Data & Privacy · Czechia
Data protection & GDPR compliance in Czechia (2026)
Czechia shaded by its data & privacy status
Data protection in Czechia: comprehensive law, under GDPR (Regulation (EU) 2016/679) directly applicable, supplemented by Act No. 110/2019 Coll. on Personal Data Processing (national adaptation law); supervised by the Office for Personal Data Protection (Úřad pro ochranu osobních údajů, UOOU).
Czechia operates under the EU's GDPR as directly applicable law, with Act No. 110/2019 Coll. serving as the national adaptation statute that replaced the former Act No. 101/2000 Coll. and implements GDPR derogations, the Law Enforcement Directive (2016/680), and the PNRD. The independent supervisory authority is the UOOU (uoou.gov.cz), which is a full member of the European Data Protection Board and carries active enforcement powers including significant fines.
GDPR & data protection in Czechia
In Czechia, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Office for Personal Data Protection (ÚOOÚ).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Office for Personal Data Protection (ÚOOÚ)
- Applies to
- any organisation processing the personal data of people in Czechia, wherever the organisation is based
- Maximum fine
- €20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Czechia supplements it with a national data-protection act and its own supervisory authority.
GDPR in Czechia: FAQ
Yes. As an EU/EEA member, Czechia applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Office for Personal Data Protection (ÚOOÚ).
The Office for Personal Data Protection (ÚOOÚ).
Up to €20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
Act No. 110/2019 Coll. on Personal Data Processing entered into force on 24 April 2019, replacing Act No. 101/2000 Coll. It adapts GDPR at the national level and also implements Directive (EU) 2016/680 (LED) for law-enforcement processing of personal data.
The Office for Personal Data Protection (UOOU), based in Prague, is the independent national DPA. It is a member of the EDPB, cooperates with the EDPS on Schengen-related supervisory matters, and publishes binding decisions and annual enforcement plans.
Section 7 of Act No. 110/2019 lowers the age of valid consent for information-society services to 15 years (below the GDPR default of 16), the minimum permitted under GDPR Article 8. This covers social networks, apps, streaming, and marketing newsletters.
Czech national law opts out of GDPR administrative fines for public authorities and bodies; these entities cannot be fined for GDPR or Act No. 110/2019 infringements, though other corrective powers of the UOOU still apply.
In April 2024 the UOOU issued a final binding appellate decision fining Avast Software s.r.o. CZK 351 million (approx. EUR 13.9 million) for transferring pseudonymised browsing history of ~100 million users to a sister company without a valid legal basis, violating GDPR Articles 6 and 13.
The UOOU's 2025 control plan targets retailers conditioning discounts on loyalty-programme enrolment (lawfulness of processing) and CCTV systems in public transport, applying its updated CCTV methodology to assess proportionality and transparency obligations.
Czechia - other topics
Data & Privacy in other countries
Last verified 5/24/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →