National Data Protection Law

    Czech Republic

    National Data Protection Law

    Approved text 138 on the Processing of Personal Data - Approved text 139 Accompanying Act

    A data protection framework comprising two bills: a Data Protection Act and an Accompanying Act, was adopted in the Czech Chamber of Deputies on 12 March 2019. The bills await to be sanctioned by President Miloš Zeman before they are enacted.


    Last Updated: July 30, 2019

  • General

    The aim of the Data Protection Framework is to incorporate relevant European Union legislation into the general Data Protection Framework and across other legal fields that are relevant to the processing of personal data. The Data Protection Act mirrors the GDPR in general, lays down derogations, regulates the powers of the Czech Data Protection Office. The Accompanying Act amends several laws, notably, the Criminal Code and Public Prosecution Act, rules of evidence, and the Code of Civil Procedure, and laying down specific provisions related to the processing of personal data by the Ministry of Justice and the Constitutional Court.


    As with the other Member States, these Acts mirror the GDPR in general in that it encompasses all processing activities carried out by automated means and all processing operations performed manually when they form part of a filing system outside the purely domestic sphere. The Czech Data Protection Act regulates in particular:

    1. the processing of personal data by competent authorities for the purpose of preventing, detecting or detecting crime, prosecuting criminal offences, enforcing penalties and protective measures, ensuring the security of the Czech Republic or ensuring public order and internal security, including searches for persons and things;
    2. The processing of personal data in ensuring the defence and security interests of the Czech Republic; and
    3. the status and authority of the Office for Personal Data Protection (hereinafter “the Office”).


    Both bills include derogations and exceptions to several aspects of the GDPR:

    • the minimum age allowed by the GDPR for consenting to Information Society Services to 15 years of age. The age of consent was proposed to be lowered to 13 years of age, but the representatives did not approve;
    • the obligation of secrecy and confidentiality on DPOs.
    • Exempting all public bodies from fines issued by the DPA.
    • An exception to the obligation of carrying out a DPIA.
    • An exemption to the obligation of assessing the compatibility of purposes in a number of cases when further processing is carried out in the public interest (including, the investigation and prosecution of infringement of ethical rules, ensuring the independence of the judiciary and national security interests) or where there is a legal obligation imposed on the controller to carry out the processing activities.
    • An exemption from the obligation to carry out a DPIA if the controller is required by law to carry out a processing activity that may otherwise be subject to a prior impact assessment.
    • A related provision in the Accompanying Act concerning the processing of personal data, in the realm of police investigation, derogates the general prohibition to the processing of special categories of data if the collection of information revealing racial or ethnic origin, religious, philosophical or political beliefs, trade union membership, health status, sexual behaviour or sexual orientation is necessary for the purpose of investigating a specific criminal offence.
    • Further processing for scientific research, historical or statistical purposes is considered compatible and allowed provided that the processing is subject to adequate safeguards. Article 16 of the Act lists several safeguards that could be implemented, such as recording all operations, appointing a trustee, restricted access within the organisations, pseudonymisation, encryption, and several restrictions on other processing activities and transfers to third countries.
    • The Act lays down an exemption to the breach notification obligation. Controllers ought to notify data breaches to the extent that such reporting does not harm the protected interests of the nation as listed in Article 6§2 (defence, national security, investigation and prosecution of criminal offences, public interest, enforcement of claims, etc.).
  • DatabreachPedia


    In the Czech Republic, there is a general requirement under the General Data Protection Regulation for data controllers to notify personal data breaches to their regulator and in cases of likely high risk to the rights and freedoms of natural persons, also to them.

    Is it Mandatory to Notify Individuals?

    Yes, if the personal data breach is likely to result in a high risk to their rights and freedoms.

    Is it Mandatory to Notify Regulator?

    Yes, if the personal data breach is likely to result in a risk to the rights and freedoms of natural persons.

    Notification Deadline

    72 hours

    Responsible Regulator

    The Office for Personal Data Protection
    Úřad pro ochranu osobních údajů
    Pplk. Sochora 27
    170 00 Prague 7

    Tel.+420 234 665 111
    Fax +420 234 665 444
    E-mail: [email protected]

    Breach Notification Format

    Minimum requirements: nature of the breach, categories and approx. number of data subjects concerned, name and contact details of the DPO, likely consequences, measures taken/proposed to be taken. Czech regulator advises that breaches can be notified through electronic data box (‘datová schránka’) or via e-mail.

Want to learn more? Login to the full DataGuidance platform.

About OneTrust

OneTrust is the #1 most widely used privacy, security and third-party risk technology platform trusted by more than 3,000 companies to comply with the CCPA, GDPR, ISO27001 and hundreds of the world’s privacy and security laws. OneTrust's three primary offerings include OneTrust Privacy Management Software, OneTrust PreferenceChoice™ consent and preference management software, and OneTrust Vendorpedia™ third-party risk management software and vendor risk exchange. To learn more, visit or connect on LinkedIn, Twitter and Facebook.