Data protection & privacy laws in Czechia (2026)

Act No. 110/2019 Coll. on Personal Data Processing entered into force on 24 April 2019, replacing Act No. 101/2000 Coll. It adapts GDPR at the national level and also implements Directive (EU) 2016/680 (LED) for law-enforcement processing of personal data.

The Office for Personal Data Protection (UOOU), based in Prague, is the independent national DPA. It is a member of the EDPB, cooperates with the EDPS on Schengen-related supervisory matters, and publishes binding decisions and annual enforcement plans.

Section 7 of Act No. 110/2019 lowers the age of valid consent for information-society services to 15 years (below the GDPR default of 16), the minimum permitted under GDPR Article 8. This covers social networks, apps, streaming, and marketing newsletters.

Czech national law opts out of GDPR administrative fines for public authorities and bodies; these entities cannot be fined for GDPR or Act No. 110/2019 infringements, though other corrective powers of the UOOU still apply.

In April 2024 the UOOU issued a final binding appellate decision fining Avast Software s.r.o. CZK 351 million (approx. EUR 13.9 million) for transferring pseudonymised browsing history of ~100 million users to a sister company without a valid legal basis, violating GDPR Articles 6 and 13.

The UOOU's 2025 control plan targets retailers conditioning discounts on loyalty-programme enrolment (lawfulness of processing) and CCTV systems in public transport, applying its updated CCTV methodology to assess proportionality and transparency obligations.