
- 33. Office for Personal Data Protection Annual Report 2006, supra at 34.
- 34. Office for Personal Data Protection Annual Report 2009, supra.
- 35. Joint press release of the Chairman of the Article 29 WP and the President of the Office for Personal Data Protection in the Czech Republic within the framework of the European awareness campaign on Internet and minors, 8 March 2009, available at http://www.uoou.cz/files/wp29_statement.pdf. See also Section "Online youth safety," infra.
- 36. Office for Personal Data Protection Annual Report 2009, supra at 65.
- 37. Cfr. "National databases for law enforcement and security purposes," "Bodily Privacy," "Health & Genetic Privacy," infra in this Report.