
Data Protection & Privacy in the Czech Republic

Data protection in the Czech Republic is governed directly by the General Data Protection Regulation (GDPR), supplemented by Act No. 110/2019 Coll. on Personal Data Processing (Zákon o zpracování osobních údajů), which adapts EU rules to Czech national conditions. For international businesses operating in the Czech Republic, non-compliance carries fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher. This article covers the legal framework, consent mechanics, DPO obligations, data breach procedures, cross-border transfer rules, and enforcement practice - giving decision-makers a structured roadmap for building defensible compliance in the Czech Republic.

The Czech legal framework: GDPR, Act No. 110/2019 and sector rules

The GDPR applies directly in the Czech Republic as an EU member state. It establishes the primary obligations for controllers and processors: lawful basis for processing, data subject rights, accountability, and security requirements. Act No. 110/2019 Coll. exercises the national margin of appreciation permitted by GDPR Article 6(2) and Article 9(4), setting specific rules for processing in employment, health, archiving, research and public interest contexts.

Act No. 111/2019 Coll. amended the Act on the Office for Personal Data Protection (Zákon o Úřadu pro ochranu osobních údajů), restructuring the supervisory authority - the Úřad pro ochranu osobních údajů (UOOU), or Office for Personal Data Protection - and aligning its investigative and sanctioning powers with GDPR Article 83. UOOU is the sole national supervisory authority for general data protection matters in the Czech Republic.

Sector-specific overlays matter significantly. The Electronic Communications Act (Zákon o elektronických komunikacích, Act No. 127/2005 Coll.) governs cookies and direct marketing, implementing the ePrivacy Directive. The Labour Code (Zákoník práce, Act No. 262/2006 Coll.) restricts employee monitoring and processing of employee personal data. The Health Services Act (Zákon o zdravotních službách, Act No. 372/2011 Coll.) imposes additional safeguards for health data processing.

A common mistake among international clients is treating the Czech Republic as a jurisdiction where GDPR alone is sufficient. The national acts create obligations that go beyond the GDPR text - particularly in employment and health contexts - and UOOU enforces both layers simultaneously.

Lawful basis and consent mechanics under Czech practice

GDPR Article 6 provides six lawful bases for processing personal data. In the Czech Republic, UOOU's enforcement practice and published guidance place particular scrutiny on consent and legitimate interest, the two bases most frequently misapplied by businesses.

Consent under GDPR Article 7 must be freely given, specific, informed and unambiguous. In the Czech Republic, this means:

  • Pre-ticked boxes or bundled consent clauses are invalid.
  • Consent obtained as a condition of service is presumptively invalid unless the processing is strictly necessary for the service.
  • Records of consent - including the mechanism, timestamp and version of the privacy notice - must be retained for the duration of processing plus the applicable limitation period.
  • Withdrawal must be as easy as giving consent; a single-click unsubscribe is the accepted standard for email marketing.

Legitimate interest under GDPR Article 6(1)(f) requires a three-part balancing test: identify the legitimate interest, assess necessity, and weigh it against the data subject's interests and fundamental rights. UOOU has issued guidance indicating that legitimate interest cannot be used as a default fallback when consent would be the appropriate basis. A non-obvious risk is that businesses relying on legitimate interest without documented balancing tests face enforcement action even where the underlying processing is substantively reasonable.

Act No. 110/2019 Coll., Section 6 permits processing of sensitive data categories in employment relationships without explicit consent where processing is necessary to fulfil legal obligations under Czech labour law. This is a meaningful national derogation: employers in the Czech Republic can process health data for sick leave administration without seeking separate GDPR Article 9 consent, provided the processing is limited to what Czech labour law requires.

For direct marketing by electronic means, the Electronic Communications Act requires prior opt-in consent from individuals (natural persons). Business-to-business marketing to corporate email addresses operates under a softer regime, but the line between individual and corporate addresses is frequently contested in practice.

To receive a checklist on lawful basis selection and consent documentation for the Czech Republic, send a request to info@vlo.com.

