Czechia
A post-communist state that deliberately split its StB secret police successor into three separate intelligence services — whose blanket telecom data retention the Supreme Court ruled incompatible with EU law, and where military intelligence was turned against the Prime Minister’s own household in a 2013 scandal that brought down the government
Czechia is a member of the European Union (since 2004) and is subject to the General Data Protection Regulation (GDPR), the Law Enforcement Directive (LED), and other EU data protection instruments. This page focuses on Czech national implementing legislation, the national supervisory authority, and domestic surveillance and intelligence frameworks. For the EU-wide legal framework, see the EU Privacy and Surveillance Laws page.
Overview
Czechia’s privacy landscape is shaped by the country’s post-communist transformation, a deep institutional memory of StB (Státní bezpečnost) secret police surveillance, and its integration into Euro-Atlantic structures. The ÚOOÚ (Úřad pro ochranu osobních údajů) — the Office for Personal Data Protection — enforces the GDPR and national data protection law from Prague. Czechia’s 1991 lustration law, which barred former StB collaborators and senior Communist Party officials from public office, was among the most sweeping decommunization measures in Central Europe and reflected the intensity of Czech society’s rejection of state surveillance.[1][2]
On the intelligence side, Czechia operates three separate services: BIS (domestic), ÚZSI (foreign civilian), and VZ (military). BIS operates without executive powers — it cannot arrest, detain, or interrogate — and its surveillance activities require judicial authorization from a High Court chairman. Despite these formal constraints, Czech intelligence history includes a 2013 scandal in which military intelligence (VZ) was used to surveil the Prime Minister’s wife, exposing the gap between statutory limits and operational practice. Czechia is a NATO member (since 1999), an EU member (since 2004), and participates in the Club de Berne, the Counter-Terrorism Group, and the Visegrad Group (V4). NSA documents published by The Intercept describe early-2000s efforts to establish a Third Party SIGINT relationship with Czech intelligence.[3][4]
Data Protection Authority: ÚOOÚ
The Úřad pro ochranu osobních údajů (ÚOOÚ) is Czechia’s independent supervisory authority established under Act No. 110/2019 Sb. in accordance with GDPR Article 51. The ÚOOÚ is based in Prague, employs approximately 100 staff, and operates with an annual budget of roughly EUR 7.5 million. It handles complaints, conducts inspections, issues binding orders, and imposes administrative fines. A notable feature of Czech law is that public authorities and bodies are exempt from GDPR fines under the national implementation — one of the more controversial derogations among EU member states.[5][6]
Notable Decisions
| Date | Entity | Decision | Details |
|---|---|---|---|
| Apr 2024 | Avast Software s.r.o. | CZK 351 million (~EUR 13.9M) | Record Czech GDPR fine for unlawful transfer of browsing data of ~100 million users to subsidiary Jumpshot; data described as “anonymised” was in fact pseudonymised and re-identifiable (Art. 6, Art. 13 GDPR)[7] |
| 2023 | Healthcare data processor | CZK 309,000 (~EUR 12,000) | Unlawful processing of personal data of approximately 247,000 patients[8] |
The ÚOOÚ’s 2025 control plan focuses on retailers conditioning discounts on loyalty programme participation, CCTV in public transport, and online comparison services sending unsolicited commercial communications.[9]
Key Legislation
Act No. 110/2019 Sb. — Personal Data Processing Act
Czechia’s primary GDPR implementation law, effective April 24, 2019, replacing the earlier Act No. 101/2000 Coll. It implements both the GDPR and the Law Enforcement Directive (EU) 2016/680. The Act lowers the age of consent for online services to 15 years (from the GDPR default of 16) and controversially exempts public authorities from administrative fines. It re-establishes the ÚOOÚ as the national supervisory authority.[6]
Act No. 127/2005 Sb. — Electronic Communications Act
Governs telecommunications regulation, data retention, cookie consent, and telemarketing. Section 97(3) imposes data retention obligations on providers of public electronic communications networks. The Act has been amended multiple times, including in response to two Constitutional Court decisions in 2011 that struck down portions of the data retention framework, and again in 2022 to align cookie and telemarketing rules with the European Electronic Communications Code.[10][11]
