Czech Republic - Data Protection updates from the Czech Republic
Published 19 April 2016
Czech DPA announces 2016 'controlling plan'
The Office for Personal Data Protection (the "Czech DPA") announced its 'controlling plan' for 2016. One of the new areas of control will be cloud computing and the protection of personal data gathered during the provision of cloud services.
Organisations should be mindful that cloud computing will be one of the Czech DPA's focus areas in 2016 should it make use of cloud technology.
For the 2016 'controlling plan', click here (Czech).
Statement issued on the use of CCTV
In January 2016, the Czech DPA issued an official statement concerning the use of CCTV in multi-storey flat-houses, advising that the use of CCTV should be carefully considered and the possible gain from the use of CCTV, namely security, should be balanced against its impact on the right to privacy. The statement also addresses places where CCTV can be placed, specifically excluding the area in front of the flat-houses where the tenants enter their flat on the basis that monitoring of this area invades the tenant's privacy in an excessive manner. It was also noted that CCTV and any recordings should be kept in a safe location and the recordings should only be used in cases of investigation. Any unauthorised use of the recordings constitutes an offence and can result in a fine.
To see the statement issued by the Czech DPA, click here (Czech).
Czech DPA addresses regulation of drones
In its December 2015 bulletin the Czech DPA also addressed the regulation concerning unmanned aerial vehicles ("UAVs"), widely known as drones. Every operator of an UAV equipped with a camera that is recording is deemed to be an “administrator of personal data” and therefore subject to the Act No. 101/2000 Coll., on the Protection of Personal Data. After every flight, the operator of an UAV is obliged to check the recording for any person that can be identified and to obtain that person's consent to their personal data being processed. If consent is not given, the administrator will be obliged to delete the recording. This proves very problematic, particularly in instances where the recording has captured many people in a public place.
There is however, an exception to the obligation described above - when the recording is made in order to safeguard the legal interest of the operator of the UAV. In this case, the operator has to inform any relevant persons about the recording, the operator should register him/herself with the Czech DPA as an administrator of personal data and the UAV should be easily identifiable. There are discussions about the possible regulation of UAVs and the related problems with personal data, but to date, no appropriate solution has been identified.
Organisations should also ensure any use they make of drones in the Czech Republic is aligned with the position set out in the Czech DPA's bulletin.
For the Czech DPA's bulletin on the regulation of drones, click here (Czech).
Submitted by Dominik Pašek of JSK Law – Prague, Czech Republic