1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either a) affected individuals; or b) a regulator such as a data protection authority (DPA)?
In principle there are three different legal obligations to notify an incident (data breach):
1.1.1 Under the GDPR:
This general obligation affects every controller and concerns a notification to the DPA and potentially also to affected data subjects.
1.1.2 Under the Act No 127/2005 Coll. on Electronic Communications:
This is applicable only to providers of publicly available electronic communications services. The obligation concerns in any case a notification to the DPA, and potentially also to affected individuals.
1.1.3 Under the Act No 181/2014 Coll. on Cybersecurity:
A data breach may also qualify as a cybersecurity incident. Providers or operators of certain information systems or infrastructure, and providers of regulated digital services, are required to report such incidents to the National CERT or to the National Cyber and Information Security Agency.
1.2 Under what conditions must such notification(s) be given, including a) what types of data must be breached to trigger notification; and b) whether the entity must be a data controller or data processor in your country for such obligations to apply?
1.2.1 Under the GDPR:
This general obligation affects every controller and is triggered by any personal data breach, unless it is unlikely to result in a risk to the rights and freedoms of natural persons. Communication to affected data subjects is triggered if the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons. Data processors are required to make the notification to the relevant controllers, not the DPA or data subjects.
1.2.2 Under the Act on Electronic Communications:
The obligation is triggered by a data breach concerning personal data. The notification must in any case be made to the DPA, and potentially also to the affected data subjects if the breach is likely to seriously impair the privacy of natural persons and/or the provider has not implemented sufficient remedial measures. It follows that the electronic communications service provider is the data controller, since a data processor would not have a direct contractual relationship with the end user. Data processors have an obligation to notify their customer, i.e. the data controller. The Czech DPA assumes jurisdiction over providers of public electronic communications services registered with the Czech Telecommunication Office.
1.2.3 Under the Act on Cybersecurity:
In this case the type of data is not relevant; the notification obligation is triggered upon a security breach concerning a regulated information system, infrastructure or service. Both controllers and processors may be required to make the notification but in this context these terms are not GDPR related and aim at the entity’s relation to the information system, infrastructure or service (either they are providers or operators thereof).
1.3 For such notification(s), is there any required or suggested a) content of the notice; b) time period in which notice must be given; or c) method of giving notice, such as regular mail, email, web-posting or publication?
1.3.1 Under the GDPR:
The data breach must be reported without undue delay and generally no later than 72 hours after the controller has become aware of it (a later notification must be accompanied by the reasons for the delay). The DPA has issued a standard form (in Czech only). The form can be filled in electronically and sent to the DPA's email address firstname.lastname@example.org or, for Czech entities with an active so-called data box (a functionality allowing electronic registered delivery to public-sector recipients), to data box ID qkbaa2n. The notification can also be sent by post in printed form. The required content is quite extensive and includes information about all entities involved in the processing, the course of the incident including a timeline, its effects, the categories of affected data subjects and of personal data and the approximate numbers thereof, the likely consequences, the measures taken before and after the incident, and other parameters specified in the form.
1.3.2 Under the Act on Electronic Communications:
The notification must be made without undue delay and delivered to the DPA (not the Czech Telecommunication Office) by the means of communication listed above. No specific form has been issued for this purpose. The notification should include the identification of the controller, a statement that a data breach has occurred, the effects of the incident, and the measures taken or to be taken. For more severe data breaches, the notification should also include a description of the nature of the incident, recommendations on how to mitigate its effects, and the contact details of a point of contact for further information.
1.3.3 Under the Act on Cybersecurity:
The notification must be made without any delay. The Agency has issued a separate form, which can be filled in electronically and sent to the Agency's email address email@example.com or via a data box to ID zzfnkp3. The notification can also be sent by post in printed form. The content should include the identification of the provider/operator, a detailed description of the incident including a timeline, its classification, an estimate of its effects and damage, the measures taken, and details of the targeted system and of the source system (if known).
1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?
- Breach of the relevant GDPR provisions may result in administrative fines of up to EUR 10,000,000 or 2 % of the total annual turnover of the preceding financial year, whichever is higher. However, fines are not imposable upon public authorities and bodies due to limitations contained in the Act on Personal Data Processing.
- Breach of the notification obligation under the Act on Electronic Communications may result in administrative fines of up to CZK 50,000,000 (approx. EUR 1,982,000) or 10 % of the total annual turnover of the preceding financial year, whichever is higher.
- Breach of the notification obligation under the Act on Cybersecurity may result in administrative fines of up to CZK 1,000,000 (approx. EUR 40,000).
- The imposition of a fine does not preclude data subjects from exercising their right to compensation from the controller or processor for the damage suffered under Article 82 of the GDPR. Nor does it preclude litigation for damages on the ground that, by not being notified, the data subject suffered material or non-material damage or loss of profit that he or she might otherwise have been able to prevent.
1.5 Even if there is no current legal obligation to do so, or if there is no “data controller” or “data processor” located in your country, is notification to individuals recommended in the event of a data breach affecting residents in your country (such as in credit card data breaches)?
Even where the aforementioned conditions triggering the notification/communication obligations are not met, some form of notification to the data subjects is advisable in certain cases because of the general statutory obligation to mitigate damage, especially where the potential damage could be high.
1.6 What are the applicable (data protection) laws or guidelines within your country?
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR);
- Act No 110/2019 Coll., on Personal Data Processing;
- Act No 127/2005 Coll., on Electronic Communications for certain aspects related to electronic communications;
- Act No 181/2014 Coll., on Cybersecurity;
- The DPA also refers to the Article 29 Data Protection Working Party's (now replaced by the EDPB) Guidelines on Personal data breach notification under Regulation 2016/679 (doc id WP250rev.01). These guidelines are not directly binding, but the DPA will usually rely on them when interpreting the GDPR provisions.
1.7 Contact information for the local Data Protection Authority:
Úřad pro ochranu osobních údajů
Pplk Sochora 27, 170 00 Praha 7, Prague, Czech Republic
(Information) +420 234 665 555 or (Switchboard) +420 234 665 111
+420 234 665 444
For more information, contact:
TaylorWessing e|n|w|c advokati v.o.s.
U Prasne brany 1, 110 00 Prague 1, Czech Republic
+420 224 81 92 16
+420 224 81 92 17