Act No. 412/2005 Sb. — Protection of Classified Information and Security Eligibility
Establishes the framework for security classifications, personnel and facility security clearances, and the handling of classified information. Administered by the Národní bezpečnostní úřad (NBÚ) — the National Security Authority — which also oversees cybersecurity through the National Cyber and Information Security Agency (NÚKIB).[12]
Act No. 153/1994 Sb. — Intelligence Services Act
Establishes the legal framework for Czechia’s three intelligence services (BIS, ÚZSI, VZ), defines their mandates, and provides for government and parliamentary oversight. Supplemented by Act No. 154/1994 Sb. on the Security Information Service, which specifies BIS’s powers and the oversight role of the Chamber of Deputies’ Standing Commission.[13]
Act No. 264/2025 Sb. — Cybersecurity Act (NIS2 Transposition)
Signed by the President on June 27, 2025, effective November 1, 2025. Transposes the EU NIS2 Directive, significantly expanding the scope of regulated entities across energy, healthcare, finance, and digital infrastructure. Establishes two tiers of obligations: essential entities face fines up to CZK 250 million or 2% of global turnover; important entities face fines up to CZK 175 million or 1.4% of global turnover. NÚKIB serves as the competent authority.[14]
Surveillance and Intelligence
Intelligence Agencies
Czechia operates three separate intelligence services, a deliberate structural choice reflecting post-communist reforms designed to prevent the concentration of intelligence power that characterised the StB era. The Bezpečnostní informační služba (BIS) is the domestic security intelligence service, reporting to the Prime Minister. BIS has no executive powers — it cannot detain, arrest, or interrogate suspects — and is explicitly prohibited from political activity. The Úřad pro zahraniční styky a informace (ÚZSI) is the foreign civilian intelligence service, falling under the Ministry of the Interior, responsible for HUMINT and SIGINT collection abroad. The Vojenské zpravodajství (VZ) is the military intelligence service under the Ministry of Defence, the only Czech service integrating both intelligence and counterintelligence functions, with capabilities in IMINT, HUMINT, SIGINT, and OSINT.[13][15][16]
Oversight Framework
Czech intelligence oversight is multi-layered. The Chamber of Deputies’ Standing Oversight Commission provides parliamentary scrutiny. Since 2018, a five-member Independent Oversight Body — appointed by the Chamber of Deputies from independent experts proposed by the government for five-year terms — conducts second-level oversight with competences superior to those of the parliamentary commission. Judicial oversight governs the use of intelligence technology: warrants are granted by the Chairman of the Panel of Judges of the relevant High Court. The Supreme Audit Office oversees budgetary compliance.[13]
Post-Communist Intelligence Reform
The StB (Státní bezpečnost) — Czechoslovakia’s communist-era secret police — was dissolved on February 1, 1990, shortly after the Velvet Revolution. The October 1991 lustration law barred former StB employees and collaborators from positions in the civil service, judiciary, intelligence services, military, state enterprises, central bank, and public media. Over 300,000 lustration investigations were conducted, with fewer than 5% resulting in findings of collaboration and approximately 100 individuals ultimately barred from their positions.[2]
BIS Surveillance and Interception Powers
Under Act No. 154/1994 Sb. on the Security Information Service, BIS is authorised to employ covert intelligence means — including electronic interception of communications, installation of tracking and listening devices, and monitoring of data transmissions — where necessary for its statutory mandate. Each use of such technical means requires an authorisation from the Chairman of the Panel of Judges of the relevant High Court. BIS has no executive powers: it cannot itself conduct searches, detain individuals, or make arrests, and must refer any required operational action to the Police of the Czech Republic or the State Prosecution. BIS publishes annual threat reports identifying Russian and Chinese intelligence services as the dominant sources of espionage, influence operations, and cyber intrusions targeting Czech government networks, defence contractors, and critical infrastructure operators.[3][13]
Nagyová/Nečas Military Intelligence Scandal (2013)
In June 2013, Czech police uncovered that Jana Nagyová — head of the counterintelligence section of military intelligence (VZ) and partner of Prime Minister Petr Nečas — had ordered VZ personnel to conduct covert surveillance of the Prime Minister’s wife, Radka Nečasová, using state intelligence resources for personal purposes. Police arrested Nagyová and several associates on June 13, 2013; Prime Minister Nečas resigned on June 17, 2013. The affair illustrated that Czech intelligence collection tools, even within a multi-layered oversight framework, remained vulnerable to political capture and misuse outside any lawful mandate. Nagyová was ultimately convicted of abuse of power and ordering unlawful surveillance, confirming that the interception of a private individual’s communications on the instruction of an intelligence official pursuing personal objectives constitutes a criminal offence under Czech law.[17][18]
NSA Cooperation
A 2005 NSA internal document published by The Intercept as part of the SIDtoday archive describes the NSA’s first formal delegation visit to ÚZSI in Prague, noting that Czech SIGINT professionals displayed “levels of sophistication, knowledge, practical experience, ingenuity and enthusiasm” that overcame financial and equipment limitations. The document assessed ÚZSI as “relatively advanced in FORNSAT collection” with a “very good analytic effort against Russian and Ukrainian HF networks,” and recommended exploring a Third Party SIGINT relationship. Czechia is listed among countries with Defense Telephone Links to the United States.[4][19]
Internet Infrastructure and Transit Exposure
NIX.CZ (Neutral Internet Exchange)
The Neutral Internet Exchange (NIX.CZ) is Czechia’s primary internet exchange point, connecting over 200 local and international networks and handling approximately two-thirds of all Czech domestic internet traffic. NIX.CZ has expanded beyond Prague to include peering locations in Bratislava, Vienna, and Frankfurt, using a modern leaf-spine topology with VXLAN EVPN and supporting 100GE and 400GE connections.[20]
Peering.cz
Peering.cz, established in 2013, is a second Czech IXP operating across 10 data centers in the Czech Republic, Slovakia, Austria, and Germany. DE-CIX Prague also provides international peering infrastructure in the Czech capital.[21]
Transit Exposure
As a landlocked country, Czechia has no submarine cable landings. All international internet traffic must transit through neighboring states — primarily through Germany (via DE-CIX Frankfurt, where the BND has conducted cable interception since 2009) and Austria. NIX.CZ’s expansion to Frankfurt and Vienna creates direct peering with exchanges in states whose intelligence services conduct cable-level surveillance, exposing Czech international traffic to potential interception at transit points outside Czech judicial jurisdiction.[22]
Data Retention
Under Section 97(3) of the Electronic Communications Act (No. 127/2005 Sb.), Czech telecom providers are required to retain traffic and location data for six months. Content of communications is not retained. Retained data can be accessed by the police, BIS, Military Intelligence (VZ), and in certain cases the Czech National Bank. The original 2005 framework mandated up to 12 months for telephony data, but portions were struck down by the Constitutional Court in March and December 2011 as disproportionate. Amended data retention provisions were adopted in 2012.[10][11]
In 2024–2025, the Czech Supreme Court ruled that the country’s blanket data retention framework “heads towards the preventive retention of data of virtually all users of electronic communications virtually at all times” and does not comply with EU law as interpreted by the CJEU. The court emphasized that the Czech Republic bears EU liability when national legislation incorrectly implements European directives. As of early 2026, the retention provisions remain in force pending legislative reform.[23]
International Data Sharing Agreements
NATO
Czechia joined NATO on March 12, 1999, alongside Poland and Hungary, as part of the first post-Cold War expansion. NATO membership provides access to alliance intelligence-sharing structures, including the NATO Intelligence Fusion Centre (NIFC) and the NATO Communications and Information Agency (NCIA).[24]
Club de Berne and Counter-Terrorism Group
Czechia is a member of the Club de Berne, the intelligence-sharing forum of EU member states’ domestic security services plus Norway and Switzerland, and participates in the Counter-Terrorism Group (CTG), the post-9/11 operational counterterrorism offshoot. BIS represents Czechia in both fora and contributes to the CTG’s joint threat assessments.[25]
Visegrad Group (V4)
The Visegrad Group — Czechia, Hungary, Poland, and Slovakia — provides a framework for defence, security, and cybersecurity cooperation among the four Central European states. The V4’s Central European Cyber Security Platform coordinates responses to cyber threats, and the group conducts joint military exercises, intelligence consultations, and harmonised defence procurement. NÚKIB (the Czech National Cyber and Information Security Agency) participates in the V4 cybersecurity framework.[26]
US-Czech MLAT
The US-Czech mutual legal assistance treaty (MLAT) in criminal matters was signed on February 4, 1998 and entered into force on May 7, 2000. It provides for mutual assistance including the execution of searches and seizures, the taking of testimony, the transfer of evidence, and asset forfeiture. The Central Authority for the Czech Republic is the Office of the Prosecutor General and the Ministry of Justice.[27]
EU Law Enforcement Cooperation
Czechia participates in the Schengen Information System (SIS II), the European Investigation Order (EIO) framework, the Prüm Convention for automated DNA, fingerprint, and vehicle data exchange, and Europol and Eurojust cooperation mechanisms.[24]
Cross-Border Police Cooperation with Germany
A German-Czech police treaty signed on April 28, 2015 formalises cross-border law enforcement cooperation. Police forces can intervene on the other state’s territory up to 10 km from the border, with extended cooperation covering the entire territories of Saxony and Bavaria. Joint police teams of officers and liaison personnel from Western Bohemia, Saxony, and Bavaria address cross-border crime, with particular focus on drug trafficking (notably methamphetamine distribution).[28]
The Privacy Backdoor Effect
Despite Czech data protection law and ÚOOÚ GDPR enforcement, intelligence sharing and transit exposure create parallel pathways for accessing Czech person data — while Czech intelligence law authorizes collection against foreign persons without nationality-based protections:
- DE-CIX Transit / BND: Czech internet traffic transiting Frankfurt’s DE-CIX is subject to BND interception under RAMPART-A authorities; NIX.CZ traffic routed through Germany loses GDPR protection at the German border.
- NSA Tier B Cooperation: Czech SIGINT cooperation with the NSA enables bilateral intelligence sharing about Czech nationals outside GDPR-compatible frameworks.
- Club de Berne / EU INTCEN: BIS intelligence sharing with EU INTCEN and 31 European services operates outside GDPR.
- V4 Intelligence Cooperation: Visegrad Group security cooperation shares assessments involving Czech nationals with Polish, Hungarian, and Slovak intelligence services outside GDPR.
- EU Framework Sharing: Czech person data in SIS II, Prüm, or EIO channels is accessible to 27 EU member states and, through Europol, to the US FBI.
- MLAT Bypass: US authorities can request data via the US-Czech MLAT at potentially lower evidentiary thresholds than Czech judicial warrants.
- SWIFT/PNR Dragnet: International financial transactions and air travel data are subject to US access.
For Czech persons, the protections of Act No. 110/2019 and the GDPR apply to controllers subject to Czech jurisdiction; BIS, ÚZSI, and VZ operate under Act No. 153/1994 on Intelligence Services, explicitly separate from data protection law. Foreign nationals whose communications transit NIX.CZ or Czech fiber networks are subject to BIS collection authorities without GDPR protection — GDPR Article 2(2) excludes national security processing from its scope.
Recent Developments
New Cybersecurity Act (NIS2 Transposition) (2025)
Act No. 264/2025 Sb., signed June 27, 2025 and effective November 1, 2025, transposes the EU NIS2 Directive with expanded scope, mandatory supply chain risk management, and fines up to CZK 250 million or 2% of global turnover.[14]
Supreme Court Rules Data Retention Violates EU Law (2024–2025)
The Czech Supreme Court found that blanket retention of telecom metadata under the Electronic Communications Act does not comply with CJEU case law, creating pressure for legislative reform.[23]
Avast Software Record GDPR Fine (April 2024)
ÚOOÚ imposed CZK 351 million (~EUR 13.9 million) on Avast for unlawfully transferring pseudonymised browsing data of ~100 million users to Jumpshot — the largest GDPR fine in Czech history.[7]
Nagyová Convicted for Ordering Unlawful Surveillance (2019)
Jana Nagyová was convicted of abuse of power for directing military intelligence (VZ) personnel to conduct covert surveillance of a private individual for personal purposes — concluding the criminal proceedings arising from the 2013 scandal that brought down the Nečas government.[17]
