The issue of personal data protection is regulated in the Czech Republic by Act No. 101/2000 Coll., on the Protection of Personal Data, as amended (hereinafter referred to as the “Act on the Protection of Personal Data”). It is stipulated therein that personal data means any information relating to an identified or identifiable data subject (natural person) – see Section 4(a) of the cited Act.
Practically all internet shops that operate on the principle of customer registration process personal data within the meaning of the Act on the Protection of Personal Data. This fact arises in particular from the very broad definition of the term processing of personal data pursuant to the provision of Section 4(e) of the Act on the Protection of Personal Data. Processing of personal data means “any operation or set of operations which the controller or processor systematically performs with personal data, whether by automated means or otherwise. Processing of personal data shall mean in particular the collection, storage on information carriers, disclosure, alteration or modification, retrieval, use, transfer, dissemination, publication, retention, exchange, sorting or combination, blocking and destruction.” It is sometimes incorrectly believed amongst traders that the issue of processing of personal data does not apply to internet shops.
The processing of personal data is associated with a relatively broad spectrum of statutory obligations of the controller (or processor of personal data), both of a technical and legal nature. In practice, only a small number of entrepreneurs actually comply with all these obligations. However, this circumstance does not change the fact that failure to comply may constitute a breach of the Act on the Protection of Personal Data. Some of the obligations of the controller of personal data are mentioned briefly below.
It generally applies that the controller may process personal data only with the consent of the data subject (Section 5(2) of the Act on the Protection of Personal Data). The controller must be able to demonstrate the consent of the data subject to the processing of personal data throughout the entire period of processing (Section 5(4) of the Act on the Protection of Personal Data). When obtaining the consent of data subjects to the processing of personal data, the controller is obliged to fulfil a relatively extensive information obligation towards the data subjects. The consent of the data subject and the extensive information obligation towards data subjects (customers) should appropriately be reflected in the wording of the terms and conditions of an internet entrepreneur.
The obligations of the controller towards public administration authorities include in particular the notification obligation pursuant to the provision of Section 16 et seq. of the Act on the Protection of Personal Data. The following further obligations are associated with the fulfilment of the notification obligation: to determine the purpose for which the personal data are to be processed, to determine the means and method of processing personal data, to process only accurate personal data which the controller has obtained in accordance with the Act on the Protection of Personal Data (to update the personal data where necessary), to collect personal data corresponding only to the specified purpose and to the extent necessary to fulfil the specified purpose, etc. (Section 5(1) of the Act on the Protection of Personal Data).
The obligations of the controller in the area of technical security of the processing of personal data include, for example, the obligation to “adopt such measures so as to prevent unauthorised or accidental access to personal data, alteration, destruction or loss thereof, unauthorised transfers, other unauthorised processing thereof, as well as other misuse of personal data. This obligation shall also apply after the termination of the processing of personal data.”
A breach of the Act on the Protection of Personal Data carries certain administrative sanctions (this usually occurs only on the basis of a complaint made to the administrative authority by data subjects). However, particularly for larger companies, the processing of personal data in breach of the law may also cause harm in the area of public relations.
This text was translated from Czech to English using an AI translator.