Personal data protection is regulated by supralegal instruments. The main instrument is the Council of Europe Convention no. 108 of 28 January 1981 for the Protection of Individuals with Regard to Automatic Processing of Personal Data, published in the Czech Republic in the Collection of International Treaties under no. 115/2001 Sb. m. s. and in effect as of 1 November 2001. The Convention is complemented by the Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding Supervisory Authorities and Transborder Data Flows, published in the Collection of International Treaties under no. 29/2005 Sb. m. s., which entered into effect as of 1 July 2004. In Czech constitutional law, the basic provisions are Article 7, paragraph 1 and Article 10, paragraphs 2 and 3 of the Charter of Fundamental Rights and Freedoms.
With regard to the European Union, the basic provisions are Article 16 of the Treaty on the Functioning of the EU (TFEU, as amended by the Lisbon Treaty) and Article 8 of the Charter of Fundamental Rights of the European Union.
The main legal act, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, will be replaced as of 25 May 2018 by the General Data Protection Regulation (GDPR).
The general legal act regulating personal data protection in the Czech Republic is Act no. 101/2000 Sb. (Coll.) on the Protection of Personal Data and on Amendments to Some Acts, which will be replaced as of 25 May 2018 by the GDPR and by the Czech Adaptation Act.
EU Regulation 2016/679 (GDPR) provides the legal framework for personal data protection applicable throughout the EU territory and protects the rights of EU citizens against unlawful processing of their data and personal information.
The GDPR contains all the existing principles relating to data protection and data processing on which EU data protection is based. It confirms that protection “travels” with the data across borders. The GDPR further develops and reinforces the rights of persons concerned by data processing in two main aspects: obtaining information on which data is being processed and why, and requiring compliance with the rules and seeking remedies. The GDPR systematically promotes effective enforcement of the rights of individuals and of the obligations of controllers (those responsible for data processing). To achieve that, it provides more sophisticated and stricter rules for specific types of data and modes of processing. It also requires a more proactive approach from controllers and processors, in particular the obligation to assess the impact of each new data processing operation on data protection (DPIA), the obligation to use appropriate data protection tools, and the obligation to consult the supervisory authority in certain specific situations.
The key element determining controllers' obligations is the level of risk, which correlates with the scope of processing, the personal nature of the data and the technologies used. Controllers and processors are, in certain cases, obliged to designate a Data Protection Officer. The Regulation lays down more detailed obligations regarding data security and imposes a new obligation, namely to notify any personal data breach to the supervisory authority and to all persons concerned.
The GDPR also contains explicit provisions on the independence of supervisory authorities, the general conditions for their members, and their competence, tasks and powers in the EU member states, the EEA and Switzerland; it furthermore provides for cooperation between these supervisory authorities and for a uniform approach to sanctions.