DPO obligations: when appointment is mandatory and what it means in practice

The Data Protection Officer (DPO) is a mandatory role under GDPR Article 37 in three situations: public authorities, organisations whose core activities require large-scale systematic monitoring of individuals, and organisations whose core activities involve large-scale processing of special category data. Act No. 110/2019 Coll. does not expand these categories for the Czech Republic, but UOOU's published positions clarify how 'large-scale' and 'core activities' are interpreted domestically.

In practice, the following types of Czech-registered or Czech-operating entities typically require a DPO:

  • Banks, insurance companies and financial intermediaries processing customer behavioural and credit data.
  • Healthcare providers and health insurance funds processing patient records.
  • Retail and e-commerce operators running loyalty programmes with systematic profiling.
  • Employers with continuous electronic monitoring of employees (keylogging, GPS tracking, call recording).

The DPO must have expert knowledge of data protection law and practice (GDPR Article 37(5)). UOOU does not certify DPOs, but it expects demonstrable competence. A DPO can be an employee or an external service provider. The DPO must be reachable by data subjects and UOOU, must not receive instructions regarding the exercise of DPO tasks, and must not hold a position that creates a conflict of interest - for example, serving simultaneously as the organisation's legal counsel on data processing decisions.

A common mistake is appointing a DPO nominally - placing the title on an existing IT or legal staff member without adjusting their role, authority or workload. UOOU has found in enforcement proceedings that nominal DPO appointments do not satisfy the independence requirement of GDPR Article 38(3). The practical consequence is that the organisation is treated as having no DPO at all, which triggers the full mandatory-appointment violation.

The DPO's contact details must be published and notified to UOOU. UOOU maintains a register of DPO notifications. Failure to notify is a procedural violation separate from the substantive DPO obligations.

For organisations that do not meet the mandatory threshold, voluntary DPO appointment is permitted and can be strategically valuable - particularly for businesses seeking to demonstrate accountability to enterprise clients or public sector customers in the Czech Republic.

Data breach response: the 72-hour rule and UOOU notification procedure

A personal data breach is defined in GDPR Article 4(12) as a security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. In the Czech Republic, the notification obligation under GDPR Article 33 requires controllers to notify UOOU within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

The 72-hour clock starts when the controller has reasonable certainty that a breach has occurred - not when the full scope is known. UOOU accepts phased notifications: an initial notification within 72 hours with available information, followed by supplementary notifications as the investigation progresses. This is a critical practical point: waiting until the investigation is complete before notifying will almost always result in a late notification violation.

The notification to UOOU must contain, to the extent available:

  • Nature of the breach and categories and approximate number of data subjects affected.
  • Name and contact details of the DPO or other contact point.
  • Likely consequences of the breach.
  • Measures taken or proposed to address the breach and mitigate its effects.

Where the breach is likely to result in a high risk to individuals - for example, exposure of financial data, health data, or authentication credentials - the controller must also notify affected data subjects directly under GDPR Article 34. The notification must be in plain language and must describe the nature of the breach and the steps individuals can take to protect themselves.

Processors must notify controllers without undue delay upon becoming aware of a breach (GDPR Article 33(2)). Czech law does not specify a fixed processor-to-controller notification window beyond 'undue delay,' but UOOU's enforcement practice treats delays exceeding 24 hours as problematic where the processor had sufficient information to notify earlier.

UOOU receives breach notifications through its online portal. The portal accepts Czech and English submissions. Notifications submitted in English are processed, but UOOU may request Czech translations of supporting documentation during investigation.

The risk of inaction is significant: a controller that fails to notify a reportable breach within 72 hours faces a fine of up to EUR 10 million or 2% of global annual turnover under GDPR Article 83(4), separate from any fine for the underlying security failure. In practice, UOOU has imposed fines in the range of hundreds of thousands of Czech crowns (CZK) for notification failures by mid-sized Czech businesses, with higher amounts for larger organisations or repeated violations.

