Czech GDPR Guide: Your Privacy Rights Under ÚOOÚ and How to Exercise Them

The Czech data protection authority ÚOOÚ enforces GDPR in the Czech Republic. Learn your rights, how to file complaints, and how to take control of your personal data.

LOCK.PUB
2026-03-21

Since GDPR took effect in 2018, Czech residents have had some of the strongest personal data protections in the world. But many people in the Czech Republic do not realize how extensive their rights are or how to use them. The ÚOOÚ (Úřad pro ochranu osobních údajů — Office for Personal Data Protection) is the national authority responsible for enforcing these rules. Understanding what it does and how to work with it puts you in control of your personal information.

What Is ÚOOÚ?

ÚOOÚ is the Czech Republic's independent data protection authority, equivalent to CNIL in France or the ICO in the UK. Based in Prague, it oversees how companies and organizations collect, process, and store personal data of Czech residents. It investigates complaints, conducts audits, and can issue fines of up to 20 million euros or 4% of annual global revenue for serious GDPR violations.

ÚOOÚ handles complaints about both Czech and foreign companies processing data of Czech residents. If a Czech company shares your data improperly, or if an international service like Facebook or Google violates your privacy rights, ÚOOÚ is your first point of contact.

Your Core GDPR Rights in the Czech Republic

1. Right of Access (Právo na přístup)

You can ask any company what personal data they hold about you, why they have it, who they share it with, and how long they plan to keep it. The company must respond within 30 days. This applies to your employer, your bank, your health insurer, your mobile carrier, and any online service you use.

2. Right to Rectification (Právo na opravu)

If any of your personal data is incorrect or incomplete, you have the right to have it corrected. This includes your name, address, date of birth, or any other personal information held by a company.

3. Right to Erasure (Právo na výmaz)

Also known as the "right to be forgotten." You can request that a company delete all your personal data if it is no longer necessary for the purpose it was collected, if you withdraw your consent, or if the data was processed unlawfully.

Important exception: Companies can refuse deletion if the data is required by law (for example, tax records must be kept for 10 years by Finanční úřad regulations).

4. Right to Data Portability (Právo na přenositelnost)

You can request your data in a machine-readable format and transfer it to another service. This is useful when switching banks, mobile providers, or online services.

5. Right to Object (Právo vznést námitku)

You can object to your data being used for direct marketing, profiling, or processing based on "legitimate interest." Once you object, the company must stop processing your data for that purpose.

6. Right to Restrict Processing (Právo na omezení zpracování)

You can request that a company stop using your data while a dispute is being resolved — for example, if you have challenged the accuracy of the data.

How to Exercise Your Rights

Step 1: Contact the Company Directly

Start by sending a written request (email is fine) to the company's data protection officer (DPO) or their published GDPR contact. Czech law requires companies to respond within 30 days.

Include:

  • Your full name and a way to verify your identity
  • Specifically what you are requesting (access, deletion, correction, etc.)
  • Reference to GDPR and zákon č. 110/2019 Sb. (Czech data protection act)

Step 2: If the Company Does Not Respond

If you do not receive a response within 30 days, or if the response is inadequate, you can file a complaint with ÚOOÚ.

Step 3: File a Complaint with ÚOOÚ

You can file a complaint:

  • Online through the ÚOOÚ website at uoou.cz
  • By email to posta@uoou.gov.cz
  • By mail to Úřad pro ochranu osobních údajů, Pplk. Sochora 27, 170 00 Praha 7
  • Via datová schránka (data mailbox): qkbaa2n

Your complaint should include the company name, what happened, what rights were violated, copies of your request and any response, and your contact information.

Common GDPR Violations in the Czech Republic

| Violation | Example |
|---|---|
| Excessive data collection | Employer collecting rodné číslo when it is not legally required |
| Lack of consent | Marketing emails without opt-in |
| Failure to delete data | Ex-employer retaining your personal files years after termination |
| Data breach notification failure | Company gets hacked and does not inform affected users |
| Unauthorized data sharing | Landlord sharing your personal data with third parties |
| CCTV without notice | Workplace cameras without proper signage and legal basis |

Practical Tips for Protecting Your Data in the Czech Republic

  1. Read privacy policies before signing contracts. Czech landlords, employers, and service providers often collect more data than necessary.
  2. Use your rodné číslo sparingly. Many Czech companies ask for it out of habit. You can ask whether an alternative identifier is acceptable.
  3. Opt out of marketing databases. Send a formal objection to direct marketing under GDPR Article 21.
  4. Check CzechPOINT for your digital footprint. The government portal shows which services have accessed your official records.
  5. Request data exports regularly. Ask your bank, mobile provider, and major online services for copies of all data they hold on you.
  6. Use privacy-focused tools for sharing sensitive documents. When you need to send personal information — your rodné číslo, ID card scan, or tax documents — use LOCK.PUB instead of email. Password-protected links that auto-expire leave no permanent copy in anyone's inbox.

ÚOOÚ vs. Other European DPAs

ÚOOÚ is generally considered moderate in its enforcement compared to more aggressive authorities like CNIL (France) or DPA Hamburg (Germany). However, it has become more active in recent years, particularly around employee privacy, CCTV surveillance, and commercial data processing. Czech residents should not hesitate to file complaints — ÚOOÚ does investigate and act on them.

The Bottom Line

GDPR gives Czech residents powerful tools to control their personal information. But those tools only work if you use them. Every time a company collects your data, you have the right to know why, to see what they have, and to demand its deletion when it is no longer needed.

Start treating your personal data like the valuable asset it is. When sharing sensitive information is unavoidable, use LOCK.PUB to ensure it does not persist in email chains and chat logs forever. Your data, your rules.
