Czech Republic Data Privacy Laws: GDPR Implementation Guide (2026)

The Czech Republic's approach to GDPR implementation reflects a pragmatic balancing act. The country adopted implementing legislation that closely follows the regulation's framework while making notable national choices, including the controversial decision to fully exempt public bodies from administrative fines.
The UOOU has demonstrated its enforcement capability with the landmark Avast Software fine, one of the largest GDPR penalties in Central European history. This guide covers the full scope of Czech data protection law, from the legal foundations through enforcement practices and compliance requirements.
Legal Framework and GDPR Implementation
The Czech Republic's data protection system operates under the GDPR as supplemented by Act No. 110/2019 Coll. on Processing of Personal Data (commonly referred to as the Data Processing Act or ZZOOU). This legislation entered into force on 24 April 2019.

The Data Processing Act serves three main functions. It implements the GDPR's opening clauses where the regulation requires or permits national legislation, it transposes the Law Enforcement Directive (EU 2016/680) for data processing in criminal justice contexts, and it addresses data processing that falls outside the scope of EU law, including certain national security and immigration-related processing.
The Act replaced the earlier Act No. 101/2000 Coll. on the Protection of Personal Data, which had implemented the 1995 EU Data Protection Directive.
Legislative History
The Czech Republic was among the member states that took longer to adopt GDPR implementing legislation. The GDPR became directly applicable on 25 May 2018, but Act No. 110/2019 did not take effect until nearly a year later. During the interim period, the GDPR applied directly, and those provisions of the older data protection act that did not conflict with the GDPR continued to apply.
The UOOU: Czech Data Protection Authority
The Office for Personal Data Protection (Úřad pro ochranu osobních údajů, or UOOU) is the Czech Republic's independent supervisory authority responsible for data protection enforcement.
The UOOU is the sole authority responsible for enforcing the GDPR in the Czech Republic. It operates with approximately 100 employees based in Prague, working with an annual budget of around EUR 7.5 million. The authority handles complaints, conducts investigations and audits, issues guidance, and imposes corrective measures.
Powers and Functions
The UOOU holds the full range of supervisory and enforcement powers specified in the GDPR. It can conduct investigations on its own initiative or following complaints, carry out data protection audits, obtain access to premises and equipment of data controllers and processors, issue warnings and reprimands, order controllers and processors to comply with GDPR requirements, impose temporary or permanent processing bans, and impose administrative fines.
The authority also maintains advisory functions, providing opinions on proposed legislation and issuing guidance for organizations navigating compliance requirements.
Fines and Penalties
The Czech Republic follows the GDPR's standard two-tier penalty framework. Fines of up to EUR 10 million or 2% of worldwide annual turnover apply to certain violations, while more serious infringements can attract fines of up to EUR 20 million or 4% of worldwide annual turnover.
The Public Body Exemption
One of the most distinctive features of Czech data protection law is the complete exemption of public bodies from GDPR administrative fines. The Czech legislator used the flexibility provided by Article 83(7) of the GDPR to exclude government entities from the UOOU's fining competence.
This means that Czech ministries, municipalities, state agencies, and other public bodies cannot be fined under the GDPR, regardless of the severity of any data protection violation. The UOOU can still issue corrective orders against public entities, but the absence of financial penalties has been criticized as reducing the incentive for public sector compliance.
Under the Law Enforcement Directive portion of the Act, public bodies can be fined, but the amount is capped at CZK 10 million (approximately EUR 400,000), a significantly lower ceiling than the GDPR's standard framework.
Notable Enforcement Actions
Avast Software (EUR 13.9 Million): The UOOU's most significant enforcement action was the approximately EUR 13.9 million fine against Avast Software for unlawful data transfers to its subsidiary Jumpshot, Inc. Avast transferred internet browsing history data of approximately 100 million users using only pseudonymization rather than proper anonymization. The case was handled through the GDPR's cooperation mechanism with other concerned EU supervisory authorities. This fine made headlines as one of the largest GDPR penalties in Central and Eastern Europe.
Spam Campaign (EUR 230,000+): The UOOU imposed its then-largest fine for sending unsolicited commercial communications. The enforcement action examined a marketing campaign consisting of emails sent to nearly 500,000 recipients without proper consent. This case demonstrated the UOOU's willingness to pursue aggressive enforcement against electronic marketing violations.
Various CCTV Cases: The UOOU has pursued multiple cases involving video surveillance compliance, including improper use of cameras in residential buildings, workplaces, and public-facing business premises.
2025 Enforcement Priorities
The UOOU announced its control plan for 2025, outlining three primary enforcement focus areas.
First, the authority will examine personal data processing by retailers who make discounts conditional on participation in loyalty programs or similar schemes. This focus targets the common practice of requiring customers to share extensive personal data in exchange for lower prices.
Second, the UOOU will scrutinize the use of CCTV in public transport, applying its recently updated CCTV methodology to assess whether surveillance systems on buses, trams, and metro systems comply with data protection requirements.
Third, the authority will investigate practices of online comparison service providers, particularly those offering insurance or loan comparisons, that send commercial communications to individuals who have used their services. This area has not previously been subject to comprehensive UOOU audit.
Data Protection Officers
The Czech Republic follows the GDPR's standard DPO appointment requirements. Public authorities, organizations conducting large-scale systematic monitoring, and organizations processing special category data on a large scale must appoint a DPO.
The UOOU has published guidance on DPO qualifications and has emphasized that DPOs must be given genuine independence within their organizations. The authority maintains a registry of appointed DPOs.
Age of Digital Consent
The Czech Republic set the age of digital consent at 15 years old. Children aged 15 and older may independently consent to information society services, while children under 15 require parental authorization.
CCTV and Video Surveillance
The UOOU has developed detailed methodology for assessing CCTV compliance that goes beyond the basic GDPR framework. The authority has addressed surveillance in various contexts including residential buildings, workplaces, retail environments, and public transport.
Key requirements include the need for a legitimate interest assessment before deploying cameras, clear signage informing individuals about surveillance, proportionate retention periods, and restrictions on surveillance of areas where individuals have a heightened expectation of privacy.
Data Breach Notification
Standard GDPR breach notification requirements apply in the Czech Republic. Controllers must notify the UOOU within 72 hours of becoming aware of a breach likely to result in a risk to individuals' rights and freedoms. The UOOU provides guidance and notification forms on its official website.
International Data Transfers
The Czech Republic follows the standard GDPR framework for international transfers. The Avast case demonstrated the UOOU's willingness to enforce transfer requirements aggressively, particularly where pseudonymization is used as a substitute for proper anonymization or adequate transfer safeguards.
Electronic Marketing
The Czech Republic has implemented the ePrivacy Directive through Act No. 480/2004 Coll. on Certain Information Society Services. This legislation governs commercial electronic communications and requires prior opt-in consent for marketing emails and messages, with a limited exception for existing customer relationships.
The UOOU has been active in enforcing electronic marketing rules, as demonstrated by the significant spam campaign fine, and has indicated that online comparison services will face increased scrutiny.
Practical Compliance Tips
Organizations operating in the Czech Republic should note the UOOU's enforcement priorities for 2025. If you operate loyalty programs, conduct a thorough review of the personal data you collect and ensure that participation requirements are GDPR-compliant.
Public transport operators and users of CCTV systems should review their surveillance practices against the UOOU's updated methodology.
While public bodies are exempt from GDPR fines, they remain subject to corrective orders. Government entities should not treat the fine exemption as a reason to neglect compliance.
Organizations that pseudonymize data for sharing with third parties should carefully assess whether their pseudonymization techniques genuinely reduce the risk of re-identification. The Avast case showed that the UOOU will challenge pseudonymization that falls short of true anonymization.
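The kind of assessment the tip above calls for can be made concrete. The following is an added example, not code from the article or from the UOOU: it builds a small constructed "pseudonymised browsing export" (direct identifiers replaced by salted SHA-256 tokens, quasi-identifiers such as city, browser and OS left in place) and measures how easy it still is to single individuals out, using k-anonymity over the quasi-identifier tuple and the number of records a single stable token links together. The salt, the records, the quasi-identifier set and the k threshold of 2 are all assumptions of the example.

```python
"""Re-identification risk check for a pseudonymised data export.

Added example (not from the article or the UOOU): measures whether a
pseudonymised record set still lets individuals be singled out.
All data below is constructed.
"""
from collections import defaultdict, Counter
import hashlib

SALT = b"example-salt-kept-out-of-the-export"   # constructed value


def pseudonymise(user_id: str) -> str:
    """Replace a direct identifier with a salted, truncated SHA-256 token."""
    return hashlib.sha256(SALT + user_id.encode()).hexdigest()[:16]


# Constructed raw records: (user_id, city, browser, os, visited_url)
RAW_RECORDS = [
    ("u1", "Prague", "Chrome", "Windows", "shop.example/cart"),
    ("u1", "Prague", "Chrome", "Windows", "bank.example/login"),
    ("u2", "Prague", "Chrome", "Windows", "news.example"),
    ("u3", "Brno", "Firefox", "Linux", "forum.example/thread/1"),
    ("u4", "Ostrava", "Safari", "macOS", "clinic.example/appointments"),
    ("u5", "Prague", "Chrome", "Windows", "news.example/sports"),
    ("u6", "Plzen", "Firefox", "Linux", "shop.example/search?q=stroller"),
    ("u7", "Olomouc", "Safari", "macOS", "mail.example/inbox"),
]

# Attributes that remain in the export and could be matched against other
# data held by the recipient (assumed set for this example).
QUASI_IDENTIFIERS = ("city", "browser", "os")


def export_rows(records):
    """Build the 'pseudonymised' export a controller might hand to a partner."""
    return [
        {"token": pseudonymise(uid), "city": city, "browser": br, "os": os_, "url": url}
        for uid, city, br, os_, url in records
    ]


def generalise(rows):
    """One possible mitigation: coarsen quasi-identifiers by dropping city to
    country level and collapsing the OS to a device class."""
    return [dict(r, city="CZ", os="desktop") for r in rows]


def risk_report(rows, quasi_identifiers=QUASI_IDENTIFIERS, k_threshold=2):
    """k-anonymity over the quasi-identifier tuple, counting distinct
    pseudonyms (people) per equivalence class rather than rows, plus the
    largest number of records a single stable token links together."""
    classes = defaultdict(set)
    for r in rows:
        classes[tuple(r[q] for q in quasi_identifiers)].add(r["token"])
    people = {r["token"] for r in rows}
    singled_out = sum(len(t) for t in classes.values() if len(t) == 1)
    profile_sizes = Counter(r["token"] for r in rows)
    k = min(len(t) for t in classes.values())
    return {
        "k": k,
        "singled_out_share": singled_out / len(people),
        "max_profile_size": max(profile_sizes.values()),
        "meets_threshold": k >= k_threshold,
    }


if __name__ == "__main__":
    rows = export_rows(RAW_RECORDS)
    print("as exported:", risk_report(rows))
    print("generalised:", risk_report(generalise(rows)))
```

On the constructed data the export as built has k = 1 with four of seven people in an equivalence class of their own, so replacing the user id with a hash has not stopped those people being singled out; generalising city and OS raises k to 2. The report also shows that a token that stays stable across every record lets the recipient accumulate a per-person profile (here two records for the same token), which is the kind of linkability that coarsening quasi-identifiers alone does not remove.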
Disclaimer: This article provides general information about the Czech Republic's data privacy laws and is not legal advice. Data protection laws change frequently. Consult a qualified attorney licensed in the Czech Republic for guidance on your specific situation.
Sources and References
- UOOU Official Website (uoou.gov.cz)
- UOOU About Page (uoou.gov.cz)
- UOOU Avast Fine (uoou.gov.cz)
- CMS Expert Guide (cms.law)
- CMS Enforcement Tracker (cms.law)
- DLA Piper Czech Republic (dlapiperdataprotection.com)