Czech Republic Data Privacy Laws: GDPR, Act 110/2019 & ÚOOÚ Guide (2026)

Czech Republic data privacy law combines the directly applicable EU GDPR with Act No. 110/2019 Coll. (ZZOOU), which took effect on 24 April 2019 and adds national rules on public bodies, criminal-justice processing, and enforcement. The Office for Personal Data Protection (UOOU) serves as the independent supervisory authority.
The Czech Republic occupies an instructive position in the European data protection landscape. As an EU member state, it applies the GDPR directly, but the national implementing legislation and the enforcement practice of the UOOU give Czech data protection a character of its own. The landmark Avast Software fine, one of the largest GDPR penalties ever imposed by a Central European authority, signals that the UOOU is prepared to deploy its full enforcement arsenal. Meanwhile, the authority's proactive challenge to consent-or-pay models used by Czech media publishers placed it ahead of many EU peers.
This guide covers the full scope of Czech data protection law: from the constitutional roots through the statutory framework, the UOOU's powers, data subject rights, international transfers, the EU AI Act overlay, and the compliance priorities that matter most in 2025 and 2026.
Quick Answer
The Czech Republic's data privacy regime rests on three pillars. The EU General Data Protection Regulation (GDPR) applies directly as EU law, setting the overarching rules for all personal data processing. Act No. 110/2019 Coll. (ZZOOU) is the national implementing statute, adding Czech-specific rules on public authorities, law enforcement processing, and procedural matters. The Office for Personal Data Protection (UOOU) is the independent regulator that enforces both instruments.
For most businesses operating in the Czech Republic, GDPR compliance is the operative standard. The ZZOOU matters most for public bodies, for organizations processing data in a law enforcement context, and for certain situations where the GDPR expressly permits national variation.
Constitutional Basis: Charter of Fundamental Rights and Freedoms
Czech data protection law has a constitutional foundation that predates both the GDPR and the 2019 implementing statute. The Charter of Fundamental Rights and Freedoms, enacted in 1991 and carrying the same legal force as the Czech Constitution itself, protects personal data at the highest normative level.
Article 10(3) of the Charter provides that everyone has the right to protection from unauthorized gathering, publication, or other misuse of their personal data. This provision sits alongside Article 10(1), which protects human dignity and personal integrity, and Article 10(2), which guards against unauthorized interference in personal and family life.
The Charter's constitutional status means that any statute permitting personal data processing must be consistent with these protections. The Czech Constitutional Court has drawn on Article 10 in cases involving state surveillance, biometric data collection, and the scope of public registers. This constitutional grounding is why Czech data protection law cannot be reduced simply to GDPR compliance: the GDPR operates within a constitutional framework that independently constrains what Czech legislators and public authorities can authorize.
The GDPR and Act No. 110/2019 Coll.: The Statutory Framework
How the Two Instruments Interact
The GDPR is a directly applicable EU regulation. It does not need to be transposed into Czech law; it creates rights and obligations that apply automatically to all natural and legal persons in the Czech Republic. Any provision of the ZZOOU that conflicts with the GDPR is displaced by the regulation.
The ZZOOU (Act No. 110/2019 Coll. on Processing of Personal Data) performs three distinct functions. First, it exercises the opening clauses of the GDPR, which permit or require member states to specify national rules in particular areas. Second, it transposes Directive 2016/680 (the Law Enforcement Directive) for data processing in criminal-justice contexts. Third, it governs processing that falls outside the scope of EU law, including certain national security and intelligence-related activities.
The Act replaced the earlier Act No. 101/2000 Coll. on the Protection of Personal Data, which had implemented the 1995 EU Data Protection Directive. The gap between the GDPR's application date (25 May 2018) and the ZZOOU's entry into force (24 April 2019) meant that for nearly a year the GDPR applied directly in the Czech Republic without a completed domestic adaptation statute.
Key National Choices Under the ZZOOU
Several aspects of the ZZOOU reflect deliberate Czech policy choices that differ from the approaches taken by other member states.
