As the GDPR was enacted to achieve harmonized legal standards for personal data processing across the EU, the Member States are allowed derogations only in specific pre-defined circumstances. At the same time, the Member States are obliged to ensure the compliance of national regulations with the GDPR on certain provisions, for instance, those concerning the freedom of speech and the right to information.
The Data Processing Act will enter into force on the day of its publication in the Journal of Law after being signed by the President.
Here are some of the key derogations of the Data Processing Act from the GDPR:
(i) In connection to remote electronic service offerings (for instance, the setting up of a social media account) a child can validly consent to personal data processing for specific purposes if he or she is at least 15 years of age.
(ii) The Data Processing Act has opted to provide for possible restrictions to the rights of individuals arising out of Articles 12 – 22 of the GDPR and data processing principles (Article 5 GDPR) if it is necessary and reasonable to do so to protect certain interests such as the defence of the country, public order and internal security (crime investigation and prevention, criminal prosecution, serving of sentences), other important public interests of the EU or any of the Member States (especially economic or financial, currency, budgetary, tax, fiscal market, public health or social security), the independence of the judiciary, the supervisory and regulatory functions of a public authority in all the foregoing matters, personal rights and freedom or the enforcement of private claims.
(iii) Data controllers have been allowed certain privileges concerning personal data processing for journalistic, academic, artistic and/or literary purposes.
(iv) The Czech Republic has also opted to fully exempt its public authorities and public bodies from administrative penalties.
(v) For the avoidance of doubt, the Data Processing Act clarifies that any consent to personal data processing given under the previous Act 101/2000 would be considered as consent given under the GDPR, but only if the consent given complies with the GDPR. The GDPR defines the consent as "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to him or her".
(vi) Notably, the Data Processing Act only tackles issues that have been left to the Member States or which fall out of the scope of the GDPR. In any case, it is the GDPR itself that governs the rights and duties of the data subjects, data controllers, and data processors concerning data processing.