To receive a checklist on data breach response procedures and UOOU notification requirements for the Czech Republic, send a request to info@vlo.com.

Cross-border data transfers: mechanisms and Czech-specific considerations

Transferring personal data from the Czech Republic to countries outside the European Economic Area (EEA) requires a valid transfer mechanism under GDPR Chapter V. The available mechanisms are:

  • Adequacy decision by the European Commission under GDPR Article 45 - currently covering countries including the United Kingdom (under a time-limited arrangement), Japan, South Korea, Canada (partially), and others. No additional transfer mechanism is needed for transfers to these destinations.
  • Standard Contractual Clauses (SCCs) adopted by the European Commission under GDPR Article 46(2)(c) - the most widely used mechanism for transfers to non-adequate countries. The current SCCs were adopted in June 2021 and replaced the prior sets. Controllers must use the 2021 SCCs for new contracts; legacy contracts using old SCCs should have been updated.
  • Binding Corporate Rules (BCRs) under GDPR Article 47 - approved by a lead supervisory authority and valid for intra-group transfers. UOOU can act as lead authority for BCR applications where the group's data protection lead has its EU establishment in the Czech Republic.
  • Derogations under GDPR Article 49 - available in specific situations such as explicit consent, performance of a contract, or compelling legitimate interests. UOOU treats Article 49 derogations as exceptional and not suitable for systematic or repetitive transfers.

A non-obvious risk in the Czech Republic arises from the transfer impact assessment (TIA) requirement established by the Court of Justice of the EU in the Schrems II judgment. Controllers using SCCs must assess whether the legal framework of the destination country provides adequate protection in practice. UOOU has aligned with the European Data Protection Board (EDPB) guidance on TIAs. Businesses that implemented SCCs after Schrems II without conducting a documented TIA are exposed to enforcement risk even if the SCCs themselves are formally in place.

Cloud services present a recurring challenge. Many Czech businesses use US-based cloud providers. The EU-US Data Privacy Framework (DPF), adopted in July 2023, provides an adequacy basis for transfers to certified US organisations. Controllers should verify that their specific US provider is DPF-certified and that the certification covers the categories of data being transferred. DPF certification is self-certified and must be renewed annually; a lapsed certification removes the adequacy basis.

Practical scenario one: a Czech e-commerce company transfers customer order data to a US fulfilment partner. If the partner is DPF-certified and the transfer covers only the data categories within the certification scope, no additional mechanism is needed. If the partner is not certified, SCCs with a documented TIA are required.

Practical scenario two: a Czech subsidiary of a multinational group transfers employee HR data to a parent company in a non-EEA country. BCRs are the most efficient long-term solution for systematic intra-group transfers. In the absence of BCRs, SCCs with a controller-to-controller or controller-to-processor module (depending on the relationship) must be in place.

Practical scenario three: a Czech technology company provides SaaS services to clients globally and processes client personal data on Czech servers. Outbound transfers occur when the company uses sub-processors located outside the EEA. The company must map all sub-processor locations, implement SCCs with each non-EEA sub-processor, and reflect these arrangements in its data processing agreements with clients.

UOOU enforcement: investigations, fines and appeal procedure

UOOU (Úřad pro ochranu osobních údajů) is headquartered in Prague and exercises supervisory powers under GDPR Article 57 and Act No. 111/2019 Coll. Its enforcement tools include:

  • Investigations initiated on complaint or ex officio.
  • Corrective powers: warnings, reprimands, orders to bring processing into compliance, temporary or permanent bans on processing, and administrative fines.
  • Advisory opinions and prior consultations under GDPR Article 36.

UOOU's complaint procedure is accessible to any natural person who believes their data protection rights have been infringed. Complaints can be submitted online, by post or in person. UOOU must inform the complainant of the outcome. The investigation timeline is not fixed by statute, but UOOU targets resolution within three months for straightforward cases; complex investigations can extend to twelve months or longer.