The most significant is the complete exemption of public bodies from GDPR administrative fines. The Czech legislator exercised the discretion provided by Article 83(7) of the GDPR to exclude government entities from the UOOU's fining power for GDPR violations. Czech ministries, municipalities, regional governments, state agencies, and other public bodies cannot be fined by the UOOU under the GDPR, regardless of the seriousness of a violation. The authority retains power to issue corrective orders, but the absence of financial penalties has attracted criticism from data protection practitioners who argue that it reduces the incentive for public sector compliance.
For processing under the Law Enforcement Directive portion of the Act, public bodies can be fined, but the ceiling is capped at CZK 10 million (approximately EUR 400,000), substantially below the GDPR's standard framework.
The digital consent age is set at 15. Children aged 15 and older may independently consent to information society services. Children under 15 require parental or guardian authorization.
The ZZOOU also provides that controllers may limit or delay personal data breach notifications to the UOOU if notification would compromise the defense or security interests of the Czech Republic, a derogation available to national security and intelligence bodies.
The UOOU: Czech Data Protection Authority

The Office for Personal Data Protection (Úřad pro ochranu osobních údajů, UOOU) is the Czech Republic's independent supervisory authority for data protection. It was established under the predecessor 2000 Act and reconstituted under the ZZOOU as the single authority responsible for enforcing the GDPR, the Law Enforcement Directive, and other data protection statutes in the Czech Republic.
Structure and Resources
The UOOU operates with approximately 100 employees, all based in Prague. Its annual budget is approximately EUR 7.5 million. The authority is led by a President appointed by the President of the Republic for a five-year term. The UOOU President rules on administrative appeals against first-instance decisions issued by UOOU inspectors and serves as the external face of the authority.
Title V of the ZZOOU establishes the UOOU as a central administrative authority independent of government direction on individual cases. This independence is reinforced by rules preventing dismissal of the UOOU President except for serious misconduct or incapacity.
Supervisory Powers
The UOOU holds the full range of investigative and corrective powers provided by the GDPR. It can conduct inspections on its own initiative or in response to complaints. It can access business premises, obtain documents, and interview staff. It can issue warnings and reprimands, order controllers and processors to bring processing into compliance, impose temporary or permanent processing bans, order the suspension of data flows to third countries, and impose administrative fines.
Beyond GDPR enforcement, the UOOU also supervises compliance with the Electronic Communications Act (No. 127/2005 Coll.) regarding cookie consent and the processing of traffic data, and with Act No. 480/2004 Coll. regarding unsolicited commercial communications. In the AI context, the UOOU has been designated as the authority responsible for fundamental-rights oversight when high-risk AI systems listed in Annex III of the EU AI Act are deployed in the Czech Republic.
Advisory and Guidance Functions
The UOOU publishes guidance on topics ranging from CCTV methodology to DPO appointment requirements. It provides opinions on draft legislation that may affect personal data processing, and it participates in the European Data Protection Board alongside the supervisory authorities of other member states. The authority maintains a public registry of appointed DPOs and provides official forms for data breach notifications.
Legal Bases for Processing
Processing of personal data in the Czech Republic must rest on one of the six lawful bases in Article 6 of the GDPR.
Consent must be freely given, specific, informed, and unambiguous. It must involve an affirmative act rather than silence, pre-ticked boxes, or inactivity. Controllers must be able to demonstrate that consent was obtained and must make withdrawal as easy as giving consent. The UOOU's challenge to consent-or-pay models underlines the authority's strict approach to the freedom requirement: consent given under financial pressure to avoid a paywall may not satisfy the freely-given test.
Contractual necessity allows processing needed to perform a contract to which the data subject is a party, or to take pre-contractual steps at the data subject's request.
Legal obligation covers processing required to comply with Czech or EU law.
Vital interests allow processing to protect life where the data subject cannot consent.
Public task or official authority covers processing by public bodies and organizations exercising delegated public functions.
