In the Czech Republic, there have not yet been any GDPR-related court cases, and there are only a few resolutions of the Office for Personal Data Protection (the ‘Office’) on breaches of the GDPR. This is because the implementation law only became effective on 24 April 2019, and until that time the Office only issued warnings or recommendations. We nevertheless believe that the Office’s approach, both in terms of sanctions and in its assessment of specific data privacy situations, will be similar to that adopted while the previous legal regulation was in force. Before the GDPR, the Office either did not fine employers for mistakes in data privacy documentation or processes or imposed very low fines (most were between EUR 100 and 1,000).
The Act on Personal Data Processing (‘Zákon o zpracování osobních údajů’) has been in effect since 24 April 2019. It does not include any specific employment law-related provisions. Therefore, employers, as data controllers, must comply mainly with the provisions of the GDPR and the Labour Code, which regulates monitoring of employees and recruitment rules. The new Act only contains minor exceptions, such as an amendment to the obligation of the controller to notify a data subject of a personal data breach or the exemption from the duty to perform a data protection impact assessment (DPIA) if the duty to process the personal data is stipulated by law.
The volume of GDPR-related information currently available and useful to employers is substantially larger than what we had in May 2018. The Office for Personal Data Protection has published quite a lot of guides on the GDPR and issued several useful statements focused on specific matters, such as marketing, biometrics, employees’ consent, use of employees’ photos, the need to prepare a DPIA and more. The majority of employers are still dealing with GDPR-related problems, and quite a number of them have not yet provided the relevant GDPR documentation to employees.