top of page

CZECH REPUBLIC - Data Protection and GDPR Review

The history of data protection in the Czech Republic follows a trajectory shaped by both national legislation and adherence to European Union (EU) directives and regulations. Here's an outline of the significant developments in data protection within the country:

Early Legislation (Pre-2000)

The Czech Republic has a history of protecting privacy that dates back to the Charter of Fundamental Rights and Freedoms of 1991, which recognized the protection of personal data as a fundamental right. However, detailed legislation on data protection was lacking during the early post-communist period.

Implementation of the EU Data Protection Directive

In alignment with the EU Data Protection Directive (Directive 95/46/EC) of 1995, the Czech Republic passed Act No. 101/2000 Coll., on the Protection of Personal Data in 2000. This act established the legal framework for data protection, governing how personal data should be processed, stored, and handled. It also led to the creation of the Czech Office for Personal Data Protection (UOOU) as an independent supervisory authority.

Adaptation to the Data Retention Directive

The Czech Republic implemented the EU Data Retention Directive (2006/24/EC) into its national law, but it faced legal challenges. The Czech Constitutional Court annulled certain provisions of the implementing legislation in 2011, declaring them unconstitutional. The court ruled that the law interfered disproportionately with individuals' privacy rights.

Preparing for GDPR

In the lead-up to the GDPR, the Czech Republic took measures to align its data protection framework with the new regulations. Changes in legal interpretations, administrative procedures, and a shift towards a more proactive approach to data protection were observed.

Implementation of the General Data Protection Regulation (GDPR)

The GDPR came into force across the EU, including the Czech Republic, on May 25, 2018. This regulation significantly strengthened data protection rules, giving individuals greater control over their personal data and imposing more stringent obligations on data controllers and processors.

To ensure compliance with the GDPR, the Czech Republic passed an implementing act (Act No. 110/2019 Coll.) on Processing of Personal Data. This act adjusted certain aspects of the GDPR to the national context, providing specific rules for areas like the processing of national identification numbers.

Post-GDPR Developments

Since the implementation of the GDPR, the Czech Office for Personal Data Protection has been actively monitoring and enforcing compliance. Fines and penalties have been imposed on organizations that failed to comply with the GDPR, and there has been an increased focus on awareness and education for both individuals and businesses.

The history of data protection in the Czech Republic has evolved from foundational principles to a sophisticated legal framework aligned with EU regulations. The country's journey towards robust data protection has involved significant legal reforms, adherence to EU standards, and ongoing efforts to enforce and educate about the rights and responsibilities under the law. As in other EU member states, the implementation of the GDPR marked a significant milestone, reflecting a broader commitment to protecting personal data and privacy rights.

Introduction to GDPR in the Czech Republic

The GDPR came into effect across the EU, including the Czech Republic, on May 25, 2018. To supplement and implement the GDPR, the Czech Republic passed Act No. 110/2019 Coll. on Processing of Personal Data.

Key Principles

The GDPR in the Czech Republic rests on the following key principles:

a. Lawfulness, Fairness, and Transparency

Data processing must be legal, fair, and transparent, with clear information provided to the data subject.

b. Purpose Limitation

Data should only be collected for specific and legitimate purposes and not processed further in a way incompatible with those purposes.

c. Data Minimization

Data collection should be limited to what is necessary for the intended purpose.

d. Accuracy

Data must be accurate and kept up-to-date.

e. Storage Limitation

Data must not be stored longer than necessary.

f. Integrity and Confidentiality

Data must be handled securely to prevent unauthorized access or loss.

Rights of Individuals

Individuals in the Czech Republic have several rights under the GDPR, including:

a. Right to Information

Individuals must be informed about how their data is collected and used.

b. Right to Access

Individuals can request information about the personal data held about them.

c. Right to Rectification

If data is incorrect or incomplete, individuals have the right to have it corrected.

d. Right to Erasure (Right to be Forgotten)

In certain circumstances, individuals can request that their data be deleted.

e. Right to Restriction of Processing

Individuals can request a halt to the processing of their personal data in specific situations.

f. Right to Data Portability

Individuals can request their personal data in a transferable format.

g. Right to Object

Individuals can object to the processing of their personal data for particular purposes, such as direct marketing.

Obligations of Organizations

a. Appoint a Data Protection Officer (DPO)

Certain organizations must designate a DPO to oversee GDPR compliance.

b. Conduct Data Protection Impact Assessments (DPIAs)

A DPIA is required when processing is likely to result in a high risk to individuals' rights and freedoms.

c. Implement Privacy by Design

Organizations must integrate data protection into the design phase of products and services.

d. Report Data Breaches

Data breaches must be reported to the Czech Office for Personal Data Protection (UOOU) within 72 hours of discovery.

Czech Office for Personal Data Protection (UOOU)

The UOOU oversees GDPR compliance and enforcement in the Czech Republic. It also provides guidance and hears complaints from data subjects.

Penalties for Non-Compliance

Non-compliance with GDPR can result in fines of up to €20 million or 4% of the global annual turnover, whichever is higher.

Conclusion and Recommendations

Compliance with the GDPR in the Czech Republic requires an understanding of both EU regulations and specific national legislation. It is advisable for organizations to seek legal advice, conduct regular audits, and stay informed about updates and best practices in data protection.


This guide offers a general overview, and laws and regulations may change. It is strongly recommended to consult with a legal expert or the UOOU for specific guidance tailored to your situation.


bottom of page