Legitimate interests allow private organizations to process data for a genuine purpose that is not overridden by the data subject's rights. This is the most complex basis and requires a documented three-part balancing test.
For special category data (health, genetic, biometric, racial or ethnic origin, political opinions, religious beliefs, trade union membership, sex life or sexual orientation, or criminal convictions), one of the additional grounds in Article 9 of the GDPR must also be satisfied. Czech law adds no special category bases beyond those in the GDPR itself.
Data Subject Rights
Czech residents enjoy the full set of data subject rights under Articles 12 to 22 of the GDPR. Controllers must respond to requests without undue delay and within one calendar month. In cases of complexity or volume, the response period may be extended by a further two months, provided the controller informs the data subject of the extension and the reasons within the initial one-month window.
The right of access entitles individuals to confirmation of whether their data is processed and, if so, a copy of the data along with information about purposes, categories, recipients, retention periods, and the existence of other rights.
The right to rectification requires correction of inaccurate personal data and completion of incomplete data, having regard to the purposes of processing.
The right to erasure (the right to be forgotten) applies in defined circumstances, including where data is no longer necessary for the original purpose, where consent is withdrawn and no other basis applies, or where data has been unlawfully processed.
The right to restriction allows data subjects to suspend processing while contesting accuracy, or while awaiting the outcome of an objection.
Data portability entitles individuals to receive data in a structured, commonly used, machine-readable format, and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
The right to object applies to processing based on legitimate interests or public task, including profiling on those bases. Controllers must cease processing unless they demonstrate compelling legitimate grounds that override the data subject's interests. The right to object to direct marketing is absolute and must always be honored.
Protection from automated decision-making entitles individuals to human review of decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects.
The UOOU handles complaints from individuals who believe their rights have not been respected. In 2024, the authority recorded 336 reported data breaches, reflecting the ongoing volume of breach-related work alongside complaint handling.
Data Protection Officers
The DPO appointment requirements in the Czech Republic follow Articles 37 to 39 of the GDPR without material modification by the ZZOOU.
A DPO must be appointed by any public authority or public body (with the exception of courts acting in their judicial capacity). In the private sector, a DPO is mandatory for organizations whose core activities require large-scale, regular, and systematic monitoring of individuals, or whose core activities consist of large-scale processing of special category data or data relating to criminal convictions.
The DPO may be an employee or an external contractor. The person appointed must have expert knowledge of data protection law and practice sufficient for the role. The UOOU has published guidance emphasizing that DPOs require genuine operational independence: they must not receive instructions on how to exercise their tasks, must not be penalized for doing their job, and must have direct access to senior management.
The UOOU maintains a public register of DPOs. Controllers required to appoint a DPO must communicate the DPO's contact details to the UOOU and publish them.
Personal Data Breach Notification

Controllers must notify the UOOU without undue delay, and where feasible within 72 hours of becoming aware of a personal data breach, if the breach is likely to result in a risk to the rights and freedoms of natural persons. Where notification is not made within 72 hours, the controller must provide a reasoned explanation for the delay.
If the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify the affected data subjects directly without undue delay. The notification must describe the nature of the breach, provide contact details of the DPO or other relevant contact, describe the likely consequences, and set out the measures taken or proposed.
The UOOU provides official notification forms and guidance on its website. In its 2024 annual report, the authority recorded 336 breach notifications, with cyberattacks cited as the predominant cause. This figure reflects a consistent uptick in breach reporting as GDPR notification obligations have become embedded in organizational incident response procedures.
The ZZOOU contains a derogation for national security contexts: controllers processing data for defense or national security purposes may limit or delay notifications to the extent necessary and proportionate to protect those interests.
International Data Transfers
The Czech Republic applies the GDPR's Chapter V framework for transferring personal data to countries outside the European Economic Area without any material national modifications.