Administrative fines are imposed through a formal administrative procedure governed by Act No. 500/2004 Coll. (Administrative Procedure Code, Správní řád). The controller or processor receives a statement of objections and has the right to submit observations before a fine is imposed. The fine decision is a formal administrative act subject to appeal.

Appeals against UOOU fine decisions proceed in two stages. First, an internal review (rozklad) is submitted to UOOU's presidium within 15 days of the decision. If the internal review is unsuccessful, the party may challenge the decision before the Municipal Court in Prague (Městský soud v Praze) under the Administrative Justice Code (Soudní řád správní, Act No. 150/2002 Coll.). Further appeal lies to the Supreme Administrative Court (Nejvyšší správní soud) on points of law.

The cost of UOOU enforcement proceedings for the respondent includes legal representation fees - typically starting from the low thousands of EUR for straightforward cases and rising significantly for complex investigations or court proceedings - plus the risk of the fine itself. Businesses that engage proactively with UOOU during investigations, provide complete documentation and demonstrate remediation steps consistently receive more favourable outcomes than those that contest procedurally without substantive cooperation.

A common mistake is treating UOOU as a purely bureaucratic body that can be managed with formal responses. UOOU has technical staff capable of reviewing system architectures, consent management platforms and data flow diagrams. Incomplete or misleading responses to UOOU information requests are treated as aggravating factors in fine calculations.

The loss caused by an incorrect response strategy in UOOU proceedings can be substantial. A business that fails to demonstrate accountability documentation - Records of Processing Activities (ROPA) under GDPR Article 30, Data Protection Impact Assessments (DPIAs) under GDPR Article 35, and written data processing agreements under GDPR Article 28 - during an investigation faces a significantly higher fine than one that can produce complete records promptly.

We can help build a compliance and enforcement response strategy tailored to your business operations in the Czech Republic. Contact info@vlo.com.

Practical compliance architecture: ROPA, DPIA and vendor management

The Records of Processing Activities (ROPA) under GDPR Article 30 is the foundational accountability document. Controllers with 250 or more employees must maintain a ROPA. Controllers with fewer than 250 employees must also maintain a ROPA if their processing is not occasional, involves special category data, or could result in a risk to individuals. In practice, almost every business operating in the Czech Republic with any systematic data processing must maintain a ROPA.

The ROPA must contain: the name and contact details of the controller and DPO; the purposes of processing; a description of data subject categories and personal data categories; categories of recipients; details of transfers to third countries; retention periods; and a general description of technical and organisational security measures. UOOU can request the ROPA at any time; failure to produce it within a reasonable period is itself a violation.

Data Protection Impact Assessments (DPIAs) under GDPR Article 35 are mandatory before commencing processing that is likely to result in a high risk to individuals. UOOU has published a list of processing types requiring a mandatory DPIA in the Czech Republic, as required by GDPR Article 35(4). The list includes systematic large-scale processing of location data, large-scale processing of biometric data for identification, and systematic monitoring of publicly accessible areas.

A DPIA must describe the processing, assess necessity and proportionality, identify risks, and document the measures taken to address them. Where residual risks remain high after mitigation, the controller must consult UOOU before commencing processing under GDPR Article 36. UOOU has eight weeks to respond to a prior consultation request, extendable by a further six weeks for complex cases.

Vendor management - specifically the data processing agreement (DPA) under GDPR Article 28 - is an area where Czech businesses frequently have gaps. Every processor engaged by a controller must be bound by a written DPA covering the mandatory clauses of GDPR Article 28(3). This includes cloud providers, payroll processors, marketing automation platforms, IT support providers with access to personal data, and any other vendor processing data on the controller's behalf.

A non-obvious risk is the sub-processor chain. GDPR Article 28(2) requires processors to obtain controller authorisation before engaging sub-processors. Many standard vendor contracts include a general authorisation for sub-processors with a notification mechanism. Controllers must ensure they actually review sub-processor notifications and have a process for objecting where a new sub-processor creates compliance concerns - particularly for cross-border transfers.

