A government bill for a so-called adjustment law, governing and supplementing certain individual data protection issues in connection with GDPR, has passed third reading in the House of Deputies.
On 25 May 2018 the General Data Protection Regulation (GDPR) came into force, which, in spite of being for the most part directly applicable, invites the individual EU member states to pass legislative measures on the national level for specific areas of concern.
In the Czech Republic, this legislative measure will take the form of what has become known as the 'adaptation law' (Act on the Processing of Personal Data). The relevant bill was passed by the House of Deputies on 5 December 2018 (parliamentary press 138).
In what follows, I would like to point to at least a few of the areas in which the Czech lawmaker decided to carve out exceptions to, or clarify, the GDPR rules:
According to Sec. 48 of the adaption law, the Czech Office for the Protection of Personal Data (Úřad pro ochranu osobních údajů) is and remains the supervisory authority within the realm of data protection, and in this capacity is in charge of communicating with the supervisory authorities of the other EU member countries, hearing cases of violations of the law, and imposing and collecting penalties.
The violation of duties under the GDPR carries a fine which according to the Regulation itself may reach amounts of up to EUR 20M or (in the case of undertakings) up to 4% of the infringer's worldwide annual turnover. In Sec. 59 et seq. of the adaptation law, the lawmaker lists the possible violations of data protection rules and stipulates the amount of the fines to be paid by public-law entities who commit them. It is important to note that the lawmaker made no use of the option to rule out sanctions against public-law entities entirely (though it did cap administrative penalties at CZK 10M.
A hotly debated issue was the use of social networks and other information society services by children. Article 8 GDPR leaves it to the member states to lower the age at which children may give valid online consent down to 13 years, providing a default age limit of 16 years. The Czech lawmaker duly considered all circumstances and arrived at the view that children ought to have completed fifteen years of age to be able to give valid consent on the internet.
We assume that work on the adaptation law will come to a close, and the bill will be written into law and come into force and effect, in the course of 1Q 2019.
GDPR Parliamentary press 138/0
Parliamentary press 139/0