Personal Data Protection in the Czech Republic

One of the facts of modern life is that we are increasingly sharing more information about ourselves. Whether registering a trade license or signing up to use a plan with a phone company, you’ll find that you have to give the relevant authorities information about yourself, such as your name, permanent address, birth date and (if you have one) your Czech National Identification Number (rodné číslo). But how much of that information is safe? Who can get their hands on it? And what can you do about it when they do?

What the Law Says?
Being part of the European Union means that the protection of personal data in the Czech Republic is governed by both national laws and European guidelines. The guideline in question is Directive 95/46/EC, which claims to “respect the fundamental rights and freedoms, notably the right to privacy” of natural people whatever the nationality. However, the guidelines make some provisions for sharing of sensitive information on the grounds of “public interest”. One of the most recent and highest profile cases in which a company has been considered in breach of the guidelines concerns Google and the changes to its privacy policy. Viviane Reding, the EU commissioner for justice, saw those changes as conflicting with the guidelines. Soon they could tighten even further, because EU Parliament is proposing to replace them with one law to circumvent what is viewed as a costly divergence of the application of the current rules.

The Czech Act on Personal Data Protection (Act No. 101/2000 Coll.) specifies the nature of data more clearly. One of the most important distinctions it makes is between personal data and sensitive data. The former is the information used to identify a person as who they say they are and includes name, address and possibly telephone number. Sensitive data in the law is “data revealing nationality, racial or ethnic origin, political attitudes, trade-union membership, religious and philosophical beliefs, conviction of a criminal act, health status, and sexual life of the data subject and genetic data of the data subject.” Biometric data is also classified as sensitive.

As for the thornier issue of sensitive data, she said, “collecting and processing of this sensitive data is generally prohibited, unless an explicit consent of the data subject (the person to whom the information is related) is given or if such processing is permitted by specific legal regulation, e.g. for prosecution and criminal investigation or protection of public health. In these cases, the controller (someone who collects personal data) does not have to have the data subject’s consent.”

Another way in which a third party can obtain your personal details is through your consent – which you may done inadvertently. Have you ever received a phone call from a telemarketer offering you, for instance, a new telephone plan? Have you wondered how this company, which may not be the company you have your plan with, got your number? Did you read the small print of your contract? Somewhere in the section on ‘processing personal data’ (zpracování osobních údajů), will be a clause about sharing your details with a third party for the purposes of marketing. It might stipulate that the marketing is only for that particular company – but once you’ve signed the contract they can share this information. so ask before signing anything. If you have an existing contract, request the company removes your details from any marketing lists.

Your credit history is not so easily accessible, and the situation around it is a little more complicated. Brosková explained, “Regarding credit rating, the situation is different. There is a Central Register of Debtors available online; however, it is a privately-run paid service. If you have a loan (bank, consumer loan), mortgage loan, or possess a credit card, or for example, you owe on taxes, social security insurance, etc., you will likely be listed in this register. Most of the financial institutions (sometimes even creditors other than banks) include in their contracts a provision allowing the creditor to transfer debtor’s information to this register. It means that by signing a mortgage loan contract you give consent to process your debts’ information and transfer it to the Central Debtors Register. Any person who would like to then scan a person’s financial history can access such information at one place.” Again, it might be necessary to read the fine print before taking out loans or opening an account.

Real Dangers
Sadly, with so much data being requested and processed there are risks. One of the most high profile examples of this abuse of data has allegedly involved the OpenCard project. (See here for the City of Prague’s response.) For those who are concerned and haven’t heard, it is now possible to obtain an OpenCard which does not have your personal data. The card costs 250 CZK and is available from the customer center at Jungamannová 35, window 60. Or you can wait because the project might be terminated.

Sharing with Other Countries
The fact that the Czech Republic is part of the European Union may make you wonder if personal information can be passed on to other EU member states. The short answer is “yes”, as specified in article 27, paragraph 1 of the Czech Act on Personal Data Protection. The key sentence reads: “Free flow of personal data shall not be restricted if data are transferred to a member state of the European Union.” The EU directive states: “Member States shall neither restrict nor prohibit the free flow of personal data between Member States for reasons connected with the protection afforded under paragraph.”