Retention and deletion schedules are frequently overlooked. GDPR Article 5(1)(e) requires personal data to be kept no longer than necessary. Czech sector laws impose specific retention periods: the Accounting Act (Zákon o účetnictví, Act No. 563/1991 Coll.) requires retention of accounting records for five to ten years; the Labour Code requires retention of certain employment records for ten years after the employment relationship ends. Controllers must map these statutory retention obligations against their GDPR minimisation obligations and implement automated deletion or anonymisation processes.

To receive a checklist on ROPA, DPIA and vendor management requirements for the Czech Republic, send a request to info@vlo.com.

FAQ

What are the most significant practical risks for a foreign company processing Czech customer data without a local compliance programme?

A foreign company that processes personal data of individuals located in the Czech Republic is subject to the GDPR regardless of where the company is established, provided it offers goods or services to Czech individuals or monitors their behaviour (GDPR Article 3(2)). Without a local compliance programme, the company lacks the ROPA, DPAs, consent records and breach response procedures that UOOU expects to see during an investigation. UOOU can investigate foreign companies and, where necessary, coordinate enforcement with the supervisory authority in the company's EU establishment member state. The practical risk is not merely a fine: UOOU can order a temporary ban on processing, which can halt business operations in the Czech Republic entirely. Companies without an EU establishment must also designate an EU representative under GDPR Article 27, and failure to do so is itself a sanctionable violation.

How long does a UOOU investigation typically take, and what are the likely financial consequences of a finding of violation?

UOOU investigations vary significantly in duration. Complaint-based investigations involving straightforward consent or access right violations typically resolve within three to six months. Complex investigations involving large-scale processing, systemic violations or cross-border elements can extend to twelve to twenty-four months. Financial consequences depend on the nature and severity of the violation, the degree of cooperation, and whether the violation was intentional or negligent. For procedural violations - such as failure to maintain a ROPA or failure to appoint a DPO - fines are typically in the range of tens of thousands to low hundreds of thousands of CZK for smaller businesses. For substantive violations involving unlawful processing or inadequate security leading to a breach, fines can reach millions of CZK. Legal costs for representation through an investigation and any subsequent court proceedings typically start from the low thousands of EUR and increase with complexity.

When should a business use consent as the lawful basis, and when is legitimate interest more appropriate for processing Czech customer data?

Consent is the appropriate basis when the processing is genuinely optional from the individual's perspective and the individual has a real choice - primarily direct marketing, profiling for personalisation beyond what is necessary for the service, and sharing data with third parties for their own purposes. Legitimate interest is more appropriate for processing that is necessary for the controller's business operations and where the individual would reasonably expect the processing - fraud prevention, network security, intra-group administrative transfers, and certain analytics. The key distinction is that consent requires active opt-in and can be withdrawn at any time, which creates operational complexity for processing that needs to continue regardless of individual preferences. Using consent for processing that would qualify under legitimate interest creates a risk that withdrawal of consent forces the controller to stop processing it cannot operationally stop. Conversely, using legitimate interest for processing that is genuinely optional and where individuals would not reasonably expect it inverts the accountability logic and is likely to be challenged by UOOU.

Conclusion

Data protection compliance in the Czech Republic requires navigating both the GDPR and a set of national laws that modify and supplement it in employment, health and other sectors. UOOU is an active supervisory authority with technical capacity and a track record of enforcement. The combination of 72-hour breach notification, mandatory DPO appointment thresholds, ROPA and DPIA obligations, and cross-border transfer mechanics creates a compliance architecture that demands structured, documented implementation - not a one-time exercise. For international businesses, the cost of building a defensible programme is consistently lower than the cost of responding to enforcement without one.

Our law firm Vetrov & Partners has experience supporting clients in the Czech Republic on data protection and privacy matters. We can assist with GDPR compliance audits, DPO advisory services, data breach response, UOOU investigation defence, cross-border transfer structuring, and vendor contract review. To receive a consultation, contact: info@vlo.com.