The Czech Republic: Is There A Possibility To Further Process Legally Published Personal Data That Are Not Open Data?
Open data in the Czech Republic is defined in the Act on Free Access to Information, as „information published in a manner enabling remote access in an open and machine-readable format where the manner and purpose of the subsequent use of such information is not restricted and the information is recorded in the Open Data National Catalogue“. The Act also sets out mandatory publication of information, as follows: „obligatory entities publish information contained in registries, archives, records or lists maintained or administered by such entities; such information is accessible to every person by law and can be used as open data for business or other gainful activities, for study or scientific purposes or for public inspections of legally bound persons. Legally bound persons register such information in a National Open Data Catalogue. The list of information pursuant to the first sentence is set forth by an implementing legal regulation. It is presumed that the legitimate interests or fundamental rights and freedoms of data subjects which require protection of personal data do not prevail over the further processing of open data.” The following information is considered open data: information from the lists of experts and interprets, from the national information system on timetables, from the evidence of vacant posts, etc.
Further processing of information from the National Open Data Catalogue, that include personal data within the meaning of provision 4 par. 1 of the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation; hereinafter referred as “GDPR”) has, certainly, to be in compliance with GDPR. As described above interest in processing the defined open data is considered as prevailing over legitimate interests and rights of data subjects and such data is possible to process for business purposes and gainful activities of the controller.
However, the Catalogue does not include all data presented in the Czech official public registers and lists, e.g. Insolvency Register, Trade Licensing Register, Trademark database, the Commercial register, the Cadastre of Real Estate, etc. This fact raises an issue regarding possibility to re-use legally published data which are not included in the Catalogue.
Generally, data published by state authorities can be divided in two groups with specific legal regimes, i.e. (i) open data and (ii) legally published data that are not defined as open data. Both types of data may, of course, include personal data.
Before the effectiveness of GDPR, the possibility to use personal data, published in public registers, was mainly regulated by the Act on Personal Data Protection in the Czech Republic. This act included legal ground for further processing of legally published personal data for business purposes and gainful activities. However, as outlined above, this Act was replaced by new act in order to be fully compliant with GDPR, which led to deletion of this explicit possibility (of further processing for business purposes and other gainful activities) without any visible substitution. This, understandably, brought up an important issue concerning further processing of such non-open data personal data.
This matter has been dealt by the Czech Republic’s Office for Personal Data Protection in the end of 2019. This office is the supervisory authority within the meaning of Article 51 letter f) of the GDPR. Its current position is that there is no legitimate interest for processing legally published data that are not open data for business purposes. Of course, this does not prevent processing of such data upon consent of the respective data subject with such processing within the meaning of article 6 par. 1 letter a) of GDPR.
In case of open data, the law introduces a rebuttable presumption that rights of data subjects do not prevail over legitimate interests of the controller on further processing of personal data unless proven otherwise. There seems not to be any generally applicable reason supporting the Czech Personal Data Office’s standpoint, which deliberately weakens position of non-open public personal data. Even in situation, when such data has already been publicly available due to the public interest while presuming that the invasion of data subjects´ privacy is only marginal in this case. It might be assumed, as Czech Personal Data Office deduces from this presumption, that data subjects whose data are published within the regime of open data, are aware and informed about such marginal invasion into their privacy.
We are not convinced of the opinion presented by the Czech Personal Data Office for following reasons. Firstly, obtaining consent of every data subjects whose data are published in databases operated by public authorities (that are not open data) is practically impossible and therefore it would be practically impossible to further process data that are not considered as open data. Secondly, there seems not to be any reasonable argument supporting the view that data subjects are only aware of publishing of their personal data in open data registers and not in registers not belonging into regime of open data (while still publicly available). As well as why such further processing (of data that are not open data) should not be as well only marginal, also considering that e.g. data published in Trade Licensing Register are not open data, however data published in Administrative register of economic subjects are open data while the data actually in certain scope overlap.
In our opinion, the institute of open data, as presented by the Czech law currently, provides the re-processing with a special advantage – such re-processing shall be (unless proven otherwise) considered in legitimate interest of the controller (thus the intrusion into the data subject’s right is considered lighter). In case of other published personal data, the controller cannot use such advantage automatically and therefore has to (in every and each case) perform classical balance test to ensure that the processing of such data (non-open data) does not intrude into the rights of data subjects excessively. To sum up, in our opinion it should be possible to further process legally published personal data for business purposes, even though such data do not belong within open data under following conditions, with taking into account the aims of new EU directive from 2019. The controller while processing such data does not breach any other laws that would forbid such processing and before further processing the controller should carry out the balance test in order to consider if his/her/its own legitimate interest in further processing prevails over interests and rights and freedoms of data subjects, i.e. the presumption of controller’s legitimate interest will not be applied as it would be in the case of open data. Nor, however, is there any legal reason to consider such processing as illegal (in conflict with GDPR and related rules) per se.
It will be interesting to observe, whether and how this issue will be looked upon by the Czech courts. Therefore, we will keep focused on this matter and wait for the courts´ judgments regarding this topic.
Article provided by: Tomáš Nielsen (Nielsen Legal, Czech Republic)
Dr. Tobias Höllwarth (Managing Director INPLP)