Standard Transfer Mechanisms
Transfers to countries covered by a European Commission adequacy decision require no additional safeguards. The current list of adequate countries includes the United Kingdom, Switzerland, Canada (commercial organizations), Israel, Japan, New Zealand, South Korea, Uruguay, and the United States under the EU-US Data Privacy Framework (adopted in 2023). Singapore received adequacy status in late 2024.
Where no adequacy decision exists, controllers must implement appropriate safeguards. The most commonly used instrument is the European Commission's standard contractual clauses (SCCs), updated in 2021. Controllers using SCCs must also conduct transfer impact assessments to evaluate whether the law and practice of the recipient country undermines the SCCs' protections.
Binding corporate rules are available for intra-group transfers within multinational enterprises. Other mechanisms include approved codes of conduct and certification schemes.
Derogations under Article 49 of the GDPR are available for specific situations including explicit consent, contract performance necessity, public interest, legal claims, and vital interests, but these are narrow exceptions and cannot serve as routine transfer mechanisms.
The Avast Lesson on Transfers
The UOOU's enforcement action against Avast Software illustrates the authority's approach to transfer requirements. Avast treated browsing data as anonymized on the basis that it had been pseudonymized before transfer to its subsidiary Jumpshot. The authority found that pseudonymized data tied to a unique identifier remained personal data because re-identification of at least some users was technically feasible. The absence of a lawful transfer basis for this personal data was one of the two GDPR violations confirmed in the April 2024 appellate decision. Organizations relying on pseudonymization as a substitute for proper transfer safeguards face the same risk.
EU AI Act Interaction
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024 and applies progressively across the EU, including the Czech Republic. The interaction between the AI Act and the GDPR is significant because many high-risk AI systems process personal data, meaning both regulatory regimes apply simultaneously.
The UOOU's Role Under the AI Act
The UOOU has been designated as one of the competent authorities for fundamental-rights oversight in relation to high-risk AI systems listed in Annex III of the EU AI Act. This means that when high-risk AI systems are deployed in areas such as biometric identification, employment, education, essential services, or law enforcement, the UOOU's oversight of personal data processing intersects with the AI Act's requirements.
The Public Defender of Rights (Ombudsman) has been designated alongside the UOOU for this fundamental-rights supervisory role. The two authorities are expected to coordinate their activities where AI systems raise both data protection and broader rights concerns.
Czech National AI Legislation
The Czech Republic is preparing a national Act on Artificial Intelligence to complement the EU AI Act's framework with domestic implementation measures. The Ministry of Industry and Trade was tasked with preparing a draft by 31 October 2025, with adoption anticipated in 2026. The Czech government has allocated CZK 232 million from the state budget for AI Act implementation in 2026 to 2028 and has created new positions at relevant authorities to support this work.
Under the proposed structure, the Czech Telecommunications Office will become the primary market surveillance authority and single national contact point for the EU AI Act. The UOOU will continue its fundamental-rights role. Organizations deploying high-risk AI systems in the Czech Republic should monitor the progress of the draft Act, which will clarify inspection powers, sanction levels, and the precise scope of each authority's jurisdiction.
Practical Intersection for Businesses
Organizations using AI systems to process personal data of Czech residents face compliance obligations under both regimes. An AI system that makes automated decisions affecting individuals engages both the GDPR's Article 22 protections and, if it qualifies as high-risk under the AI Act's Annex III, the Act's requirements for transparency, human oversight, and technical documentation. Privacy impact assessments and AI conformity assessments will increasingly need to be conducted in parallel.
Penalties and UOOU Enforcement
The Standard Fine Framework
The GDPR's two-tier administrative fine structure applies in the Czech Republic for private sector controllers and processors. The lower tier, covering violations such as failures in security measures, breach notification, DPO appointment, and data protection by design, carries a maximum of EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. The upper tier, covering violations of core principles such as the legal basis for processing, the rights of data subjects, and restrictions on international transfers, carries a maximum of EUR 20 million or 4% of total worldwide annual turnover, whichever is higher.
From 2018 through 2024, the UOOU issued fines totaling approximately EUR 16 million across all enforcement actions, with the Avast fine of approximately EUR 13.9 million accounting for the overwhelming majority of that total.
