Ministry of Foreign Affairs of the Czech Republic

   česky      english     

Advanced search

Skip to menu

Article notification Print Decrease font size Increase font size

Processing and Personal Data Protection

 

Personal data processing and protection at the Ministry of Foreign Affairs of the Czech Republic

The Ministry of Foreign Affairs of the Czech Republic (hereinafter referred to as the “MFA”), registered office address: Loretánské náměstí 5,   118 00 Praha 1 - Hradčany, business identification number: 45769851, see the “Public Inquiries” section on the MFA website), as a controller of personal data, processes and protects personal data in the course of its activities while fully respecting its duties under the applicable legislation concerning the processing and protection of personal data.

Data subjects whose personal data are processed by the MFA are informed about the manner and extent of the processing including the data subject's rights.

Processing of personal data is governed by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as the "GDPR") and by the Act No. 110/2019 Coll., concerning the processing of personal data, as well as other applicable legislation protecting personal data.

1. Which of the MFA's public services involve personal data processing?

The MFA processes personal data namely in the context of the following services:

  • Visas (registration of visa and residence permit applications visa archiving system, registration of  visa refusal appeals, visa appointment system, targeted economic migration programmes, government student programmes)
  • Consular matters (emergency assistance, consular assistance, legal assistance and service of documents, authentication services (verification of copies, translations and signatures, certification of public documents), register of arrested and imprisoned Czech citizens, database of consular cases, database of recipients of emergency financial aid, sale of foreign currency, DROZD - consular database for travelers (Czech citizens), diplomatic and service passports)
  • Czech Expatriate Community issues (Certificate of Affiliation to the Czech Expatriate Community abroad)
  • Human resources and payroll (including staff selection procedures, locally hired staff at the missions abroad, internships)
  • Security (including security camera footages necessary to ensure the security of personnel and buildings)
  • Public and economic diplomacy projects and agreements, development cooperation programmes
  • Complaints
  • Services provided by the missions abroad related to the Czech citizenship, birth, marriage and death certificates, travel documents, authentication services, register of arms waybills, inheritance matters, special electoral rolls and poll card records.

2. What is the legal basis for personal data processing at the MFA?

As a rule, the processing is necessary for compliance with a legal obligation to which the MFA is subject; for the performance of a task carried out in the public interest or in the exercise of official authority vested in the MFA; for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

In some cases, the processing is necessary for the purposes of the MFA's legitimate interests (e.g. the use of a security camera system and photographs of MFA employees for the purposes of building and personnel security).

If none of the above applies, the MFA must obtain the data subject's consent to the processing of personal data. The declaration of consent must state the purpose and the time for which consent is given. The consent is needed e.g. from travelers registering in the DROZD consular database, and from jobseekers filling in the MFA recruitment questionnaire.

3. How can I withdraw my consent?

In cases where the processing is subject to your consent, you may refuse to give the consent or you may withdraw it at any time. To withdraw your consent, follow the same procedure as you did when issuing your declaration of consent.

4. What kind of personal data does the MFA process?

The extent of personal data to be processed is defined in the applicable legislation or is limited by the purpose of processing. 

In particular, it concerns the following personal data:

academic degree/title,

first name(s) and surname,

date and place of birth, in specific cases personal identification number,

permanent residence address or/and mailing address,

state citizenship,

number of the identity document presented by the data subject,

telephone number, email address, data mailbox.

 

Personal data are processed electronically or manually in case of paper records in compliance with the security rules applicable to the management and processing of personal data.

In most cases, the MFA obtains the data from the data subjects themselves. However, in some instances the data may be retrieved from government registers and other information systems. 

The time limits for personal data processing are determined in the applicable legislation, in the MFA Records Management Code/Document Retention and Destruction Schedule or may be based on the contract between the MFA and the data subject. These time limits represent maximum time necessary to comply with the rights and obligations arising from the applicable legislation or contract. 

The data subject's personal data may be disclosed or made available only to persons, authorities, or institutions authorized to have access to such data by law  or for reasons of public interest or on the basis of a contract.

There is no automated decision-making in the processing of personal data.

