|
CZECH REPUBLIC
The Czech Office for Personal Data Protection Website:
http://www.uoou.cz/uoou.aspx
Act No. 101/2000 on the Protection of Personal Data:
http://ec.europa.eu/justice_home/fsj/privacy/docs/implementation/
czech_republic_act_101_en.pdf
What needs to be done prior to collection?
CONTACT THE DATA SUBJECT
Article 11
(1)
In collecting personal data the controller shall be obliged to
inform the data subject of the scope in which and the purpose for
which the personal data shall be processed, who and in what manner
shall process the personal data and to whom the personal data shall
be disclosed, unless the data subject is already aware of this
information. The controller must inform the data subject about his
right of access to personal data, the right to have his personal
data rectified as well as other rights provided for in Article 21
(2)
In case when the controller processes personal data obtained from
the data subject, he is obliged to instruct the data subject whether
the provision of the personal data is obligatory or voluntary. If
the data subject is obliged pursuant to a special Act to provide
personal data for the processing, the controller shall instruct him
on this fact as well as on the consequences of refusal to provide
the personal data
(3)
The controller shall not be obliged to provide the information and
instruction pursuant to paragraph 1 in cases where the personal data
were not obtained from the data subject, if
a.
He is processing personal data exclusively for the purposes of state
statistical service, scientific or archival purposes and the
provision of such information would involve a disproportionate
effort or inadequately high costs; or if storage on data carriers or
disclosure is expressly provided by a special Act. In these cases
the controller shall be obliged to take all necessary measures
against unauthorised interference with the data subject’s private
and personal life
b.
The personal data processing is imposed on him by a special Act or
such data are necessary to exercise the rights and obligations
ensuing from special Acts
c.
He is processing exclusively lawfully published data, or
d.
He is processing personal data with the consent of the data subject
(4)
The above provisions shall be without prejudice to the rights of the
data subject to request information pursuant to special Acts
CONTACT THE OFFICE FOR PERSONAL DATA PROTECTION
Article 16
(1)
Whoever intends to process personal data as a controller or alter
the registered processing pursuant to this Act, with the exception
of the processing mentioned in
pursuant to Article 18, shall be obliged to notify in writing the
Office of this fact prior to commencing personal data processing.
(2)
The notification must include the following information:
a.
The identification data of the controller, i.e. in the case of a
natural person who is not an entrepreneur his first name or names,
surname, date of birth and address of permanent residence; in the
case of other subjects their trade, corporate or other name, seat
and identification number if assigned, and name, eventually first
names and surnames of persons that are their statutory
representatives;
b.
The purpose or purposes of processing;
c.
The categories of data subjects and of personal data pertaining
to these subjects;
d.
The sources of personal data;
e.
A description of the manner of personal data processing;
f.
The location or locations of personal data processing;
g.
The recipient or category of recipients;
h.
The anticipated personal data transfers to other countries;
i.
The description of measures adopted for ensuring the protection
of personal data pursuant to Article 13;
(3)
If the notification includes all essentials pursuant to paragraph
2 and no proceeding pursuant to Article 17(1) has been initiated,
the personal data processing may start after the expiration of 30
days from the delivery of the notification. In such case the Office
records the information stated in the notification into the
register.
(4)
If the notification does not include all essentials pursuant to
paragraph 2, the Office shall send without delay a reminder to the
notifying subject in which he shall make reference to the missing or
insufficient information and set a deadline for supplementing the
notification. In case the notification is being supplemented,
running of the time limit pursuant to paragraph 3 shall begin as of
the day of delivery of the notification supplement. If the Office
does not receive the notification supplement within the set
deadline, the notification shall be regarded as if it has not been
submitted.
(5)
Upon the request from the controller the Office shall issue a
certificate which includes date of issuance, reference number, first
name, surname and signature of the person by whom the certificate
has been issued, official stamp, identification data of the
controller and purpose of processing.
(6)
The Administrative Code shall not apply to the proceedings of the
Office pursuant to paragraphs (1) - (5).
Article 18
(1)
The notification obligation pursuant to Article 16 shall not
apply to processing of personal data:
a.
That are part of data files publicly accessible on the basis of a
special Act
b.
Imposed on the controller by a special Act or when such personal
data are needed for exercising rights and obligations following from
a special Act, or
c.
In case of processing that pursues political, philosophical,
religious or trade-union aims carried out within the scope of
legitimate activity of an association and which relates only to
members of the association or persons with whom the association is
in recurrent contact related to legitimate activity of the
association, and the personal data are not disclosed without the
consent of the data subject
(2)
The
controller, who carried out the processing pursuant to Article 18
(1) (b), shall be obliged to ensure that the information concerning
in particular the
purpose of the
processing, categories of personal data, categories of data
subjects, categories of recipients and the period of preservation,
which would otherwise be accessible by means of the register
maintained by the Office pursuant to Article 35, is disclosed also
through remote access or in other appropriate form.
What needs to be done prior to shipping?
Article 27
(1)
Free flow of personal data shall not be restricted if data are
transferred to a member state of the European Union.
(2)
Personal data may be transferred to third countries if the
prohibition of restriction of the free movement of personal data is
ensuing from an international treaty to the ratification of which
the Parliament has given his assent and which is binding the Czech
Republic, or if the personal data are transferred on the basis of
decision of an institution of the European Union. The Office in the
Official Journal publishes information about such decisions.
(3)
Where the condition pursuant to paragraphs 1 and 2 is not met, the
transfer of personal data may be carried out if the controller
proves that:
a.
The
data transfer is carried out with the consent of, or on the basis of
an instruction by the data subject;
b.
In
a third country, where personal data are to be processed, has been
created sufficient specific guarantees for personal data protection,
e.g. by other legal or professional regulations and security
measures. Such guarantees may be specified in particular by a
contract concluded between the controller and the recipient, if this
contract ensures application of these requirements, or if the
contract contains contractual clauses for personal data transfer to
third countries published in the Official Journal of the Office;
c.
The
personal data concerned are part of publicly accessible data files
on the basis of a special Act or are, on the basis of a special Act
accessible to someone who proves legal interest; in such case the
personal data may be disclosed only in the scope and under
conditions provided by a special Act;
d.
The
transfer is necessary to exercise an important public interest
following from a special Act or from an international treaty binding
the Czech Republic;
e.
The
transfer is necessary for negotiating the conclusion or change of a
contract, carried out on the incentive of the data subject, or for
the performance of a contract to which the data subject is a
contracting party;
f.
The
transfer is necessary to perform a contract between the controller
and a third party, concluded in the interest of the data subject, or
to exercise other legal claims, or
g.
The
transfer is necessary for the protection of rights or important
vital interests of the data subject, in particular for rescuing life
or providing health care.
(4)
Prior to the transfer of personal data to third countries pursuant
to paragraph 3, the controller shall be obliged to apply to the
Office for authorization to the transfer, unless provided otherwise
by a special Act. When considering the application, the Office shall
examine all circumstances related to the transfer of personal data,
in particular the source, final destination and categories of
personal data which are to be transferred, the purpose and period of
the processing, with regard to available information about legal or
other regulations governing the personal data processing in a third
country. In the authorization to the transfer, the Office shall
specify the period of time over which the controller may perform the
data transfers. If a change of the conditions under which the
authorization was issued occurs, in particular on the basis of a
decision of an institution of the European Union, the Office shall
alter or revoke this authorization.
What are the sanctions for non-compliance?
See Chapter VII for a detailed explanation on Penalties
Please refer to the Czech Office for Personal Data Protection
Website for further details on the Statute
|