The Avast Software Case (April 2024)

The UOOU's most consequential enforcement action is the case against Avast Software s.r.o. and its parent Avast Limited, resulting in a fine of CZK 351 million (approximately EUR 13.9 million). The decision was made final and binding by the UOOU President on 10 April 2024.
Background. Avast operated a suite of antivirus software and browser extensions used by hundreds of millions of people worldwide. Through these tools, the company collected internet browsing history tied to a unique identifier assigned to each device. This data was transferred to Jumpshot, Inc., a subsidiary that sold analytical products to marketing clients describing consumer behavior and preferences.
Violations found. The UOOU found violations of Article 6 (lawfulness of processing) and Article 13(1) (information to be provided at collection) of the GDPR. Avast had described the data transfers as involving anonymized data used for trend analytics. The authority found that the browsing history, although pseudonymized, constituted personal data because re-identification of at least some affected individuals was possible through the unique identifier. No adequate lawful basis existed for the transfer to Jumpshot. Users were misinformed about the nature and purpose of the processing.
Procedural history. The UOOU, as the Czech supervisory authority, served as the lead supervisory authority under the GDPR's one-stop-shop cooperation mechanism, given Avast's EU establishment in the Czech Republic. The first-instance decision was issued on 14 March 2022. Avast filed an administrative appeal, and the UOOU President issued the appellate decision confirming the fine on 10 April 2024. The European Data Protection Board was involved as part of the cooperation procedure.
Significance. The case is the largest GDPR fine ever imposed by the UOOU and one of the largest in Central and Eastern Europe. It confirms that pseudonymization alone does not render data non-personal if re-identification remains technically feasible. It demonstrates the UOOU's willingness to act as a lead authority in complex cross-border cases and to sustain enforcement action through multi-year appellate proceedings.
Consent-or-Pay Model Challenge
In a notable enforcement initiative in 2024, the UOOU became one of the first EU data protection authorities to challenge the consent-or-pay model used by online publishers. Several major Czech media groups, including Czech News Centre, Mafra, Economia, and Seznam, introduced cookie walls requiring users to either consent to behavioral tracking or pay for an ad-free version of their services. The UOOU launched an investigation into whether consent given under these conditions is genuinely freely given within the meaning of the GDPR.
This action aligned with broader European scrutiny of consent-or-pay practices. The European Data Protection Board issued Opinion 08/2024 on valid consent in the context of consent-or-pay models deployed by large online platforms, and the European Commission found in July 2024 that Meta's equivalent model failed to comply with the EU Digital Markets Act.
Other Notable Enforcement Actions
Spam campaign. The UOOU imposed a fine exceeding EUR 230,000 for a mass marketing campaign that sent unsolicited commercial emails to nearly 500,000 recipients without adequate consent. This case demonstrated the authority's reach in electronic marketing enforcement.
CCTV cases. The UOOU has pursued multiple enforcement actions involving video surveillance, including improper camera use in residential buildings, workplaces, and public-facing commercial premises. The authority has developed detailed CCTV methodology that goes beyond the bare GDPR framework.
Public Body Exemption
Czech public bodies are fully exempt from GDPR administrative fines. Government entities that violate GDPR obligations face corrective orders from the UOOU but not financial penalties. This choice, made under Article 83(7) of the GDPR, has attracted criticism from civil society organizations and data protection practitioners who argue that the absence of financial consequences weakens public sector compliance incentives.
2025 and 2026 Enforcement Priorities and Developments
The UOOU published its 2025 control plan identifying three primary enforcement focus areas for active audit and investigation.
Loyalty program data processing. The authority is examining whether retailers who condition price discounts on customer participation in loyalty schemes comply with GDPR requirements. This area involves questions about whether consent is genuinely voluntary when the alternative is paying higher prices, whether the volume of data collected is proportionate to the stated purpose, and whether retention periods are justified.