5. What are my rights in relation to personal data processing at the MFA?

The data subject's rights are set out mainly in Chapter III of the GDPR:

  1. Right of access by the data subject, Article 15 of the GDPR

Every person has the right to obtain from the controller access to his/her personal data processed by the controller, as well as information on the data concerned, including namely: the purposes of processing, the categories of the personal data concerned, the recipients or categories of recipients, the period for which the personal data will be stored, the sources of the personal data, and the existence of automated decision-making, including profiling.

The first copy of processed personal data is provided to the data subject free of charge. For any further copies requested by the data subject, the MFA may charge a reasonable fee based on administrative costs.

  1. Right to rectification, Article 16 of the GDPR

If the data subject finds or believes that the processing of personal data has breached his/her privacy or violated the law (e.g. if the data are inaccurate), the data subject has the right to request an explanation and/or rectification (correction or erasure) of such data.

  1. Right to erasure (‘right to be forgotten’), Article 17 of the GDPR
  2. Right to restriction of processing, Article 18 of the GDPR

The data subject has the right to obtain from the controller restriction of processing where one of the following applies:

1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data,

2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead,

3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defence of legal claims,

4. the data subject has objected to processing pursuant to Article 21(1) of the GDPR pending the verification whether the legitimate grounds of the controller override those of the data subject.

  1. Right to request information on the recipients to whom the controller has communicated the rectification or erasure of personal data or restriction of processing, Article 19 of the GDPR

 

  1. Right to data portability, Article 20 of the GDPR

The data subject has the right to receive the personal data concerning him/her, which he/she has provided to the controller, in a structured, commonly used and machine-readable format, and has  the right to transmit those data to another controller without hindrance from the controller to  whom the personal data have been provided, in cases where the processing is based on consent or on a contract, and the processing is carried out by automated means.

  1. Right to object, Article 21 of the GDPR

The data subject has the right to object at any time to processing of personal data concerning him/her in cases where the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority or for the purposes of the legitimate interests pursued by the controller.

  1. Right to lodge a complaint with a supervisory authority (Office for Personal Data

Protection), Article 77 of the GDPR

 

6. What is the time limit for the processing of requests from data subjects seeking to exercise these rights?

Requests from data subjects seeking to exercise the above rights are reviewed by the competent MFA unit. Within one month of receipt of the request, the competent MFA must take one of the following steps (Article 12(3) and (4) of the GDPR):

1. act on the request, take the necessary measures and inform the data subject of such measures, or

2. reject the request and inform the data subject about the reasons for the rejection and about the  options available to the data subject in such case, or

3. extend the above time limit by two months and inform the data subject about the reasons for the extension, and confirm that the MFA will be able to act on the request within the extended time limit.

7. What are the rules for transferring personal data abroad?

The MFA may transfer personal data to third countries and international organizations provided that the transfer is consistent with the GDPR (i.e. there must be a valid legal basis for such transfer). There is no rule restricting or banning the free movement of personal data within the European Union with reference to protection of individuals. However, transfers of personal data to countries outside the Union are subject to additional requirements set out in the GDPR.

8. How do I contact the MFA in relation to the personal data protection?

1. By a letter (with an authenticated signature) to: Ministry of Foreign Affairs, Loretánské náměstí 5, 118 00 Prague 1 - Hradčany

2. Electronically (with a qualified electronic signature) to: epodatelna@mzv.cz

3. Via a (private) data mailbox to: e4xaaxh

If you suspect or know that the protection of your personal data has been breached, you may contact the MFA Data Protection Officer, who also exercises her competence in relation to the Czech missions abroad.

Contact information as of 1 May 2019:

Alice Marie Svobodová

Ministry of Foreign Affairs

Loretánské náměstí 5

118 00 Prague 1 - Hradčany

Tel.: 00420 22418 2335

Email: poverenec@mzv.cz

 

9. How do I contact the supervisory authority?

The data subject has the right at any time to contact the supervisory authority:

Office for Personal Data Protection

pplk. Sochora 727/27

170 00 Prague 7 - Holešovice

Tel.: +420 234 665 111

 

 

 

.