Personal data protection in the Czech Republic is regulated by statute, namely Act No. 101/2000 Coll., on the Protection of Personal Data and on Amendments to Certain Acts, together with other legislation. In Czech constitutional law, the protection of personal data and privacy is also enshrined in the Charter of Fundamental Rights and Freedoms.
The right to protection of personal data is also regulated by supranational legally binding instruments. The basic supranational instrument is Council of Europe Convention No. 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, promulgated under No. 115/2001 Coll., which entered into force for the Czech Republic on 1 November 2001. This Convention is supplemented by the Council of Europe Additional Protocol No. 181 of 8 November 2001 to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows, promulgated under No. 29/2005 Coll., which entered into force for the Czech Republic on 1 July 2004.
From the point of view of the European Union, the foundation for the protection of persons is the Treaty on the Functioning of the European Union, as amended by the Treaty of Lisbon, and the Charter of Fundamental Rights of the European Union. The legal regulation is based on Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Because the Directive has not kept pace with technological developments, it will be replaced from 25 May 2018 by the General Data Protection Regulation (GDPR). The Czech Act on the Protection of Personal Data will likewise be replaced by the GDPR and the Czech Adaptation Act.
The GDPR is a legal framework for the protection of personal data across the EU that protects the rights of its citizens against unauthorized handling of their personal data. The GDPR takes over all existing data protection and processing principles on which the EU's privacy system stands and confirms that protection travels across borders along with the personal data.
From May 25, 2018, the General Data Protection Regulation (GDPR) adds new obligations:
Records of processing activities – applies to all – every organisation will need to keep track of the activities it carries out with personal data.
Reporting of security breaches – applies to all – the second generally applicable obligation is to report personal data breaches to the Office for Personal Data Protection within 72 hours of the incident occurring. Serious incidents with serious consequences are to be reported. If a data leak occurs, for example, at a bank where you have money deposited and you might be at risk of losing it, the bank will be required to notify you and, in extreme cases, also to report such a serious incident publicly.
Codes of conduct and certification – voluntary – if several entities, such as businesses in the same sector, perform the same or very similar activities with personal data, a code of conduct may be developed, for example by a professional association.
Data Protection Officer – only some – authorities and other bodies that decide on citizens' rights, including schools, will have to appoint a data protection officer: a person who deals with this issue and draws attention to potential shortcomings. The officer is expected to understand personal data protection in the relevant industry. The officer may be either an employee or an outsider. It is quite possible for one officer to perform this role for several offices, schools and hospitals; hospitals will also have the duty to appoint an officer because of the large amount of data on patients' health status held in the hospital information system. However, the officer cannot be the head of the organisation or the head of the IT department, because that would be a conflict of interest.
Impact assessment and consultation with the Authority – only some – like the appointment of an officer, the data protection impact assessment and prior consultation with the Office for Personal Data Protection are not generally applicable. They concern those who intend to carry out large-scale, high-risk operations with personal data, such as large-scale profiling of people via the Internet, where detailed information about their private life is gathered for marketing purposes, or where the risk lies in the use of new technologies, such as processing a large amount of patient health data. The list of these operations will be published by the Office for Personal Data Protection.
Penalties – always proportionate – breaches of the General Regulation's obligations in high-volume, high-risk processing operations, generally by large multinationals, may be subject to the maximum sanctions. Possible sanctions for breach of the obligations of the General Regulation will otherwise be proportionate and in no case may they be ruinous.