GDPR Implementation Guidelines: Czech Republic Edition

GDPR Implementation Guidelines: Czech Republic Edition

Personal Data Protection in the Czech Republic: A Focus on Deceased Persons

In the Czech Republic, personal data protections primarily apply to living individuals, as stipulated by the General Data Protection Regulation (GDPR). When it comes to the personal data of deceased persons, the regulations become less clear-cut and are often governed by estate and succession law rather than data protection law.

Under the GDPR, personal data of deceased persons is not protected, as the regulation applies only to living individuals. However, some data controllers may allow individuals to set instructions on data management after their death, such as data deletion or transfer permissions, depending on the organization's policies or national law.

The Czech Republic, as an EU member, follows the EU Succession Regulation for estate and inheritance matters. But when it comes to data protection for deceased individuals, the rules remain unchanged. There is no clear indication that Czech law has specific standalone regulations explicitly governing the processing of data of deceased persons beyond inheritance and estate administration rules.

In practice, after death, personal data may be processed for estate administration but is no longer subject to the data subject’s consent or GDPR in the usual sense. Organizations may handle and erase such data according to internal policies, sometimes guided by national laws on data retention or confidentiality.

The Act on processing of personal data (the "Data Protection Act") and the Act amending certain legislations due to the adoption of the act on processing of personal data (the "Amending Act") are the relevant legislation in force from 24 April 2019. The Data Protection Act provides additional rules for the processing of personal data in relation to criminal offences, the execution of criminal penalties, and the defense and security interests of the Czech Republic.

In the Czech Republic, all sensitive personal data can be processed if the data subject's valid consent has been obtained. There are no exemptions to a data subject's right to erasure linked to scientific or historical research purposes and statistical purposes or archiving purposes.

Data subjects may be represented by a not-for-profit legal entity whose activities include the protection of the rights of the data subjects. The age at which a child can give their consent to processing in relation to information society services (ISS) is 15 years of age.

Controllers and processors are exempt from the obligation to carry out a compatibility assessment regarding the purposes of processing if the processing is carried out for a "protected interest." There are no additional rules on apportionment of liability between joint controllers in the Czech Republic.

The Office for Personal Data Protection (Urád pro ochranu osobních údajů) is the Data Protection Authority in the Czech Republic. An administrative appeal may be brought against decisions issued by the DPA. Data transfers are not subject to restrictions beyond those set out in the GDPR, and Impact Assessments are only required in accordance with the provisions of the GDPR.

DPOs are not subject to secrecy obligations under national law. The DPA is entitled to access all the information necessary for the performance of a particular task. Data transfers from public registers are not subject to specific rules. The DPA also deals with unsolicited commercial communications.

For precise Czech statutory references or regulations regarding the processing of personal data of deceased persons, it is recommended to consult a local legal expert in data protection or inheritance law.

1. In the whitecase.com industry, legal partners provide services within the international dispute resolution practice for clients dealing with deceased person data protection matters in the Czech Republic.
2. The Czech Republic's GDPR regulations regarding deceased persons are often governed by estate and succession law, rather than data protection law.
3. Under EU laws, data controllers may allow instructions on data management for deceased persons, but these are based on their policies or national law.
4. The Czech Republic, as a member of the EU, follows the EU Succession Regulation, but doesn't have explicit regulations for data protection of deceased persons beyond inheriting and administering estates.
5. After death, personal data may be processed for estate administration, but data subjects' consent and GDPR protections may no longer apply.
6. The Act on processing of personal data (the "Data Protection Act") governs personal data processing in the Czech Republic, including rules for processing sensitive data.
7. Consent is required to process sensitive personal data in the Czech Republic, with no exemptions for scientific or historical research.
8. Data subjects in the Czech Republic can be represented by a not-for-profit legal entity for protecting rights, and children can consent to information society services at the age of 15.
9. Controllers and processors can be exempt from a compatibility assessment if processing serves a 'protected interest,' and there are no additional rules on liability apportionment for joint controllers.
10. The Office for Personal Data Protection (Urád pro ochranu osobních údajů) is the Data Protection Authority in the Czech Republic and deals with unsolicited commercial communications.
11. Data transfers from public registers are not subject to specific rules in the Czech Republic, but administrative appeals can be brought against decisions issued by the DPA.
12. For precise Czech statutory references or regulations regarding the processing of personal data of deceased persons, it is recommended to consult a local legal expert in data protection or inheritance law.

Read also: