The Czech Republic’s Data Protection Authority, Urad pro Ochranu Osobnich Udaju, provides its guidance on GDPR and COVID-19:
- Public health authorities are authorized to process personal data to the extent and for the purpose laid down by Act No. 258/2000 on public health protection. This includes taking appropriate measures to reduce the spread of contagious disease such as informing the population by sending alerts and calls in the form of text messages.
- Art 9 of GDPR allows processing of health data which is necessary for reasons of public interest in the field of public health, such as protection against serious cross-border health threats.
- Public or private entities that are required to follow the coronavirus measures should follow the guidelines and recommendations of the competent authorities. For personal data controllers, whether in the private or public sector, this means complying with applicable regulations, including current emergency measures of the Government of the Czech Republic and other central authorities and only to process or transfer personal data in accordance with the regulations.