Czechia

[CZ] New Data Protection Act Adopted

IRIS 2000-5:1/20

Jan Fučík

Česká televize

On 4 April 2000, the Parliament of the Czech Republic passed zákon o ochrane osobních údaju (the new Data Protection Act). The Act sets out rights and duties linked to the processing of personal data and the conditions for their transmission abroad, thus transposing Data Protection Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

According to the law, personal data means information on a particular or determinable natural person. Information that does not meet this criterion is not protected and may, just like anonymous data, be obtained and processed. However, the processing of personal data for statistical or archive purposes is not covered by the Data Protection Act.

Under the new Act, personal data may only be processed with the user's consent. There are special rules for so-called "sensitive data", i.e. information on racial or ethnic background, political opinions, membership of a political party, religious or philosophical beliefs, membership of a trade union, health or sex life. Such information may only be processed with the written permission of the person concerned and the purpose of the exercise must be mentioned in the consent document. Responsibility lies with the administrator of the data, i.e. the person who determines the purpose and means of processing personal data, who carries out the processing and is responsible for it. The term "processing" encompasses virtually any action done after the data has been obtained. If personal data is obtained, unless the person concerned has already been made aware some other way, information must be provided concerning the identity of the administrator, the reasons for obtaining, processing and using the data and the recipient or types of recipient to whom the data is to be forwarded. If false data is obtained, the person concerned is entitled to demand it be corrected. Those responsible for processing personal data are obliged to keep that data confidential. The supervisory body responsible is the Ústav na ochranu informací (the Data Protection Authority), whose Director and Data Protection Inspectors are appointed by the President of the Czech Republic on the proposal of the Senate. Anyone intending to process personal data must be registered with the Data Protection Authority, which keeps a list of all personal data administrators. Applications must include details about the administrator and the reason for processing data. The Data Protection Authority can, without giving advance notice, ensure that data protection laws are being applied. Administrators found to be breaking the law are liable to be fined or closed down. They may also be subject to criminal and civil proceedings.

Personal data may only be transmitted abroad if the laws in the receiving country correspond with the requirements of the Data Protection Act. In addition, the transmission of data abroad is subject to the approval of the Data Protection Authority. The Act comes into force on 1 June 2000.