CCTV in public transport. The UOOU is scrutinizing video surveillance systems operated by public transport providers, applying its updated CCTV methodology to evaluate compliance with purpose limitation, retention limits, signage requirements, and data subject rights.
Online comparison service marketing. The authority is investigating practices of providers offering insurance, loan, and similar comparison services who send commercial communications to individuals who have previously used their platforms. This sector has not previously been subject to comprehensive UOOU audit.
Looking to 2026, the UOOU's work is expected to expand into AI oversight as the national AI Act advances through the legislative process. The authority's fundamental-rights supervisory role under the EU AI Act will increasingly generate enforcement activity as organizations deploy high-risk AI systems.
Act on Digital Economics. A draft Act on Digital Economics is under preparation. If adopted, it would require renewal of customer marketing consent every two years and mandate opt-out options both at the point of data collection and in each subsequent marketing message. Parliamentary scheduling may affect the timeline, but the direction of travel is toward tighter electronic marketing rules.
2024 Annual Report highlights. The UOOU's 2024 annual report documented 336 reported data breaches, with cyberattacks as the primary cause. The authority also highlighted emerging challenges from AI and digital marketing technologies, and confirmed its fundamental-rights designation under the EU AI Act.
Electronic Marketing and Cookies
The Czech Republic implements the ePrivacy Directive through Act No. 480/2004 Coll. on Certain Information Society Services and Act No. 127/2005 Coll. on Electronic Communications.
Prior opt-in consent is required for marketing emails, SMS messages, and other electronic commercial communications. A limited exception applies for existing customers in relation to their own similar products or services, provided the customer was given a clear opportunity to opt out at the time of collection and in each subsequent message.
Since 1 January 2022, opt-in consent is also required for non-essential cookies and similar tracking technologies. The Czech Telecommunications Office supervises cookie compliance alongside the UOOU.
Business Compliance Guidance
Organizations operating in the Czech Republic should treat GDPR compliance as the baseline requirement, supplemented by awareness of the specific Czech national choices.
For controllers relying on pseudonymization, the Avast case is a direct warning. Pseudonymized data remains personal data if re-identification is technically feasible. Relying on pseudonymization as the basis for a transfer to a third party, or as a substitute for a lawful transfer mechanism, creates serious liability risk.
For retailers and loyalty programs, the UOOU's 2025 enforcement focus should prompt a review of how consent is obtained for loyalty scheme participation, what data is collected relative to the discount offered, how long that data is retained, and whether participation requirements are proportionate.
For public transport operators and CCTV users more broadly, the authority's updated CCTV methodology should be applied to all existing surveillance deployments. Key questions include whether a legitimate interest assessment has been conducted and documented, whether signage is compliant, and whether retention periods reflect genuine operational needs.
For organizations deploying AI systems, the intersection of the GDPR and the EU AI Act means that privacy impact assessments should be integrated with any conformity or risk assessment required under the AI Act framework. The UOOU's designation as a fundamental-rights authority under the AI Act means that it will be an active participant in enforcement involving high-risk AI.
For public bodies, the fine exemption does not eliminate compliance risk. The UOOU retains authority to issue corrective orders, and reputational consequences of public enforcement action are significant regardless of whether a fine is attached.
The age of digital consent (15 years) is lower than in several other EU member states, which have set the age at 16. Organizations offering information society services to Czech users must implement age verification or parental consent mechanisms consistent with the 15-year threshold.
Disclaimer: This article provides general information about the Czech Republic's data privacy laws and is not legal advice. Data protection law changes frequently. Consult a qualified attorney licensed in the Czech Republic for guidance on your specific situation. See also our related pages on Czech Republic recording laws and EU data privacy laws.
Frequently Asked Questions
What is the Czech Republic's main data protection law?
Czech data protection rests on two instruments. The EU GDPR applies directly as EU law and sets the overarching standards. Act No. 110/2019 Coll. on Processing of Personal Data (ZZOOU), in force since 24 April 2019, supplements the GDPR with national provisions on public bodies, law enforcement data processing, and procedural matters. The constitutional basis is Article 10(3) of the Czech Charter of Fundamental Rights and Freedoms.
