Below we present a brief overview of the recent changes and the currently available guidance.

New rules relating to cookies

Despite the fact that since the year 2009 the ePrivacy Directive generally required a prior consent for the storing and accessing of cookies (a so called opt-in), under Czech law it was sufficient to offer the possibility of refusing the storage and access to cookies (a so called opt-out). With effect as of 1 January 2022, Section 89 (3) of the Electronic Communications Act was amended to comply with the ePrivacy Directive and newly requires an opt-in for the storing of cookies or for gaining access to them, unless the cookies are of a purely technical nature, are necessary for carrying out the transmission of a communication over an electronic communications network, or for the provision of a service explicitly requested by the user (hereinafter jointly as "technical cookies").

For the storing and accessing of cookies that are not technical cookies, it is therefore necessary to obtain a prior consent that satisfies the requirements of the GDPR consent. The Office for Personal Data Protection reiterates in its statement from 25 November 2021¹ as well as in the FAQs from 22 December 2021² that the consent needs to be free, specific, informed, and unambiguous and that the user needs to be able to withdraw the consent as easily as grant it (ideally a button or URL for a withdrawal should be available on the website). Furthermore, the consent needs to be granular, which means it needs to be granted for a particular purpose.

The Office for Personal Data Protection points out that in relation to cookies it is necessary to adhere in particular to the:

1. requirements of the Electronic Communications Act, i.e., requirements for the storing and accessing of cookies, and
2. GDPR requirements (to the extent that the processing of cookies and related information constitutes personal data processing), i.e., requirements relating to personal data processing, such as having an appropriate legal basis.

Therefore, although a consent is necessary for the storing and accessing of cookies (apart from technical cookies), the processing of personal data in this context could, in practice, also be based on a legitimate interest or on the necessity for a contractual performance. In the opposite situation, despite the fact that a consent is not necessary for storing and accessing technical cookies, if they constitute personal data, an appropriate legal basis needs to be determined for their processing (in practice it will usually be a legitimate interest, however, depending on the purpose of the processing, a consent might be appropriate).

In order to satisfy the requirement of transparency, the Office for Personal Data recommends providing a list of all cookies including their purpose. The provided information needs to be clear and easily accessible for the user, whereas the number of cookies should be taken into account during the decision on the fulfilment of the transparency requirement.

New rules relating to telemarketing

The Electronic Communications Act also changes the opt‑out principle to an opt-in principle in relation to telemarketing³. Pursuant to Section 96 (1) of the Electronic Communications Act it shall be prohibited to contact a subscriber (i.e., a person using publicly available electronic communications services) with a marketing offer unless the subscriber has stated in a public subscriber directory that they wish to be contacted for marketing purposes.

As a reaction to various open questions pertaining to the interpretation and application of the new obligations, the Czech Telecommunication Office, the Office for Personal Data Protection and the Ministry of Industry and Trade issued on 21 December 2021 a joint interpretative opinion⁴. The opinion clarifies that the opt-in requirement relates to contacts made via contact details obtained from public subscriber directories. Therefore, if the contact details come from a source other than the public subscriber directory, the contacting person must merely prove how they obtained the contact (in order to prove that the requirements of the Electronic Communications Act are not applicable) and that they are entitled to process personal data and contact the person in accordance with the GDPR and Act No. 480/2004 Coll., on certain Information Society Services, if applicable.

The Electronic Communications Act stipulates a presumption that a public subscriber directory is also a list containing randomly generated phone numbers, phone numbers without identification details and a list with details of subscribers who did not state that they wish to be contacted for marketing purposes, which aims to ensure that the requirements will not be circumvented. According to the opinion, the newly introduced opt-in principle does not apply to a directory of contacts created by one's own business activity such as database of clients, patients or customers, as it only applies to marketing communication to a person with which the contacting person does not have any previous relationship.

In the opinion, the authorities also deal with the conditions under which a public subscriber directory may be created and used and provide answers to frequently asked questions relating to telemarketing. In relation to telemarketing, the Office for Personal Data Protection also updated its guidance How to prevent unsolicited telemarketing⁵ so that it reflects the new rules, which includes a guidance for persons how to prevent unsolicited telemarketing and how to proceed if they are contacted in this way.

Despite the fact that the new provisions are applicable as of 1 January 2022, pursuant to the transitional provisions, it will still be possible to contact subscribers in accordance with the previous legislation, i.e., on an opt-out basis, until 1 July 2022.

* * * * *

In light of the newly effective rules as well as the newly issued guidance, we recommend reviewing the set-up of the cookies and telemarketing rules.

We will be happy to answer any follow-up questions relating to the regulation, as well as any other queries you might have with regard to Czech law.

1 Statement of the Office for Personal Data Protection dated 25 November 2021, in Czech available here.

2 Frequently asked questions about the consent to cookies granted through the so-called cookie bar (FAQs) dated 22 December 2021, in Czech available here.

3 In addition to telemarketing, the new rules also apply to electronic marketing, where, however, an opt-in or a customer relationship was already required for a marketing communication by Act No. 480/2004 Coll., on certain Information Society Services.

4 Joint interpretative opinion dated 21 December 2021, in Czech available here.

5 Guidance of the Office for Personal Data Protection dated 3 January 2022 How to prevent unsolicited telemarketing, in Czech available here.