Effective as of the end of April 2019, the Act on Data Processing (Act No. 110/2019 Coll.) introduces the long-awaited adaptation of the GDPR regulation into Czech law. Since the provisions of the GDPR are directly applicable, the act resembles a “filling of gaps” rather than a complex regulation.
In accordance with the GDPR, the act establishes a public authority responsible for data processing. As expected, the Data Protection Office (in CZ: “Úřad pro ochranu osobních údajů”) will continue to fill the role and exercise general supervisory powers. In addition, the responsibilities of the Data Protection Office will be extended to the right of information, where the office will act as an ex-traordinary appeal body. The office will further undergo certain organizational changes.
The act further establishes additional obligations of the personal data administrators and proces-sors and additional rights of the data subjects on top of GDPR. Based on the ECJ case law, it estab-lishes the “right to be forgotten”. On the other hand, the act implements the acceptable excep-tions from the GDPR – it adds additional reasons and options of data processing in specific cases of public interest (public security, defense) and in relation to the journalist licence.
As a part of the GDPR implementation certain acts, which regulate data processing in relation to the investigation and prevention of serious criminal activities, namely the Act on Czech Police and the Act on Civil Aviation, were also amended. The amendments establish, in particular, new rules for the processing and transfer of data from the passenger name records.