Who enforces data protection law in the Czech Republic?
The Office for Personal Data Protection (Úřad pro ochranu osobních údajů, UOOU) is the sole data protection supervisory authority in the Czech Republic. It is an independent authority with approximately 100 employees based in Prague. It enforces the GDPR, the ZZOOU, and related legislation including electronic communications and anti-spam rules. Complaints can be filed at uoou.gov.cz.
What was the largest GDPR fine in the Czech Republic?
The UOOU imposed a fine of CZK 351 million (approximately EUR 13.9 million) against Avast Software s.r.o. and its parent Avast Limited. The appellate decision was made final on 10 April 2024. The UOOU found that Avast unlawfully transferred pseudonymized browsing data of approximately 100 million antivirus users to its subsidiary Jumpshot without a valid lawful basis and while misinforming users about the nature of the transfers.
Can Czech government bodies be fined for GDPR violations?
No. The Czech Republic used Article 83(7) of the GDPR to fully exempt public bodies from GDPR administrative fines. Czech ministries, municipalities, state agencies, and other public bodies cannot be fined by the UOOU under the GDPR. The UOOU can still issue corrective orders against public entities. Under the Law Enforcement Directive portion of the ZZOOU, public body fines are capped at CZK 10 million (approximately EUR 400,000).
What is the age of digital consent in the Czech Republic?
The Czech Republic set the age of digital consent at 15 years old. Children aged 15 and older can independently consent to information society services such as social media platforms. Children under 15 require parental or guardian authorization. This threshold is lower than in several other EU member states.
What are the UOOU's enforcement priorities in 2025 and 2026?
The UOOU's 2025 control plan targets three areas: personal data processing by retailers who condition discounts on loyalty scheme participation, CCTV systems in public transport, and marketing practices of online comparison service providers. Looking to 2026, the authority's emerging priority is fundamental-rights oversight of high-risk AI systems under the EU AI Act, as Czech national AI legislation is expected to be adopted in 2026.
Does the EU AI Act affect data privacy obligations in the Czech Republic?
Yes. The EU AI Act (Regulation 2024/1689) has been directly applicable across the EU since August 2024. In the Czech Republic, the UOOU has been designated as the competent authority for fundamental-rights oversight of high-risk AI systems. Organizations deploying high-risk AI that processes personal data face simultaneous obligations under both the AI Act and the GDPR, requiring coordinated privacy and conformity assessments.
What rules apply to international data transfers from the Czech Republic?
The Czech Republic applies the GDPR Chapter V transfer framework without national modifications. Transfers to countries with a European Commission adequacy decision (including the UK, US under the EU-US Data Privacy Framework, Japan, and others) may proceed without additional safeguards. Transfers to non-adequate countries require appropriate safeguards, most commonly the EU standard contractual clauses. The Avast case confirmed that pseudonymization is not a substitute for a valid transfer mechanism.
Sources and References
- UOOU Official Website (uoou.gov.cz)
- UOOU: About the Czech DPA (uoou.gov.cz)
- UOOU: Avast Fine Announcement (uoou.gov.cz)
- Act No. 110/2019 Coll., English Translation (uoou.gov.cz)
- EDPB: Avast Fine Announcement (edpb.europa.eu)
- Czech Charter of Fundamental Rights and Freedoms (usoud.cz)
- CMS Expert Guide: Czech Republic (cms.law)
- CMS GDPR Enforcement Tracker: Czech Republic (cms.law)
- DLA Piper: Czech Republic Data Protection (dlapiperdataprotection.com)
- Linklaters Data Protected: Czech Republic (linklaters.com)
- CMS AI Laws: Czech Republic (cms.law)
- EDPB Opinion 08/2024: Consent or Pay (edpb.europa.eu)
- EU AI Act Implementation Timeline (ai-act-service-desk.ec.europa.eu)