Data Protection in Czech Republic during Covid-19

At the beginning of the state of emergency, the Ministry of Health adopted a measure ordering mobile telephony operators and banks to process operational - localization data  and information about the use of electronic means of payment and to hand over these data to the Ministry of Health or municipal health stations. The purpose of this is to trace and identify the contacts of an infected subject, but free and informed consent of the data subject is required for this. At the beginning, the Government also used mobile phone numbers to send SMS messages about the most important information regarding the state of emergency announced by the Government and the measures introduced. 

Now, the Government, in cooperation with private-sector entities,  has prepared a “smart quarantine” project which is mostly based on two applications aimed at mapping the contacts of individuals that tested positive for COVID-19 and helping municipal health stations trace other potentially infected people (one application – “eRouska” works on a Bluetooth basis, the second one – “mapy.cz” uses geolocation data - GPS). A municipal health station is therefore able to make a call to a potentially infected person via a call centre. Use of these applications as well as the provision of health-related information about COVID-19 positive tests are voluntary and based on 4 principles, i.e. i) free and informed consent of the data subject under GDPR, ii) decentralization – there is no central storage, all data are stored where they originated, iii) data are combined only upon a data subject’s consent, they can be used only in particular cases and should be deleted immediately (in 6 hours at the latest), and iv) where it is possible, the source codes of the application “eRouska” are published as open source so that it is possible to check the dataflow. This tracing works only among individuals having mobile phones on which the same application is installed. Regarding the safety and personal data protection, there is vigorous public discussion on this matter. The “smart quarantine” is audited externally by independent, reputable companies and by experts from the academic sphere – the Czech Technical University in Prague.

As regards travelling from/to the Czech Republic, the Government adopted several measures. The purpose of trips abroad by Czech citizens is not checked by the authorities at borders except for a few exceptions. Such exceptions consist primarily of cases of travel abroad to which an obligatory quarantine does not apply after the return of the traveller (such as travelling abroad due to a funeral/wedding, for a medical examination etc.; in these cases, the time and purpose of the journey is registered). When the traveller returns to the Czech Republic, it is necessary to report the date of arrival and the means of transport. After that it is mandatory to contact the relevant municipal health station, which has the authority to order a 14-day quarantine, or to submit a negative COVID-19 test which is not older than 4 days. Travel of citizens to the Czech Republic is still prohibited with exceptions especially for citizens working in the Czech Republic and for family members. All of these measures are connected with personal data processing by official authorities under personal data protection legislation as such processing is necessary for the performance of a task carried out in the public interest in the area of public health.

Act No. 262/2006 Coll., The Labor Code, requires employers to create a safe and non-hazardous work environment, while taking measures to prevent, eliminate or minimize risks (the so-called preventive obligation). In specific situations, the employer is obliged to proceed in such a way as to prevent, eliminate or minimize risks (he has a so-called preventive obligation).

In times of danger, the employer is therefore obliged to take the necessary protective measures and proceed in accordance with applicable regulations, extraordinary measures of the Government of the Czech Republic and instructions of public health protection authorities. The Ministry of Health of the Czech Republic prepared a manual of possible measures to prevent the spread of COVID-19 in the workplace.

Information regarding the risks associated with the coronavirus, such as whether they have travelled abroad or encountered an infected person, may be requested from employees. In practice, however, it can be difficult to penalize employees for a false or incomplete answer. An employer cannot enforce coronavirus testing. The Ministry of Labour and Social Affairs of the Czech Republic recommended to the employer to determine the fitness for work of employees through extraordinary occupational medical examinations.

The employer is entitled to keep lists of employees who have become ill with coronavirus and those who are quarantined after their return from a high-risk area. This is the processing of the so-called special category of personal data according to Article 9 of the GDPR, which the employer is entitled to process for the purpose of fulfilling obligations arising from labour law and social security law according to Article 9 (2) (a). b) GDPR. This activity also corresponds to § 101 of the Labour Code, which imposes an obligation on employers to ensure the safety and protection of their employees. Therefore, it is possible to keep records of employees with symptoms of coronavirus or employees who are quarantined after returning from high-risk areas. However, the employer may not publish lists of these employees, he may only publish the total number of quarantined employees.

If an employee has been diagnosed with COVID-19, the employer must, as part of the preventive obligation, inform the other employees about the possible risks in an appropriate manner. However, the facts about a specific person shall be communicated by the employer only to the extent necessary for the protection of health, and so as not to affect the dignity and integrity of that person. Specific data should only be provided to colleagues directly concerned.

The obligation of employees and site visits to undergo temperature measurement is not yet stipulated in any Czech regulation. The person performing the measurement should be instructed in the correct performance of the measurement. It is not recommended to record measured temperatures at this time. Potential outputs should only record decisions whether to allow work / entry into the workplace or not.

The Czech Republic would not participate in a European approach regarding development and launching a common app., the Czech Republic is not involved in the Pan-European Privacy-Preserving Proximity Tracing project.

An employer has a legitimate reason to monitor an employee who is at the home office, for which he can use, for example, a telephone or software that monitors the time the employee spends using the computer. In order to comply with the principle of transparency, the employer must inform the employee about the inspection. Without sufficient information provided to employees, information about non-performance of work tasks cannot be used for the purpose of corrective measures against the employee (e.g. reproach).

Employers often use cloud storage and access to such storage is often provided by companies outside of the EU. The company that uses such a solution is then responsible for ensuring the legality of the cross-border transfer of personal data. It is strongly recommended that you connect to a video conference only after connecting via a VPN (Virtual Private Network). When sharing files it's important to avoid using free storage without adequate security.

If teleconferences are recorded, then only in the sense of the principle of transparency according to Article 5 of the GDPR. It is necessary for the participants in the teleconference to be informed of this fact in advance. Related to this is the need to define the relevant rules (retention period of recordings, purpose, person with access to recordings, etc.).

The Office for Personal Data Protection of the Czech Republic has also called on companies to be extra careful when it comes to phishing (typically fraudulent e-mails).

Generally there are no special rules or exceptions as regards data protection obligations due to the emergency situation. The controllers and processors need to comply as always. Nevertheless the Office for Personal Data Protection encourages the use of contact via telephone and other electronic means for contacting them incl. for reporting data breaches.

As regards website protection, there are no special rules for data protection in connection with the coronavirus situation in the Czech Republic. Companies must observe the statutory rules as always.

There are no further specific except for above-mentioned.