Operating most internet shops involves the processing of personal data. Almost as often, the personal data processed by the operator of the internet shop are entrusted to third parties (for example, hosting companies, marketing companies, etc.). Although entrepreneurs’ awareness of the existence and content of personal data regulation is increasing, all the requirements of Act No. 101/2000 Coll., on the Protection of Personal Data and on Amendment to Certain Acts, as amended (hereinafter referred to as “the Act on the Protection of Personal Data”), are rarely fulfilled in practice.
One of these somewhat neglected areas is the regulation of the relationship between the controller of personal data and the processor of personal data. For traders, a breach of the Act on the Protection of Personal Data currently carries a reputational risk rather than the threat of a substantial administrative sanction by the Office for Personal Data Protection, but such a sanction cannot be entirely ruled out either (especially in the case of a denunciation).
An internet trader will in most cases act in the role of the so-called controller of personal data. Section 4(j) of the Act on the Protection of Personal Data defines the controller of personal data as “a subject that determines the purpose and means of processing personal data, carries out the processing and is responsible for it.” The controller may authorise or commission a processor to process personal data. Given the relatively broad definition of the processing of personal data in the Act on the Protection of Personal Data, such processors will in particular be entities that provide hosting, marketing or mailing services for the trader (including, for example, persons whom the trader has commissioned to organise its consumer competitions), that is, every person who “processes personal data on the basis of a special act or commission by the controller…”.
Section 6 of the Act on the Protection of Personal Data establishes that the controller of personal data “must conclude a contract on processing of personal data with the processor. The contract must be in written form.” This obligation is often not fulfilled in practice. The arrangement may be either a separate contract on processing of personal data, or provisions concerning the processing of personal data that form part of another written contract concluded between the controller and the processor (for example, a hosting company has provisions on processing of personal data integrated into its standardised contract documentation).
Section 6 of the Act on the Protection of Personal Data also defines the essential requirements of the contract on processing of personal data: “It must expressly state in particular the scope, purpose and duration for which it is concluded and must contain the processor’s guarantees regarding technical and organisational security of the protection of personal data.” The complexity of these contractual provisions varies considerably in practice. Sometimes they fit on one standard page, and other times they amount to an entire set of complex contractual documentation (especially in the case of financial institutions). When drafting the contract on processing of personal data, it is also necessary to bear in mind the other requirements and consequences arising from the Act on the Protection of Personal Data (in relation to the controller or the processor), including the fact that the controller of personal data bears responsibility in this area for the processor’s actions.
In conclusion, the relationship between the controller and the processor of personal data described above must always be distinguished from the situation where the trader transfers personal data to another controller. We will possibly address this issue in one of the future legal circulars.
Josef Aujezdský
Law Office Mašek, Kočí, Aujezdský www.e-Advokacie.cz – on-line legal consultancy
This text was originally prepared by the law office Mašek, Kočí, Aujezdský in cooperation with the Association for Electronic Commerce (APEK) as legal circular No. 11/2015, intended for members of this association.
This text was translated from Czech to English using an AI translator.