As explained in the introduction above, the main legal provisions on data protection are as follows: with regard to processing for journalistic, academic and artistic purposes, the right to restriction of processing can only apply if the controller no longer needs certain personal data. Controller: the natural or legal person, public authority, agency or any other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union law or the law of a Member State, the controller or the specific criteria for its appointment may be provided for by Union law or the law of a Member State (Article 4(7) GDPR). In accordance with Article 19(2) of the Act, a controller who processes personal data for journalistic purposes or for academic, artistic or literary expression may exclude access to personal data in justified cases, in particular if a legitimate purpose of the processing of personal data would otherwise be compromised or thwarted or if the provision of access would involve a disproportionate effort. Art. 14 (2) (f) and Art. 15 (1) (g) GDPR do not apply to the processing of personal data for journalistic purposes or for the purposes of academic, artistic or literary expression (§ 19 para. 3 GGB). If necessary to comply with the law, social security authorities may process personal data without consent, even after the data subject has objected to the processing or disputed the accuracy of the data. In addition, those authorities may exercise their competence on the basis of automated processing of personal data. These rules apply to personal data in general, including sensitive personal data. The most relevant exceptions to allow the international transfer of personal data in the context of investigations are the following: The Data Protection Act does not provide for regulatory measures aimed at cookies.
Accordingly, the general data protection provisions, as laid down in the Data Protection Act, also apply to online data protection. Sensitive personal data, including genetic data, biometric data or health data, may be processed if necessary to investigate a particular crime or offence by the police, the General Inspectorate of Security Forces, the Customs Administration or the Military Police Service.
With regard to the processing of personal data carried out for the purpose of safeguarding the interests of defence and national security of the Czech Republic, the controller or processor is also obliged to ensure that the automated processing is used only to take decisions of an authorised natural person in order to ensure that that authorised natural person has access only to: personal data corresponding to their consent and the retention of electronic records. Vojtěch specialises in European data protection law, general EU law and commercial contract law. He offers comprehensive legal services in the field of personal data protection and data protection. He has worked on several cases of implementation of the GDPR and on cases related to the protection of personal data related to employment, tracking technologies or sports organizations. Vojtěch has also prepared contractual documents, for example for the automotive industry, in the advertising and marketing sector or for the creative industries. The notification procedure and the publication of the information it contains are essential to ensure public transparency and thus to protect personal data. By accessing the electronic register of controllers, the public has the means to understand how personal data are processed by controllers. The Office for the Protection of Personal Data (UOOU) is the main authority responsible for publishing guidelines, recommendations and other documents on the protection of personal data in the form of opinions. In addition, Czech law contains additional provisions on data retention in the following legislation: However, the Czech Republic uses the possibility to restrict certain rights of data subjects in case of processing on the basis of Article 23 of the GDPR, i.e.
for purposes of national security, public order, law enforcement or, more generally, to protect the rights and freedoms of others or to assert civil actions (so-called “protected interests”; see the Key Definitions section below for more detailed information). In such cases, the restriction/suspension of certain rights of data subjects will be communicated to UOOU either by the data processor or by the data controller. A similar notification of the limitation of the rights of data subjects also applies in the event of a data breach, i.e. if the controller intends not to inform the data subject in accordance with Article 34 of the GDPR (despite the inapplicability of any exception to it) due to the reliance placed on the protected interest. Notifications can be made on an ad hoc or general basis for future cases and must always be provided with information and justifications in accordance with Article 23(2) of the GDPR. The exercise of the right to erasure of a data subject with regard to the processing of personal data for the purposes of academic, artistic or literary expression is governed by specific legal provisions. In this respect, constitutional legislation takes precedence over the provisions of the Data Protection Act. Consequently, freedom of expression and the right to information must be weighed against the interests of the data subject, especially in more complex cases. Norms having the force of constitutional law are applicable in national law to other conflicts between the norms of protection of personal data and the protected rights and interests governed by constitutional norms (freedom of expression, freedom of the press, freedom of scientific research and artistic expression, right to acquire and disseminate information), while respecting the principles of proportionality.