GDPR in the Czech Republic – a Retrospective
Earlier in March 2019, the Czech Republic approved legislation incorporating General Data Protection Regulation (GDPR) provisions from the European Union level.
GDPR aimed to create harmonized personal data processing standards across EU Member States. While countries could request derogations only in specific circumstances, they had to ensure national regulations complied with GDPR regarding matters like freedom of speech and information rights.
Key Czech Derogations
The Czech Data Processing Act included several important modifications:
Age of Consent: “A child can validly consent to personal data processing for specific purposes if he or she is at least 15 years of age” regarding remote electronic services like social media accounts.
Restricted Rights: The legislation permitted limitations on individual rights under GDPR Articles 12-22 when necessary to protect interests including national defense, public order, crime investigation, judiciary independence, and other significant public concerns.
Special Protections: Data controllers received exemptions for journalistic, academic, artistic, and literary purposes involving personal data processing.
Public Authority Exemptions: Public authorities and bodies were fully exempt from administrative penalties.
Prior Consent: Any consent given under previous legislation qualified as GDPR consent provided it met GDPR standards, defined as “freely given, specific, informed and unambiguous indication of the data subject’s wishes.”
Implementation Framework
The Data Processing Act addressed only issues delegated to Member States or outside GDPR’s scope. GDPR itself governs the rights and obligations of data subjects, controllers, and processors.